Using mobile banking/investment apps - Security and liability

  • cloud_dog
    cloud_dog Posts: 6,365 Forumite
    edited 27 July 2019 at 10:23PM
    colsten wrote: »
    which mobile banking app only requires a PIN to access?
    NW, three from six.

    EDIT: Or are you relating this back to the infallible fingerprint / face ID technology?
    Personal Responsibility - Sad but True :D

    Sometimes.... I am like a dog with a bone
  • masonic
    masonic Posts: 28,032 Forumite
    cloud_dog wrote: »
    NW, three from six.

    EDIT: Or are you relating this back to the infallible fingerprint / face ID technology?
    Does Nationwide not ask for memorable information too, like they do for internet banking? And use of a card reader when setting up new payees? (asking as I don't use the NW app)
  • masonic
    masonic Posts: 28,032 Forumite
    cloud_dog wrote: »
    You're not really setting the bar too high then. You also have to be mindful of the physical possibilities also.
    There was once a thread posted here by someone claiming to have fallen for one of the 'physical possibilities'. I don't know how much truth was in it, but essentially he went out drinking with some acquaintances, had his drink spiked, got driven to a remote location and abandoned there, but only after his drinking friends stole his phone and used his fingerprint while he was semi-conscious to unlock his phone and banking app to transfer the contents of his bank account to them.

    Is that the sort of physical possibility you are thinking of?
  • AnotherJoe
    AnotherJoe Posts: 19,622 Forumite
    edited 28 July 2019 at 8:04AM
    cloud_dog wrote: »
    Because it was executed from your mobile device therefore you are responsible for whatever was carried out. It cannot be argued any other way. This will be/is the bank's position should any untoward activity occur on your account executed from your mobile device. There cannot be any argument.
    What's the difference between that or any other computer, be it a laptop (which is mobile capable) or even a fixed computer, that doesn't stop someone other than you using it.
    OP's point was seemingly that a 4 digit PIN was not good enough and you can apparently be blamed for that. You can be blamed for telling someone the PIN. You cannot (reasonably) be blamed for using an app which isn't secure by the creator of the app.
    cloud_dog wrote: »
    You're not really setting the bar too high then. You also have to be mindful of the physical possibilities also.
    Such as? Which are different to having a debit card in what way?
  • noh
    noh Posts: 5,819 Forumite
    masonic wrote: »
    Does Nationwide not ask for memorable information too, like they do for internet banking? And use of a card reader when setting up new payees? (asking as I don't use the NW app)
    No memorable word is needed.
    A card reader is needed to set up new payees.
  • colsten
    colsten Posts: 17,597 Forumite
    AnotherJoe wrote: »
    Barclays. 5 digits only.
    That is after you set up your mobile app access with several bits of info and with PINSentry. A fraudster would therefore need not just your mobile PIN but also your physical device (which, hopefully, you have protected with an access code or biometric ID, too).
  • stphnstevey
    stphnstevey Posts: 3,227 Forumite
    Doesn't seem like much of a consensus here and a lot of unknowns!

    Public WiFi for financial activity seems to be a no-no. Ok fine, someone else might be spoofing or watching.
    But what about checking emails that might contain financial details? Is that too much caution?

    Laptops could have a larger number of exploits, but phones are likely to have less antivirus and firewall capabilities. How much is needed on a mobile device?

    Banking apps appear to require less security details entering once set up, but security for unlocking phones to access the app might add to this.

    Liability, should someone fraudulent obtain and use your details via mobile device, seems to be a matter of opinion.

    To be honest I am not much further on and probably don't feel any more comfortable with mobile banking apps than previously.
  • rathernot
    rathernot Posts: 339 Forumite
    I wouldn't use a commercial VPN service, with very few exceptions.

    What you're doing by doing so is giving your traffic to someone else.

    If a banking app is written properly everything will be encrypted and the app will be "keyed" to only work with the bank's servers.

    Choice of phone is an interesting one.

    For example would you be happier doing your banking on an Apple iPhone or a 50 quid Chinese Android jobby off eBay?

    You also have some people who still don't protect their phone with a PIN/password/biometric which absolutely baffles me.

    So I think it's difficult to be black and white about it because there are variables, but for most people doing normal sensible things I'd say it's entirely safe.
  • masonic
    masonic Posts: 28,032 Forumite
    edited 28 July 2019 at 4:11PM
    rathernot wrote: »
    I wouldn't use a commercial VPN service, with very few exceptions.

    What you're doing by doing so is giving your traffic to someone else.

    If a banking app is written properly everything will be encrypted and the app will be "keyed" to only work with the bank's servers.
    Those are interesting points to make. In the end you have to give your traffic to someone. At home this will be your ISP (who I'm not willing to trust with all of my traffic); when away from home it will be an unknown entity providing a wifi connection to you. A VPN provider can be vetted to some extent and selected in advance. For example, ProtonVPN looks ok and a limited version of the service is perfectly adequate and free, so I wouldn't have any concerns about the service being malicious, which is the risk.

    No banking app will be able to obscure the fact you are connecting to the bank's servers. I suppose the risk is that your traffic would flag you up as a priority target, and an attacker could use other means to compromise your phone - a large proportion of UK smartphones are not fully patched and are susceptible to compromise. This may or may not get the attackers what they want, but it seems sensible to give away as little as possible. When the 2FA used to authorise new payees is on the same phone being used for mobile banking, that could lead to a much higher risk.
  • rathernot
    rathernot Posts: 339 Forumite
    I think the interesting thing is what should be necessary in the ideal world and what happens in the real world :)

    A good example of Natwest doing something dumb that could be pretty easily exploited if you were using Public Wi-Fi or an evil VPN provider.

    https://www.troyhunt.com/im-sorry-you-feel-this-way-natwest-but-https-on-your-landing-page-is-important/

    Love to know what happens in that scenario where thanks to Natwest's poor decisions you visit their legitimate site and get bounced off to a malicious site because you were on an untrusted or malicious network.
This discussion has been closed.