Password Tools - Invalidate Banks T's and C's
Comments
-
and if you were a hacker, wouldn't you think that aggregator software was an ideal target?
best avoided IMHO
-
It is somewhat irrelevant what you believe about the aggregator. ...You might choose to trust it. However, the bank may not.
My point isn't really about whether I or the bank trust the aggregator or not.
I suspect that almost everyone has their on-line banking details recorded *somewhere*. Maybe it's in a password program like Keepass. Maybe it's in a text-file in their computer. Maybe it's in their Filofax. Maybe it's on a bit of paper in their underwear drawer. An encrypted local file such as that produced by an aggregator (assuming the aggregator is not lying about this*) is almost certainly a safer way to store on-line banking details than any of those other options.
No bank really believes the majority of its customers actually memorise their PINs and then destroy the bits of paper on which they were sent. T&C banning the use of aggregators are not about the safety of aggregators, relative or otherwise. They are about the banks covering their backs and passing liability for losses due to fraud on to the customer rather than the bank.
(*Does anyone really think that Egg and First Direct are collecting the on-line banking information about *other* accounts from their customers and then lying about it? Think of the publicity if they were and it became public knowledge. And does anyone really think that Egg and First Direct would have started to use the AU software without first being *very* confident that it did exactly what it said? That they would take even the slightest risk of leaving themselves in such a very vulnerable legal position?)
-
blueberrypie wrote: »My point isn't really about whether I or the bank trust the aggregator or not.
I suspect that almost everyone has their on-line banking details recorded *somewhere*. Maybe it's in a password program like Keepass. Maybe it's in a text-file in their computer. Maybe it's in their Filofax. Maybe it's on a bit of paper in their underwear drawer. An encrypted local file such as that produced by an aggregator (assuming the aggregator is not lying about this*) is almost certainly a safer way to store on-line banking details than any of those other options.
No bank really believes the majority of its customers actually memorise their PINs and then destroy the bits of paper on which they were sent. T&C banning the use of aggregators are not about the safety of aggregators, relative or otherwise. They are about the banks covering their backs and passing liability for losses due to fraud on to the customer rather than the bank.
(*Does anyone really think that Egg and First Direct are collecting the on-line banking information about *other* accounts from their customers and then lying about it? Think of the publicity if they were and it became public knowledge. And does anyone really think that Egg and First Direct would have started to use the AU software without first being *very* confident that it did exactly what it said? That they would take even the slightest risk of leaving themselves in such a very vulnerable legal position?)
Presumably companies like Microsoft, Mozilla and Adobe release their code with the best of intentions, but even after years of heavy scrutiny new security flaws get found with alarming regularity.
You could also compare these aggregators to something like Trusteer Rapport, which is supposedly developed by security experts and endorsed by many banks. Well, some MSE'ers have already found flaws in that software that led them to fall victim to phishing sites and in at least one case Trusteer has admitted to a security vulnerability. If it can happen with Rapport, it can happen with Egg Money Manager.
The other thing that would concern me is how aggregation software would behave if it was misdirected to a phishing site. At least if you log in to an online banking site yourself, you can check the security certificate and be confident you are on the site you think you are. A simple entry put into your hosts file by malware could potentially misdirect an aggregator to a phishing site, where it might happily give up all your login details.
I think you have to accept that any software carries a risk of malfunction or exploitation. If you choose to use it, it's very desirable to be able to hide the fact you use it from your bank. If you can't hide the fact you use it and you fall victim to fraud, you need to accept the possibility you may end up liable for your losses.
-
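A defensive check for the hosts-file misdirection described in the post above, as an added example that is not part of the thread: it parses a hosts file and reports any entry that overrides a domain you log in to. The domain `bank.example`, the watch list and the sample file are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file; bank.example is a placeholder domain.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# 203.0.113.9 www.bank.example   (commented out, ignored)
0.0.0.0     ads.tracker.example
203.0.113.9 www.bank.example online.bank.example  # added entry
192.168.1.20 nas.home.arpa
"""

# Hypothetical watch list: domains whose addresses should only come from DNS.
WATCHED_SUFFIXES = ("bank.example",)


def parse_hosts(text):
    """Yield (line number, ip, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue  # blank line, comment, or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address, not a usable mapping
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")


def suspicious_overrides(text, watched=WATCHED_SUFFIXES):
    """Return (line, hostname, ip, kind) for each watched-domain override.

    kind is "blocked" when the name is sinkholed to a loopback or
    unspecified address, and "redirect" when it points anywhere else.
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if any(name == s or name.endswith("." + s) for s in watched):
            sinkhole = ip.is_loopback or ip.is_unspecified
            findings.append((lineno, name, str(ip),
                             "blocked" if sinkhole else "redirect"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_overrides(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On a real machine, pass in the contents of `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts` instead of the sample.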
blueberrypie wrote: »Only if I didn't realise that I would have to hack not only the aggregator but the locally-stored file on the computer for each individual whose account I wanted to access.
as far as the PC element is concerned, because it's locally stored it makes it an easier target for trojans
for the central part, many major financial frauds are the result of inside assistance
the value of the aggregator services is IMHO not large, and the risk not worthwhile, apart from the fact that it invalidates the fraud cover provided by the bank
-
a written record on paper stored in a secure place.
Just thought I'd add in here that as well as keeping it in a secure place you could add a bit of 'old-school' encryption. For example, writing the next letter along in the alphabet (Caesar cipher) e.g. 'password' becomes 'qbttxse'. Or adding a random letter between e.g. 'password' becomes 'pbaesvsgwuoxrtd'.
-
savetilibleed wrote: »I questioned Coventry BS about KeePass, I put their response HERE.
Stompa
-
From their response I'd say they haven't got the faintest idea what Keepass is.
That was my initial reaction to it, but I suspect on reflection they are being deliberately vague. They are choosing to interpret "entrusting your data to a third party" and "entrusting your data to software written by a third party" as the same thing.
In fact they probably have a valid point. Software such as KeePass may be Open Source, but most people use the publicly available binaries instead of downloading the source code and compiling it themselves. I doubt that it would be hard for a programmer with bad intent to work their way into a position on the maintenance team for KeePass, and then get their own infected binary published (with valid MD5 hash, not that anybody checks those anyway) and be away on their toes ~long~ before anyone realised.
As Masonic says, the best defence is to deny to your bank that you use any such product or service, and let them prove otherwise.
-
I think password managers are very secure. If you are feeling very paranoid you can always put the password file on a USB drive protected with an encrypted folder and biometric access for peace of mind. Many password managers also have inbuilt functionalities to prevent password compromises caused by trojans and keyloggers.
I do agree with Barclays stance on account aggregation service as this is effectively giving a third party access to your own personal account details. However, with password managers a third party cannot see your password details.
Banks do have problems with internal fraud. Where rogue staff can steal your password and gain access to other accounts held by another bank as most customers tend to use the same password due to memory problems. Using a password manager helps to eliminate internal fraud by allowing the use of a specific password for each account.
Since using my password manager I have monitored my bank account more frequently and feel that I have made an effort to be safer with my finances and personal data.
-
Undisputedtruth wrote: »I do agree with Barclays stance on account aggregation service as this is effectively giving a third party access to your own personal account details. However, with password managers a third party cannot see your password details.
This discussion has been closed.