Websites as platform can't solve a problem that's social in nature - that it's allowed and accepted for organizations to have such excessive, invasive levels of control.
The parties I accuse of driving this problem didn't suddenly go rogue when smartphones happened. They always wanted this level of control (and much more) - they just couldn't get it until relevant technologies matured enough.
I'm not speculating here - we have actual empirical evidence to confirm this. A clear example is that there are several countries that, unlike the US and most of Europe, went all-in on Internet banking back before smartphones. Web limitations and conventions didn't stop them from doing the same thing everyone is doing with the phones now - the banks there just force customers to install malware on their computers, so they can do some remote attestation and KYC (and totally no marketing data collection) on their PCs.
Most of the West never had this because of the inverse of leapfrogging phenomenon - big, developed economies had too fast progress and at the same time too much inertia to fully adopt a pre-smartphone solution nation-wide.
My bank had website which I can log in and just use. It does not force me to install anything. I need to type username, password and SMS code, that's about it.
Every org doesn't provide that choice. If your child's activities class only communicates via an app and that is the only option in a given radius, rejecting that will mean you child doesn't get to do their activity. There are other examples that are more way more serious and make avoiding installing apps infeasible.
Because your bank isn't even trying to be secure, relative to what's considered industry standard.
Be grateful while it lasts.
Why do you think their bank "isn't even trying to be secure"?
Because SMS is not considered a secure 2FA mechanism anymore, and hasn't been for a while. If that's the default for that bank, and not GP going out of their way to pick a legacy access path, then they're about a decade behind what's considered industry standard -- which today is querying a second factor not just per login, but also per important operations (money transfers, dispositions, changes in settings), with the second factor being by default a smartphone with hardware and software integrity verified via remote attestation.
Then literally every US business and government is not trying to be secure. I cannot name a single organization that does not have the option of or requires SMS 2FA.
I think the government and large businesses like it that way, as it makes the mobile network providers as a sort of credit check (or “are you worth dealing with”) mechanism.
Now that is more of a problem than a bank. Which is why someone beeds to integrate OTP tokens into ID cards, closing the issue.
I haven't heard a compelling reason why remote attestation is more secure.
The whole point of 2FA was to have two devices that you own. Now the bank is forcing your login and 2FA to be on the same device. Which is the easiest device to steal.
What about SMS is somehow worse than that?
It's fairly easy to get control of anyone's phone number without interacting with them in any form. Just some social engineering at the kiosk in the mall.
It is extremely common for people's phone numbers to be stolen (even if temporarily), and then their bank accounts drained.
> Just some social engineering at the kiosk in the mall
What scenario does a kiosk at the mall get control of my phone number but not control of my phone? I don't see how remote attestation solves anything here. Does the bank suddenly know a stranger is holding my phone?
We go from me needing to open a web browser on my computer and getting verified on my phone, to now my most important operations have to be from my phone. That's worse.
I am not arguing for some alternate solution. But sim swap attacks are common and relatively easy to do [1].
> The scam begins with a fraudster gathering personal details about the victim .... the fraudster contacts the victim's mobile telephone provider. The fraudster uses social engineering techniques to convince the telephone company to port the victim's phone number to the fraudster's SIM. This is done, for example, by impersonating the victim using personal details to appear authentic and claiming that they have lost their phone.
SMS 2FA should simply not be used if one cares about security.
[1] https://en.wikipedia.org/wiki/SIM_swap_scam
> What scenario does a kiosk at the mall get control of my phone number but not control of my phone?
You can e.g. smooth-talk the customer service at a kiosk to give you replacement SIM card for the one you've "lost".
This is why banks increasingly don't trust your phone number, and their apps tie themselves to the phone itself, i.e. to hardware and OS IDs. But to trust those IDs, they need the phone to pass remote attestation.
Uh, banks still provide separate tokens and one time pad cards last I've heard.
If yours doesn't, pick one that does.
The larger point here isn't whether they do, but that they'd rather not. They want you to rely on their app, and have been pushing people to it for years now (some more intensely than others).
> clear example
> several countries
Doesn't name a single one
...
South Korea is, the go-to example I've seen brought up on on HN many times over the years. AFAIR, they used to legally mandate ActiveX controls to access banking and government portals, and that practice continues to date even though the legal mandate was dropped. From what I read, there's still a set of applications that are commonly required to access banking and tax filing services, that purport to provide a degree of remote attestation and "security" (firewalls, detection of keyloggers and screen capture), and to access digital certificates.
Brazil is another example - ironically, the software suite that's commonly required for banking is named after the capital of the country I live in :).
Some quick searching now also flags Slovenia and Serbia as places where some banks require custom desktop (or even Windows-specific) software to access banking services.