You have to think of a Bank's threat model though.
Account compromise is one threat, but the use of valid accounts for money laundering is another. In my view the reason they "get it wrong" is because they don't want you to be able to automate transactions, as that makes money laundering easier...
Therefore, they don't want to use standard TOTP because that's easy to automate.
Requiring SMS based 2FA is harder (but not impossible, use a modem or maybe an SMS service.)
And requiring a special app is quite difficult to automate.
Also, people usually underestimate the problems of TOTP. Losing TOTP is easy. Lose your phone and it's gone. It means game over for a regular person. SMS is light years ahead in terms of ease of recovery. Even after losing your phone, you can stop by a store, activate your SIM back again with your ID. Not the case with TOTP.
Yes, some of the SMS recovery scenarios can make hackers hijack your account easily too, but cell operators have workarounds in place for that. It's getting better.
I don't even know how recovery scenarios work for passkeys.
Whether it is easy or possible is irrelevant. For the 99.7% of the world that isn't a software developer, the real-world observed use case will predominantly be the least-friction commoditized workflow. People mostly have one phone with one authenticator app, and that's what they'll use.
Syncing the TOTP credentials from a cloud account of some sort (iCloud/Google for the masses, Bitwarden or another password manager for more technical users) to the device.
As a fallback recovery mechanism, offline backup codes generated at the time the TOTP is applied to the account.
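As an added illustration of the enrolment flow described above (this is example code, not from the thread or any bank), the snippet below enrols a TOTP secret and at the same time issues single-use offline backup codes. The codes are stored only as salted hashes, the TOTP check rejects replayed counters, and the secret and salt values are constructed for the example.

```python
"""Added example: TOTP enrolment plus single-use, hashed backup codes."""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: int, last_counter: int,
                step: int = 30, skew: int = 1):
    """Accept +/- skew steps, but never a counter already used (no replay).
    Returns (accepted, counter_to_persist)."""
    counter = now // step
    for c in range(counter - skew, counter + skew + 1):
        if c > last_counter and hmac.compare_digest(totp(secret, c * step), code):
            return True, c
    return False, last_counter


def hash_code(code: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked table does not yield usable codes."""
    return hashlib.pbkdf2_hmac("sha256", code.strip().lower().encode(), salt, 50_000)


def issue_backup_codes(salt: bytes, n: int = 8):
    """Generated at enrolment time. Plaintext is shown to the user once;
    only the hashes are kept server-side."""
    plain = [secrets.token_hex(5) for _ in range(n)]  # 40 random bits each
    return plain, {hash_code(c, salt) for c in plain}


def redeem_backup_code(code: str, salt: bytes, stored: set) -> bool:
    """Single use: the matching hash is deleted so the code cannot be replayed."""
    h = hash_code(code, salt)
    for stored_h in list(stored):
        if hmac.compare_digest(h, stored_h):
            stored.discard(stored_h)
            return True
    return False


if __name__ == "__main__":
    salt = secrets.token_bytes(16)          # constructed per-account salt
    codes, table = issue_backup_codes(salt)
    print("show once:", codes, "| redeem ok:", redeem_backup_code(codes[0], salt, table))
```

The user should be told to print the codes, since losing both the phone and the codes leaves only the bank's manual recovery path.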
Then you make Google/iCloud the point of entry to someone's bank account. That completely changes the threat model for customers, and possibly for worse than SMS.
Offline backup codes, when printed, aren't such a bad idea. But when you lose that piece of paper, again, game over.
SMS is fantastically resilient to these scenarios. There's a reason banks insist on using it.
SMS isn't resilient to the worker at the local retail store for the phone carrier giving someone else a SIM for my phone number. That's a much bigger threat vector than Google/iCloud/a sync target I manage storing an encrypted version of the TOTP credentials.
If I lose my phone I can go to the office of my carrier, present my ID and receive a new SIM with the old number[0]. If Apple/Google decide that I'm not their customer anymore then I have literally zero ways to recover anything from them.
[0] and half a year later the bank would finally find out about it and block the SIM 'to prevent fraud' at the most inconvenient time. But again, it's solvable with a visit to the office and an ID.
How realistic is this threat? I would think that the employees would have to jump through hoops that require you to be present (or at least a lot more of your info to be stolen than just your name and number) and that the home network would detect a duplicate E.164 number with conflicting IMEI/IMSI numbers and locations pretty quickly.
This is more like confused deputy than collusion (though that can happen as well), but nevertheless the end result is somebody else ends up with your number, and your device gets deactivated.
We're talking about recovery mechanisms, not day to day regular banking interactions. Ultimately, if there isn't a physical branch you can show up to easily, your access recovery time might be pretty inconvenient. This would be a good thing to consider when selecting a bank.
Online only banking is fairly popular for traditional banking services, and wildly popular when you consider money transmitters, lenders, and investment brokerages.
Whatever the problem you think they have with authentication resets -- much of the financial market seems to have solved the problem well enough without in-person resets to have successful mainstream businesses.
Yes, but remember, the original scenario was person leaving Canada, and trying to use their Canadian bank account from the US. There is nowhere to show up. But, if they could swallow SMS roaming costs temporarily, they could access to their account easily.
MFA is more than 2FA. You'll typically mandate several ways to get in, ahead of time. Whether a third logical device or printing out recovery codes. For something as important as a bank, folks will comply.
The biggest hurdle to money laundering is getting past KYC at the creation stage, which requires you to have stolen identities and/or identity documents, getting past the anti-fraud gauntlet, and probably intercepting any documents/cards that get mailed. Setting up a device farm that can receive SMS OTPs is simple by comparison. All you need is a $60 Android phone and an app with SMS access.
There are ways of getting phone numbers that can be used in automation. Then there's SIM cloning, which is apparently very easy to do and very hard to defend against given how often this happens.
Because the government said so. Why did the government say so -- because the bank is the only place that can see your transactions and has a profile on you and has a dedicated person to call you and ask about that cash withdrawal on the Turkish side of the Syrian border or regular cash deposits of 100k each week in addition to your cop salary.
Alternatively you can just not do anything with money laundering and all that or let the government do the monitoring itself.
HSBC determined its retail banking operations in NA were not worth it any longer due to the liability they faced after their high-profile money laundering scandal [0].
Because look at what happens when the government thinks you don't care enough about money laundering. TD Bank recently got hit with a $3 billion fine.
> More than 90% of transactions went unmonitored between January 2018 to April 2024, which “enabled three money laundering networks to collectively transfer more than $670 million through TD Bank accounts,” according to a legal filing.
Similar insofar as using e-ink, but they're battery operated (from what I can tell). The "coolness" of what I'm talking about would come from being a completely passively-powered device.
I use amaysim’s 50GB data pack, at $65 for 28 days, and on the Optus network. In the country town of Stawell (a few thousand people), I get roughly 23/12Mbps. I’m moving to Navarre soon (about a hundred people), and get about 45/15Mbps there.
For me, living by myself and working from home most days, it’s substantially better than ADSL2+, as it’s faster, more reliable, doesn’t lock me into any contract, allows me to use my internet supply from other places as well, all for the same price as ADSL2+ (which is admittedly generally $10–20 per month dearer in the country for a given service level, and at this price point would include 100GB instead of my 50GB, but I simply don’t need that).
Hey Chris, I just moved from Ararat. I never would have expected to see another regional western Victorian on HN!
For reference, Stawell has a population of 6,000 while Ararat is about 8,000. The towns are approx 30 minutes drive distance away. The world is smaller than I thought.
In Ararat it’s almost better to go with 4G. While you get decent caps (1000G/m for AUD$90) the problem is that the internet drops out every time it rains.
I can’t imagine running a business that requires internet access in regional Australia, good on you for finding a way!
I grew up in Melbourne, but preferred the idea of living in the country, so I made it so. (I’m employed by FastMail and head into the office every couple of weeks or so; I told them of my plan to move into the country before they hired me.) When I was first planning it, I had been considering NBN essential, but shortly before actually moving here it occurred to me that regular 4G was actually quite suitable—better than ADSL2+, a test rapidly revealed. My experience with about five months of depending on 4G in Stawell is that apart from a period of about five days where the supply was dodgy (mostly usable, but no more), the Internet supply is at least as reliable as I ever got from ADSL2+ in two locations in Melbourne—where running a ping all day typically has zero packet loss. And ADSL2+’s reliability was never superb.
Your 1TB/$90 and rain dropout refers to ADSL2+, does it not? I haven’t noticed any problems with rain and haven’t seen any caps anywhere near that high on 4G.
Well, now I’m buying in Navarre, which isn’t covered by NBN at this stage (hence it wasn’t in my initial dragnet) but does have an Optus 4G tower, and thus great internet supply.
You're right, I was using ADSL2+ and we were connected to a pillar where we were the only ones using it (50 pair). We reported a fault but rather than fix the problem properly they just hooked us up to another pair. The justification was "well you'll have NBN soon".
It's not exactly 'cheap', but if you need 100-140Gb a month there are data only sims for $70 monthly from Optus and resellers. They guarantee minimum 12Mbps supposedly. In metro areas with the latest LTE modems people are pulling 200Mbps down.
If you need lots of data though, the cost becomes less viable.
When I was investigating this stuff six months ago, I believe these plans were somewhat different (and indeed the Critical Information Summaries for them seem to have dates of May and July), with only the first month being cheaper or having as much data or something. (That the month-to-month one still uses the wording “$70 for the first month” on the marketing page makes me uneasy, but I don’t think there’s a catch, I think it’s merely outdated wording.)
Vivid Wireless offer unlimited 4G data capped at 12 Mbps for $90 a month. It's on the Optus network so your experience will depend on what the coverage is like where you live.
> Whilst the Vividwireless service uses the Optus 4G Plus network, it is designed to be used in the home and its data speeds are different to mobile and mobile broadband speeds on the Optus 4G Plus network. In metropolitan areas where you connect to 2300 MHz coverage at your nominated address, download and upload speeds of up to 12/1Mbps are available.
> Otherwise in other compatible coverage areas, download and upload speeds of up to 5/1Mbps are available.
So, 12/1 or 5/1 rather than 23/12 or 45/15 as I tend to get out in the country on the same network.
Yes, hiding this information in there is misleading, because people aren’t generally aware of what the different frequency bands and relevant 4G technologies (TDD/FDD) mean and think that “4G” is just one thing.
Useful to know. I was considering moving over to them to save money on my ADSL2+ connection. My area has fantastic 4G speeds without any congestion issues as it's semi-rural and I was expecting them to be quite good.
Have been with vivid for about 12 months, was supposed to be a temporary arrangement while I waited for my building's strata to fix the internal wiring between my apartment and the MDF in the basement. All of the NBN horror stories and the strata's malignant incompetence mean I'm still using it and it's pretty solid in my experience.
I'm in central Sydney and normally average around 10mbps down