
What is the safest technical setup for online banking ?

Comments

  • Zanderman
    Zanderman Posts: 4,812 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    GeoffTF said:
    Zanderman said:
    A banking app - designed by and for a bank - will by definition be more secure than a generic browser app not made for or by a bank.
    Who do you think is more technically competent, Google, Mozilla, Apple or your bank? Open source browsers are scrutinised by countless other eyes too. Enormous effort is put into browser security. Independent assessments usually find lots of security issues with banking apps.
    But browsers can have extensions added. Banking apps can't. Banking apps are designed for one purpose only. Browsers are multifunctional and expandable. I would trust a banking app over a browser any day.
  • Zanderman
    Zanderman Posts: 4,812 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    edited 29 November 2024 4:01PM
    Rob5342 said:
    GeoffTF said:
    Zanderman said:
    A banking app - designed by and for a bank - will by definition be more secure than a generic browser app not made for or by a bank.
    Who do you think is more technically competent, Google, Mozilla, Apple or your bank? Open source browsers are scrutinised by countless other eyes too. Enormous effort is put into browser security. Independent assessments usually find lots of security issues with banking apps.
    Exactly, banks are hardly at the forefront of technology like the companies you mention are. Look at how hopelessly old fashioned Nationwide are for example. 
    Nationwide's approach and their app is criticised for functionality and look.  Do you actually know anything about whether it is secure? Because security is the issue, not the interface. They're not the same thing at all. Are Nationwide somehow lacking security or do you just find them old fashioned?  
  • TMSG
    TMSG Posts: 204 Forumite
    Fourth Anniversary 100 Posts Name Dropper
    If I take the OP's query at face value re "safest setup" then I'd say:
    1. a modern Linux w/ regular updates (but no rolling distro)
    2. immutable install
    3. on a LUKS-encrypted HD/SSD partition with a really strong password

    I have such a system up and running (I can use the same Linux base as a mutable system via dual-booting) and it's been rock-solid. I trust this setup more than the apps on the phone (not because I think they're inherently less safe but because the phone is a lot more "mobile" than a home PC).

    Alas, as many others have remarked, installing Linux, especially with the constraints I listed, is not for the fainthearted.

    OTOH, someone on a Windows system could create something like this in a virtual machine (ie a Virtual Box VM). This is a much more forgiving environment than having to install a new system on bare metal and would offer almost the same security. In fact the immutable part would be trivial as a VM can be configured as such. And if the Windows installation is itself fully encrypted (as many are these days) then there's no need for a separate encryption for the Linux files.
  • GeoffTF
    GeoffTF Posts: 1,681 Forumite
    1,000 Posts Third Anniversary Photogenic Name Dropper
    edited 29 November 2024 4:42PM
    Zanderman said:
    GeoffTF said:
    Zanderman said:
    A banking app - designed by and for a bank - will by definition be more secure than a generic browser app not made for or by a bank.
    Who do you think is more technically competent, Google, Mozilla, Apple or your bank? Open source browsers are scrutinised by countless other eyes too. Enormous effort is put into browser security. Independent assessments usually find lots of security issues with banking apps.
    But browsers can have extensions added. Banking apps can't. Banking apps are designed for one purpose only. Browsers are multifunctional and expandable. I would trust a banking app over a browser any day.
    If you read the link that I gave on sandboxing browsers, you would know that nowadays extensions run in a hardware isolated partition, where they can do no harm. On Linux, you can additionally run the whole browser in a hardware isolated container.
  • booneruk
    booneruk Posts: 591 Forumite
    Sixth Anniversary 500 Posts Name Dropper
    edited 29 November 2024 4:50PM
    GeoffTF said:

    If you read the link that I gave on sandboxing browsers, you would know that nowadays extensions run in a hardware isolated partition, where they can do no harm. On Linux, you can additionally run the whole browser in a hardware isolated container.

    As far as I understand it, some of the T&Cs you agree to when installing browser extensions include things like "This extension can read and write your browsing data". If adblockers couldn't filter IP address requested against known advert hosts, read the page HTML and intercept javascript, how would they work?

    Does sandboxing stop adblocker extensions? I don't think it does.

    From https://support.google.com/chrome_webstore/answer/186213?hl=en#zippy=,high-alert



    Edit - we're getting way off topic now!

    I'll say it again. Android 14 phone - a secured out of the box system with years of updates ahead. Use the bank developed apps from the vetted app store and biometrics to scupper shoulder surfers, oh and apply a short screen lock timeout - that would be my advice on the way to go.

  • GeoffTF
    GeoffTF Posts: 1,681 Forumite
    1,000 Posts Third Anniversary Photogenic Name Dropper
    booneruk said:
    GeoffTF said:

    If you read the link that I gave on sandboxing browsers, you would know that nowadays extensions run in a hardware isolated partition, where they can do no harm. On Linux, you can additionally run the whole browser in a hardware isolated container.

    As far as I understand it, some of the T&Cs you agree to when installing browser extensions include things like "This extension can read and write your browsing data". If adblockers couldn't filter IP address requested against known advert hosts, read the page HTML and intercept javascript, how would they work?

    Does sandboxing stop adblocker extensions? I don't think it does.

    From https://support.google.com/chrome_webstore/answer/186213?hl=en#zippy=,high-alert



    Edit - we're getting way off topic now!

    I'll say it again. Android 14 phone - a secured out of the box system with years of updates ahead. Use the bank developed apps from the vetted app store and biometrics to scupper shoulder surfers, oh and apply a short screen lock timeout - that would be my advice on the way to go.
    The point here is that you have control. You do not have to install extensions, and if you do, you do not have to grant them permissions.
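
    Whether an installed extension can reach a banking page, the question argued in the exchange above, can be read from its manifest. This is an added example, not part of the thread: the extension names, manifests and the bank.example URL are constructed, and the pattern matcher is a simplified version of the browser's match-pattern rules covering http(s) URLs only.

```python
import re
from urllib.parse import urlsplit

# Manifest keys that can carry host match patterns (MV2 and MV3).
HOST_KEYS = ("permissions", "host_permissions",
             "optional_permissions", "optional_host_permissions")
# Constructed sample manifests, not real extensions.
SAMPLE_MANIFESTS = {
    "ad-blocker": {"manifest_version": 3, "host_permissions": ["<all_urls>"]},
    "coupon-finder": {
        "manifest_version": 3,
        "optional_host_permissions": ["https://*/*"],
        "content_scripts": [{"matches": ["*://*.shop.example/*"], "js": ["c.js"]}],
    },
    "clock": {"manifest_version": 3, "permissions": ["storage"]},
}
BANK_URL = "https://online.bank.example/accounts"  # placeholder bank URL

def pattern_matches(pattern, url):
    """Simplified match-pattern test for http(s) URLs."""
    u = urlsplit(url)
    if pattern == "<all_urls>":
        return u.scheme in ("http", "https")
    if "://" not in pattern:
        return False  # an API permission name such as "storage"
    scheme, rest = pattern.split("://", 1)
    host, _, path = rest.partition("/")
    if scheme != u.scheme and not (scheme == "*" and u.scheme in ("http", "https")):
        return False
    name = u.hostname or ""
    if host.startswith("*."):  # "*.x.example" covers x.example and subdomains
        if name != host[2:] and not name.endswith(host[1:]):
            return False
    elif host not in ("*", name):
        return False
    glob = re.escape("/" + path).replace(r"\*", ".*")
    return re.fullmatch(glob, u.path or "/") is not None

def host_access(manifest, url):
    """Return (manifest key, pattern) pairs that cover the URL."""
    found = [(k, p) for k in HOST_KEYS for p in manifest.get(k, [])
             if pattern_matches(p, url)]
    for script in manifest.get("content_scripts", []):
        found += [("content_scripts", p) for p in script.get("matches", [])
                  if pattern_matches(p, url)]
    return found

def audit(manifests, url):
    return {name: host_access(m, url) for name, m in manifests.items()}
```

    Entries under the `optional_` keys take effect only after the user approves a runtime request; the others are requested at install time. To audit a real profile, load each extension's `manifest.json` with `json.load` and pass the resulting dictionaries to `audit`.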
  • M25
    M25 Posts: 309 Forumite
    100 Posts Second Anniversary Name Dropper Photogenic
    Monanore said:
    Those of us who avoid online banking may soon have no choice but to use it.  Given the current threat landscape, what is the safest set-up ? 

    I'd love to hear your ideas.
    Threat landscape? CIA talk.

    Simple, use a mobile that has the latest security updates. 

    Always have 2 x current accounts with different banks as a backup.

    Don't give your passwords out. Have very complicated passwords. If you don't know them off-hand then not much chance of anyone else guessing.

    Don't send money to strangers as the rest of the forum members and Martin have to pay the bill.

    Don't answer your door (email, telephone etc) to strangers.


    The threat has been the same since the first cave had a door fitted. That door was mainly to keep the heat in but they realised about 400 years later it's also pretty good for security.

    Have more doors.

  • danco said:
    I am concerned about having two phone numbers if I follow the interesting advice about keeping one at home. It's not only banks that send 2FA codes by text messages. For instance, my NHS login requires a code, as does the regular security check on my email account. Some sites will allow more than one phone number but many won't.

    Also, there is a cost in having a second phone number (in addition to the cost of the phone itself). One should pay for security, but I wonder what's the best way to go. Especially as some checks require sending a YES/NO message to a short number, and it seems many cheap providers don't allow that.
    The second stay-at-home device doesn't need a second SIM, as others have said there are advantages to using a tablet rather than a phone, the device will operate on your existing broadband.

    If SMS codes are required then they are sent to your existing phone and copied into the banking app/website on the second device.
  • Zanderman
    Zanderman Posts: 4,812 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    GeoffTF said:
    booneruk said:
    GeoffTF said:

    If you read the link that I gave on sandboxing browsers, you would know that nowadays extensions run in a hardware isolated partition, where they can do no harm. On Linux, you can additionally run the whole browser in a hardware isolated container.

    As far as I understand it, some of the T&Cs you agree to when installing browser extensions include things like "This extension can read and write your browsing data". If adblockers couldn't filter IP address requested against known advert hosts, read the page HTML and intercept javascript, how would they work?

    Does sandboxing stop adblocker extensions? I don't think it does.

    From https://support.google.com/chrome_webstore/answer/186213?hl=en#zippy=,high-alert



    Edit - we're getting way off topic now!

    I'll say it again. Android 14 phone - a secured out of the box system with years of updates ahead. Use the bank developed apps from the vetted app store and biometrics to scupper shoulder surfers, oh and apply a short screen lock timeout - that would be my advice on the way to go.
    The point here is that you have control. You do not have to install extensions, and if you do, you do not have to grant them permissions.
    Ok, getting weary of the argument now. But...

    Surely the point is, in reality, that people do install browser extensions, and do give permissions (not least as without those permissions the extensions often won't do what they're designed to do). It's what people do. Yes they have a choice, but they often make the wrong one, in security terms.

    But there is no choice for banking apps. They are secure. You can't add things to them.  So you don't - because you can't.  So they are as secure as they were designed to be. Unlike a browser with extensions.
  • GeoffTF
    GeoffTF Posts: 1,681 Forumite
    1,000 Posts Third Anniversary Photogenic Name Dropper
    edited 30 November 2024 7:46PM
    Zanderman said:
    GeoffTF said:
    booneruk said:
    GeoffTF said:

    If you read the link that I gave on sandboxing browsers, you would know that nowadays extensions run in a hardware isolated partition, where they can do no harm. On Linux, you can additionally run the whole browser in a hardware isolated container.

    As far as I understand it, some of the T&Cs you agree to when installing browser extensions include things like "This extension can read and write your browsing data". If adblockers couldn't filter IP address requested against known advert hosts, read the page HTML and intercept javascript, how would they work?

    Does sandboxing stop adblocker extensions? I don't think it does.

    From https://support.google.com/chrome_webstore/answer/186213?hl=en#zippy=,high-alert



    Edit - we're getting way off topic now!

    I'll say it again. Android 14 phone - a secured out of the box system with years of updates ahead. Use the bank developed apps from the vetted app store and biometrics to scupper shoulder surfers, oh and apply a short screen lock timeout - that would be my advice on the way to go.
    The point here is that you have control. You do not have to install extensions, and if you do, you do not have to grant them permissions.
    Surely the point is, in reality, that people do install browser extensions, and do give permissions (not least as without those permissions the extensions often won't do what they're designed to do). It's what people do. Yes they have a choice, but they often make the wrong one, in security terms.

    But there is no choice for banking apps. They are secure. You can't add things to them.  So you don't - because you can't.  So they are as secure as they were designed to be. Unlike a browser with extensions.
    Yes, people do. They also give their money to scammers. They click on links in text messages and emails, visit dodgy web sites. They use phones and computers that have not had any security updates for years. They load dodgy applications. They do not use a virus checker on Windows. They use one easily guessed password for everything, and write it on a piece of paper that they carry with their phone. They download remote desktops for scammers, and give their authentication codes to anyone. The list goes on. Nonetheless, there are more sensible people who want to know how to make it as difficult as they reasonably can for criminals to get into their important financial accounts.
    Whether you use a browser or an app is mostly a red herring. If you have a separate device that you use as your only method of accessing your important financial accounts, and nothing else, and secure that device at home, you should be very safe. In that case, it does not matter too much whether you use a browser or an app. Even if your device is not secure, it is not likely to be compromised, because you are not doing any of the things that are likely to let malware in. You are also minimising the chance that a criminal will be able to force you to give him access. Technical security just adds another layer of defence.
    I have a banking app on an old mobile phone that gets no security updates. I just use it for small in person transactions, and do not worry about it. I will not do that if I am dealing with £millions though. If a small mistake can lead to a large loss of money, I want good security, and everything on a big screen in front of me.