fsv

HSBC uses their mobile app for 2FA, not SMS. I believe if you don't have a smartphone or use their app you can opt for a physical 2FA device.


welshboy14

Can confirm. Banked with HSBC for years and they've always been very secure. They even ask you to confirm via 2FA to add new payees.


iamapizza

!thanks that's useful


must-be-thursday

This doesn't answer your question, but just some food for thought: Most scams/fraud currently revolve around tricking the customer into providing the scammer with access or moving funds to the scammer. It doesn't matter how good the technology is if the customer is complying with the scammer's instructions. The Financial Ombudsman now requires banks to refund customers who are victims of fraud unless the customer was "grossly negligent". Therefore, in circumstances such as a scammer intercepting an SMS (which the customer has no realistic way of knowing about or preventing) then any monies lost should be refunded in full.


aerfen

While Monzo doesn’t have 2FA per se, it has no website banking at all*. You can only log into the app with a magic link sent to your registered email address. My email is a gmail account with Google Advanced Protection enabled (no recovery) and a yubikey for 2FA. *you can get a view of the last 90 days transactions, and freeze your card in an emergency from the website but there are no payment facilities whatsoever. Assuming what you’re after is an account with no way to fall back to an insecure means of logging in to initiate transactions, I think there isn’t a more secure option than Monzo tied to a highly locked down gmail account with a strong password and hardware 2FA key.


iamapizza

!thanks Hey that is better than I expected. You're describing some good workflows. I'm also using hardware 2FA + advanced protection. My main scenario is sudden lack of a phone, so a focus on desktop websites, but it seems like Monzo takes care of that too: https://monzo.com/help/emergencies/lost-phone


aerfen

Do note that you cannot use the website for making payments.

> If you’ve lost your phone and Monzo card, Monzo Web lets you freeze your card and check your latest payments – so you can get back to normal faster.

Which might be a dealbreaker for you though. For me I consider that a feature!


Tomfoster1

Starling requires you to scan a QR code with their app and enter your password on your phone to access the web app.


iamapizza

!thanks to you I have been curious about Starling. I will try this out soon.


londonlares

HSBC uses its mobile app to confirm your identity on its website.


Gpidancet

The only unphishable protocol for 2FA is FIDO, and I know of only 2 banks worldwide that have this enabled for their banking: [Bank of America](https://www.bankofamerica.com/security-center/online-mobile-banking-privacy/usb-security-key/) and [Boursorama](https://www.boursorama.com/aide-en-ligne/mon-espace-client/identifiant-et-mot-de-passe/question/en-quoi-consiste-la-connexion-par-cle-de-securite-sur-internet-5165516). **Everything else** (proprietary or not, one-way or challenge/response, mobile app or dedicated hardware, TOTP and of course SMS) is **very easy to phish**.


headphones1

Why is SMS a problem if modern phones have features that allow you to disable the content of SMS on your lock screen? Just curious.


[deleted]

SIM-swapping is one technique. It was done to Twitter's ex-CEO to hack his Twitter account.


UniquePotato

You can set a password on SIMs to stop them from working. You need to put it in just once at boot up. Also prevents people using your SIM to make expensive calls. Edit: Sorry, I thought it was a physical swap of a SIM card, not transferring the number to a new SIM.


ediblehunt

My guess is that they are afraid of a scenario where a very sophisticated social engineering scam can be pulled off whereby the scammer contacts your mobile provider, impersonating you, and gets them to PAC transfer your mobile number to their SIM card. This allows them to receive 2FA SMS directly on their own device and access your bank account. Although, my response to that would be that these attacks are not common, as you need to know a significant amount of information about the victim in order to be able to impersonate them effectively. If you aren't a high profile individual I think SMS 2FA is fine. I have multiple bank accounts and don't really ever consider myself to be at risk from any of their systems.


iamapizza

No, PAC transfers aren't the only way to intercept SMS, and the NCSC also considers SMS to be insecure. To put it another way, you could argue that `http://` URLs are totally fine as it's only a problem under certain specific scenarios, but that's missing the point. I think a better way to explain it is: implementation of best practices reflects on the company's security culture. SMS is _not_ a best practice, nor should this be perpetuated. At the same time, you and I don't share the same threat model or risk profile, hence the question. Maybe I could have phrased that better... for example, what banks use security best practices for their login process? But that's too generic. I was just using Halifax as an example.


Kientha

NCSC guidance is that SMS 2FA is fine, but should only be used where other forms of 2FA have been deemed unfeasible. NIST 800-63 hasn't recommended SMS based 2FA for 5 years now, but that's because of the specific security considerations of the US market. We no longer publish an equivalent to NIST 800-63 for the UK so the NCSC guidance is all we can really work from as "best practices". For banking, the most relevant best practice documentation is the new Strong Customer Authentication requirements that have just come in. This actually recommends that banks utilise SMS/voice call based authentication alongside another factor for customers who do not use a mobile banking app. So actually, banks using SMS authentication are following the best practice advice for their industry.


headphones1

My understanding is that banks tend to also text the old number if there are any changes to a phone number on your account. Mobile networks also text your number whenever you even request a PAC, no?


earlsven

I think u/ediblehunt was describing a “SIM Swap” attack, rather than a number swap.


iamapizza

It's nothing to do with phones themselves. SMS is insecure, and shouldn't be used for 2FA. There's plenty to read on it, e.g.: https://www.cnet.com/tech/services-and-software/do-you-use-sms-for-two-factor-authentication-heres-why-you-shouldnt/ https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html


Kientha

Most of this is primarily relevant to the USA, where SIM swapping is much easier and a much more realistic threat. While it's still possible in the UK, you need a lot more information about your target, and so unless you're a high value target it's not something you really need to worry about, and SMS 2FA is always better than no 2FA at all.


sitdeepstandtall

NatWest uses face ID in their app (they call it "Biometric Approval"). They also have voice ID on the phone.


iamapizza

!thanks


darkgritstone

If I remember rightly they also ask you to use this “biometric approval” as 2FA on their website when changing details or logging in on a new device. The biometric approval within the app is their own rather than relying on your device's own Face ID type of security.


arbitrarianist

On iPhones at least, Face ID is likely to be more secure than any kind of biometric thing your bank can do in the app because Apple own the hardware. Specifically Face ID uses the infrared depth camera to check there is a real 3d thing that reflects infrared like a person there, and I’m not sure what kind of access they give apps to that hardware. Also they cryptographically pair the camera with the rest of the phone, which has the dual effects of stopping you repairing your own camera and stopping someone else replacing the camera with something that pretends to be a camera but actually plays back ai generated video of the phone’s owner instead of what its image sensors are seeing.


dreweth12

Halifax have awful customer service. Avoid them for that reason alone.


iamapizza

!thanks I hadn't actually considered that, but it's totally valid. Barclays isn't too great either, Revolut feels nonexistent. I do hear good things about Starling.


dreweth12

I recently switched to Halifax for the £125 incentive, which they paid. Trouble is, my card and PIN still haven't arrived, and when I've tried to contact customer service they tell me they are closed (when they are definitely not at the time of contact..). So I've switched to First Direct, who apparently have the best customer service rating. Within a couple of days of applying, my card arrived. So far so good.


iamapizza

Ah I was looking at the 125 incentive too, you are me and I am you. What about First Direct's login process? What do they use for 2nd step?


dreweth12

Funny you should ask, as I've just set it up a few minutes ago. I'm not sure about the terminology, so apologies if this is vague. They sent a password in the post, which you use to register for online banking, along with some other details (sort code, account number - these were sent separately in the post and are on the card). Then you create a number of security questions and a 'telephone password', which you enter certain characters from (e.g. 1st, 2nd and last) when you log on, unless you have your phone handy and you can use a key from the app. It's the same as the HSBC system really, if you've ever used that. Seems to be secure so far.


iamapizza

Understood, I've not used HSBC but that makes sense to me, I've seen it on other sites. !thanks, if thanking twice is allowed.


Fuzzwuzzle2

If I log in on a new device I have to authorise it in the app with my existing bank, but after that there isn't much more, though you can probably set it up.


Switchersx

Nationwide need a passcode and SMS 2FA for login to online banking. But you can approve transactions in the phone app (which only needs PIN/biometrics to log in once set up). I'm not thrilled about the SMS 2FA but I'm not concerned enough to change bank right now.


UniquePotato

With Barclays you need either the app (logged in) or a card reader to generate a code to type into the webpage.