There's a landlord/apartment portal where the whole login process has changed to be:
1. Enter username (e.g. an email)
2. Choose from either email or SMS on file
3. Enter the code you got somehow through the respective unencrypted channel
Given that this same site is involved with bank-account details for payment, I am concerned...
It’s really rich when banking/finance apps are fully happy doing 2FA to the phone when using its own browser…
Yeah — lose the phone and it’s pretty much game over.