CHIP - contact if mobile phone unavailable?

Comments

  • k_man
    k_man Posts: 1,636 Forumite
    Just tested this (albeit with a reinstall, rather than a new device) and the Secure login (PIN and fingerprint settings) are not persistent.

    So SMS message is the only authentication factor, for app/account access. Funds are protected by the connected bank security.
  • grumbler
    grumbler Posts: 58,629 Forumite
    Yes, I have a record of some 4-digit password for Chip that I was probably asked only once.

    Regarding the connected/linked bank, can't it be changed if someone gets into my Chip account? Or is it the customer name that must be the same for both Chip and the linked bank account?
  • masonic
    masonic Posts: 26,784 Forumite
    edited 8 April 2023 at 8:09PM
    k_man said:
    Just tested this (albeit with a reinstall, rather than a new device) and the Secure login (PIN and fingerprint settings) are not persistent.

    So SMS message is the only authentication factor, for app/account access. Funds are protected by the connected bank security.
    Well that is disappointing. Renders it completely pointless as if anyone ever gets unlocked access to the device, they can simply clear data, open the app, receive SMS and they are in.
    grumbler said:
    Regarding the connected/linked bank, can't it be changed if someone gets into my Chip account? Or is it the customer name that must be the same for both Chip and the linked bank account?
    If someone can receive messages/calls on your registered mobile number, and can get into the app as a consequence, then that would make them appear quite convincing to Chip customer services, who communicate primarily through in-app messaging.
    I don't know what security steps are taken when adding a linked account, but someone would indeed need to open a current account in your name to steal your money by this route.
  • Band7
    Band7 Posts: 2,285 Forumite
    masonic said:
    grumbler said:
    fonesaver said:
    masonic said:
    You can normally get a replacement SIM within a few days. In the event you cannot retain your old number, you'd need to contact them to associate your account with your new number (which will mean going through ID verification again). You can contact them via email for advice if you find yourself in this situation.
    I don't know if Chip allows you to log in from multiple devices (e.g. a tablet and phone). This can serve as a useful backup option, but not all providers support it.
    I'd always recommend keeping enough money in a non app-only account to cover your spending needs for at least a week or two in case of such an event.
    Yes the Chip app can be installed on multiple devices unlike Chase.
    Does this mean that anyone who finds my phone with a SIM that isn't locked, can put this SIM into another phone, install Chip app there and get access to my account?

    I was told earlier that a fingerprint is needed only to unlock the app. If so, the only authentication factor remaining that is needed is the code sent by an SMS.
    You can set up biometrics to unlock the app, but as with all secure biometric access, this is specific to the device on which you activate it and never leaves that device. On a new device, there would not be the option to use biometrics until after a successful login, and those biometrics would be the ones stored on the new device.
    No app security is set up by default, but you have the option to set a PIN, which is requested when opening the app. I believe this is a prerequisite of the biometric lock and is the secret that the biometric challenge unlocks. Therefore, if someone got hold of your SIM and it didn't have a SIM-PIN (or they did a SIM swap attack), then they could download the app, enroll the new device, but would need the app PIN to get in to your account.
    They could also only xfer money to your linked account. The linked account can only be changed by calling CHIP CS. I have no practical experience of changing linked account but I suppose they will take you through security. Crucially, your new linked account will also have to be in your name, and they will check that it is. Now there is of course no 100% guarantee that your banking matters haven't been so badly compromised that you couldn't also lose all money that arrives in your current account but the reason for this wouldn't be lack of CHIP security.
  • masonic
    masonic Posts: 26,784 Forumite
    Band7 said:
    masonic said:
    grumbler said:
    fonesaver said:
    masonic said:
    You can normally get a replacement SIM within a few days. In the event you cannot retain your old number, you'd need to contact them to associate your account with your new number (which will mean going through ID verification again). You can contact them via email for advice if you find yourself in this situation.
    I don't know if Chip allows you to log in from multiple devices (e.g. a tablet and phone). This can serve as a useful backup option, but not all providers support it.
    I'd always recommend keeping enough money in a non app-only account to cover your spending needs for at least a week or two in case of such an event.
    Yes the Chip app can be installed on multiple devices unlike Chase.
    Does this mean that anyone who finds my phone with a SIM that isn't locked, can put this SIM into another phone, install Chip app there and get access to my account?

    I was told earlier that a fingerprint is needed only to unlock the app. If so, the only authentication factor remaining that is needed is the code sent by an SMS.
    You can set up biometrics to unlock the app, but as with all secure biometric access, this is specific to the device on which you activate it and never leaves that device. On a new device, there would not be the option to use biometrics until after a successful login, and those biometrics would be the ones stored on the new device.
    No app security is set up by default, but you have the option to set a PIN, which is requested when opening the app. I believe this is a prerequisite of the biometric lock and is the secret that the biometric challenge unlocks. Therefore, if someone got hold of your SIM and it didn't have a SIM-PIN (or they did a SIM swap attack), then they could download the app, enroll the new device, but would need the app PIN to get in to your account.
    They could also only xfer money to your linked account. The linked account can only be changed by calling CHIP CS. I have no practical experience of changing linked account but I suppose they will take you through security. Crucially, your new linked account will also have to be in your name, and they will check that it is. Now there is of course no 100% guarantee that your banking matters haven't been so badly compromised that you couldn't also lose all money that arrives in your current account but the reason for this wouldn't be lack of CHIP security.
    Are you sure that you can 'call' Chip CS? I thought the only options were in-app messaging and email. The apparent lack of a phone service does weaken the security somewhat, as an offline discussion through messaging allows for improvisation and makes it much less likely that suspicion would be aroused.
    This is of minor concern to me because of the challenge someone would have linking an account that would be accepted by Chip. However, the critical vulnerability in their biometric and PIN security is of far greater concern, as it shows a fundamental naivety on their part and is something I will be following up with them.
  • Band7
    Band7 Posts: 2,285 Forumite
    You are right, it’s “contact”, not “call”
  • Seems that there are very few reasons why adding a PIN to lock your SIM would not be a good idea (even if it was just the same as your phone unlock PIN, although ideally something else).
  • masonic
    masonic Posts: 26,784 Forumite
    edited 9 April 2023 at 9:46AM
    Seems that there are very few reasons why adding a PIN to lock your SIM would not be a good idea (even if it was just the same as your phone unlock PIN, although ideally something else).
    Access to communications on a mobile phone number has become one of the primary ways financial (and non-financial) institutions challenge customers to prove who they are, so it is quite important. Along with locking down your account with your network provider so that someone cannot port your number onto a new SIM, protecting your SIM from being popped into any phone and used by someone else is quite important.
  • k_man
    k_man Posts: 1,636 Forumite
    masonic said:
    Seems that there are very few reasons why adding a PIN to lock your SIM would not be a good idea (even if it was just the same as your phone unlock PIN, although ideally something else).
    Access to communications on a mobile phone number has become one of the primary ways financial (and non-financial) institutions challenge customers to prove who they are, so it is quite important. Along with locking down your account with your network provider so that someone cannot port your number onto a new SIM, protecting your SIM from being popped into any phone and used by someone else is quite important.
    While also disabling SMS messages being shown on the lockscreen.
  • masonic said:
    Seems that there are very few reasons why adding a PIN to lock your SIM would not be a good idea (even if it was just the same as your phone unlock PIN, although ideally something else).
    Access to communications on a mobile phone number has become one of the primary ways financial (and non-financial) institutions challenge customers to prove who they are, so it is quite important. Along with locking down your account with your network provider so that someone cannot port your number onto a new SIM, protecting your SIM from being popped into any phone and used by someone else is quite important.
    I would hope that every network provider has stringent procedures to stop a third party from swapping a number to a new SIM without my authorisation/knowledge but as we all know the bad people have ways to circumvent these.

    I often see the advice that you will be aware of this happening if your phone loses service. So that's about 6 times a day as I walk around the city centre.

    Are "big four" providers better at protecting their customers' assets than the MVNOs? Are there specific actions or instructions you can give to your supplier to make it more rigorous (and, of course, onerous)?