
I think the parent post meant that whoever reviews your bank's 2FA and says "that is good" would also look at the SMS system and say "that is good".

If they are only doing it to tick compliance boxes then there is probably not much motivation to do it better. Those systems are security theatre.



Yes, I understood what the parent post tried to say, and just wanted to provide a counterexample which is not security theater in its nature.

Ah, also the same bank doesn't send SMS anymore. Everything arrives in their app. They only fall back to SMS if the app fails to acknowledge receiving the notification, which happens once a year?

Also, banks do not mail financial information by default to prevent wiretapping by 3rd parties.


How does wiretapping affect mail?


Email, unless you encrypt it yourself, is not encrypted at rest. This means any mail server or relay which your email lands on can be openly mined and analyzed transparently, and without any evidence (which is how GMail works, BTW).

If you're sending sensitive financial information over the mail, it can be read, classified, tied to you and be used against you if required.

So, we have a directive to not email anything financial to the recipient by default.




