What is the safest technical setup for online banking ?

nyermen

Long thread I’ve only just come onto - I would add that I agree, smartphones generally safe.

Avoid:

- Unknown smartphone makers (there have been cases of cheap phones coming with malware).  Apple, Samsung, etc are fine as long as official software (no jailbreak on apple, no root on samsung, etc).
- Same pin code for banking app as for phone (in case overseen and then stolen).
- Poor authentication methods for devices - four digit codes, pattern or face recognition on android (is it any better now?), etc.

I’d also make sure your mobile provider has decent security, so sim swap fraud can’t happen easily.  Eg I think EE require a copy of ID in store, that is then copied and sent to head office for verification and only they can approve the swap.

One thing I would note, is the ability (eg. Apple) for one time passwords to be shared between devices through sharing - this could be a risk, if someone intercepts one device they might have the full picture even if split devices.

Ergates

Monanore said:

Just a thought.  

Those of you who understand these complicated things - and remember you are disagreeing amongst yourselves - just look back at all the comments and reflect on what a mess we have got in to  with online banking as a society, just for the sake of so-called 'convenience'.   

And think of all those not technically minded who have to navigate this minefield without proper defined instructions and guidance - as with everything these days nobody bothers to write user instructions any more, expecting people to rely on the rubbish on the internet.

Seems to me we'd be better off without it.

I don't see anything in here that represents a "mess" or a "minefield".

Moreover, by what stretch of the imagination is online banking only a "so called" convenience.  Being able to do all my banking from home is, very obviously, more convenient that having to go into a physical branch (that is mainly open when I'm at work).

If nobody writes user instructions then what, exactly, are you reading on the internet?   And why does being on the internet make it rubbish?  Do you believe the act of printing something out somehow improves the quality of the information?  How does that work?

danco

booneruk said:

You'd get onto the bank and tell them you have lost access to a trusted device, and get onto your SIM provider to report it lost also. You'd then get hold of a new phone and go through the bank's system to register the new device/number as trusted.

Alternatively, ditch SMS where possible and move to authenticator app (I believe this is where some things are moving naturally anyway - it's more secure). That way you can store backups of the seeds used for the number generation and install onto a new device yourself if required. If you didn't store backups of the seeds and you loose your device, you'd also need to go through the bank's process to register a new trusted device.

I believe banks are using in-app authorisation more and more too. When I buy something online with my Halifax card, I get prompted to go into the app and authorise it. No SMS = much safer (no one's going to spy the SMS preview or be able to hijack my SMS traffic via SIM swapping). This is another reason why banking apps are superior to browser based access.

I do ditch SMS whenever possible. Unfortunately it is still frequently not possible to do that.

Of course I see the other points about telling people and getting a new number registered, but that can take a long time. Still, that seems to be what is needed.

danco

booneruk said:

I've been saying from the start - get a modern phone, use its biometric features like fingerprint, keep it up to date and run the bank's app. There, you are secure enough and it's simple enough for all.

Secure against others getting into your account, and simple. But not all that simple if you lose the phone (or it's stolen)

Rob5342

booneruk said:

Online banking is great, and I'm glad its here to stay. I don't think I've set foot in a physical bank for over 10 years, and haven't done regularly for more than 20. How many hours of queuing has that saved on its own?

I find it odd that people regard Internet banking as a modern invention. I started banking online with Lloyd's 25 years ago and have never been inside a branch since. I was an early adopter but even the least technical members of my family have been banking online for at least 15 years. 

Rob5342

Monanore said:

And think of all those not technically minded who have to navigate this minefield without proper defined instructions and guidance - as with everything these days nobody bothers to write user instructions any more, expecting people to rely on the rubbish on the internet.

Seems to me we'd be better off without it.

Banks often give very good instructions om how to use their services, have a look at Lloyd's for example:

https://www.lloydsbank.com/help-guidance/everyday-banking.html

booneruk

Rob5342 said:

booneruk said:

Online banking is great, and I'm glad its here to stay. I don't think I've set foot in a physical bank for over 10 years, and haven't done regularly for more than 20. How many hours of queuing has that saved on its own?

I find it odd that people regard Internet banking as a modern invention. I started banking online with Lloyd's 25 years ago and have never been inside a branch since. I was an early adopter but even the least technical members of my family have been banking online for at least 15 years. 

I signed up with Smile bank in 1999! It was hardly the refined experience you get today, but it was great being able to shift money between current and savings accounts and keep an eye on day to day spending. In all the years since I've been solely online banking and haven't had a single issue - aside from the type of occasional technical glitch the bank's end that gets plastered all over the news and twitter. I have backup accounts to avoid any pain with those.