>It is better if banks include a security warning / specific reason the code is sent with the password reset pins and similar credentials. My bank did not. Another Twitter user noted being subject to the scam, and just glancing over the warning copy. So it helps, but it is not perfect. Especially pre-coffee.
I'm seriously surprised there are banks that send SMS codes without a reason for the code. All banks I deal with always send the reason for the code. For example: "This is a new payee addition authorisation code. Last 4 digits of the payee's account number are XXXX, the code is: XXXXXX" or "This is a transaction authorisation code for the amount of $XX.XX, to an account ending in digits XXXX. The number is XXXXXXX."
I would seriously reconsider giving your business to a bank that doesn't do that.
Interestingly, there was an EU regulation passed recently that sets certain standards requiring 2FA for certain operations performed by bank customers. Having set up the 2FA auth app on an elderly relative's Android phone, having to set up a PIN to unlock the device (as this is one of the 2FA app's requirements), and then spending 2 hours explaining how to unlock the phone, how to use it with a tablet to log in, how to authorise payments, etc., I have mixed feelings. On one side, it is a pretty secure system that will lower the number of victims of fraud. On the other hand, it is a massive inconvenience for elderly people. I like the SMS verification system if done right. I think 2FA is a bit of an overkill.
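The point made in the comment above, that a code should say what it authorises, can be enforced server-side rather than left to the customer's reading of the message: derive the code from the transaction context itself, so a code issued for one payee or amount simply fails to verify for any other. The following is an added illustration written for this thread, not code from any bank or from the commenters; the key, nonce, function names and message wording are constructed assumptions, and the truncation step borrows the HOTP (RFC 4226) dynamic-truncation layout applied to a SHA-256 HMAC.

```python
import hashlib
import hmac
import secrets

# Constructed example key. A real deployment keeps a per-customer key server-side.
SERVER_KEY = secrets.token_bytes(32)


def mask_account(account: str) -> str:
    """Return only the last four digits, as the bank messages quoted in the thread do."""
    return account[-4:]


def otp_for_transaction(key: bytes, amount_cents: int, payee_account: str,
                        nonce: str, digits: int = 6) -> str:
    """Derive a code bound to exactly one transaction.

    The HMAC input is the context the customer is asked to confirm, so a code
    issued for one (amount, payee) pair cannot be replayed for another, and a
    code issued for a new-payee flow cannot authorise a transfer.
    """
    context = f"transfer|{amount_cents}|{payee_account}|{nonce}".encode()
    mac = hmac.new(key, context, hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226), applied to the 32-byte digest.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def sms_text(amount_cents: int, payee_account: str, code: str) -> str:
    """Compose the message so it states what the code authorises and
    exposes only the masked account number (hypothetical wording)."""
    return (f"Transaction authorisation code for ${amount_cents // 100}."
            f"{amount_cents % 100:02d} to an account ending {mask_account(payee_account)}. "
            f"The code is {code}. Do not share it with anyone, including bank staff.")


# Nonces already consumed; a real system would persist this with an expiry.
_used_nonces: set = set()


def verify(key: bytes, amount_cents: int, payee_account: str,
           nonce: str, submitted: str) -> bool:
    """Accept the code only for the original context and only once."""
    if nonce in _used_nonces:
        return False
    expected = otp_for_transaction(key, amount_cents, payee_account, nonce)
    if not hmac.compare_digest(expected, submitted):
        return False
    _used_nonces.add(nonce)
    return True


if __name__ == "__main__":
    nonce = secrets.token_hex(8)
    code = otp_for_transaction(SERVER_KEY, 12_50, "12345678", nonce)
    print(sms_text(12_50, "12345678", code))
    print("same context  :", verify(SERVER_KEY, 12_50, "12345678", nonce, code))
    print("altered amount:", verify(SERVER_KEY, 99_99, "12345678", nonce, code))
```

Binding the code to the context means a victim who is talked into reading a code aloud hands over something that only works for the transaction they were shown, which is the detection and containment benefit the descriptive message is meant to provide; the masked account number keeps the message itself from leaking the full payee identifier that the later comment in this thread objects to.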
Elderly are the most common subject of these attacks. So it is especially important to set strong protection for them. The inconvenience is regrettable but necessary.
I have seriously reconsidered giving my business to a bank that does do that: I'm not a fan of sending transaction amounts or account info via text. My bank does this (and over email!); their security posture is fairly decent otherwise, but why oh why send transaction amounts out into the world where they can be intercepted by anyone between here and there?
Think about the useful information for an attacker in messages like that: Recent transaction details can help an attacker auth on a call, account numbers can do the same. And large transactions are catnip, alerting attackers to worthwhile victims.