
App based bank security


Comments

  • km1500
    km1500 Posts: 2,790 Forumite
    One interesting experiment is to see what happens when you click 'forgotten logon details' on your banking website

    I remember Lloyds only wanting details from your debit card and an SMS text to reset everything
  • Qyburn
    Qyburn Posts: 3,571 Forumite
    Qyburn said:
    Our home LTE router can receive SMS messages. I'm experimenting using that as the designated mobile for some savings accounts. 
    That's an interesting idea, the router I'm guessing doesn't leave the house. 

    Would the device that you read the SMS messages on also be non-mobile (PC rather than mobile phone)?

    Are there not times when the savings provider might need to talk to you on the mobile number? Is that possible on a 4G router?
    Correct, the router stays in our roof space. To read the SMS I access from the LAN side via SSH, web or their proprietary management application. This can be done from phone, tablet or PC but only from inside our LAN, management protocols are disabled on the WAN as well as blocked by the firewall. For a savings account I don't need access from away from home. Theoretically I could VPN into the home network, to access from elsewhere.
    There's an element of security by obscurity as well.
    My router doesn't support voice calls, some models do by having an analogue phone port.

  • Qyburn
    Qyburn Posts: 3,571 Forumite
    I just noticed another weakness in one bank's App. It allows you to view full debit card details, including the security code. That particular bank authorised debit card transactions via the app so we're back to that single factor - break into the phone and you can do anything.
  • masonic
    masonic Posts: 27,126 Forumite
    edited 7 February 2023 at 7:33PM
    Qyburn said:
    I just noticed another weakness in one bank's App. It allows you to view full debit card details, including the security code. That particular bank authorised debit card transactions via the app so we're back to that single factor - break into the phone and you can do anything.
    If you can break into the app (i.e. get past lockscreen and app password or biometrics), then you wouldn't need to commit fraud by debit card. It would be more convenient just to transfer out all available funds via faster payment. It wouldn't be single factor, as it would still require something you have+know (password) or have+are (biometrics).
  • 35har1old
    35har1old Posts: 1,892 Forumite
    masonic said:
    It is a little concerning that a few of the banking apps have a passwordless login. Just enter a code sent by SMS and you're in. Many people don't have a lockscreen protected by a strong password, or allow message previews to be shown on the lockscreen. In an ideal world, banking apps would be loaded on a separate device that is physically secured and not taken out and about everywhere the owner goes.
    You can lock some phones with a 6 character ‘pin’ of letters and numbers, to protect your apps. And the phone will give a baddy only a few guesses at the pin before the phone is disabled. That’s not bad security. And any notifications don’t have to appear on the lock screen, nor should they if they’re sensitive.
    The banking apps that I use don't send SMS to log in. You enter a numerical code of 6 numbers that you set when you first use the app

    I recently opened a current account which could only be opened by app and in branch but it required you to have a mobile
  • cwep2
    cwep2 Posts: 233 Forumite
    For what it's worth, any banking apps which could be used to send money to a new payee, I never use FaceID/Biometrics for, I always don't choose that when setting up so I still need to put in a password/passcode I remember. Slightly slower but feels more secure.

    Some savings accounts I use Face ID but these can only transfer to the one linked current account and the current account needs a passcode I have to remember. There may be edge cases where someone could try to change linked account but I'd like to think this would have some comeback to the institution if that happened after a phone gets stolen.

    Of course if someone comes at gun point and threatens to shoot me if I don't let them into the account, there's not much that can stop that.