App based bank security

There's been a growing move towards app based banking over the past few years and I've always avoided it due to concerns over security. Watching https://www.channel5.com/show/phone-scams-don-t-get-caught-out last night, it would seem that my concerns were justified as some apps used by (mainly) challenger banks seem to be light on security.
Some of the scams exploit people's stupidity/naivety, and no amount of security will change that, but the ease the scammers seem to have in accessing certain types of accounts is worrying.
Anybody had any nasty experiences?
Comments

  • Aidanmc
    Watched that last night also. Couldn't understand the last girl's case, the one who had phone/cards stolen. How did they move money from her savings to current account? Surely there would be user id/password to access account. Although they did have the sim to receive the code. I don't use app at all so not familiar how they work.

  • Qyburn
    I've not looked into the details but I am a little uncomfortable with the trend towards not just 100% faith in phone app security, but also 100% reliance. More and more I'm finding that even when logged into normal Internet banking, certain actions have to be authorised from the phone.
    If your phone dies or gets lost you're goosed. If someone nicks your phone there's only a PIN between them and all your banking.
  • Zaul22
    That was my biggest problem with Monzo. 
  • masonic
    It is a little concerning that a few of the banking apps have a passwordless login. Just enter a code sent by SMS and you're in. Many people don't have a lockscreen protected by a strong password, or allow message previews to be shown on the lockscreen. In an ideal world, banking apps would be loaded on a separate device that is physically secured and not taken out and about everywhere the owner goes.
  • km1500
    One thing that is worth checking is the procedure your bank follows to add a new payee, and deciding if that procedure is good enough for you.

    Lloyds for example require otc which is insecure if someone has your phone!

    Nationwide on the other hand require card reader authentication

  • Beddie
    Apps are more secure than websites by design, hence often only a PIN or fingerprint is enough. Fraud is caused by weak human behaviour in almost all cases. I agree that using SMS to assist with logging in is poor, as it is all on the same device. But as others have said above, do not allow message previews on lockscreens and that makes it much more difficult for scammers.

    Think about all the stories you read about scams - they are about people being taken in by tricksters and willingly making transfers. It's like the posts you read about contactless cards being charged by someone who walks past - lots of scare stories but so little, if any, actual evidence.
  • qbs
    Interesting Beddie said:
    Apps are more secure than websites by design, hence often only a PIN or fingerprint is enough. Fraud is caused by weak human behaviour in almost all cases. I agree that using SMS to assist with logging in is poor, as it is all on the same device. But as others have said above, do not allow message previews on lockscreens and that makes it much more difficult for scammers.

    Think about all the stories you read about scams - they are about people being taken in by tricksters and willingly making transfers. It's like the posts you read about contactless cards being charged by someone who walks past - lots of scare stories but so little, if any, actual evidence.
    The C5 programme suggested that some banking apps were far from secure, so, while agreeing that opinions generally favour app over website, the underlying assumption is that you start off with a secure app.
    The app over website belief also relies heavily on levels of security installed on devices, and while it's relatively easy to maintain security on a PC at least for the supported life of the OS, won't phones become increasingly vulnerable after they lose support, which may be as little as 2 years? 
  • qbs
    jaypers said:
    Most scams are the result of a human being caught out in some way into either directly or indirectly divulging some sort of information that should not be in someone else’s hands. It’s almost unheard of for systems to be compromised technically. A few precautions everyone should take……..

    Use secure passwords (where passwords are required).
    Don’t use the same passwords and/or PIN for different logins.
    Always ensure your device is secured via biometric or PIN security.
    Never type login details when you are connected to an unsecured network (eg: any free wi-fi etc). If you need to use this sort of a connection, invest in a VPN which will protect you from prying eyes.
    Always opt for 2 factor authentication where this is an option.
    Never ever trust an unsolicited email or text and never click on a link that has been sent to you.
    One of the cases in the C5 programme involved the victim being called by bank security. The first mistake is obviously entering into a conversation on an incoming call, but setting that aside, the "bank" had an amazing amount of information on the victim - source not explained. I wondered if at least some of the information was gathered from a discarded or stolen bank statement. I'm always surprised at banks including full account information on statements sent through the post. Unnecessary and insecure.

    If I remember correctly, it was also this scam that sent a fake QR code that allowed the scammer full access to the victim's accounts. Is there any way to read a QR code?
  • JohnWinder
    masonic said:
    It is a little concerning that a few of the banking apps have a passwordless login. Just enter a code sent by SMS and you're in. Many people don't have a lockscreen protected by a strong password, or allow message previews to be shown on the lockscreen. In an ideal world, banking apps would be loaded on a separate device that is physically secured and not taken out and about everywhere the owner goes.
    You can lock some phones with a 6 character ‘pin’ of letters and numbers, to protect your apps. And the phone will give a baddy only a few guesses at the pin before the phone is disabled. That’s not bad security. And any notifications don’t have to appear on the lock screen, nor should they if they’re sensitive.