
App based bank security


Comments

  • Qyburn
    Qyburn Posts: 3,557 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper
    jaypers said:
    If it was a Barclays account that was drained of £22.5k (or any amount) then a new payee must have been set up. This would require an additional element of authorisation within the app when making the payment such as debit card details.
    I don't know Barclays, but Lloyds authorisation to set up a new payee can be by a call to your mobile phone.

    As for the bank's attitude, when we had fraudulent debit card transactions the bank did not believe that the card had never been used before and never taken out of the house either. Posters on here didn't believe that either.
  • qbs
    qbs Posts: 44 Forumite
    Part of the Furniture 10 Posts Name Dropper Combo Breaker
    Lots of interesting comments.

    If anybody commenting hasn't watched the programme, please do and give your theories on how the various scams operated. Some were pretty obvious - a bit like hooking and playing a fish. The fast food woman at the beginning and the blonde woman at the end weren't so clear.
  • refluxer
    refluxer Posts: 3,181 Forumite
    1,000 Posts Fourth Anniversary Photogenic Name Dropper
    P1Fanatic said:
    Qyburn said:
    jaypers said:

    Never type login details when you are connected to an unsecured network (eg: any free wi-fi etc). If you need to use this sort of a connection, invest in a VPN which will protect you from prying eyes.
    This one is overstated in my opinion. Any sort of finance application or web page is going to be using some sort of SSL or TLS so the data is encrypted before it leaves your device. Pretty much all public wireless networks use client isolation anyway.
    jaypers said:
    Always opt for 2 factor authentication where this is an option.
    That's the point, a phone app is very much one factor. Get past the PIN and you have full access. Fingerprints? Not a problem, go into settings and add your fingerprints, and you're in.
    That's a good point tbh and something I've never tested. I mean even with 2FA apps like DUO, MS Authenticator etc - if you have Face/TouchID enabled, someone gets your PIN, gets in your phone, adds their own face/fingerprints - do such apps just work with the new face/finger or do you have to re-enter app PIN if any such change made?
    I made some changes to my phone's security recently (including adding extra fingerprints) and had to re-enter the pins on all my banking apps, so they did recognise when security changes are made and took the appropriate action (essentially turning fingerprint log-in off).

    That's another reason for ensuring that you don't use the same pin codes for both your phone and your banking apps (because the fraudster would presumably have access to your phone pin in order to add/change the fingerprints).
  • Qyburn
    Qyburn Posts: 3,557 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper
    refluxer said:
    P1Fanatic said:
    That's a good point tbh and something I've never tested. I mean even with 2FA apps like DUO, MS Authenticator etc - if you have Face/TouchID enabled, someone gets your PIN, gets in your phone, adds their own face/fingerprints - do such apps just work with the new face/finger or do you have to re-enter app PIN if any such change made?
    I made some changes to my phone's security recently (including adding extra fingerprints) and had to re-enter the pins on all my banking apps, so they did recognise when security changes are made and took the appropriate action (essentially turning fingerprint log-in off).
    I tested with my iPhone: I added an additional finger and no re-authorisation was needed for Lloyds, Nationwide, TSB, American Express or Aqua. So I guess that behaviour may depend on the application, or on the phone OS or version.
    Authentication apps like Duo, RSA, MS Authenticator, Okta are a different beast. With the banking apps you're specifically telling it to use fingerprints instead of their own password/PIN/Code for future logins. For the authenticators I can't see options to set their own passwords, they seem to all rely on the phone security.


  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    On my android phone, changing or adding fingerprints definitely disables fingerprint logon on everything. It has to be re-enabled app by app.
  • Arthurian
    Arthurian Posts: 826 Forumite
    Part of the Furniture 500 Posts Name Dropper
    Thanks to this thread, I have just been into my phone's settings and stopped notifications being displayed on my lock screen. 
  • Aidanmc
    Aidanmc Posts: 1,285 Forumite
    Eighth Anniversary 1,000 Posts Name Dropper
    The program also recommended setting up a pin for your sim card. One of the victims had their phone stolen and the scammers supposedly removed the sim from the phone and put it in one of their phones.

  • qbs
    qbs Posts: 44 Forumite
    Part of the Furniture 10 Posts Name Dropper Combo Breaker
    It never ceases to amaze me how much faith people have in systems being foolproof. Sadly, there's no such thing, and clearly, there appear to be major flaws in some banking apps.
    Anyone who thinks otherwise is deluding themselves.
    The people creating these apps are unlikely to be any different from those who designed the Boeing 737 Max MCAS system, ignoring basic engineering principles and creating a system that was vulnerable to a single point failure.

  • Beddie
    Beddie Posts: 1,007 Forumite
    Part of the Furniture 500 Posts Photogenic Name Dropper
    Qyburn said:
    jaypers said:
    If it was a Barclays account that was drained of £22.5k (or any amount) then a new payee must have been set up. This would require an additional element of authorisation within the app when making the payment such as debit card details.
    I don't know Barclays, but Lloyds authorisation to set up a new payee can be by a call to your mobile phone.

    As for the bank's attitude, when we had fraudulent debit card transactions the bank did not believe that the card had never been used before and never taken out of the house either. Posters on here didn't believe that either.
    For a new payee, Barclays asks for the PIN, not the fingerprint you used to unlock the app, and the last 4 digits of your debit card. So I don't see how the guy in the BBC story got scammed unless they had all of these details. 

    I'm saying the app is secure and the human is the weak point!
  • I am glad this forum exists to help us evaluate these BBC reports.

    I was seriously thinking about keeping my money as cash under the bed.