At this point in 2019, we’ve all dealt with some flavor of two-factor authentication that uses SMS one-time passcodes. We attempt a sign-in and see a prompt that tells us that a six- (or nine-, or four-) digit PIN is being texted to us, and that we have to enter it to proceed with our login or password change. It’s a mild piece of friction, but it’s not terribly onerous and is doing something useful: keeping consumers safe.
Unless, of course, it isn’t. SMS one-time passcodes are more of a risk than most consumers realize, Boku CEO Jon Prideaux told Karen Webster in a recent conversation. The consumer thinks their bank is sending them a unique code that only they can directly access — but the reality is a little different.
A fraudster doesn’t always have to hack a phone to access a user’s identity and information — they can hack the person.