from Hacker News

Ask HN: Secure messaging to solve phishing scams

by helghardt on 7/29/23, 6:51 AM with 4 comments

Let’s use banks as an example, but it applies to other services too. Why do banks rely on emails and sms to communicate login alerts, password changes, transaction confirmations and even promotional alerts?

It is sooo prone to phishing attacks! HTTPS helped us confirm the website we visit is legit, along with being confident the data transmission is encrypted. Everyone managed to fall in line adopting this standard and relying on a certificate authority sitting in the middle.

Taking this one step further, why have banks not tried to create a secure messaging service where a certificate is issued and associated with your website to validate authenticity?

Furthermore, the messaging service could be opt-in only, offer more accurate labelling of incoming messages, etc.

So my question is why does such a messaging standard/service not exist, has anyone tried but failed?
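As an added illustration (not code from the thread or from any bank), here is the shape of the "certificate associated with your website" idea in the original post: the bank signs each notification with a key whose X.509 certificate names the bank's domain, and the customer's app only accepts messages that verify under a certificate for the domain it enrolled with. The domains `bank.example` and `bank-secure.example`, the message fields, the 300-second freshness window and the self-signed certificate are all assumptions made for this example; a real deployment would have the certificate issued by a public CA and would also chain-validate it, exactly as HTTPS does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Notification is what the bank pushes to the app instead of an SMS (field layout is an assumption).
type Notification struct {
	Origin    string // domain the message claims to come from
	Type      string // e.g. "login_alert"
	Body      string
	IssuedAt  int64  // unix seconds, covered by the signature so replays can be aged out
	Signature []byte // Ed25519 signature over canonical()
}

// canonical gives a fixed-order encoding so Origin and IssuedAt are signed, not only Body.
func canonical(n Notification) []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%s\n%d", n.Origin, n.Type, n.Body, n.IssuedAt))
}

// issueCert builds a self-signed certificate whose SAN is the sender's domain.
// Self-signing only keeps the example offline; in practice a public CA would issue it.
func issueCert(domain string, pub ed25519.PublicKey, priv ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sign is the bank side.
func sign(priv ed25519.PrivateKey, n Notification) Notification {
	n.Signature = ed25519.Sign(priv, canonical(n))
	return n
}

// verify is the app side: accept only if the certificate is for the enrolled domain,
// the message claims that same origin, the signature checks, and the message is fresh.
// A production client would additionally run cert.Verify against trusted roots.
func verify(cert *x509.Certificate, enrolledDomain string, n Notification, now time.Time) error {
	if err := cert.VerifyHostname(enrolledDomain); err != nil {
		return fmt.Errorf("certificate is not for %s: %w", enrolledDomain, err)
	}
	if n.Origin != enrolledDomain {
		return errors.New("message origin does not match enrolled domain")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate expired or not yet valid")
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return errors.New("unexpected key type in certificate")
	}
	if !ed25519.Verify(pub, canonical(n), n.Signature) {
		return errors.New("bad signature")
	}
	if age := now.Unix() - n.IssuedAt; age < 0 || age > 300 {
		return errors.New("message outside freshness window")
	}
	return nil
}

// Result records which constructed messages the client accepted (true = accepted).
type Result struct{ Genuine, Tampered, WrongOrigin, Stale bool }

// Demo runs a genuine message and three forgeries through verify.
func Demo() (Result, error) {
	const bank = "bank.example" // assumed enrolled domain
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	cert, err := issueCert(bank, pub, priv)
	if err != nil {
		return Result{}, err
	}
	// Attacker controls a lookalike domain and holds a valid certificate for it.
	apub, apriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	acert, err := issueCert("bank-secure.example", apub, apriv)
	if err != nil {
		return Result{}, err
	}
	now := time.Now()
	genuine := sign(priv, Notification{Origin: bank, Type: "login_alert", Body: "New login from a new device", IssuedAt: now.Unix()})
	tampered := genuine // valid signature, body rewritten in transit (constructed phishing text)
	tampered.Body = "Your account is locked, call +1-555-0100 now"
	spoofed := sign(apriv, Notification{Origin: "bank-secure.example", Type: "login_alert", Body: "Verify your details", IssuedAt: now.Unix()})
	stale := sign(priv, Notification{Origin: bank, Type: "login_alert", Body: "Replayed alert", IssuedAt: now.Add(-time.Hour).Unix()})
	return Result{
		Genuine:     verify(cert, bank, genuine, now) == nil,
		Tampered:    verify(cert, bank, tampered, now) == nil,
		WrongOrigin: verify(acert, bank, spoofed, now) == nil,
		Stale:       verify(cert, bank, stale, now) == nil,
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point the check makes is that the binding is to the enrolled domain, not to whatever the message says about itself: the lookalike-domain sender has a perfectly valid certificate and signature, and is still rejected because its certificate is not for `bank.example`. That is the same property HTTPS gives a browser, which is what the post is asking to reuse for messaging.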

  • by na4ma4 on 7/29/23, 7:52 AM

    Because it would be fragmented and have 1000 incompatible implementations if it ever got that far.

    Large institutions would prefer something they control 100%, email and SMS are only used because they became ubiquitous first.

    But some companies use their apps as a secure alternative.

  • by dave4420 on 7/29/23, 8:18 AM

    Banks who create a secure messaging service build it into their app and website. There’s no incentive to create a generic service.

  • by helghardt on 7/29/23, 6:54 AM

    Another benefit that comes to mind is the cost saving of not having to send SMSes. In some regions SMSes go up to $0.25/SMS via services like Twilio/local variations.