
What is the safest technical setup for online banking ?


Comments

  • booneruk
    booneruk Posts: 591 Forumite
    edited 28 November 2024 at 3:22PM
    Rob5342 said:
    Monanore said:

    VPN - is it safe to entrust money traffic to a 3rd party ?

    You do not need a VPN. Anyone that claims you do is selling snake oil.  I could explain why you don't, but the explanation would need to be very technical.


    I think it's fairly simple to explain. A VPN just provides a secure "pipe" to some other place on the internet where your traffic all pops out and carries on as it would have done anyway. The same data will be travelling over the internet to your bank, just from a different place where it is relayed from/to you.   
    Yep, which gives your bank a level of justification in classing your traffic as of potentially malicious intent
  • GeoffTF
    GeoffTF Posts: 1,677 Forumite
    edited 28 November 2024 at 4:35PM
    GeoffTF said:
    A mobile away from home is clearly more at risk than a dedicated PC securely locked away at home, particularly if it does not have security updates.
    Why is it?
    Excluding using public WiFi.

    You're using a mobile signal which is exactly the same no matter where you are.

    VPN. Who's to say that the supplier is not filtering info.
    Your phone can be snatched. It is easily accessed if it is unlocked, and given the right resources could be accessed if it is not. If you use the same device for receiving security codes, you do not have proper 2FA. Most phones do not get security updates for long. Mobile phones are less prone to malware than Windows, but are not immune. A highly secure PC that is only used for online banking should be malware proof. The only ways in will be the original OS download and updates. They should be free of nasties, but there is no absolute guarantee. I have already mentioned immutable Linux. Another approach is to install Linux in a micro SD card and boot from that card only when using online banking. A micro SD card can be easily hidden. That is likely to be more secure than storing your PC in a safe.
    WiFi should not be an issue, because your communications with the bank are encrypted.
  • Rob5342
    Rob5342 Posts: 2,131 Forumite
    Monanore said:
    VPN - is it safe to entrust money traffic to a 3rd party ?

    The internet is essentially loads of 3rd parties all connected together, when you do anything online the data gets passed from one 3rd party to the next until it reaches its destination. Anyone in the chain can see where the data originated and where it's going, but it's encrypted so they can't see what it is.

    Online banking has risks but can be very useful too. Any decent banking app gives notifications when transactions are made so you can spot fraud very quickly and take action. You just need to take sensible precautions, keep things in perspective and be aware of all risks. Keeping valuables in your house is a risk but it doesn't stop most people doing it. You could increase security by putting metal bars on your windows, but that's no help at all if someone distracts you while their friend walks in your open door.
  • Zanderman
    Zanderman Posts: 4,812 Forumite
    Ergates said:
    Monanore said:
    Thanks everyone, all very interesting and helpful.
    @Zanderman @Ergates -  I'd always assumed that a phone was less secure, could you help me understand why I'm wrong ?
    The main reason is that it is harder to install things that don't come from the appropriate "store"  (Apple, or Play depending on the OS).  Apps on the stores are vetted.  This means it is hard to accidentally install malware on your phone.

    You can do it, but you have to really go out of your way to do so.   It is also possible for external actors to hack a phone, but we're talking GCHQ level of capability - not some random fraudster.

    The biometric security (fingerprint, face) that is used in most modern phones also offers a better level of protection than *most* people use to log in to their PC.

    The obvious downside is that it's a lot easier to lose your phone (or have it stolen).  Which is inconvenient, but if you've used a biometric lock isn't too much of a security issue.   Unless they've also stolen your thumb or face.  And if they've done that then I suggest you have bigger things to worry about.
    Also, on a PC or a Mac or even on a Linux system, you'd be accessing the bank website through a browser app. Chrome, Firefox, Safari, Edge, whatever browser you use. Browser apps aren't made by banks, and all have vulnerabilities to some extent. You're accessing the bank's systems through a non-bank app.

    Banking apps, on a phone, are apps designed and made by each bank, with security of the process their key concern. And, to an extent, their responsibility. They have no responsibility for the browser you'd be using on a PC.

    A banking app - designed by and for a bank - will by definition be more secure than a generic browser app not made for or by a bank.   

    Of course, in both cases the app is running on an operating system not designed by the bank either - Windows or MacOS or a Linux or Chrome OS system on a desktop or laptop and Android or iOS on a phone or tablet.  You can never have a system entirely designed and secured by the bank. But you can have one that is designed and secured as much as possible by the bank - and for that you need a phone. 
  • Exodi said:
    Why stop there? Why not have the terminal held in an underground bunker in a secret location, which can only be accessed by performing gymnastics over laser beams after going through armed guards.

    Would he have to wear the Catherine Zeta Jones catsuit?
  • Sarahspangles
    Sarahspangles Posts: 2,656 Forumite
    edited 28 November 2024 at 7:47PM
    It’s more about your personal behaviours than your technical set up.

    My banking apps are on my tablet, which mostly stays home. That way I’m not banking in public, or when distracted.

    As part of my morning routine I reconcile my bank and Visa accounts. It takes a couple of minutes. When OH’s card was cloned, we knew within 24 hours. This highlights that physical cards are still a weak spot.

    I never use a debit card for online purchases. I prefer ApplePay which is linked to my Visa card, if not then Visa.

    I opt in for multi-factor authentication e.g. text to phone wherever possible. My phone and tablet are biometric. I use strong unique passwords.

    I always validate any potentially genuine contact about an account by looking at the account for a secure message or to find a number to call them.
  • friolento
    friolento Posts: 1,878 Forumite
    GeoffTF said:
    GeoffTF said:
    A mobile away from home is clearly more at risk than a dedicated PC securely locked away at home, particularly if it does not have security updates.
    Why is it?
    Excluding using public WiFi.

    You're using a mobile signal which is exactly the same no matter where you are.

    VPN. Who's to say that the supplier is not filtering info.
    Your phone can be snatched. It is easily accessed if it is unlocked, and given the right resources could be accessed if it is not. If you use the same device for receiving security codes, you do not have proper 2FA. Most phones do not get security updates for long. Mobile phones are less prone to malware than Windows, but are not immune. A highly secure PC that is only used for online banking should be malware proof. The only ways in will be the original OS download and updates. They should be free of nasties, but there is no absolute guarantee. I have already mentioned immutable Linux. Another approach is to install Linux in a micro SD card and boot from that card only when using online banking. A micro SD card can be easily hidden. That is likely to be more secure than storing your PC in a safe.
    WiFi should not be an issue, because your communications with the bank are encrypted.

    No wonder non-IT people think online banking is way too complicated and difficult.
  • GeoffTF
    GeoffTF Posts: 1,677 Forumite
    Zanderman said:
    A banking app - designed by and for a bank - will by definition be more secure than a generic browser app not made for or by a bank.
    Who do you think is more technically competent, Google, Mozilla, Apple or your bank? Open source browsers are scrutinised by countless other eyes too. Enormous effort is put into browser security. Independent assessments usually find lots of security issues with banking apps.
  • GeoffTF
    GeoffTF Posts: 1,677 Forumite
    friolento said:
    GeoffTF said:
    GeoffTF said:
    A mobile away from home is clearly more at risk than a dedicated PC securely locked away at home, particularly if it does not have security updates.
    Why is it?
    Excluding using public WiFi.

    You're using a mobile signal which is exactly the same no matter where you are.

    VPN. Who's to say that the supplier is not filtering info.
    Your phone can be snatched. It is easily accessed if it is unlocked, and given the right resources could be accessed if it is not. If you use the same device for receiving security codes, you do not have proper 2FA. Most phones do not get security updates for long. Mobile phones are less prone to malware than Windows, but are not immune. A highly secure PC that is only used for online banking should be malware proof. The only ways in will be the original OS download and updates. They should be free of nasties, but there is no absolute guarantee. I have already mentioned immutable Linux. Another approach is to install Linux in a micro SD card and boot from that card only when using online banking. A micro SD card can be easily hidden. That is likely to be more secure than storing your PC in a safe.
    WiFi should not be an issue, because your communications with the bank are encrypted.
    No wonder non-IT people think online banking is way too complicated and difficult.
    We have been asked what is the safest technical set up, and I have offered an answer. Security and convenience do not go together. If you want the ultimate in security, it is not going to be convenient. It is a mistake to kid oneself otherwise. It is much more common for people to give their money to scammers than it is for their phones to be hacked or for them to be forced to give access to their banking apps at knife point. Nonetheless, that is not what we have been asked.
  • Rob5342
    Rob5342 Posts: 2,131 Forumite
    GeoffTF said:
    Zanderman said:
    A banking app - designed by and for a bank - will by definition be more secure than a generic browser app not made for or by a bank.
    Who do you think is more technically competent, Google, Mozilla, Apple or your bank? Open source browsers are scrutinised by countless other eyes too. Enormous effort is put into browser security. Independent assessments usually find lots of security issues with banking apps.
    Exactly, banks are hardly at the forefront of technology like the companies you mention are. Look at how hopelessly old fashioned Nationwide are for example. 