
MSE News: Bank customers promised access to all their accounts via one app

Comments

  • masonic
    masonic Posts: 23,780 Forumite
    jamesd wrote: »
    Unfortunately what would happen is that a hacked system that compromises the private key will then be used for fraud and the bank will insist that you must have authorised the transaction because the private key had to have been used. If the key itself isn't compromised a man in browser attack may be sufficient because the key itself isn't implicitly linked to any specific transaction properties that would prevent it from being reused for a different transaction. Though a derived token might be. Which may not help because the algorithm to go from site provided information through private key to generate a token is presumably known and hence forged tokens are possible from a compromised key.
    This is equivalent to the existing problem posed by use of conventional password managers and aggregation services. It depends what level of access you are automatically granted. When I log in to FD using my username, password and characters from memorable information, I only have limited access to see my statement and transact with existing payees. Limited access is all I need 95% of the time and I'm ok with jumping through some extra hoops when setting up a new payee.
    First Direct at least has form in this area, introducing a key card to use for logging in that could then be used to assert that all transactions in the session must have been authorised by you in spite of the known existence and use of man in browser attacks. The result was a system that transferred fraud risk from bank to customer. After some fuss and a year of delay they adjusted the system to also provide transaction-specific authorisation.
    As you say, I think transaction-specific authorisation is an important additional security measure that needs to be done out of band for the reasons you specify.
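The distinction the two posters are drawing, shown as an added example that is not part of the thread: a session-level token proves the key was used but says nothing about which payment it covers, so a request altered in the browser still verifies, whereas a code bound to payee, amount and a one-time nonce only verifies for the transaction the customer actually saw. HMAC-SHA256 stands in for the token algorithm, and the key, payees and amounts are constructed values.

```python
import hashlib
import hmac

# Constructed demo secret shared by the customer's authenticator and the bank (assumption).
KEY = b"constructed-demo-key-do-not-reuse"


def session_token(key: bytes, session_id: str) -> str:
    """Session-level token: proves the key was used, but not what was authorised."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def transaction_code(key: bytes, payee: str, amount_pence: int, nonce: str) -> str:
    """Transaction-bound code: commits to payee, amount and a one-time nonce."""
    msg = f"{payee}|{amount_pence}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_session(key: bytes, session_id: str, token: str) -> bool:
    return hmac.compare_digest(session_token(key, session_id), token)


def verify_transaction(key, payee, amount_pence, nonce, code, seen_nonces: set) -> bool:
    """Bank-side check: the code must match this exact transaction and the nonce must be fresh."""
    if nonce in seen_nonces:
        return False
    if not hmac.compare_digest(transaction_code(key, payee, amount_pence, nonce), code):
        return False
    seen_nonces.add(nonce)
    return True


def compare_schemes() -> dict:
    """Customer intends to pay 'Plumber Ltd' 50.00 GBP; malware in the browser rewrites the
    submitted request to 'Mule Account' 5000.00 GBP (all values constructed)."""
    intended = ("Plumber Ltd", 5000)
    tampered = ("Mule Account", 500000)
    session_id, nonce, seen = "sess-42", "n-0001", set()
    # Scheme 1: a session-level token travels with whatever request the browser sends.
    tok = session_token(KEY, session_id)
    # Scheme 2: the out-of-band device displays the intended payee/amount and signs only those.
    code = transaction_code(KEY, *intended, nonce)
    return {
        "session_token_accepts_tampered": verify_session(KEY, session_id, tok),
        "tx_code_accepts_intended": verify_transaction(KEY, *intended, nonce, code, seen),
        "tx_code_accepts_replay": verify_transaction(KEY, *intended, nonce, code, seen),
        "tx_code_accepts_tampered": verify_transaction(KEY, *tampered, nonce, code, set()),
    }
```

The bank verifying scheme 1 cannot tell the tampered request from the intended one, which is exactly why the liability argument in the post above falls on the customer; scheme 2 rejects both the altered payment and a replay of the same code.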
  • agrinnall
    agrinnall Posts: 23,344 Forumite
    colsten wrote: »
    Do you also wear a tin hat whilst doing your online banking? I'm not a great fan myself of mobile banking apps, but mainly because I need a larger screen to do things on, and a proper keyboard. But mobile security can be at least as good if not better than on a PC. Biometric security - fingerprint, voice, face recognition - can all be used to make the user experience a lot better than it is today.

    Another reason I don't want to use a mobile app is the account aggregator - I couldn't possibly manage my 30+ accounts without an account aggregator. Again, I can't see how they could create something usable for a small mobile device. My account overview page already has more data than fits on a large display! So I remain very sceptical about the usability of mobile banking for serious users.

    As to current account switching... I don't understand what the obsession with it is. Perhaps the uptake is so low because people are actually quite happy with their accounts?

    I think you know my posting history on this board well enough that I'm hoping the tin hat comment was made with your tongue firmly in your cheek.

    I haven't commented on mobile device security though (as it happens my phone is encrypted and requires fingerprint and/or pattern recognition to log in, although none of that would prevent theft of the device), my concern was about the security of networks used while out and about. If you only ever do your mobile banking at home then it's likely to have a similar level of security as your PC, but you list some of the issues with doing that, and if you're not going to do mobile banking while, well, mobile, then there seems little value in it.

    And if you're happy to use aggregators that's fine, I don't have as many accounts as you, maybe if I did I might change my mind, but I don't consider that there's any great overhead in logging into each of my accounts separately when I need to.
  • alanwsg
    alanwsg Posts: 778 Forumite
    Here's what 'The Register' thinks about it ....
    http://www.theregister.co.uk/2016/08/10/open_banking_security/
  • bxboards
    bxboards Posts: 1,711 Forumite
    Do they mean app as in the modern meaning of software running on a mobile phone?

    With a small screen and with the possibility of losing the device, I would not use this on a mobile device.

    If this is something that could be accessed via a web browser on a secure PC at home this could be useful.

    'apps' offer less security than a home web browser. With Halifax / TSB and Lloyds all the mobile apps only require 3 figures out of a 6 digit passcode. When I wish to login at home, it requires user name, password and digits from the memorable data. I have never understood why bank apps, when a mobile phone can easily be lost or stolen, require less security to log onto banking than my home PC.

    Who is actually asking for this? And why do we all need it?
  • Paul_Herring
    Paul_Herring Posts: 7,481 Forumite
    bxboards wrote: »
    I have never understood why bank apps, when a mobile phone can easily be lost or stolen, require less security to log onto banking than my home PC.

    Because it's new, shiny and secure - the banks say so.

    File it under the same category as biometrics.
    Conjugating the verb 'to be':
    -o I am humble -o You are attention seeking -o She is Nadine Dorries
  • takman
    takman Posts: 3,876 Forumite
    bxboards wrote: »
    Do they mean app as in the modern meaning of software running on a mobile phone?

    With a small screen and with the possibility of losing the device, I would not use this on a mobile device.

    If this is something that could be accessed via a web browser on a secure PC at home this could be useful.

    'apps' offer less security than a home web browser. With Halifax / TSB and Lloyds all the mobile apps only require 3 figures out of a 6 digit passcode. When I wish to login at home, it requires user name, password and digits from the memorable data. I have never understood why bank apps, when a mobile phone can easily be lost or stolen, require less security to log onto banking than my home PC.

    Who is actually asking for this? And why do we all need it?

    Mobile banking is actually more secure than online banking on your PC.

    When you first download a mobile banking app you have to go through some security so they know it is definitely you using the device. The app is then registered to be used on this device. So because mobile phones are usually fingerprint protected to unlock and kept with someone most of the time it is very secure. If the device is stolen the thief won't be able to get onto the phone, never mind into the banking app. Stolen phones are usually just wiped (if they can) and sold on so all your details get deleted.

    When using online banking on a PC they have no idea who is using that PC or who it belongs to so it could be anyone typing in your login details and accessing your account. Also PCs are a lot more vulnerable to viruses and spyware than mobile devices, which are a lot more locked down (for the average user).
  • bxboards
    bxboards Posts: 1,711 Forumite
    takman wrote: »
    So because mobile phones are usually fingerprint protected to unlock it and kept with someone most of the time it is very secure.

    I'd be very surprised if mobile phones are usually finger print protected.

    'Usually' implies a majority, and I'm pretty sure out of the billions of phones sold, finger print scanners are fairly new.

    Certainly my phone which is a recent Sony high end phone doesn't have it.

    Sorry but I am unconvinced mobile phones are generally more secure for the majority of people with typical mobile phones.

    I guess some sales stats could answer this.
  • Paul_Herring
    Paul_Herring Posts: 7,481 Forumite
    bxboards wrote: »
    I'd be very surprised if mobile phones are usually finger print protected.

    And even if they are, it's not as if the key to the unlock isn't actually on the phone itself, like a post-it note with a conventional unlock password written on it stuck to the phone.

    Oh, wait...
    Conjugating the verb 'to be':
    -o I am humble -o You are attention seeking -o She is Nadine Dorries
  • takman
    takman Posts: 3,876 Forumite
    bxboards wrote: »
    I'd be very surprised if mobile phones are usually finger print protected.

    'Usually' implies a majority, and I'm pretty sure out of the billions of phones sold, finger print scanners are fairly new.

    Certainly my phone which is a recent Sony high end phone doesn't have it.

    Sorry but I am unconvinced mobile phones are generally more secure for the majority of people with typical mobile phones.

    I guess some sales stats could answer this.

    Yes my use of the word "usually" is probably a bit optimistic. But any phone with a good password will be more secure than a PC for mobile banking simply due to the device verification process that I posted above that is done before you can access the mobile banking app.

    Not long ago the FBI took Apple to court because they couldn't access data stored on an iPhone. So if the FBI and all their resources have trouble getting into it then how likely is it that an average phone thief can do it?

    Also on a PC you have to enter your online login details every time you log in, which could be recorded by a key logger. On mobile banking only a verified device can access the banking app and you only have to enter a small amount of the information required to login from a PC.

    It's also worth mentioning that banks like First Direct actually use a mobile phone app as part of the login process to access online banking on a PC. But on the phone you don't need to use a secondary device.
    So they obviously know that a mobile device is much more secure.
  • jamesd
    jamesd Posts: 26,103 Forumite
    takman wrote: »
    It's also worth mentioning that banks like First Direct actually use a mobile phone app as part of the login process to access online banking on a PC. But on the phone you don't need to use a secondary device.
    So they obviously know that a mobile device is much more secure.
    Please provide a link to a description of the mobile phone application that First Direct uses as part of their login process on a conventional computer.

    The reason I'm asking is that so far as I'm aware they use a dongle not a mobile phone application. A thief with the dongle can get access to the account if they have the first part of the login details and know a very short password with a very limited range of acceptable characters.

    The dongle doesn't increase security by being more secure, it increases it by not being on the PC so not directly vulnerable to PC-based malware.