TANDEM APP SECURITY CONCERN

Bobby4puddings

I've just opened a Tandem APP based savings account and put a small nominal amount to to make sure it worked.
I have never come across an APP like this before. It doesn't have a username, password, PIN or any security questions.
I open the APP and a 'log in' comes up, I press that and a message comes up to put my mobile number in and also a message "text me a code" I do that and a 6 digit code comes up in that same screen.
This then opens up my account to do as you please with it.
My concern is if I lose my phone and the finder can turn it on they can then open the Tandem APP without needing any password or PIN. This cant be right surely?
I have emailed Tandem twice about this but they haven't bothered to reply.
I might have to shut the account down and go elsewhere.

horsewithnoname

I’ve got facial recognition on mine. If it ain’t my face the app won’t open. Mind you neither would the phone in the first place to get to the app. 

twadds123

Yes they can open the app, but money can only be moved to an account in your name linked through open banking with the relevant security checks etc.

I would like the app to be a bit more secure but it's not a huge concern from that point of view.

Bobby4puddings

I see what you mean, it just seems a strange way.
Thanks for the replies!

masonic

There's a big push towards passwordless login these days. Obviously no system is without its flaws. For a savings bank that only permits withdrawals to a verified current account in the customer's name, fewer precautions need be taken. For a bank offering current accounts that can send payments anywhere, I would expect a bit more security.

However, the vast majority of smartphone users have things on their phone they wouldn't want a stranger to be able to access, and so they should protect their phone with a lockscreen using a strong password / biometrics. They probably also would not want their phone SIM to be used without their consent in another device, so should enable a SIM PIN.

Zaul22

It's lazy and negligent but it is also technically still relatively safe. 

Stargunner

Bobby4puddings said:

I've just opened a Tandem APP based savings account and put a small nominal amount to to make sure it worked.
I have never come across an APP like this before. It doesn't have a username, password, PIN or any security questions.
I open the APP and a 'log in' comes up, I press that and a message comes up to put my mobile number in and also a message "text me a code" I do that and a 6 digit code comes up in that same screen.
This then opens up my account to do as you please with it.
My concern is if I lose my phone and the finder can turn it on they can then open the Tandem APP without needing any password or PIN. This cant be right surely?
I have emailed Tandem twice about this but they haven't bothered to reply.
I might have to shut the account down and go elsewhere.

If someone can get into your lost phone I suggest you sort out the security settings of your phone first, before you worry about the security of the Tandem app.

Bobby4puddings

I do keep my security settings sorted and always update with latest security patches, along with anti virus software, so I reckon I have got my phone security as good as it can get.
Up until recently there was a hack that could unlock an Android phone in less than 1 minute without any additional software. Google cured this with with a security patch on Google Pixel phones but not others, they were working on it. I don't know if the other mobiles have been updated yet with a security patch.
How come every other bank want passwords etc. but not Tandem?

masonic

Bobby4puddings said:

How come every other bank want passwords etc. but not Tandem?

Most are moving away from passwords, which are often just needed to set up a new trusted device and as a fallback option. Other banks need greater security because they provide more dangerous features, such as the ability to transfer money to third parties. Other app-based savings banks are more like Tandem. Chip, for example, does not require a password either.

Stargunner

Bobby4puddings said:

I do keep my security settings sorted and always update with latest security patches, along with anti virus software, so I reckon I have got my phone security as good as it can get.
Up until recently there was a hack that could unlock an Android phone in less than 1 minute without any additional software. Google cured this with with a security patch on Google Pixel phones but not others, they were working on it. I don't know if the other mobiles have been updated yet with a security patch.
How come every other bank want passwords etc. but not Tandem?

With Tandem you can only transfer money to s linked bank account in the account holder’s name, so you don’t need to be worrying.

Qyburn

horsewithnoname said:

I’ve got facial recognition on mine. If it ain’t my face the app won’t open. Mind you neither would the phone in the first place to get to the app. 

That just secures use of the app on your phone. Nothing stopping someone else installing the app and accessing your account, except for that text code.

I've seen a few posts where people seem to think a biometric logins adds security. It doesn't. What it does is allow access bypassing other measures. So it's for ease of use, rather than security. When my fingerprint doesn't work on my iPhone I can unlock with the passcode. If a third party knew my passcode they could unlock the phone and add their own fingerprint.

Same with banking apps. If I allow TSB to use fingerprints I can login without knowing any account information, but if fingerprint doesn't work I can still access using passwords etc. Two alternative types of security, either one of which lets you in. Not two layers.