I got into an argument with a Chase representative one day. Used to be you could use email (they added that option again) for 2FA, but they went to purely text. I complained and the drone told me it was more secure.
I said "An email address on my domain with a long password, my own DKIM keys, set specifically for you, all of the entry points protected by multiple passwords is less secure than SMS - a non-encrypted format that barely works, was never intended for what it's doing, being provided by a company that gets hacked so often that it's a joke? That is what you're telling me?"
Yes sir.
morons.
The SS7 exploit is a security travesty, but phone service providers never—at any point—agreed to be identity verification services.
Using SMS for authentication is popular not because it is secure, but because it lets free online services permanently ban people (you ban their phone number) and prevent them from making thousands of accounts. They also love getting more of your personal information. A bank should not be forcing its customers to use it.
They have my phone number already, that I'm not worried about - and changing phone numbers is as easy as going into my account online and saying "I want a new number." So even that is not a thing.
(post is archived)