The banking sector is EXACTLY where "cyber 'security'" and "compliance" will mandate for this to be implemented.
When I worked a bank at $oldjob, compliance mandated we had a full-blown anti virus engine (from Microsoft or McAfee, "at your option") deployed in quasi-ephemeral container images.
It does not have to be reasonable, it doesn't have to be a net positive - it just has to tick some box on some compliance sheet for this to be required, and I will never again be able to perform a banking transaction from my personal computer or degoogled phone again.
So what, let's not worry about it until after it's implemented when it's a 10,000 kg gorilla, instead of trying to nip it in the bud now? Is the world going to end tomorrow so lets just eat, drink and be merry for tomorrow we die?
Now is the time to fight this. It will impossible to unravel it once it's been implemented.
> Most banks have barely implemented 2FA, and when they have, they implement SMS.
One reason I slightly swallow my guilt at having a savings account with Goldman Sachs (marcus.com) is that they offer email-based 2FA. I closed my savings accounts at Chase when they enforced SMS-only 2FA.
BTW, I feel slightly less guilty about saving with these banks instead of my actual credit union after my brother-in-law (who has been in the CU world for decades) told me that if a credit union can't offer competitive savings rates, it means they are lacking in opportunities for significant local lending.
That's the problem. They do implement things, and they do them in the worst possible way.
My bank forces me to 2FA trough SMS when I connect from a new IP range. This means that I can't do any banking through them when I'm outside of my country.
I wish they just didn't implement any form of 2FA instead. That would be better than the current situation.
When I worked a bank at $oldjob, compliance mandated we had a full-blown anti virus engine (from Microsoft or McAfee, "at your option") deployed in quasi-ephemeral container images.
It does not have to be reasonable, it doesn't have to be a net positive - it just has to tick some box on some compliance sheet for this to be required, and I will never again be able to perform a banking transaction from my personal computer or degoogled phone again.