A Smartphone and online banking

GeoffTF

friolento said:

400ixl said:

friolento said:

booneruk said:

libra10 said:

Is using facial recognition to access the apps safer than inserting password?

of course.. no one could "guess" your face. Personally I'd use fingerprint though.

On more recent iPhones, you either use FaceID or passcode. No fingerprint.

Why do you prefer fingerprint?

The majority of the world do not use iPhones which allows fingerprint recognition for many.

Its harder to involuntary get someone's fingerprint than to just point their phone at their face. Although to be honest if you are in that situation you are pretty buggered anyway.

PIN / password is the weakest of the 3 as that can be observed and then used on a pickpocketed phone. Face is next as they could just point it at you to unlock, fingerprint the hardest as they have to physically interact.

I'd rather close my eyes (in which case face recognition fails) than have my fingers forced onto my phone. But yes, if you are in that situation, you are pretty welll snookered

Unlocking the phone will make it more valuable to a mugger, but it will still be worth something unlocked. If you do not have any financial apps on the phone, your accounts should not be at risk. I do have one banking app on my phone, but that account has no overdraft facility and never has a large balance. It is also well hidden away. The main risk is to my phone. If I need to carry it, I keep it well hidden away, and in "Do not disturb" mode. Nonetheless, if you do not have another device in a secure location, you may be forced to have an app for your main account on your phone.

Scotjock

Using a public computer is a serious risk.
Banking websites will use a cookie that you would need to make sure you delete before you finish up. They range from a few minutes to a few hours and there is ways to extend that in a code editor that thankfully most banks take precautions against.
With a valid cookie a malicious user can go back to your session from the browser history. 
Most banking sites have a tick box to say you are on a shared computer- make sure you use it!!

Shakin_Steve

400ixl said:

friolento said:

booneruk said:

libra10 said:

Is using facial recognition to access the apps safer than inserting password?

of course.. no one could "guess" your face. Personally I'd use fingerprint though.

On more recent iPhones, you either use FaceID or passcode. No fingerprint.

Why do you prefer fingerprint?

The majority of the world do not use iPhones which allows fingerprint recognition for many.

Its harder to involuntary get someone's fingerprint than to just point their phone at their face. Although to be honest if you are in that situation you are pretty buggered anyway.

PIN / password is the weakest of the 3 as that can be observed and then used on a pickpocketed phone. Face is next as they could just point it at you to unlock, fingerprint the hardest as they have to physically interact.

If your fingerprint/faceID fail, it asks for the code you set up when you set the app up or the phone passcode, can't remember which. So the phone reverts to the weakest of the three. Try it on your iPhone by covering your face.

Zanderman

Outeast1000 said:

Outeast1000 said:

I have always used a public PC with inPrivate  browsing to check my bank balance and transactions . Now i use my own  Android 12 Smartphone to do it 

My question is how safe is it to use my smartphone to do it ? is it 100% safe to do it ?

I do not have a bank app on my phone because if it is lost or stolen how do I access my bank account then ? 

Using an app makes your banking much more secure, so if it's security you're after but you're banking with a website on a phone you're really missing a trick.

And as for what if your phone is stolen, just go back to a computer as you did before, until you get a new phone.

Nasqueron

GeoffTF said:

sausage_time said:

If anything bad were to happen I'd expect more sympathy from the bank if you were using their own app on a supported device versus web on a public PC.

Banks typically say that the requirement for running their app is Android 8 or above. Android 8 has not received any security updates for years. I recently saw a security comparison for the banks' apps. Some of them did not look at all good. If your account was hacked, I expect that the bank would say would say that it was your fault, not theirs.

If the bank says the minimum is say Android 8 and you use that, then the bank cannot start penalising you for it - if they are concerned they could just bump it up to say 10 or 11. I know this is MSE but you really should not be using a phone on an OS that is 6 revisions behind, Android or iOS, you can get a functional smartphone with full android (not Go) for about £100 - do that every 3-4 years and you'll be fine for most security requirements. 

GeoffTF

Nasqueron said:

If the bank says the minimum is say Android 8 and you use that, then the bank cannot start penalising you for it - if they are concerned they could just bump it up to say 10 or 11.

If you do use Android 8 and money goes missing from your account, the bank will likely say that you must have given your account details away. You can tell them that you did not do that and must have been hacked, but there have been reported cases where the bank said that is impossible. If the bank admits there is a vulnerability, it will get lots of fraudulent claims. You have a problem. Using Android 8 is not a good idea, but you could have the same scenario with later versions too. Most Android phones do not get security updates for long, even if Google still supports the OS.

I use Linux Mint on my desktop. Both Android and Mint run on Linux. I get updates every day. Android gets updates once a month at best. Adding a banking app to my phone would allow another way into my account.

Nasqueron

GeoffTF said:

Nasqueron said:

If the bank says the minimum is say Android 8 and you use that, then the bank cannot start penalising you for it - if they are concerned they could just bump it up to say 10 or 11.

If you do use Android 8 and money goes missing from your account, the bank will likely say that you must have given your account details away. You can tell them that you did not do that and must have been hacked, but there have been reported cases where the bank said that is impossible. If the bank admits there is a vulnerability, it will get lots of fraudulent claims. You have a problem. Using Android 8 is not a good idea, but you could have the same scenario with later versions too. Most Android phones do not get security updates for long, even if Google still supports the OS.

I use Linux Mint on my desktop. Both Android and Mint run on Linux. I get updates every day. Android gets updates once a month at best. Adding a banking app to my phone would allow another way into my account.

End of the day, the idea a bank app was hacked to steal from a customer, where the hacker has no idea what the customer has in there, is essentially impossible, they target the weakest link (the user) or are high end trying to steal from the banks directly. Having an old, weak, OS is a problem, same as giving passwords away or falling for scams. However, the FOS would not allow a bank to argue that the phone was compromised if it was using the OS software the bank stated was allowed without other evidence. 

I don't know why you want to focus on Android, iOS is no different, same with Windows, patches and feature drops are routinely done when ready to go, vulnerabilities are quickly fixed and pushed. You compare it to Linux which is not the same model at all - if you want to compare apples and apples, look at custom ROMs for phones that have similar support.

If someone buys a dirt cheap phone from a no-name brand, they get the dirt cheap support and/or your details given to the CCP. If you pay a premium, whether for an Apple device, or the higher end Android devices, you get the equivalent premium support - Samsung is doing 5 years of security/4 for OS and launched a 7 year program for devices like the s24, Google are doing 7 years now from the 8 onwards and the 6a and above get "at least" 5 years, Fairphone do 5 years of OS and 8 years security and is a bit more of a less wallet hitting offering.

GeoffTF

Nasqueron said:

However, the FOS would not allow a bank to argue that the phone was compromised if it was using the OS software the bank stated was allowed without other evidence.

My point is that the bank does not have to argue that. They just have to argue that you have given your log in details away. It would be up to you to prove that the phone had been compromised. That would be expensive, unless you happen to be an IT security expert.

TheBanker

GeoffTF said:

Nasqueron said:

However, the FOS would not allow a bank to argue that the phone was compromised if it was using the OS software the bank stated was allowed without other evidence.

My point is that the bank does not have to argue that. They just have to argue that you have given your log in details away. It would be up to you to prove that the phone had been compromised. That would be expensive, unless you happen to be an IT security expert.

The bank can argue that the customer gave their details away, but the FOS will make a decision based on evidence, not arguments. This will not just include evidence of the specific log-in used, but also the device used, any two factor authentication applied, the nature of the transaction and a range of other factors. Even where the customer did give their details out, FOS will not automatically decline their complaint; they will look at whether the customer was scammed into doing this, and whether the bank's transaction monitoring should have blocked it.

Outeast1000

Outeast1000 said:

I have always used a public PC with inPrivate  browsing to check my bank balance and transactions . Now i use my own  Android 12 Smartphone to do it 

My question is how safe is it to use my smartphone to do it ? is it 100% safe to do it ?

Also I should have mentioned when I used a public PC I used to get a text with a passcode sent to my  original phone not my smartphone to log in to my account . Now with my smartphone I do not get a text sent to my phone or the phone I used when I was using a public PC     . Now I enter my username ;  password and pin and I am logged in straight away