• Midnight Wolf@lemmy.world
      link
      fedilink
      English
      arrow-up
      40
      ·
      edit-2
      9 months ago

      Or email OFA. Burger King, Popeyes (I know they are the same company), and just a bit ago, BuyMeACoffee. They let you enter a password; fuck if I know what their requirements are. No tooltip, no failure text. 60 char with special chars? Nope. (a few moments later) 20 chars with no special chars? Nope. Fuck it, let’s try 2FA. Get seed, generate code, go to setup verification page (on phone), first box, paste. ONLY THE FIRST NUMBER PASTES AND MY KEYBOARD CLOSES. SCREAMS

      (only factor authentication)

      • drolex@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        16
        arrow-down
        1
        ·
        9 months ago

        Nothing compared to BOFA, which is arguably even worse and a lot more stupid

        • grue@lemmy.world
          link
          fedilink
          English
          arrow-up
          28
          ·
          9 months ago

          For those who don’t know, the BofA app clears the username and password fields every time you switch to a different app, completely thwarting the use of password managers because Bank of America is apparently Hell-bent on forcing everyone to have easily-typed (and therefore easily-brute-forced) passwords.

          • Natanael@slrpnk.net
            link
            fedilink
            English
            arrow-up
            9
            ·
            edit-2
            9 months ago

            Android has password managers with keyboard app integration so you can paste both fields from the keyboard itself

            I use Keepass2Android and it’s own keyboard app for this. I switch active keyboard app when the login field shows up to paste and then switch back to my normal keyboard after

      • viking@infosec.pub
        link
        fedilink
        English
        arrow-up
        4
        ·
        9 months ago

        My bank has its own authenticator app, which doesn’t work on my phone. Piece of crap. They now enabled fingerprint login without additional 2FA somehow, and I can also authorise payments with biometrics. Only to change my limits, update address etc. I have to use the app (on an old Pixel 3a as a standby device just for this purpose).

        • Possibly linux@lemmy.zip
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          9 months ago

          I would change banks. Stuff like this is a reminder why letting government run such services is a bad idea. (I’m sure your bank isn’t state owned but still)

          • viking@infosec.pub
            link
            fedilink
            English
            arrow-up
            4
            ·
            9 months ago

            I can’t, live abroad and no bank I contacted would open accounts for non-residents.

            I have other accounts where I live, but all my investments and major holdings are sent back home.

        • Possibly linux@lemmy.zip
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          9 months ago

          For one that requires more training and support. However I think the biggest reason is that it is predictable and requires access to the device. You also can’t steal a phone number as easily as stealing poorly secured keys

          • KairuByte@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            5
            ·
            9 months ago

            Poorly secured keys usually still require device access, unless they are secured so poorly that the individual would be compromised in one of many other ways regardless.

            Stealing a phone number requires, at most, paying off an employee at a telco company. At best it just requires a call and some social engineering. And don’t forget, people who leave their phone laying around without a passcode exist.

            Now, neither of these are really options for a dragnet approach, they’d need to be targeted. But the fact that one can be done fully remote should be a red flag.

            • areyouevenreal@lemm.ee
              link
              fedilink
              English
              arrow-up
              0
              ·
              9 months ago

              The issue being what do you do when your phone gets stolen? You can get a new SIM with the same number easily. What’s the solution for TOTP?

              • KairuByte@lemmy.dbzer0.com
                link
                fedilink
                English
                arrow-up
                1
                ·
                9 months ago

                You’re misunderstanding. Totp apps require authentication to use them, be it a password or bio-authentication. SMS does not, it just requires the phone number.

                You can get the phone number through any number of ways, but it can be done remotely meaning no one ever interacts with you or your phone. Through various methods, they have your phone number transferred to a different phone, and then have the SMS sent directly to them.

                Totp apps (typically) have a backup system in place. 1password as an example, uses their servers to host the data. But you can also back that up. The chances of someone gaining unauthorized access to your Totp account comes down to your security, and which service is chosen. 1password again as an example, is fully encrypted, they can’t see your passwords, if you forget your security token, the only solution is to wipe the entire password store and start again.

                The difference in security is mountainous. It’s the difference between a single family home, and a bank vault.

                • areyouevenreal@lemm.ee
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  9 months ago

                  Yes and muggers ask you for your phone pin. Ask me how I know. I am guessing this is why you need a separate password when using 2FA

                  I see now that there is a backup in place for losing a phone. That’s primarily what I was concerned about.