This is why you never enable SMS based MFA. TOTP is well established and just works. If you need even more security FIDO2 devices like YubiKey are a thing.
For the love of God, someone inform Citibank and Chase of this. My dinky little local credit union allows me to use TOTP, but Citi and Chase still only seem to support SMS.
Chase supports push notifications via their app now, so at least they’re moving forward toward something a bit more secure. But yes, I’m so pissed that so many banks use SMS when it’s known to be easily spoofed.
Requiring the use of their own app is only marginally better than not supporting it at all. I try to minimize the number of apps pn my phone, and banking apps are prime examples of a use case that can be completely fulfilled in a browser. Even if I used the app, I would prefer to be prompted for non-biomotric MFA each time I sign in anyway.
Yeah I can respect that, I have one bank where the only account I have there is a credit card now that I paid off my loan. Their app is terrible and half the time it doesn’t load on my home network because of all my ad and tracking blocking on my DNS server. I just want to check balances, you assholes. So yeah that one is strictly browser only for me.
This is why we have MFA.
Hey want to play a game? Your bank is gonna text you a number, and I’m going to guess it. Tell me if my guesses need to be higher or lower.
This is why you never enable SMS based MFA. TOTP is well established and just works. If you need even more security FIDO2 devices like YubiKey are a thing.
It would be nice if that was a choice but SMS is unavoidable.
For the love of God, someone inform Citibank and Chase of this. My dinky little local credit union allows me to use TOTP, but Citi and Chase still only seem to support SMS.
Chase supports push notifications via their app now, so at least they’re moving forward toward something a bit more secure. But yes, I’m so pissed that so many banks use SMS when it’s known to be easily spoofed.
Requiring the use of their own app is only marginally better than not supporting it at all. I try to minimize the number of apps pn my phone, and banking apps are prime examples of a use case that can be completely fulfilled in a browser. Even if I used the app, I would prefer to be prompted for non-biomotric MFA each time I sign in anyway.
Yeah I can respect that, I have one bank where the only account I have there is a credit card now that I paid off my loan. Their app is terrible and half the time it doesn’t load on my home network because of all my ad and tracking blocking on my DNS server. I just want to check balances, you assholes. So yeah that one is strictly browser only for me.