
Push towards banking apps


Comments

  • As long as my accountant can get hold of me at my beachfront property in the Bahamas I reckon I can still operate without a smart phone or an app in 2025.
  • Zanderman
    Zanderman Posts: 4,908 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    As long as my accountant can get hold of me at my beachfront property in the Bahamas I reckon I can still operate without a smart phone or an app in 2025.
    That's missing the point, squire. Your servant, the accountant, will be doing your banking and will be needing a smartphone.
  • km1500 said:
    Apart from letting us know that Mr Jacopo de Simone is a handsome chap with an attractive girlfriend called Alicia, that article is very light on any useful information on how the bad people accessed a secured banking app on a secured phone and therefore how others might avoid the same fate.
  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    edited 27 January 2023 at 9:56AM
    Exactly right. I can only assume the person used the same PIN for the banking app as for, e.g., unlocking the phone and was shoulder-surfed.

    Adding a new payee - well, some banks send an OTC, so if they had the phone they could get that.

    Edit: if you have a Samsung Galaxy S series phone I would recommend installing your banking apps in the secure folder and using a unique PIN to open that folder.
  • km1500 said:

    Edit: if you have a Samsung Galaxy S series phone I would recommend installing your banking apps in the secure folder and using a unique PIN to open that folder.
    Very good idea, not just S, my A52 has the same feature. Setting it up now.
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    km1500 said:
    Exactly right. I can only assume the person used the same PIN for the banking app as for, e.g., unlocking the phone and was shoulder-surfed.

    Adding a new payee - well, some banks send an OTC, so if they had the phone they could get that.

    Edit: if you have a Samsung Galaxy S series phone I would recommend installing your banking apps in the secure folder and using a unique PIN to open that folder.
    In the BBC article, they claim not:

    "I don't access my phone using a pin code - I use facial recognition. My Barclays pin is different to my phone pin and they'd need to have both of them."

    Isn't facial recognition/biometric a bit of a red herring though, as there is still an underlying PIN/passcode? Albeit it prevents shoulder surfing.

    SMS (or other messages) shown on lock screens is a big risk.
    IIRC there was an issue with Santander, where a stolen card and phone allowed registering of the card to a new device, using the OTP shown on the stolen phone.

    I am sure there is a bit more to this story.


  • k_man said:
    km1500 said:
    Exactly right. I can only assume the person used the same PIN for the banking app as for, e.g., unlocking the phone and was shoulder-surfed.

    Adding a new payee - well, some banks send an OTC, so if they had the phone they could get that.

    Edit: if you have a Samsung Galaxy S series phone I would recommend installing your banking apps in the secure folder and using a unique PIN to open that folder.
    In the BBC article, they claim not:

    "I don't access my phone using a pin code - I use facial recognition. My Barclays pin is different to my phone pin and they'd need to have both of them."

    Isn't facial recognition/biometric a bit of a red herring though, as there is still an underlying PIN/passcode? Albeit it prevents shoulder surfing.

    SMS (or other messages) shown on lock screens is a big risk.
    IIRC there was an issue with Santander, where a stolen card and phone allowed registering of the card to a new device, using the OTP shown on the stolen phone.

    I am sure there is a bit more to this story.


    Exactly my point. I know it's not a technical article but the valid points you make (and other guidance or advice) could have been addressed or linked to.

    Personally, I've decided that it's not necessary to have every financial institution's app on my phone. Really hurts my inner geek but it just makes sense. And the advice about not showing notifications on a lock screen is good.
  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    edited 27 January 2023 at 11:11AM
    km1500 said:

    Edit: if you have a Samsung Galaxy S series phone I would recommend installing your banking apps in the secure folder and using a unique PIN to open that folder.
    Very good idea, not just S, my A52 has the same feature. Setting it up now.
    Barclays is the only bank I found that used to not support secure folder, but that may have changed now.

    Make sure you only specify the PIN to unlock the folder, e.g. no fingerprint etc.
  • AmityNeon
    AmityNeon Posts: 1,085 Forumite
    1,000 Posts Second Anniversary Photogenic Name Dropper
    I dislike how convenience has compromised security.

    For a locked phone secured by facial recognition and a different PIN used for the Barclays app, to still be drained of over £22K, only for you to be blamed for negligence after being a victim of crime and having to fight for your money back?

    Where are the investigative details? What is happening exactly in these cases where no social engineering is involved? It’s abhorrent conduct for a bank to wash their hands of it and only refund when backed into a corner, and even then, the rest of us are none the wiser, only hoping the same doesn’t happen to us.

    If the only other protective measure is to use a second device that doesn’t leave the home, I’m not surprised some people don’t trust mobile banking. A separate folder unlocked with a different password is definitely good practice, but it’s not a standard feature across all devices, and certainly not expected by banks who believe in their infallibility because they’re unable to conceive scenarios beyond rigid procedure. Fraud happens because criminals think outside the box; the only difference between ingenuity and fraud is ethics.

    If I had the choice, I would choose facial recognition and fingerprint recognition and a custom password (not just a short numerical PIN) AND a OTP generated by a secure method (such as a card reader). There is nothing wrong with providing additional options for security; allow customers to inconvenience themselves if they so desire.

    Texting OTPs via SMS to the same device being used to access the app is like a security guard handing over the keys to anyone who wants to enter a building, ‘by all means go on through!’.
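The point k_man and AmityNeon are making above (a lock-screen OTP, a reused PIN, or an SMS code sent to the same handset all collapse onto whatever the thief already holds) can be checked mechanically. The following is an added illustration, not code from the thread or from any bank: the factor definitions, capability labels and three flows are constructed assumptions modelled on the scenarios the posters describe, not a real bank's authentication design.

```python
from dataclasses import dataclass
from itertools import product

# Constructed capability labels for this example:
#   possession: "phone" (stolen handset), "card" (stolen debit card)
#   knowledge:  PINs the thief would additionally have to learn
KNOWLEDGE = {"phone_pin", "bank_pin", "folder_pin", "card_pin"}

@dataclass(frozen=True)
class Factor:
    name: str
    satisfied_if: tuple  # alternative capability sets that defeat this factor

def passes(factor, caps):
    return any(alt <= caps for alt in factor.satisfied_if)

def blocking(flow, caps):
    """Factors a thief with capabilities `caps` still cannot satisfy."""
    return [f.name for f in flow if not passes(f, caps)]

def minimal_attacker_sets(flow):
    """Every minimal set of capabilities that passes all factors of the flow."""
    combos = {frozenset().union(*choice)
              for choice in product(*(f.satisfied_if for f in flow))}
    return {c for c in combos if not any(o < c for o in combos)}

def secrets_needed(flow):
    """Fewest distinct PINs a thief must learn beyond the stolen hardware."""
    return min(len(s & KNOWLEDGE) for s in minimal_attacker_sets(flow))

# Factor models (constructed): face unlock falls back to the phone PIN,
# a lock-screen OTP preview needs only the handset, a card reader needs the card PIN.
FACE_UNLOCK = Factor("phone unlock: face, PIN fallback", ({"phone", "phone_pin"},))
APP_PIN_SHARED = Factor("bank app PIN reused as phone PIN", ({"phone_pin"},))
APP_PIN_UNIQUE = Factor("bank app PIN, unique", ({"bank_pin"},))
FOLDER_PIN = Factor("secure folder, PIN only", ({"folder_pin"},))
SMS_OTP_PREVIEW = Factor("SMS OTP previewed on lock screen", ({"phone"},))
SMS_OTP_HIDDEN = Factor("SMS OTP, no lock-screen preview", ({"phone", "phone_pin"},))
CARD_DETAILS = Factor("card number/expiry", ({"card"},))
CARD_READER_OTP = Factor("card-reader OTP", ({"card", "card_pin"},))

FLOWS = {
    "register card on new device": [CARD_DETAILS, SMS_OTP_PREVIEW],
    "add payee, shared PIN": [FACE_UNLOCK, APP_PIN_SHARED, SMS_OTP_HIDDEN],
    "add payee, secure folder + card reader": [FACE_UNLOCK, FOLDER_PIN, APP_PIN_UNIQUE, CARD_READER_OTP],
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name}: secrets needed = {secrets_needed(flow)}; "
              f"minimal attacker sets = {[sorted(s) for s in minimal_attacker_sets(flow)]}")
```

The first two flows pass with the stolen hardware plus at most one shoulder-surfed PIN, which is the collapse the posters describe; the third still blocks a thief who holds the phone and its PIN.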