My bank has two-factor authentication using some special applet thingy on my phone (not a regular app, it's tied into the SIM card somehow). It shows me the details (amount and destination account), which I have to confirm using my password (in combination with a key from the SIM).
Much more difficult to circumvent, assuming the user pays attention...
Then the malicious script can just pop up an official-looking dialog box with a message saying that they are 'testing' the confirmation system, and please accept/agree to the next SMS/alert from the app.
Having direct control of the user interface is very powerful.
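To make the two points above concrete (the SIM-bound transaction confirmation from the first comment and the "we are testing, please accept the next alert" trick from the reply), here is an added Python model of such a scheme. It is not the bank's real protocol or code from anyone in this thread: the key derivation, the message layout, the nonce and all account numbers and amounts are assumptions chosen for illustration. The phone side MACs exactly the transaction it displays, the bank side checks that MAC against the transaction it is about to execute, and the four scenarios show that a tampered transfer is caught only when the user compares the displayed details with what they intended.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    dest_account: str
    nonce: str  # bank-issued per-request challenge so an old confirmation cannot be replayed (assumed)


def canonical(tx: Transaction) -> bytes:
    # Fixed field order and a separator that cannot appear in an account number, so the
    # MAC covers an unambiguous encoding of amount + destination + challenge.
    return f"{tx.amount_cents}|{tx.dest_account}|{tx.nonce}".encode()


def confirmation_key(sim_key: bytes, password: str) -> bytes:
    # Assumption: applet and bank derive one MAC key from the SIM secret and the user's password,
    # so neither the password alone nor a cloned phone without the SIM is enough.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), sim_key, 100_000)


def applet_confirm(key: bytes, shown: Transaction,
                   user_accepts: Callable[[Transaction], bool]) -> Optional[bytes]:
    """Phone side: display the transaction and, only if the user accepts, MAC exactly what was shown."""
    if not user_accepts(shown):
        return None
    return hmac.new(key, canonical(shown), "sha256").digest()


def bank_verify(key: bytes, submitted: Transaction, confirmation: Optional[bytes]) -> bool:
    """Bank side: the confirmation must cover the transaction the bank is about to execute."""
    if confirmation is None:
        return False
    expected = hmac.new(key, canonical(submitted), "sha256").digest()
    return hmac.compare_digest(expected, confirmation)


def run_transfer(key: bytes, submitted: Transaction,
                 user_accepts: Callable[[Transaction], bool]) -> str:
    """The bank receives `submitted` (possibly altered by malware in the browser),
    pushes it to the applet for confirmation and executes only on a valid MAC."""
    confirmation = applet_confirm(key, submitted, user_accepts)
    return "EXECUTED" if bank_verify(key, submitted, confirmation) else "REFUSED"


# Constructed sample data: a placeholder SIM secret, an assumed password and two fake IBANs.
SIM_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")
KEY = confirmation_key(SIM_KEY, "correct horse battery staple")
NONCE = secrets.token_hex(8)
INTENDED = Transaction(5_000, "NL91ABNA0417164300", NONCE)      # what the user typed: 50.00 to a friend
ALTERED = Transaction(500_000, "DE89370400440532013000", NONCE)  # what the malware actually submitted


def attentive_user(intended: Transaction) -> Callable[[Transaction], bool]:
    # Accepts only if the displayed amount and destination match what they meant to send.
    return lambda shown: shown == intended


def tricked_user(shown: Transaction) -> bool:
    # Believes the fake "we are testing the confirmation system" overlay and accepts whatever appears.
    return True


def scenarios() -> dict:
    return {
        # Untampered transfer, attentive user: MAC covers the right transaction.
        "honest": run_transfer(KEY, INTENDED, attentive_user(INTENDED)),
        # Malware swapped amount and account; the applet shows the swapped values and the user declines.
        "mitb_attentive": run_transfer(KEY, ALTERED, attentive_user(INTENDED)),
        # Same swap, but the overlay talked the user into accepting: the MAC is valid, crypto cannot help.
        "mitb_tricked": run_transfer(KEY, ALTERED, tricked_user),
        # Malware without the SIM key cannot produce a confirmation the bank will accept.
        "forged_mac": "EXECUTED" if bank_verify(KEY, ALTERED, secrets.token_bytes(32)) else "REFUSED",
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:15s} {outcome}")
```

The design choice worth noting is that the applet signs what it displays rather than what the browser claims was entered, so a man-in-the-browser that alters the amount cannot also alter what the user sees on the phone. The last two scenarios are the reply's point: once the attacker controls the user's expectations, the user approves the attacker's transaction and the bank receives a perfectly valid confirmation.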