undefined | Better HN

0 pointstialaramex5y ago0 comments

> SMS as a second factor is purely additive. It cannot reduce security.

You are forgetting social engineering. Humans find it reassuring that the security process happened as usual, even if in fact the apparently "usual" process was them being being phished. This can mean they're actually less alert than they would be otherwise.

You get an urgent message from your bank about an unexpected $500 transaction, you follow the link & you need to enter your password as usual of course, and then it tells you that you'll get an SMS and to type in the code so you do so. Phew! Disaster averted! Right? This must have been real, you even got an SMS from the bank.

Alas the SMS was from your bank, and the bad guys didn't have a way to intercept it, but they didn't need one because you typed it into their phishing website. That unexpected $500 transaction wasn't real, but their emptying of your bank account will be.

0 comments

3 comments · 1 top-level

jsnell5y ago· 2 in thread

Here's the same story without 2FA:

"You get an urgent message from your bank about an unexpected $500 transaction, you follow the link & you need to enter your password as usual of course. It was a phishing website. Your bank account will be emptied."

It did not reduce security.

tialaramexOP5y ago

But in your revised story I don't receive reassurance that everything is going as planned. That's what I'm getting at, the SMS step is reassuring even though it actually shouldn't be.

jsnell5y ago

If there is no 2FA, not being asked for a confirmation code is things going as normal. Also, it's totally irrelevant whether the user gets cold feet since in the password-only world they've just handed away the keys to the kingdom.

j / k navigate · click thread line to collapse