
App based bank security


Comments

  • masonic
    masonic Posts: 27,009 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 29 January 2023 at 4:36PM
    AmityNeon said:
    masonic said:
    Yellowman said:
    Cynergy and Al Rayan use QR Code logins.

    What Al Rayan is doing is displaying a Cronto image on a desktop browser in order for the user to view online banking on a larger screen. The user still needs to log in to the Al Rayan app and then must scan the image using the app. The image is useless unless you have the user's logged in mobile device (which itself gives you full access to online banking).

    It still allows a remote user to log in by sending the code/image to the unsuspecting customer, who authenticates on their mobile and then scans the code, immediately granting the remote user account access, which was demonstrated in the show (it was a fintech).

    Well yes, true, if the customer is foolish enough to go through authentication on their device in response to a phishing email they'll get nobbled whether they scan a malicious Cronto or get taken to a fake webpage. In Al Rayan's case, they time-limit the validity of the Cronto, but allow 5 minutes, which is too long in my view - why not 30 seconds, or even less?
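    The scan-to-log-in flow discussed above, modelled as an added example (not Al Rayan's or any bank's code): a desktop browser gets a random single-use challenge, the already authenticated app approves it, and the server enforces a validity window. `relay_outcome` shows why the window length matters: a code forwarded to a victim and scanned 60 seconds later is accepted under a 5-minute limit but refused under a 30-second one. All addresses and names are constructed.

    ```python
    import secrets
    import time

    class ScanLoginService:
        """Constructed model of the scan-to-log-in flow, not a bank's code."""
        def __init__(self, ttl_seconds, clock=time.time):
            self.ttl = ttl_seconds
            self.clock = clock             # injectable for deterministic tests
            self.challenges = {}           # challenge id -> record

        def issue(self, browser_ip, browser_ua):
            """Desktop side: mint a random, short-lived, single-use challenge."""
            cid = secrets.token_urlsafe(24)
            self.challenges[cid] = {"issued": self.clock(), "ip": browser_ip,
                                    "ua": browser_ua, "approved_by": None}
            return cid

        def describe(self, cid):
            """Shown in the app before confirming; a relayed code carries a device that is not the user's."""
            rec = self.challenges[cid]
            return f"Sign in a browser at {rec['ip']} ({rec['ua']})?"

        def approve(self, cid, account_id):
            """App side: reached only from an already authenticated app session."""
            rec = self.challenges.get(cid)
            if rec is None:
                return "unknown"
            if rec["approved_by"] is not None:
                return "already-used"      # one scan binds one browser session
            if self.clock() - rec["issued"] > self.ttl:
                del self.challenges[cid]
                return "expired"
            rec["approved_by"] = account_id
            return "ok"

    def relay_outcome(ttl_seconds, delay_seconds):
        """Result when a code issued at t=0 is scanned delay_seconds later,
        e.g. after being emailed to the victim. Values are constructed."""
        now = [0.0]
        svc = ScanLoginService(ttl_seconds, clock=lambda: now[0])
        cid = svc.issue("203.0.113.7", "Example browser")
        now[0] = float(delay_seconds)
        return svc.approve(cid, "acct-1")

    def double_scan_outcome():
        """A second scan of the same code, even inside the window, is refused."""
        svc = ScanLoginService(30, clock=lambda: 0.0)
        cid = svc.issue("203.0.113.7", "Example browser")
        return svc.approve(cid, "acct-1"), svc.approve(cid, "acct-1")
    ```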
  • masonic
    masonic Posts: 27,009 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    qbs said:
    masonic said:
    qbs said:
    It never ceases to amaze me how much faith people have in systems being foolproof. Sadly, there's no such thing, and clearly, there appear to be major flaws in some banking apps.
    Anyone who thinks otherwise is deluding themselves.
    The people creating these apps are unlikely to be any different from those who designed the Boeing 737 Max MCAS system, ignoring basic engineering principles and creating a system that was vulnerable to a single point failure.
    Quite right, nothing is foolproof, whether you're securing cash and valuables at home, doing your banking via branch, making card payments, using an ATM, walking around with a wallet and/or phone, writing cheques, telephone banking, online banking, app banking etc. Risk of loss can never be zero, so the pragmatic approach is to try to understand the risks, take reasonable precautions, and get on with your life. Where you lose money through liability of another party, then there is at least a prospect of recovering it from them, which is easier to do if you can show you took those reasonable precautions. We each have to choose which risks we take, as there is no risk free option.
    Part of the problem is the illusion of security that banks create to protect themselves. 
    As an example, I've experienced problems with internet banking when I've been opening a new account.
    It should be easy, but then comes the call from the bank's overseas call centre (your bank will never call you???) to run security checks. First they want to go through security (your bank will never ask you security questions???), so that's a bit of a concern. However, I've found that giving them a wrong answer or two gives me the chance to reverse security check "the bank". It takes a bit longer, and they're not always amused, but it's my money and I'm paying them for the service so they can like it or lump it.
    The rest of the process once they're happy that they're speaking to the correct person is a waste of time. There's nothing in the Q&A that gives me, the customer, any protection, but it protects the bank.
    I've had calls that were barely audible or intelligible, which obviously raises concerns as to who is calling.
    I raised the matter of these calls with my bank at executive level, and got nowhere.
    I've got to the point now of carrying out such transactions by cheque, if at all possible.

    Going back to the TV programme, if some of those had reverse security checked the caller, they'd probably have had a shorter call and lost no money.
    Yes, banks are poor on authenticating themselves to us customers. This is also a bugbear of mine and I've done similar to you when receiving an incoming call (if unable to call them instead). It really shouldn't be that hard to set up some sort of account password that they need to provide to prove it is them, or use a push notification in-app to mutually authenticate (as Chase bank does). These are the sort of precautions it is good to share and be aware of, as they all help reduce risk.
  • AmityNeon
    AmityNeon Posts: 1,085 Forumite
    1,000 Posts Second Anniversary Photogenic Name Dropper
    masonic said:
    AmityNeon said:
    masonic said:
    Yellowman said:
    Cynergy and Al Rayan use QR Code logins.

    What Al Rayan is doing is displaying a Cronto image on a desktop browser in order for the user to view online banking on a larger screen. The user still needs to log in to the Al Rayan app and then must scan the image using the app. The image is useless unless you have the user's logged in mobile device (which itself gives you full access to online banking).

    It still allows a remote user to log in by sending the code/image to the unsuspecting customer, who authenticates on their mobile and then scans the code, immediately granting the remote user account access, which was demonstrated in the show (it was a fintech).

    Well yes, true, if the customer is foolish enough to go through authentication on their device in response to a phishing email they'll get nobbled whether they scan a malicious Cronto or get taken to a fake webpage. In Al Rayan's case, they time-limit the validity of the Cronto, but allow 5 minutes, which is too long in my view - why not 30 seconds, or even less?

    In the show, it was revealed fraudsters somehow researched the victim beforehand (a hot food market stall) and recited her details over the phone, including names, addresses, phone numbers and card details (she didn't divulge anything herself), which convinced the victim the call was genuine. Obviously a bank would/could never do that, and it was a classic excuse of 'moving money to a safe account' just by scanning a QR code which was emailed to the victim. It was a Friday evening at a market stall so I'm assuming it wasn't the best environment to be vigilant. Apparently there was also no notification, email, text, warning or further verification to indicate £25,000 was transferred away.

  • masonic
    masonic Posts: 27,009 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 29 January 2023 at 6:18PM
    AmityNeon said:
    masonic said:
    AmityNeon said:
    masonic said:
    Yellowman said:
    Cynergy and Al Rayan use QR Code logins.

    What Al Rayan is doing is displaying a Cronto image on a desktop browser in order for the user to view online banking on a larger screen. The user still needs to log in to the Al Rayan app and then must scan the image using the app. The image is useless unless you have the user's logged in mobile device (which itself gives you full access to online banking).

    It still allows a remote user to log in by sending the code/image to the unsuspecting customer, who authenticates on their mobile and then scans the code, immediately granting the remote user account access, which was demonstrated in the show (it was a fintech).

    Well yes, true, if the customer is foolish enough to go through authentication on their device in response to a phishing email they'll get nobbled whether they scan a malicious Cronto or get taken to a fake webpage. In Al Rayan's case, they time-limit the validity of the Cronto, but allow 5 minutes, which is too long in my view - why not 30 seconds, or even less?

    In the show, it was revealed fraudsters somehow researched the victim beforehand (a hot food market stall) and recited her details over the phone, including names, addresses, phone numbers and card details (she didn't divulge anything herself), which convinced the victim the call was genuine. Obviously a bank would/could never do that, and it was a classic excuse of 'moving money to a safe account' just by scanning a QR code which was emailed to the victim. It was a Friday evening at a market stall so I'm assuming it wasn't the best environment to be vigilant. Apparently there was also no notification, email, text, warning or further verification to indicate £25,000 was transferred away.

    Yes, that does sound like it was enabled by very lax security practices beyond the QR code issue. New payee setup should have triggered a separate OTC or app authentication. This fintech was obviously not SCA-compliant, which perhaps it didn't need to be if it was not offering traditional FCA regulated banking/savings products. Normally in such a situation there is protection in the form of being restricted to withdrawals to a nominated account, which obviously couldn't have been the case here. Urgency is a big red flag all by itself. Hopefully there are avenues of complaint escalation for the victim, such as the FOS, although that may not be the case when dealing with non-mainstream products.
  • qbs
    qbs Posts: 44 Forumite
    Part of the Furniture 10 Posts Name Dropper Combo Breaker
    masonic said:
    qbs said:
    masonic said:
    qbs said:
    It never ceases to amaze me how much faith people have in systems being foolproof. Sadly, there's no such thing, and clearly, there appear to be major flaws in some banking apps.
    Anyone who thinks otherwise is deluding themselves.
    The people creating these apps are unlikely to be any different from those who designed the Boeing 737 Max MCAS system, ignoring basic engineering principles and creating a system that was vulnerable to a single point failure.
    Quite right, nothing is foolproof, whether you're securing cash and valuables at home, doing your banking via branch, making card payments, using an ATM, walking around with a wallet and/or phone, writing cheques, telephone banking, online banking, app banking etc. Risk of loss can never be zero, so the pragmatic approach is to try to understand the risks, take reasonable precautions, and get on with your life. Where you lose money through liability of another party, then there is at least a prospect of recovering it from them, which is easier to do if you can show you took those reasonable precautions. We each have to choose which risks we take, as there is no risk free option.
    Part of the problem is the illusion of security that banks create to protect themselves. 
    As an example, I've experienced problems with internet banking when I've been opening a new account.
    It should be easy, but then comes the call from the bank's overseas call centre (your bank will never call you???) to run security checks. First they want to go through security (your bank will never ask you security questions???), so that's a bit of a concern. However, I've found that giving them a wrong answer or two gives me the chance to reverse security check "the bank". It takes a bit longer, and they're not always amused, but it's my money and I'm paying them for the service so they can like it or lump it.
    The rest of the process once they're happy that they're speaking to the correct person is a waste of time. There's nothing in the Q&A that gives me, the customer, any protection, but it protects the bank.
    I've had calls that were barely audible or intelligible, which obviously raises concerns as to who is calling.
    I raised the matter of these calls with my bank at executive level, and got nowhere.
    I've got to the point now of carrying out such transactions by cheque, if at all possible.

    Going back to the TV programme, if some of those had reverse security checked the caller, they'd probably have had a shorter call and lost no money.
    Yes, banks are poor on authenticating themselves to us customers. This is also a bugbear of mine and I've done similar to you when receiving an incoming call (if unable to call them instead). It really shouldn't be that hard to set up some sort of account password that they need to provide to prove it is them, or use a push notification in-app to mutually authenticate (as Chase bank does). These are the sort of precautions it is good to share and be aware of, as they all help reduce risk.
    What I forgot to add was that I was asked for security information (not a password) in full. When I had my broadband from Plusnet and called them, their security check asked for two specific digits from my birthdate and two from my password. Pathetic when a broadband company has a better concept of security than one of the biggest banks in the UK.
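    The partial check qbs describes (two specific positions of a secret rather than the whole thing), written out as an added example that is not from this thread or from any provider: each position is stored as a keyed digest so the call handler can verify two random positions without the caller reading the secret out in full and without the secret sitting in the database in clear. Function names and the sample secret are constructed.

    ```python
    import hashlib
    import hmac
    import secrets

    SERVER_KEY = secrets.token_bytes(32)   # constructed; lives only server-side

    def enrol(secret, key=SERVER_KEY):
        """Store one keyed digest per character so a single position can be
        checked later without holding the secret in the clear. Each digest
        covers just one character, so the key must stay out of the database:
        without it a leaked table cannot be reversed; with it each position
        is trivially guessable."""
        salt = secrets.token_bytes(16)
        digests = [hmac.new(key, salt + i.to_bytes(2, "big") + ch.encode(),
                            hashlib.sha256).digest()
                   for i, ch in enumerate(secret)]
        return {"salt": salt, "digests": digests}

    def choose_positions(record, k=2):
        """Pick k distinct 1-based positions, a fresh set on every call, so a
        caller who overhears one check learns only those characters."""
        n = len(record["digests"])
        return sorted(secrets.SystemRandom().sample(range(1, n + 1), k))

    def verify(record, answers, key=SERVER_KEY):
        """answers maps 1-based position -> character given on the call.
        Every requested position must match; comparisons are constant-time.
        Failed attempts still need a lockout: two characters is a small space."""
        ok = True
        for pos, ch in answers.items():
            if not 1 <= pos <= len(record["digests"]):
                return False
            msg = record["salt"] + (pos - 1).to_bytes(2, "big") + ch.encode()
            expected = hmac.new(key, msg, hashlib.sha256).digest()
            ok &= hmac.compare_digest(expected, record["digests"][pos - 1])
        return ok
    ```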
  • GeoffTF
    GeoffTF Posts: 1,978 Forumite
    1,000 Posts Third Anniversary Photogenic Name Dropper
    Arthurian said:
    Thanks to this thread, I have just been into my phone's settings and stopped notifications being displayed on my lock screen. 
    Disabling notifications on the lock screen can be circumvented by moving the SIM to another phone. It is possible to set a password on the SIM if your supplier supports that.
  • The woman in the gym was also an interesting one. Puts her phone, purse, car keys etc. in a locker whilst working out. Comes back and finds it all stolen. Then finds the thieves have spent £5k on her card after transferring funds from the attached savings account. She wondered how they got into her bank account as they would need to know her phone and banking app PINs, which were different. Not sure it was ever proved, but the show suggested the thieves contacted her bank and pretended they were locked out. They were sent a new PIN to her phone via SMS, but they had moved her SIM into their own phone so were then able to receive the PIN that way and get back in. They recommended setting up a SIM PIN which I must admit I did not have enabled, so I have now done that for myself and the wife.

    You have to treat every call and every contact as if it's a scam until you have verified otherwise. I have a friend who is very clever and involved in Network Security. His wife had a Dell laptop with issues so he raised a fault. Then got a call a couple of days later from Dell who had all the details and asked to connect to the laptop remotely to try a few things. He agreed but immediately got suspicious when they started navigating random folders on the desktop. Disconnected them and took the laptop offline. Called Dell himself and it wasn't them. Clearly someone inside using or selling on details to help fraud. Easy to say you wouldn't get caught, but when busy in between work calls, kids messing around as you're working from home, and someone knows all your info, then you can see why people let their guard down.
  • I did have an experience when some casino website charged my account at night when my phone was off, even though I always need to press an approval button in my bank app.
  • Qyburn
    Qyburn Posts: 3,557 Forumite
    Fifth Anniversary 1,000 Posts Name Dropper
    Our home LTE router can receive SMS messages. I'm experimenting using that as the designated mobile for some savings accounts. 
  • flaneurs_lobster
    flaneurs_lobster Posts: 6,420 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    edited 31 January 2023 at 9:47AM
    Qyburn said:
    Our home LTE router can receive SMS messages. I'm experimenting using that as the designated mobile for some savings accounts. 
    That's an interesting idea, the router I'm guessing doesn't leave the house. 

    Would the device that you read the SMS messages on also be non-mobile (PC rather than mobile phone)?

    Are there not times when the savings provider might need to talk to you on the mobile number? Is that possible on a 4G router?