Mobile app banking Vs Desktop online banking

CoastingHatbox

Deleted_User said:

never understood why people so passionate about open source, linux (and now this unheard of lineageOS) and against anything closed that Microsoft, google or apple do never seem to get any traction in the mainstream to create something that is "so called better" than what any of those companies have ever done.

It feels more like a hobby/niche area that does not have any scale. 

Not that this has anything to do with the topic, but Linux is used to run:

• 100% of the worlds super computers
• Over 95% of the top million frequently used websites, probably including this one
• 90% of the worlds cloud infrastructure
• Most likely a number of appliances in your home
• Even the Management Engine built into all Intel CPUs since 2008 is running a flavour of Linux called Minix
  

The irony is Google and expecially Microsoft owe a great deal of their profit to Linux as it is used extensively by customers of their cloud platforms.

CoastingHatbox

RumRat said:

CoastingHatbox said:

RumRat said:

Oh dear. You do have it bad, but, if what you do makes you feel safer, then I'm not trying to persuade you to do anything else.
However, rather than me typing out the explanation, give this article a read (one of many that can be found), it's for others and not to change your mind... Why Apple and Google Pay are the safest ways to spend – Which? News
The only tip I would give anyone is to never, ever, glean any tech knowledge from the mainstream newspapers....They have you reading one side on Monday and the other on Tuesday...None of it containing any real facts, as you say, full of 'journalistic sensationalism'.
The main security risk of any system is the human using it. Lack of common sense and a general state of gullibility account for the vast majority of banking fraud. 
There's no going back now, the Genie is well and truly out of the bottle. The mobile banking revolution will not be stopped, just look at the success of the online only banks, it's what people want.

Err this thread is about the security mobile banking versus online banking; the article you have linked to is exclusively about contactless payments with mobile devices. As an aside, Apple's 'secure element' has an exploit that cannot be patched (because requires a hardware change to resolve). Nearly every attempt at creating a 'secure enclave' in a processor or some other piece of hardware for handling secrets or signatures has been found to be exploitable.

The one good thing about contactless payment is that you would have to compromise a cloud service as well as a phone to well and truly exploit it. That does is raise the bar and bad actors typically go after low hanging fruit, which is where your comment, "Lack of common sense and a general state of gullibility account for the vast majority of banking fraud" comes in.

Of course, I'm involved with the development of software and the support of web applications and services and the infrastructure that they run on. So what do I know?

Edit:
List of Google Android Common Vulnerabilities and Exposures: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=google+android

List of Apple iOS Common Vulnerabilities and Exposure: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Apple+iOS

Err, because you asked "On what basis do you assert that a phone is more secure than a bank card?"... 
Yes, it's going to be an ongoing battle within tech and the individual needs to be savvy and aware, but, mobile banking is working for the majority and your concerns don't put me off in anyway.
I'm in the process of changing banks as my current one is lagging behind a bit. The majority of my tap and go payments are done with chip enabled ring connected to a credit card. Only occasionally do I use the phone for payments. However, all of my interactions with the bank, direct debits, payments in/out and reading statements are done via the phone app.
Historically, there has always been something, cheque fraud, card swipe fraud, counterfeit monies etc. etc. So, glass half full for me when it comes to mobile banking, a definite bonus compared with the alternatives. 
I don't really care if someone doesn't want to use mobile or PC based banking. It works for me and it's kept my money safe for years, so, onward and upward..

My concerns are my concerns. I'm not advocating that anyone should change their banking habits on the strength of what I write. My main point is, in answer to the question that that OP asks, there is not a simple binary yes/no answer - especially when many posters advocate that mobile banking is more secure with very little technical information to support that point of view.

The actual truth is we don't know and we can't possibly know because the code used in these apps is closed source and not subject to scrutiny or audit. The only bank I'm aware of that is truly open and transparrent about its security is Monza, because when they find a security problem they publish the details of it in a post-mortem so that people can see what they are doing to address the security problems they find and that other similar organisations can learn from the issues they have experienced.

I wouldn't put a banking application onto an Android phone, because as you saw from the lists of CVEs I posted links to, Android has a lot of security problems. Now it could be argued that it is simply easier for security researchers to find exploits in Android because its code base is published. Or it could be that Apple genuinely produces a much more secure mobile operating system. I suspect it is a bit of both. But in all reality, we don't know and there's know way of truly knowing.

If I could justify an iPhone and did want to make my way into Apple's walled garden then I might use that phone for mobile banking.

[Deleted User]

CoastingHatbox said:

Deleted_User said:

never understood why people so passionate about open source, linux (and now this unheard of lineageOS) and against anything closed that Microsoft, google or apple do never seem to get any traction in the mainstream to create something that is "so called better" than what any of those companies have ever done.

It feels more like a hobby/niche area that does not have any scale. 

Not that this has anything to do with the topic, but Linux is used to run:

• 100% of the worlds super computers
• Over 95% of the top million frequently used websites, probably including this one
• 90% of the worlds cloud infrastructure
• Most likely a number of appliances in your home
• Even the Management Engine built into all Intel CPUs since 2008 is running a flavour of Linux called Minix
  

The irony is Google and expecially Microsoft owe a great deal of their profit to Linux as it is used extensively by customers of their cloud platforms.

Your arguments against mobile banking come from the same realm of those who champion anything open source and are against anything closed or proprietary and propose solutions or opinions that have no scale. 

Consumers are not flocking to lineageOS for their mobile needs or dumping windows or Mac OS for linux. I'm still waiting for the sky to fall when it comes to my online privacy and security being comprised. Currently smart phones and its software keep moving forward and providing the opportunity for others to bring new apps/programs and interfaces to the masses.

I applaud Microsoft, Google, Apple and other companies for continuing to push forward and I also applaud those people who keep testing and looking for vulnerabilities in these companies. I don't support those who dismiss new technology that is already here and is being used. 

CoastingHatbox

Deleted_User said:

CoastingHatbox said:

Deleted_User said:

never understood why people so passionate about open source, linux (and now this unheard of lineageOS) and against anything closed that Microsoft, google or apple do never seem to get any traction in the mainstream to create something that is "so called better" than what any of those companies have ever done.

It feels more like a hobby/niche area that does not have any scale. 

Not that this has anything to do with the topic, but Linux is used to run:

• 100% of the worlds super computers
• Over 95% of the top million frequently used websites, probably including this one
• 90% of the worlds cloud infrastructure
• Most likely a number of appliances in your home
• Even the Management Engine built into all Intel CPUs since 2008 is running a flavour of Linux called Minix
  

The irony is Google and expecially Microsoft owe a great deal of their profit to Linux as it is used extensively by customers of their cloud platforms.

Your arguments against mobile banking come from the same realm of those who champion anything open source and are against anything closed or proprietary and propose solutions or opinions that have no scale. 

Consumers are not flocking to lineageOS for their mobile needs or dumping windows or Mac OS for linux. I'm still waiting for the sky to fall when it comes to my online privacy and security being comprised. Currently smart phones and its software keep moving forward and providing the opportunity for others to bring new apps/programs and interfaces to the masses.

I applaud Microsoft, Google, Apple and other companies for continuing to push forward and I also applaud those people who keep testing and looking for vulnerabilities in these companies. I don't support those who dismiss new technology that is already here and is being used. 

I haven't once said what other people should do. All I've done is state what I do/would do, based around a set of considerations that directly affect the answer to the OPs question, for any given individual. I am not dismissing mobile banking, I am trying to give an informed answer to the OPs question from my point of view. In my case, mobile banking doesn't make a lot of sense because I don't think it increases the level of convenience enough to justify ignoring the segregation and mitigations that run on my home network in order to use it. I was using my case as an example of the consideration needed before answering the question.

You simply cannot say definitively one way or the other, when comparing the security of mobile banking and desktop banking. It depends on a wide range of factors and is going to vary from one person to the next.

Microsoft, Google, Apple rely heavily on open source software and make contributions to open source software themselves. Microsoft and Google are members of the Linux Foundation. Android is opensource. LineageOS is a fork of Android. And it is a good way of continuing to get software updates for lots of phones after the manufacturers and carriers have stopped making them available.

To put it another way, a large portion of Google Chrome's codebase is open source. Hence Microsoft are able to build their browser, Edge based on the same codebase. The same used to be true of the engine in Apple's Safari browser.

Open source projects create a lot of the innovation that the large commercial players are profiteering from. Maybe you should be a little bit more open minded and less dismissive yourself.

[Deleted User]

CoastingHatbox said:

Deleted_User said:

CoastingHatbox said:

Deleted_User said:

never understood why people so passionate about open source, linux (and now this unheard of lineageOS) and against anything closed that Microsoft, google or apple do never seem to get any traction in the mainstream to create something that is "so called better" than what any of those companies have ever done.

It feels more like a hobby/niche area that does not have any scale. 

Not that this has anything to do with the topic, but Linux is used to run:

• 100% of the worlds super computers
• Over 95% of the top million frequently used websites, probably including this one
• 90% of the worlds cloud infrastructure
• Most likely a number of appliances in your home
• Even the Management Engine built into all Intel CPUs since 2008 is running a flavour of Linux called Minix
  

The irony is Google and expecially Microsoft owe a great deal of their profit to Linux as it is used extensively by customers of their cloud platforms.

Your arguments against mobile banking come from the same realm of those who champion anything open source and are against anything closed or proprietary and propose solutions or opinions that have no scale. 

Consumers are not flocking to lineageOS for their mobile needs or dumping windows or Mac OS for linux. I'm still waiting for the sky to fall when it comes to my online privacy and security being comprised. Currently smart phones and its software keep moving forward and providing the opportunity for others to bring new apps/programs and interfaces to the masses.

I applaud Microsoft, Google, Apple and other companies for continuing to push forward and I also applaud those people who keep testing and looking for vulnerabilities in these companies. I don't support those who dismiss new technology that is already here and is being used. 

I haven't once said what other people should do. All I've done is state what I do/would do, based around a set of considerations that directly affect the answer to the OPs question, for any given individual. I am not dismissing mobile banking, I am trying to give an informed answer to the OPs question from my point of view. In my case, it doesn't make a lot of sense because of the segregation and mitigations that run on my home network. But then, I have too maintain a reasonably high level of security because I use machines on my network to remote into data centres.

Microsoft, Google, Apple rely heavily on open source software and make contributions to open source software themselves. Microsoft and Google are members of the Linux Foundation. Android is opensource. LineageOS is a fork of Android. And it is a good way of continuing to get software updates for lots of phones after the manufacturers and carriers have stopped making them available.

To put it another way, a large portion of Google Chrome's codebase is open source. Hence Microsoft are able to build their browser, Edge based on the same codebase. The same used to be true of the engine in Apple's Safari browser.

Open source projects create a lot of the innovation that the large commercial players are profiteering from. Maybe you should be a little bit more open minded and less dismissive yourself.

If people use open source then more power to them and if this moves things forward then great. You can say what you want and what I'm saying is I don't support what you say.

To quote you 

From a security and a privacy perspective, I can't imagine anything worse than relying on my phone to make payments.

As you said it's about mobile banking and what you said is not a reflection of how Apple, Google, Samsung, financial sector and consumers have embraced this new technology and keep moving things forward for over a decade and keep doing so. For you to make such a statement in 2020 kinda shows that maybe you should be a little more open minded and less dismissive.

RumRat

Yours is a fairly unique situation that the vast majority of laptop/PC users will not find themselves in, let alone understand. I doubt you think that the average user has any of the safeguards you have implemented on your system, or, that they need them. As you say, for you it makes little sense, for us mere mortals, it does.
For that majority, I would still say, that Mobile banking is safer than on-line banking even if only marginally. 

CoastingHatbox

Yeah just read that sentence you have quoted and italicised again.
I'm talking about me ("I") and "my" phone. That's my personal opinion. I'm not advocating or recommending anyone else do anything.

There are three reasons I wrote that.

1. My propensity for leaving things behind, especially my phone. The same reason the debit card for my main current account is not in my wallet. This is by far the biggest reason, given that you can make a limited number of payments up to a certain amount with Google Pay. That and I use a pin on my phone which, as I've already discussed, is about the convenience of easily unlocking it without using biometric data because pins and passwords can be changed; biometric data cannot.
2. Android Security - I use LineageOS which is a derivative of Android. Android does not have the best record when it comes to vulnerability and exposure - see the CVE list posted earlier. I've already touched upon the fact that if I used iOS, I might reconsider.
   
3. Privacy - From a privacy point of view, there is simply more meta data that can be collected with a Google Pay transaction than I am personally comfortable with sharing. In stock Android, turning off the location feature doesn't stop your location data being sent to Google. You add that to large established retailers using wireless triangulation and bluetooth beacons to track customers movements throughout shops, I'm actually inclined to turn my phone off rather than unwhittingly share extra information with them. This is my personal perspective, which I hold for no other reason than I value privacy.

I have not made any denials about how this technology has been embraced by anyone. You are the person misconstruing my personal opinions about mobile banking in my circumstances, given my attitudes towards risk and privacy, into some sort of advocacy.

CoastingHatbox

RumRat said:

Yours is a fairly unique situation that the vast majority of laptop/PC users will not find themselves in, let alone understand. I doubt you think that the average user has any of the safeguards you have implemented on your system, or, that they need them. As you say, for you it makes little sense, for us mere mortals, it does.
For that majority, I would still say, that Mobile banking is safer than on-line banking even if only marginally. 

Yours is a fairly unique situation that the vast majority of laptop/PC users will not find themselves in, let alone understand. I doubt you think that the average user has any of the safeguards you have implemented on your system, or, that they need them. As you say, for you it makes little sense, for us mere mortals, it does.

Yes, absolutely agree with that.

For that majority, I would still say, that Mobile banking is safer than on-line banking even if only marginally.

Possibly true some of the time. Using an Apple Phone that still receives updates, compared to a Windows PC, most likely. A Samsung Galaxy S7? Support for that ended earlier this year so perhaps not, depending on what unpatched vulnerabilities the phone is subject to. That would need some research, but it may well transpire using a fully patched Windows 10 computer is the better bet.

In reality, it is probably not a concern for most people who are using fairly recent iOS/Android versions on non-rooted/jailbroken phones that are not allowed to join open Wi-Fi hotspots without user acknowledgement. And I'd hope that the mobile banking apps themselves would identify insecure or compromised versions of the operating systems running those apps. However, if they are relying on some of the traditional third parties for that kind of thing (like IBM's Trusteer), that is yet another conversation. Although I am not saying that they do, it is not something I have ever looked into. Possibly another avenue with exploring en route to enlightenment.

[Deleted User]

CoastingHatbox said:

Yeah just read that sentence you have quoted and italicised again.
I'm talking about me ("I") and "my" phone. That's my personal opinion. I'm not advocating or recommending anyone else do anything.

There are three reasons I wrote that.

1. My propensity for leaving things behind, especially my phone. The same reason the debit card for my main current account is not in my wallet. This is by far the biggest reason, given that you can make a limited number of payments up to a certain amount with Google Pay. That and I use a pin on my phone which, as I've already discussed, is about the convenience of easily unlocking it without using biometric data because pins and passwords can be changed; biometric data cannot.
2. Android Security - I use LineageOS which is a derivative of Android. Android does not have the best record when it comes to vulnerability and exposure - see the CVE list posted earlier. I've already touched upon the fact that if I used iOS, I might reconsider.
   
3. Privacy - From a privacy point of view, there is simply more meta data that can be collected with a Google Pay transaction than I am personally comfortable with sharing. In stock Android, turning off the location feature doesn't stop your location data being sent to Google. You add that to large established retailers using wireless triangulation and bluetooth beacons to track customers movements throughout shops, I'm actually inclined to turn my phone off rather than unwhittingly share extra information with them. This is my personal perspective, which I hold for no other reason than I value privacy.

I have not made any denials about how this technology has been embraced by anyone. You are the person misconstruing my personal opinions about mobile banking in my circumstances, given my attitudes towards risk and privacy, into some sort of advocacy.

Your personal opinion regarding how you think other companies use your privacy, data and the technology behind it. Which are those same companies used by others. Posted onto a public forum where others can see it and post their personal opinions on what you said.

JustAnotherSaver

I see the Internet as the land of the hard-headed. Everyone is right and nobody will entertain having their mind changed. 

I think if this thread hits 500 pages you lot will still be saying the same things while standing on the same side of the fence that you were on on page 1, 2 & 3.

On you go...