MFA Google Authenticator again? When?

Seen so many old threads about this.
Just set up 2FA Google Authenticator with Wise.
When are we going to have this option here?
99% of services offer this type of MFA now.

2 Likes

@CJD Hello :wave:

We hear you and understand the demand for Google Authenticator as an option! We’re actively evaluating different 2FA methods and will keep you updated on any developments. Stay tuned. :rocket:

Veda | Community team

2 Likes

While TOTP-based authentication undoubtedly can increase security, one of the downsides is that it can’t replace mandatory strong customer authentication for regulated financial service providers.

While TOTP apps can be used to increase daily log-in security, they’re not sufficient for mandatory strong customer authentication where all providers need to rely on an additional method like app binding or texts (SIMs).

Will it help to prevent phishing to the extent other mechanisms in place can’t? Taking over someone’s account already relies on more than SIM swap. Users often willingly provide SCA believing they’re in contact with a bank customer service agent, for example. TOTP doesn’t really help here. I like TOTP apps, I am just not sure if they are that useful in this context. Passkeys seem more promising in 2024.

2 Likes

Disclaimer: I am not an IT/cyber security professional, so read my post with that in mind.
I read about recent (2023) instances of Apple Pay fraud with Revolut which took place in my country.
All of them involved the victim having an iPhone and a Mac OS X device, then the victim’s Revolut card being fraudulently added to the scammer’s Apple Pay account, which in turn was used to empty the victim’s account (with cooperating retailers/merchants, hence alleged purchases with the amount of 100 euro, 500 euro and the like).
The suspected mechanics of the fraud is a remote access trojan (RAT) being installed on the victim’s OS X machine to 1) get card data and 2) use the mirroring/continuity feature of Apple (where you can see messages sent to your iPhone on your MacBook) to get the SMS OTP password which is needed to add a new card to Apple Pay.
Thereby no SIM swap is needed.

Question: in that case, could using something else instead of SMS to provide the OTP for Apple Pay prevent the fraud from taking place?

One more thing: Wise also makes it possible to selectively block the use of Apple/Google Pay on a card. Does Revolut plan to introduce that feature?
It would be handy to prevent frauds like the one described above.

1 Like

The critical part of the case you’re describing is that SCA was compromised here. They were able to “read” the text message necessary to add the card to their wallet.

Here’s what’s not clear to me: text messages aren’t automatically displayed on a Mac. Users need to manually activate text message forwarding in iOS settings for this to happen. It’s not the standard setting. (This applies to text messages — SMS, not iMessages.) So how did they get the text? Either the account holder told them on the phone — a very common method. Or they also had access to texts because the user activated text forwarding. RAT apps can also be installed on phones, but this is currently hard on iPhones and more common with Android.

The first attack vector — the user tells the code over the phone — is hard to prevent. It’s not specific to text messages, and works with most SCA methods.

The second attack vector can be prevented by the users themselves: deactivate text message forwarding to computers and only activate it for devices you trust or not at all.

1 Like

If I remember correctly, the RAT supposedly activated the text forwarding feature.
3 of the 4 victims of the case I read about subsequently found an SMS message on their phones about an OTP password for Apple Pay (which they did not care about at the time or disregarded as they did not request it - this was probably an error on the victims’ part).
These were the messages the attacker could read via text forwarding.

1 Like

This can only be activated on the device with the SIM card, not from the compromised computer. I was curious and checked this. The iMessage settings or the Mac OS settings have no option to switch it on.

Apologies: my initial response might be incorrect. There might be a situation where iMessages on the Mac shows a prompt to activate the feature. It might be a proximity thing. I am not sure. I wasn’t able to replicate it.

1 Like