What is the safest technical setup for online banking ?

danco

flaneurs_lobster said:

If SMS codes are required then they are sent to your existing phone and copied into the banking app/website on the second device.

I think that's the crucial point that I wasn't aware of. That the SMS code will also be available in the app on EVERY device. 

sausage_time

danco said:

flaneurs_lobster said:

If SMS codes are required then they are sent to your existing phone and copied into the banking app/website on the second device.

I think that's the crucial point that I wasn't aware of. That the SMS code will also be available in the app on EVERY device. 

Not sure I understand.  The SMS is sent to one device* - a phone tied to a SIM card.  The point @flaneurs_lobster
 was making that this could be manually copied to an app or login asking for it on another device.

*In theory you can view SMS messages on a web browser too.  For Android phones this can be https://messages.google.com/web for example.  But you need the original SIM device to be "paired" with the browser.  Apple probably have something similar.

flaneurs_lobster

sausage_time said:

danco said:

flaneurs_lobster said:

If SMS codes are required then they are sent to your existing phone and copied into the banking app/website on the second device.

I think that's the crucial point that I wasn't aware of. That the SMS code will also be available in the app on EVERY device. 

Not sure I understand.  The SMS is sent to one device* - a phone tied to a SIM card.  The point @flaneurs_lobster
 was making that this could be manually copied to an app or login asking for it on another device.

*In theory you can view SMS messages on a web browser too.  For Android phones this can be https://messages.google.com/web for example.  But you need the original SIM device to be "paired" with the browser.  Apple probably have something similar.

Yes, exactly right.

Windows machines have MS Phone Link pre-installed, lets you read SMS messages (and pretty much everything else) on a paired phone (certainly Android - dunno about Apple).

Xenon

The OP is over thinking this.....

penners324

Safest will be the banking app with fingerprint or faceid activated

GeoffTF

flaneurs_lobster said:

sausage_time said:

danco said:

flaneurs_lobster said:

If SMS codes are required then they are sent to your existing phone and copied into the banking app/website on the second device.

I think that's the crucial point that I wasn't aware of. That the SMS code will also be available in the app on EVERY device. 

Not sure I understand.  The SMS is sent to one device* - a phone tied to a SIM card.  The point @flaneurs_lobster
 was making that this could be manually copied to an app or login asking for it on another device.

*In theory you can view SMS messages on a web browser too.  For Android phones this can be https://messages.google.com/web for example.  But you need the original SIM device to be "paired" with the browser.  Apple probably have something similar.

Yes, exactly right.

Windows machines have MS Phone Link pre-installed, lets you read SMS messages (and pretty much everything else) on a paired phone (certainly Android - dunno about Apple).

That defeats the object of 2FA, which is the ensure that you need to have access to two different devices to make the transaction, which ensures that a hacker has to gain access to both devices in order to make a fraudulent transaction (or intercept the message in the case of SMS).

flaneurs_lobster

GeoffTF said:

flaneurs_lobster said:

sausage_time said:

danco said:

flaneurs_lobster said:

If SMS codes are required then they are sent to your existing phone and copied into the banking app/website on the second device.

I think that's the crucial point that I wasn't aware of. That the SMS code will also be available in the app on EVERY device. 

Not sure I understand.  The SMS is sent to one device* - a phone tied to a SIM card.  The point @flaneurs_lobster
 was making that this could be manually copied to an app or login asking for it on another device.

*In theory you can view SMS messages on a web browser too.  For Android phones this can be https://messages.google.com/web for example.  But you need the original SIM device to be "paired" with the browser.  Apple probably have something similar.

Yes, exactly right.

Windows machines have MS Phone Link pre-installed, lets you read SMS messages (and pretty much everything else) on a paired phone (certainly Android - dunno about Apple).

That defeats the object of 2FA, which is the ensure that you need to have two different devices to make the transaction, which ensures that a hacker has to gain access to both devices in order to make a fraudulent transaction.

No it doesn't - the second device has to be physically present too. It's linked to the first (in this example by Bluetooth). The first device is just being used as a second screen (and it makes it easier to cut'n'paste codes).

Rob5342

GeoffTF said:

flaneurs_lobster said:

sausage_time said:

danco said:

flaneurs_lobster said:

If SMS codes are required then they are sent to your existing phone and copied into the banking app/website on the second device.

I think that's the crucial point that I wasn't aware of. That the SMS code will also be available in the app on EVERY device. 

Not sure I understand.  The SMS is sent to one device* - a phone tied to a SIM card.  The point @flaneurs_lobster
 was making that this could be manually copied to an app or login asking for it on another device.

*In theory you can view SMS messages on a web browser too.  For Android phones this can be https://messages.google.com/web for example.  But you need the original SIM device to be "paired" with the browser.  Apple probably have something similar.

Yes, exactly right.

Windows machines have MS Phone Link pre-installed, lets you read SMS messages (and pretty much everything else) on a paired phone (certainly Android - dunno about Apple).

That defeats the object of 2FA, which is the ensure that you need to have access to two different devices to make the transaction, which ensures that a hacker has to gain access to both devices in order to make a fraudulent transaction (or intercept the message in the case of SMS).

2FA is to ensure that there are two factors involved, something you know (your password) and something you have (your laptop or phone) It would be a bit less secure if you had it linked but its still two factors. 

sausage_time

flaneurs_lobster said:

GeoffTF said:

flaneurs_lobster said:

sausage_time said:

danco said:

flaneurs_lobster said:

If SMS codes are required then they are sent to your existing phone and copied into the banking app/website on the second device.

I think that's the crucial point that I wasn't aware of. That the SMS code will also be available in the app on EVERY device. 

Not sure I understand.  The SMS is sent to one device* - a phone tied to a SIM card.  The point @flaneurs_lobster
 was making that this could be manually copied to an app or login asking for it on another device.

*In theory you can view SMS messages on a web browser too.  For Android phones this can be https://messages.google.com/web for example.  But you need the original SIM device to be "paired" with the browser.  Apple probably have something similar.

Yes, exactly right.

Windows machines have MS Phone Link pre-installed, lets you read SMS messages (and pretty much everything else) on a paired phone (certainly Android - dunno about Apple).

That defeats the object of 2FA, which is the ensure that you need to have two different devices to make the transaction, which ensures that a hacker has to gain access to both devices in order to make a fraudulent transaction.

No it doesn't - the second device has to be physically present too. It's linked to the first (in this example by Bluetooth). The first device is just being used as a second screen (and it makes it easier to cut'n'paste codes).

That's not the case for reading SMS via https://messages.google.com/web on Android.  But the devices do need to be adjacent for initial pairing (via scanning a QR code).  

Sarahspangles

flaneurs_lobster said:

Windows machines have MS Phone Link pre-installed, lets you read SMS messages (and pretty much everything else) on a paired phone (certainly Android - dunno about Apple).

Apple - IOS 18’s Continuity feature means that a passcode in an SMS sent to an iPhone will be presented on a Mac or iPad as an option you can pick in the dialogue box or from the bar above the keypad. It can also present some passcodes detected in emails.

If you have your phone with you and see an SMS arrive, and you haven’t just requested a passcode, then react. If you’re not someone who always has their phone on them then disable Continuity.

Knowing where your device is, is the modern version of knowing where your wallet is.