App based bank security

Comments

  • I think every text, call, email etc. is a scam. Someone wants what’s mine and I act accordingly.
    My bank has all UK staff on the phone, but its sister bank, which runs the fraud team, uses Indian and South African call centres.
    Who in their right mind trusts a foreign voice saying something is wrong with your accounts? Big fail.
    I only have WhatsApp and close family on that, so could not fall for that scam, plus I would ask a security question if anything was requested by friends or family. I don’t trust anyone, especially my brother 😂
    Phone and tablet need Face ID, and I've locked the SIM now too.
  • Qyburn
    Qyburn Posts: 3,622 Forumite
    jaypers said:

    Never type login details when you are connected to an unsecured network (e.g. any free Wi-Fi etc.). If you need to use this sort of connection, invest in a VPN, which will protect you from prying eyes.
    This one is overstated in my opinion. Any sort of finance application or web page is going to be using some sort of SSL or TLS, so the data is encrypted before it leaves your device. Pretty much all public wireless networks use client isolation anyway.
    jaypers said:
    Always opt for 2 factor authentication where this is an option.
    That's the point, a phone app is very much one factor.  Get past the PIN and you have full access. Fingerprints?  Not a problem, go into settings and add your fingerprints, and you're in.
  • jaypers
    jaypers Posts: 1,046 Forumite
    People should think more about some of the things that on the surface look perfectly innocent but in reality are there to steal your information. A good example is Facebook posts along the lines of ‘What was your first holiday’… I see these sorts of things all of the time and thousands of people reply. What’s actually happening here is data mining, and there are underground databases of people being built, full of personal information. Over time this can allow things like identity theft and access to even more information to take place. A lot of these ‘innocent’ looking questions are used by institutions to rescue passwords etc. Always be suspicious online. Take care, people.
  • km1500
    km1500 Posts: 2,790 Forumite
    Use a unique 6-digit PIN to access your phone.

    Don't use it anywhere else.

    Then use fingerprint on top for your everyday convenience, knowing that if a fraudster gets hold of your phone the only way in is via that PIN.

    Use a different PIN if needed for banking apps.
  • refluxer
    refluxer Posts: 3,187 Forumite
    edited 27 January 2023 at 11:01AM
    I've just read this BBC News article about a guy who had his phone stolen and money taken via a banking app. It seems like he'd taken the normal precautions, but I guess being followed and watched while you're out and about is definitely something people need to be aware of...

    Mobile phone fraud: 'They stole £22,500 using my banking app'

    Because the device was locked and password protected, Mr de Simone said that initially, while he was upset his phone had been stolen, he didn't think much more of it until the morning after when he checked his online banking.

    "I found both my current account and savings accounts had been drained of £22,500. I was completely shocked. I didn't know how this was possible. I don't access my phone using a pin code - I use facial recognition. My Barclays pin is different to my phone pin and they'd need to have both of them."

    He phoned Barclays and also reported it to the police. He said Barclays told him it would do an internal fraud investigation which later resulted in Mr de Simone being held liable for all the losses.

    "They could not identify a point of compromise from the back end - to them it looked like the pin had been entered. The only thing they could suggest was that someone knew the code therefore it's gross negligence on my part apparently. I was totally in shock, incredibly unsettled and you just think these things get resolved quite quickly," he said.


  • This is going to sound harsh, but the way to avoid things happening to you is to avoid being the low-hanging fruit. Your security does not need to be perfect, it just needs to be good enough to be better than most other people. So yes, logging in, especially to banking apps, in public using a PIN is a bad idea, much like the old ATM-based card skimmers with cameras above pointing at the number pad.

    The guy who had his phone taken and used, if I had to hazard a guess I would say that they had seen him use the PIN for banking, and at the point they pickpocketed his phone they timed it for when it was unlocked: the old lift it off the table whilst holding something over the top, distraction techniques etc.

    It is one of the reasons that banks still like to use token generators or card and pin code generators to authorise new payees, the ability to only pay existing payees makes it much harder for a scammer to do anything even if they gain access to the account on a mobile device. 
  • jaypers
    jaypers Posts: 1,046 Forumite
    While I’m incredibly sympathetic to anyone suffering this type of crime, I don’t understand that story and it doesn’t fully add up.

    1) Most savings accounts will only allow withdrawals to a nominated account.
    2) If it was a Barclays account that was drained of £22.5k (or any amount) then a new payee must have been set up. This would require an additional element of authorisation within the app when making the payment such as debit card details.
  • Aye that whole story doesn't stack up and is extremely vague on detail. You would also think if you knew it was stolen you would lock it remotely via Lost Mode.
  • Qyburn said:
    jaypers said:

    Never type login details when you are connected to an unsecured network (e.g. any free Wi-Fi etc.). If you need to use this sort of connection, invest in a VPN, which will protect you from prying eyes.
    This one is overstated in my opinion. Any sort of finance application or web page is going to be using some sort of SSL or TLS, so the data is encrypted before it leaves your device. Pretty much all public wireless networks use client isolation anyway.
    jaypers said:
    Always opt for 2 factor authentication where this is an option.
    That's the point, a phone app is very much one factor.  Get past the PIN and you have full access. Fingerprints?  Not a problem, go into settings and add your fingerprints, and you're in.
    That's a good point tbh and something I've never tested. I mean, even with 2FA apps like DUO, MS Authenticator etc., if you have Face/Touch ID enabled and someone gets your PIN, gets in your phone and adds their own face/fingerprints, do such apps just work with the new face/finger, or do you have to re-enter the app PIN if any such change is made?
  • AmityNeon
    AmityNeon Posts: 1,085 Forumite
    The guy who had his phone taken and used, if I had to hazard a guess I would say that they had seen him use the PIN for banking, and at the point they pickpocketed his phone they timed it for when it was unlocked: the old lift it off the table whilst holding something over the top, distraction techniques etc.
    That’s still just a guess to make ourselves feel better. It could be true, and it doesn’t help that Barclays insist on exposing manual PIN entry every five or so logins, but the story lacks technical detail and only offers generic advice on protective measures.