Two-factor authentication: locked twice holds better

@POGO 1104

Each code variant has its advantages and disadvantages and there are still many shops today that send a code by email.

You could simply offer it as an additional variant with the Swisscom login.


Installations, networks, Internet, computer technology, OS Windows, Apple and Linux.

The variant I’m currently pursuing is the Yubico keys, and I am looking at where it could work anywhere with the provider. There is a lot of talk about this method on YouTube. Just by the way, even outside of Swisscom, I mean.


@Lowex

Foreign login keys are not the idea of your own Swisscom sheet form as there is then a greater risk of it being cracked.


Installations, networks, Internet, computer technology, OS Windows, Apple and Linux.

2FA with SMS is probably the least secure variant. Unfortunately, Swisscom only offers this and MobileID.

This also has the disadvantage if, for example, the cell phone is lost and nothing works anymore. I couldn’t even block my SIM myself.

It would finally be time for Swisscom to also allow TOTP via app for 2FA or, as far as I’m concerned, U2F via Yubikey, for example.

@WalterB I think you need to find out a little more about the Yubikeys. I think at the moment there is practically nothing safer for private users that is also easy to use.


thank you @CorinaS for this article on double locking 😀

“Errare humanum est, perseverare diabolicum”

“To err is human, to persevere [in one’s error] is diabolical”


“One sometimes learns more from a defeat than from a victory” — José Raúl Capablanca

@hed Yes, of course. But if you set the TOTP in iCloud or 1Password or Bitwarden, for example, then this doesn’t happen. Only if you save the app on a second device, for example.

With MultiDevice, SMS only works on 1 device. Just like MobileID!

And if you only have 1 key, it’s your own fault anyway. There are people who have a concept for such security matters and want to avoid SMS if possible. MobileID would certainly be useful, but unfortunately it is only limited to 1 device.


I actually don’t think 2FA only with SMS is a good idea, but if you have several Apple devices you can alleviate the problem a little with the Apple iMessage function “Send and receive via multiple devices”.

Hobby nerd with no economic ties to Swisscom

Oh my goodness, but 2FA via SMS to the same mobile phone is probably a bad joke!

How would it be if Swisscom offered a *real* and uninterceptable 2FA via the TOTP?

In my opinion, that would be a real security gain because a second device could be used for this. Sorry, 2FA via the identical device is probably a bad joke!

8 days later


Totally agree with you! Your approach sounds reasonable.

2 months later

@hed

The idea with TOTP is that you don’t have to do it via the identical device (read “App” / SMS / MobileID), but you can use any other Internet-enabled device for 2FA!

(Unfortunately, those responsible at Swisscom do not seem to want to realize that 2FA via both SMS and MobileID via the IDENTICAL device excludes the SECOND FACTOR per se.

But - as the saying goes: hope dies last! - Maybe those responsible at Swisscom will also snack on the tree of knowledge over time <hope>)

Addendum: The “aha effect” is likely to set in for those responsible at the latest when they themselves become victims of a mobile device being stolen/lost. From a security perspective, it was and is simply a stupid idea to want to chain everything to a single device! Comfortable? - okay SURE???? - in your (wet) dreams!!!!


@Herby

Thank you for the Apple commercial 😁

(there should also be people who have

  • neither the money
  • nor the opportunity
  • nor the desire to be brought into line “Cupertino-style”.)

The problem remains that 2FA without a real second factor is just a pious lie.

Addendum

And as soon as 2FA involves an American / Chinese / beat-me-dead / third party, it “died” anyway!


If you look back a bit…SMS was considered unbreakable and absolutely secure. There were banks that provided this as the only 2FA for their customers.

As an alternative, there was a token that showed a different code every 10 seconds.

If the user logged in to a fake website, the loss was limited to the respective account balance.

Then the unbelievable, unimaginable happened.

The user logged into a fake website and was asked to provide all sorts of data from the cell phone included in the online contract as part of a “security check.”

With this stolen data, the fraudsters were able to create a fake ID card so that they could, for example, identify themselves in a Swisscom shop.

A duplicate cell phone could then be obtained via the telephone company (keyword: multi-SIM).

Then set all the SMS messages to be sent to the other cell phone.

Thus:

1. Login to the real bank website with the data obtained via the fake website.

2. Since all the SMS messages are now sent to the other cell phone, the securities account and all the accounts can now be cleared out in peace and quiet.

With this “secure” login process, there were isolated gigantic losses of up to around a quarter of a million francs.

This was not possible with the other previously common login procedures, from the scratch list to that with the token - because you could only access the respective account balance.

The banks have now pushed CrontoSign - for some banks it is the only login procedure for customers.

What the fraudsters now have to do would be to steal the activation letter in order to integrate another device into the victim’s online banking.

Has that been achieved now? Damage would be just as gigantic here as with SMS.

Glotzologe

@Glotzologe

Which is why - in consultation with my bank - I shredded the activation letter and also rely on an offline token generator (ancient principle: knowledge and POSSESSION)

P.S. CrontoSign (the one with the colored QR codes) has been “history” for a long time, at least at my bank.


I have an even higher security level at the bank than “just” 2FA. I had the bank set the portal to read-only, so the savings account is protected and if it is stolen by hackers, full responsibility lies with the bank.

The payment transactions are carried out via Postfinance, where I logically also have write rights, but only as little money in the account as necessary. This means that the risk of loss is very limited even in the worst case scenario.


@hed

“full responsibility lies with the bank”

Have you read the terms and conditions? 😉

It usually says that the account holder (YOU) agrees to every transaction that was sent to the bank in compliance with the usual blah-di-blah settings.

I would be *very* surprised if Postfinance handled things differently!

(I prefer to trust a *real* regional bank where I can speak to someone in person - try that with Postfinance - “good luck”!)

but I’m going a bit off topic here - SORRY!


@Anonymous

According to the terms and conditions, in most cases the customer is liable if the account is “emptied” via the eBanking channel. The read-only case is not reflected in the general terms and conditions because there are only a handful of customers who have ever requested this, even at big banks.

I therefore had the bank confirm in writing that in the case of read-only access, the customer cannot be held liable, even if he handles the credentials carelessly.

And please read my post again carefully. At Postfinance I have write and read rights and therefore bear responsibility if the credentials are misused. That’s why I minimized the liability risk with PF by only keeping as little money as necessary in this account.

21 days later