We'd like to remind Forumites to please avoid political debate on the Forum. This is to keep it a safe and useful space for MoneySaving discussions. Threads that are - or become - political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.

MSE News: Bank customers promised access to all their accounts via one app

Options
124

Comments

  • jamesd
    jamesd Posts: 26,103 Forumite
    Name Dropper First Post First Anniversary
    Options
    takman wrote: »
    any phone with a good password will be more secure than a PC for mobile banking simply due to the device verification process that I posted above that is done before you can access the mobile banking app.
    Perhaps you don't know it but it is also not uncommon for PC banking applications to also require extra information during the first use.
    takman wrote: »
    Also on a PC you have to enter your online login details everytime you log in which could be recorded by a key logger.
    The details that are entered could be logged but they will often not be complete details and not entered with keystrokes, making the task of the logger more difficult.
  • badger09
    badger09 Posts: 11,324 Forumite
    First Post First Anniversary Name Dropper
    Options
    jamesd wrote: »
    Please provide a link to a description the mobile phone application that first direct uses as part of their login process on a conventional computer.

    The reason I'm asking is that so far as I'm aware they use a dongle not a mobile phone application. A thief with the dongle can get access to the account if they have the first part of the login details and know a very short password with a very limited range of acceptable characters.

    The dongle doesn't increase security by being more secure, it increases it by not being on the PC so not directly vulnerable to PC-based malware.

    This?
    https://www1.firstdirect.com/1/2/securekey

    I've never seen the FD dongle as I use the mobile app to generate a digital secure key when needed.
  • colsten
    colsten Posts: 17,597 Forumite
    First Anniversary Photogenic Name Dropper First Post
    Options
    agrinnall wrote: »
    I think you know my posting history on this board well enough that I'm hoping the tin hat comment was made with your tongue firmly in your cheek.
    it sure was, apols if it has come across as anything different!
    agrinnall wrote: »
    And if you're happy to use aggregators that's fine, I don't have as many accounts as you, maybe if I did I might change my mind, but I don't consider that there's any great overhead in logging into each of my accounts separately when I need to.
    I have counted mine now - at the moment, I have 70 accounts with 22 different outfits (banks, building societies, investment brokers), meaning 22 different passwords and login procedures. Getting the balance for all of these on one page (two, actually) takes less than a minute every day, making it a doddle for me to check my balances once a day. If I then have to make any transactions on any account, it takes next to no time to open up the respective website, as the login information is all known to the aggregator.

    Even if I had only a handful of accounts, I'd still use the aggregator as it's such a neat way to access multiple accounts.

    Someone will no doubt be along before long and point out that a hacker just needs to hack my aggregator login to get access to 70 accounts. That's true in theory but in practice there is plenty of security in the individual accounts which would prevent anyone from sending money to themselves. It's at least 6 years now that I have used aggregators and I am very happy that the one I use (accountunity) is secure.
  • colsten
    colsten Posts: 17,597 Forumite
    First Anniversary Photogenic Name Dropper First Post
    Options
    jamesd wrote: »
    Please provide a link to a description the mobile phone application that first direct uses as part of their login process on a conventional computer.

    The reason I'm asking is that so far as I'm aware they use a dongle not a mobile phone application.

    See the link badger09 posted. The 'dongle' is old technology although it's still an option for those who don't want to / can't use a mobile.

    HSBC use similar approach / technology
  • takman
    takman Posts: 3,876 Forumite
    Combo Breaker First Post
    Options
    jamesd wrote: »
    Perhaps you don't know it but it is also not uncommon for PC banking applications to also require extra information during the first use.

    The details that are entered could be logged but they will often not be complete details and not entered with keystrokes, making the task of the logger more difficult.

    Once you setup online banking on one computer it can then be used on any computer/device. Once you setup a mobile banking app it can only be used on that one device.

    If someone had my online banking username and passwords they could access my accounts from their computer. If someone had my mobile banking login details they would also need my phone password and my phone in their possession to access my accounts.

    That's what makes mobile banking more secure.

    If someone steals my phone I can remotely track it, lock it or erase it completely from any other device. I would also notice quite quickly that it's missing.
    If someone steals my computer they would have to turn it on and connect it to the Internet before I could wipe the data. I wouldn't notice it was gone unless I was home and most people (nobody that I know) has the software installed to allow remote wiping anyway so it's not very common.
  • [Deleted User]
    Options
    First Direct Internet Banking Plus already does this.

    You don't even need an account with First Direct to set it up.

    Note: Internet Explorer is the only browser that it works with.
  • jamesd
    jamesd Posts: 26,103 Forumite
    Name Dropper First Post First Anniversary
    Options
    badger09 wrote: »
    This?
    https://www1.firstdirect.com/1/2/securekey

    I've never seen the FD dongle as I use the mobile app to generate a digital secure key when needed.
    Thanks, the digital secure key there that uses the mobile phone is relatively new and I didn't remember previously reading about it. It'll presumably be no more secure than any mobile phone application and those tend to be riddled with security holes.

    I'd definitely avoid the digital secure key option because it places the key on a high value casual theft target, the phone, so it's very vulnerable to loss in many cases. Better the far lower value dongle that has no resale value so no value to a thief.

    Based on their description I'm not sure that the digital secure key option is as secure as the dongle based one. It appears that it'll be vulnerable to a range of phone-based and possibly transport protocol based attacks that just aren't practical with the dongle version.
  • colsten
    colsten Posts: 17,597 Forumite
    First Anniversary Photogenic Name Dropper First Post
    edited 11 July at 3:27PM
    Options
    [quote=[Deleted User];71126237]First Direct Internet Banking Plus already does this.

    You don't even need an account with First Direct to set it up.

    Note: Internet Explorer is the only browser that it works with.[/QUOTE]

    This is an implementation of accountunity, and not a very good one at it as it doesn't allow you to store your profile on a portable device. Last time I checked, it also didn't have all the providers that accountunity supports
  • colsten
    colsten Posts: 17,597 Forumite
    First Anniversary Photogenic Name Dropper First Post
    Options
    jamesd wrote: »

    I'd definitely avoid the digital secure key option because it places the key on a high value casual theft target, the phone, so it's very vulnerable to loss in many cases. Better the far lower value dongle that has no resale value so no value to a thief.
    replacing your digital secure key device will be a hell of a lot faster that replacing the physical one. It's also a lot more likely that people take their mobile with them rather than some dongle, and the digital secure key comes, of course, with a mobile banking app that can be used for most transactions.
  • masonic
    masonic Posts: 23,780 Forumite
    Photogenic Name Dropper First Post First Anniversary
    Options
    jamesd wrote: »
    Thanks, the digital secure key there that uses the mobile phone is relatively new and I didn't remember previously reading about it. It'll presumably be no more secure than any mobile phone application and those tend to be riddled with security holes.

    I'd definitely avoid the digital secure key option because it places the key on a high value casual theft target, the phone, so it's very vulnerable to loss in many cases. Better the far lower value dongle that has no resale value so no value to a thief.

    Based on their description I'm not sure that the digital secure key option is as secure as the dongle based one. It appears that it'll be vulnerable to a range of phone-based and possibly transport protocol based attacks that just aren't practical with the dongle version.
    It's been available from the outset IIRC. I definitely needed to make the choice between the two when FD first started requiring 2FA. I'm not sure if there were early adopters that only had the dongle as a choice.

    I opted for the dongle for the reasons you indicate and, given the fact that I so rarely need to perform any transactions that require it, the trade-off of security for convenience doesn't seem worth it for me.
This discussion has been closed.
Meet your Ambassadors

Categories

  • All Categories
  • 344.6K Banking & Borrowing
  • 250.6K Reduce Debt & Boost Income
  • 450.4K Spending & Discounts
  • 236.8K Work, Benefits & Business
  • 610.6K Mortgages, Homes & Bills
  • 173.8K Life & Family
  • 249.5K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 15.9K Discuss & Feedback
  • 15.1K Coronavirus Support Boards