TANDEM APP SECURITY CONCERN

Qyburn

Stargunner said:

With Tandem you can only transfer money to s linked bank account in the account holder’s name, so you don’t need to be worrying.

Security should be in layers and here's a complete layer missing. Are you really happy for others to access your Tandem account, sure they couldn't link a new bank account, won't learn something from Tandem or your OB linked accounts that can help with identity theft?

friolento

Qyburn said:

horsewithnoname said:

I’ve got facial recognition on mine. If it ain’t my face the app won’t open. Mind you neither would the phone in the first place to get to the app. 

That just secures use of the app on your phone. Nothing stopping someone else installing the app and accessing your account, except for that text code.

what is stopping someone else to using the app to access your account is the fact that you need an access code which is sent to your registered mobile number. Provided you have a SIM lock - as recommended, not just for Tandem - that code arrives on your mobile and thwarts all efforts of the fraudster.

But even if you choose not to have a SIM lock, all they could do is send money to a current account in your name. 

horsewithnoname

Look after your mobile phone 😁

friolento

Qyburn said:

Stargunner said:

With Tandem you can only transfer money to s linked bank account in the account holder’s name, so you don’t need to be worrying.

Security should be in layers and here's a complete layer missing. Are you really happy for others to access your Tandem account, sure they couldn't link a new bank account, won't learn something from Tandem or your OB linked accounts that can help with identity theft?

A new current account could only be linked if it is in your name. It will be checked by OB, or manually, that it is an account in your name. For either method of checking, access to the account, or at least to a statement for the account, is required. It's not impossible for a fraudster to have that information - though if they do, it's because you failed to protect your information.

If you allow the fraudster to access your mobile and your current account data, they could see how much money they can't get their hands on. They also can see which accounts you have linked, together with the sort codes and account number (which are printed on most debit cards and on cheques). But they cannot access those current accounts unless you have been negligent with your login information for the current accounts.

All your perceived issues are down to the user being negligent with their login information

flaneurs_lobster

Bobby4puddings said:

Up until recently there was a hack that could unlock an Android phone in less than 1 minute without any additional software. Google cured this with with a security patch on Google Pixel phones but not others, they were working on it.

That sounds very worrying, do you have a link to more information about this security flaw?

friolento

It might be of interest to those worried about the lack of a password in Tandem to read up about FIDO2, the passwordless authentication method coming to more and more of our apps and online accounts. Even Password Managers have now started authentication without passwords, and just about all big players are members of the FIDO alliance

Also worth a read:  Why FIDO 2 Represents The Death Knell For Passwords

Note I have no insight into the technology deployed by Tandem (doubt they are using FIDO2) but I am satisified that my money is safe with them, despite the absence of a password.

.

masonic

Qyburn said:

horsewithnoname said:

I’ve got facial recognition on mine. If it ain’t my face the app won’t open. Mind you neither would the phone in the first place to get to the app. 

That just secures use of the app on your phone. Nothing stopping someone else installing the app and accessing your account, except for that text code.

I've seen a few posts where people seem to think a biometric logins adds security. It doesn't. What it does is allow access bypassing other measures. So it's for ease of use, rather than security. When my fingerprint doesn't work on my iPhone I can unlock with the passcode. If a third party knew my passcode they could unlock the phone and add their own fingerprint.

Same with banking apps. If I allow TSB to use fingerprints I can login without knowing any account information, but if fingerprint doesn't work I can still access using passwords etc. Two alternative types of security, either one of which lets you in. Not two layers.

All true, but use of biometrics does allow for people to use more complex passwords without the inconvenience of having to enter them frequently and/or store them in a manner that they may be more easily observed.

What is frustrating is that some of these apps will let you set up a PIN, but it is local to the app and doesn't stop someone reinstalling the app to bypass it.

flaneurs_lobster

I've come to the conclusion that carrying a phone around with 30-odd apps that give access to financial institutions' systems holding my money is silly. Not so much the security aspect, I'm happy that the phone and each of the apps is tied down about as hard as they can be, but more from the sheer inconvenience of having to a) re-secure access to those systems that have online access and, b) regaining access to those which are app-only, should I lose access to my phone (for whatever reason).

On a day-to-day basis I only need mobile access to a couple of current accounts (and a Revolut account that it only used for contactless payments) so I have a second phone with just those three apps installed and that's the one that gets out of the house. 

Not a cheap option if you want both phones to have OS/security updates for a few years but makes for less anxiety. 

masonic

flaneurs_lobster said:

I've come to the conclusion that carrying a phone around with 30-odd apps that give access to financial institutions' systems holding my money is silly. Not so much the security aspect, I'm happy that the phone and each of the apps is tied down about as hard as they can be, but more from the sheer inconvenience of having to a) re-secure access to those systems that have online access and, b) regaining access to those which are app-only, should I lose access to my phone (for whatever reason).

As it happens I went through this process this week, having upgraded my phone. I already have a limited number of banking apps on my phone (those I might conceivably want to access while away from home, totalling 12, any others are on a cheap tablet I keep at home). The whole process took the better part of 90 minutes, with some apps requiring a further ID check, some an automated phonecall, some required the old device to authorise the new device, etc. I suspect it would have taken a bit longer if I couldn't use my old device where requested. I certainly feel no animosity towards those that required me to jump through some hoops, but it was an eye opener to how differently organisations approach this.

flaneurs_lobster

masonic said:

I certainly feel no animosity towards those that required me to jump through some hoops, but it was an eye opener to how differently organisations approach this.

Yes it's interesting to see the differences. Of the three apps I wanted to run on the new phone, one I could duplicate with a fair chunk of security (face-id, passwords on both phones), one could only be installed on a single device at a time and required a full re-install and ID verification and the third I'm fairly sure I could get running on a Ring doorbell.