
thefounder | 6 days ago

The main issue is the bank using SMS and OTP apps instead of something like passkeys, mandatory in bank setup.

RobotToaster | 6 days ago

One of my banks uses a card reader and PIN to log in, which seems more secure.

microtonal | 6 days ago

PINs can still be phished. Just make the phishing site a live proxy resembling the real site.

A fundamental difference with e.g. FIDO2 (especially hardware-backed) is that the private credentials are keyed to the relying party ID, so it's not possible for a phishing site to intercept the challenge-response.

thefounder | 6 days ago

That's just as bad. You need to take the human error out of the equation.