Hello,
Having recently worked with several Spanish banks, I have noticed that many are abandoning SMS-based 2FA and forcing you to install a (proprietary) application on an Android or iPhone. Some banks won’t even allow you to operate remotely without the application. Others will let you, e.g., receive money but not send it, and limit the account’s functionality in various ways unless you install the application. These applications often do not work without Google Play Services on Android, and they are themselves riddled with spyware like the usual googletagmanager according to Exodus scans. In other words, you are forced to use a stock Android/iPhone, go through the official app store, and expose yourself not only to the third-party surveillance in the app itself, but also to the native surveillance on the device.
The story, which also appears to suffer from a whole bunch of copy-pasta on the Internet, is that SMS 2FA is not secure because of SIM swapping, except that many phone providers nowadays allow you to set up an OTP lock on the porting process, such that if somebody were to impersonate you and trick customer service, the system would send a one-time code to your phone/number, which you still own. Most people surely won’t bother doing this, but instead of passing legislation to force phone service providers to protect their customers, or adopting actual 2FA standards such as TOTP or WebAuthn, both of which are actual standards that allow free implementation by any interested party, and for which such implementations already exist, online services appear to have instead just called it a day on SMS 2FA, forced people into surveillance, and resorted to quoting NIST’s deprecation of SMS everywhere on the Internet. I am sure there are security experts in this forum who can shed some light on the security front, but in any case, security should not come at the expense of a loss of privacy, especially when alternatives already exist.
Has anybody noticed this trend in which you can no longer be a human being unless you subject yourself to this kind of surveillance? It’s getting pretty serious because it’s getting harder and harder to refuse to use the service on moral grounds; a bank service is pretty much essential.
Is the FSFE working on this front by any chance?
I am not sure what to do. For now, I have just been complaining to the customer service, which, more often than not, completely fails to understand the problem, let alone solutions, like I’m an alien from outer space.
Thank you,
Marc