Online bank One Finance removed my account's password in favor of only phone/email OTP and a 4 digit pin (lemm.ee)

submitted 8 months ago by Rexios@lemm.ee to c/cybersecurity@infosec.pub

12 comments fedilink hide all child comments

How is this legal? This has to be the most insecure login method I’ve ever seen. They removed the password from my account without consent and have no way to go back to requiring a password. Literally all an attacker has to do it gain control of either my phone/email and brute force a 4 digit pin. I’m going to have to change banks because of this.

Oh also I posted this on the bad version of Lemmy and the mod tried to claim that this method of auth is actually more secure than a password, posted a Wikipedia article about passkeys, and then locked the post… In no reality is it at all possible that this is more secure than a password.

So stay away from One Finance if you value your money

you are viewing a single comment's thread
view the rest of the comments

[-] Rexios@lemm.ee 11 points 8 months ago

I would argue that a phone number barely counts as “something you have” because of how easy it is for attackers to gain access if they really want it. It’s more like “something your cellphone company has and lets you use”. I would rather have email 2FA over SMS because that account actually has a strong password and real 2FA on it. The truly terrible part is you can’t disable either auth option so any attacker has two attack vectors.

this post was submitted on 03 Mar 2024

33 points (92.3% liked)

cybersecurity

3231 readers

1 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!

founded 1 year ago

MODERATORS

shellsharks@infosec.pub

tweedge@infosec.pub