Comment Re:Here's how it works. (Score 1) 167

On the contrary, U2F protects against fake sites precisely because it's tied to the login session. Same with FIDO2, popularized as "passkeys". Both get the domain name from the browser and generate an authentication code that depends on the domain name. A fake site has a different domain name, which results in an authentication code that is wrong for the real site, so the authentication fails and the attack is thwarted. This protection isn't possible with an authentication app that isn't connected to the browser.

Side-channel MFA is vulnerable to MFA prompt bombing.

Comment Here's how it works. (Score 5, Interesting) 167

What enabled this scam was a fundamental design flaw in BankID. The protocol is designed such that the authentication is done in a side channel. Normally when you log in to a website, you send your credentials directly to the server you're connecting to. With BankID, when you initiate a login with the website, the web server contacts the central BankID server and asks it to verify your identity. Your BankID app also connects to the BankID server. The authentication is done between the BankID app and the BankID server. Then the BankID server tells the website "yep, this person is authenticated", and then you're logged in to the website.

Fraudsters quickly figured out how the side channel can be exploited. They initiate a dialogue with a victim. The pretexts used are many and diverse. In this case it was the pretense of buying second-hand clothes. Then some seemingly plausible reason for authentication comes up. In the background the fraudsters request a withdrawal from the victim's bank account, and so the victim's BankID app pops up and asks for authentication. The victim thinks they're authenticating to some other website, when they're actually authorizing the fraudsters' withdrawal.

People use BankID so frequently that it becomes routine, and one more thing that requires BankID doesn't raise suspicion. When they're used to it they no longer read every word the BankID app displays, so they don't notice the text that says what it is they're authorizing. Relying on people to be suspicious every time they use BankID doesn't work.

The way to stop this kind of fraud is to replace BankID with a protocol that sends the credentials through the login session, not through a side channel. A client certificate in HTTPS is one option that has existed for longer than BankID has. WebAuthn is a newer protocol that would be suitable.

Another problem with BankID is that it stifles competition in the operating system market. It's a proprietary protocol that requires a proprietary app that requires an iPhone or Android device - or sometimes Windows, but often not even Windows is allowed. Every additional thing that requires BankID contributes to excluding competing operating systems from the Swedish market, strengthening the Apple/Google duopoly.
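The origin binding the reply above describes, and the reason a side-channel approval like the BankID flow in this comment cannot offer it, as an added Python sketch that is not code from either comment author, from BankID, or from any WebAuthn library. The relying party `bank.example`, its origin, the lookalike origin, and the HMAC standing in for the credential's signature key are all constructed assumptions; the check order mirrors what a WebAuthn relying party does with `clientDataJSON` and `authenticatorData`.

```python
import hashlib, hmac, json, os

# Constructed relying party (the real bank site) and the browser origin it expects.
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()
# Stand-in for the per-credential private key: real WebAuthn uses a public-key
# signature (e.g. ES256); HMAC is used so this runs on the standard library alone.
CREDENTIAL_KEY = os.urandom(32)

def authenticator_sign(origin: str, challenge: bytes) -> dict:
    """WebAuthn-style assertion. The browser fills in `origin` from the page that
    called navigator.credentials.get(); neither the user nor the page picks it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    signed = RP_ID_HASH + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": RP_ID_HASH,
            "signature": hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()}

def rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party side: the checks a server runs before accepting the login."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge.hex():  # stale or replayed
        return False
    if cd.get("origin") != RP_ORIGIN:  # assertion was made for some other site
        return False
    if assertion["authenticatorData"] != RP_ID_HASH:
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def login_from(origin: str, rewrite_origin: bool = False) -> bool:
    """One login attempt whose browser reports `origin`. With rewrite_origin=True the
    origin field is edited to the real one after signing, which is what a relay in
    the middle would have to do to get past the origin check."""
    challenge = os.urandom(32)  # fresh per login, as the RP would issue it
    assertion = authenticator_sign(origin, challenge)
    if rewrite_origin:
        cd = json.loads(assertion["clientDataJSON"])
        cd["origin"] = RP_ORIGIN
        assertion["clientDataJSON"] = json.dumps(cd, sort_keys=True).encode()
    return rp_verify(assertion, challenge)
```

A BankID-style approval has no equivalent of the origin field: the app talks to the central server, so the server has nothing to compare against the site or transaction the user believes they are confirming, which is why the text in the app is the only defence.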
