Citibank (AU) has sought to introduce another layer of security to the generation of its SMS 2FA codes via the bank's mobile app.
Previously, customers would simply receive an SMS containing a code when they were prompted, or in turn prompted the bank to send a code, whilst using a digital banking channel.
In a change that amounts to an additional layer of security for that process - one that is clearly designed to buffer against the ever-increasing concerns regarding just how secure SMS codes are - the bank has sought to introduce a 4-digit passcode in order to trigger the sending of the SMS. As the bank explained in an email sent to customers today:
To authenticate transactions and certain actions you take via Citibank Online or the Citi Mobile App, we may ask you to enter a One-Time PIN generated via an SMS sent to your registered mobile phone or generated via the Citi Mobile App (Mobile One-Time PIN). To generate a One-Time PIN, you will be requested to enter a 4-digit passcode.
When banking through the Citi Mobile App, just enter your 4-digit passcode to authenticate transactions. When banking on Citibank Online, use your Citi Mobile App to instantly generate a One-Time PIN to authenticate transactions and certain actions.
Notably, the bank reinforces its email message with a series of images and associated advisory wording, along with social media links - standard practice for Citibank correspondence around the world.