> If Payoneer was using SMS-based auth codes, then it was clearly Payoneer's error for doing something so incredibly stupid.
It's sort of ironic that the Krebs article indicates that these dudes were specifically targeting the "most secure" OTP methods we know: authentication apps, rather than SMS or email codes.
They were simply using social engineering and human trust to bypass the industry's best technical practices.
SMS and email are side-channel communications, so the attacker would need to intercept them, and hopefully suppress the legitimate receipt as well. I'd get kind of worried if my bank sent me an unsolicited code. But a consumer may be more credulous when their "bank" calls in to request one from them...