Setting limits to zero is kind of defeating the purpose of having a card in the first place.

The better solution is to have a bank with good reputation that expends effort in making your transactions safer.

My bank:

- has their cards well issued (and I know this since I have worked as a credit card terminal developer for many years, I know every detail of how cards are personalized, and I have designed actual security systems),

- sends me a code to verify my internet transactions (remember not to use your phone to do internet transactions!),

- processes chargebacks without fuss unless there is a reason to suspect the cardholder is trying to defraud the merchant.




> remember not to use your phone to do internet transactions!

Do you have time to explain?

I'm aware of the problems with using SMS as 2FA, but if I understand you correctly you mean something else?

(Around here most banks demand we use BankID, which is typically downloaded to the SIM card in the phone.)


You should never use the same device to perform transactions and receive your codes. The security of the scheme lies in using two separate devices under your control.

If you were to enter your credit card details on the same device you use to receive codes (most likely your only mobile phone), an attacker with some kind of malware on it could first steal your card information and then use your phone to receive the codes to complete the transaction.

This requires infecting just one device, so basically as a fraudster you create malware and wait for people's phones to get infected. Then you defraud those who use their phones for credit card transactions and either don't need separate codes to complete the transaction or use the phone for this.

It is much more difficult to get two devices used by the same user infected. This typically happens only in targeted attacks and is rarely seen.

My colleague at one of the companies I worked for lost the money he had saved to buy a flat this way. He got his phone infected with malware, and then over a few days all his money was sucked out of his account in a series of increasing transactions.


Many banks supply you with a hardware security token.