Banks do offer 2fA, its just not normally offered to home users. Commercial accounts can request it and they give you those nifty RSA key cards with an 8 digit code that changes every 30 seconds. I can get it for my BofA business account if I want.
Nonsense. SMS is vulnerable. But there is zero loss of security because 2FA is an independent layer.
What will actually happpen is that 2FA will increasingly use security keys and authenticator apps.
In other words, it’s an extra layer that doesn’t provide extra security on its own. The
“other stuff” that actually does increase security doesn’t need SMS. That’s definitely “security theater”.
No, that’s wrong.
Putting aside your conflating 2FA and SMS, if you have an independent but vulnerable security layer, it still adds security. Indeed, all security is vulnerable. We achieve reasonable levels of security by combining and overlapping vulnerable systems.
Canadian police shocked me when about 13 yrs ago I bought a camera on eBay from an online vendor. When more than reasonable time had passed and he was coming up with excuse after excuse, I found out that there os some sort of federal online fraud division. I emailed them with copies of the transactions and communications with the vendor.
The following day the scoundrel refunded my money and begged me to withdraw my complain. I am not Canadian, and was not in Canada.
Long live the Mounties!
Oh, my bank uses a password, randomly rotated questions, AND a physical key generator that expires every two years.
My bank has has armed guards.
I’m not sure how someone would go about spoofing me at the counter of my bank, but if I need to use their online banking I enter a username, then a PIN to log on and if I need to setup a new payee etc then they ask for use of one of those little one time code dongles.
Pretty much the equivalent of what Google asks me to do with their authentication app or checking when email on an Android device which requires the phone or tablet to be unlocked first.
I remember my bank sent me a letter to inform me that I was using their app on a new device :dubious:
That’s actually a form of 2-factor. If a bad guy has a device with your info on it, he has probably compromised your email too. So any notification by email would probably be diverted / deleted before you ever saw it.
Snail mail is a different channel and the bad guy needs to physically be in your town to hijack it. Yes, some of the horse (=$) may be gone from the barn (=account) by the time you get the mailing. But at least you’ll get it. Which may mean most of the horse is still in the barn.
Understand that nowadays the banks are not facing just ordinary low-lifes who mug people for their mobiles or who skim cc numbers from wherever they waitress or tend bar.
Instead they’re fighting organized crime using thousands or millions of stolen people’s records simultaneously. IOW, crime at scale. It is impractical / impossible for the Bulgarian mafia to send goons out to remove paper mail from your physical mailbox. It’s trivial for them to ensure any bank emails disappear instantly.
So the bank’s policy of sending snail mail isn’t directly protecting you for just your own sake. It’s protecting all their customers against that bank being successfully targeted for an *en masse *long-running theft campaign.
I agree Gmail is designed to access it on different computers like home computer, work computer, library computer and cafe computer and so on.
So there is no way Gmail will flag log in and send it to the police just because you have other IP address.
Most likely he hacked her account and she reported strange activity if he deleted or move some thing in the Gmail.
Even opening e-mail and reading will marked it as read would show some one has hacked that account. If I checked my e-mail and it marked read and I never open it!! I would think some one may be reading my e-mail.
Lots of people go on vacation and use their Gmail. There no way it going to flag it and sent it to the police.
Some thing does not add up with OP story.
Cr. context of the OP, not something outside this thread.
And if the “extra” layer is not actually extra, merely different, and isn’t secure, then it most definitely isn’t good.