
What is the safest technical setup for online banking ?


Comments

  • danco
    danco Posts: 308 Forumite
    Third Anniversary 100 Posts Name Dropper
    Then I still don't understand. I'm most concerned about what happens if I lose access to the phone that has a phone number. For many banking actions the suggested answer, which works, is to have the app on a second phone or tablet and use that. But occasionally one gets SMS messages to that phone number in order to authenticate. What should one do to prevent problems if one doesn't have the phone?
  • booneruk
    booneruk Posts: 597 Forumite
    Sixth Anniversary 500 Posts Name Dropper
    edited 2 December 2024 at 4:22PM
    You'd get onto the bank and tell them you have lost access to a trusted device, and get onto your SIM provider to report it lost also. You'd then get hold of a new phone and go through the bank's system to register the new device/number as trusted.

    Alternatively, ditch SMS where possible and move to an authenticator app (I believe this is where some things are moving naturally anyway - it's more secure). That way you can store backups of the seeds used for the number generation and install onto a new device yourself if required. If you didn't store backups of the seeds and you lose your device, you'd also need to go through the bank's process to register a new trusted device.

    I believe banks are using in-app authorisation more and more too. When I buy something online with my Halifax card, I get prompted to go into the app and authorise it. No SMS = much safer (no one's going to spy the SMS preview or be able to hijack my SMS traffic via SIM swapping). This is another reason why banking apps are superior to browser based access.
  • GeoffTF said:
    danco said:
    If SMS codes are required then they are sent to your existing phone and copied into the banking app/website on the second device.
    I think that's the crucial point that I wasn't aware of. That the SMS code will also be available in the app on EVERY device. 
    Not sure I understand.  The SMS is sent to one device* - a phone tied to a SIM card.  The point @flaneurs_lobster was making that this could be manually copied to an app or login asking for it on another device.

    *In theory you can view SMS messages on a web browser too.  For Android phones this can be https://messages.google.com/web for example.  But you need the original SIM device to be "paired" with the browser.  Apple probably have something similar.
    Yes, exactly right.

    Windows machines have MS Phone Link pre-installed, which lets you read SMS messages (and pretty much everything else) on a paired phone (certainly Android - dunno about Apple).
    That defeats the object of 2FA, which is to ensure that you need to have two different devices to make the transaction, which ensures that a hacker has to gain access to both devices in order to make a fraudulent transaction.
    No it doesn't - the second device has to be physically present too. It's linked to the first (in this example by Bluetooth). The first device is just being used as a second screen (and it makes it easier to cut'n'paste codes).
    That's not the case for reading SMS via https://messages.google.com/web on Android.  But the devices do need to be adjacent for initial pairing (via scanning a QR code).  
    In which case that does sound like a way to circumvent/nullify 2FA to me, albeit at the behest of the account holder. Is the link persistent? Are the devices linked forever?



  • sausage_time
    sausage_time Posts: 1,251 Ambassador
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    GeoffTF said:
    danco said:
    If SMS codes are required then they are sent to your existing phone and copied into the banking app/website on the second device.
    I think that's the crucial point that I wasn't aware of. That the SMS code will also be available in the app on EVERY device. 
    Not sure I understand.  The SMS is sent to one device* - a phone tied to a SIM card.  The point @flaneurs_lobster was making that this could be manually copied to an app or login asking for it on another device.

    *In theory you can view SMS messages on a web browser too.  For Android phones this can be https://messages.google.com/web for example.  But you need the original SIM device to be "paired" with the browser.  Apple probably have something similar.
    Yes, exactly right.

    Windows machines have MS Phone Link pre-installed, which lets you read SMS messages (and pretty much everything else) on a paired phone (certainly Android - dunno about Apple).
    That defeats the object of 2FA, which is to ensure that you need to have two different devices to make the transaction, which ensures that a hacker has to gain access to both devices in order to make a fraudulent transaction.
    No it doesn't - the second device has to be physically present too. It's linked to the first (in this example by Bluetooth). The first device is just being used as a second screen (and it makes it easier to cut'n'paste codes).
    That's not the case for reading SMS via https://messages.google.com/web on Android.  But the devices do need to be adjacent for initial pairing (via scanning a QR code).  
    In which case that does sound like a way to circumvent/nullify 2FA to me, albeit at the behest of the account holder. Is the link persistent? Are the devices linked forever?



    I don't really see the risk.  I'm linking my phone (in my possession, unlocked) with another device I trust (my laptop, unlocked at the time of linking).  I think the link times out after some weeks, but I use it all the time (to copy 2FA codes mainly from sites that still insist on using SMS).  My laptop is always secured when I'm not using it.
    I’m a Forum Ambassador and I support the Forum Team on the Credit Cards and Budgeting & Bank Accounts boards. If you need any help on these boards, do let me know. Please note that Ambassadors are not moderators. Any posts you spot in breach of the Forum Rules should be reported via the report button, or by emailing forumteam@moneysavingexpert.com.
    All views are my own and not the official line of MoneySavingExpert.
  • GeoffTF
    GeoffTF Posts: 1,749 Forumite
    1,000 Posts Third Anniversary Photogenic Name Dropper
    edited 2 December 2024 at 6:07PM
    danco said:
    Then I still don't understand. I'm most concerned about what happens if I lose access to the phone that has a phone number. For many banking actions the suggested answer, which works, is to have the app on a second phone or tablet and use that. But occasionally one gets SMS messages to that phone number in order to authenticate. What should one do to prevent problems if one doesn't have the phone?
    You tell the bank that your phone has been lost or stolen. You also tell your network provider, who can send you a new SIM and move your phone number onto it. You then have to tell your bank that you have recovered the phone number. I say "tell", but you may be able to do some (or perhaps all) of this online.
  • GeoffTF
    GeoffTF Posts: 1,749 Forumite
    1,000 Posts Third Anniversary Photogenic Name Dropper
    GeoffTF said:
    danco said:
    If SMS codes are required then they are sent to your existing phone and copied into the banking app/website on the second device.
    I think that's the crucial point that I wasn't aware of. That the SMS code will also be available in the app on EVERY device. 
    Not sure I understand.  The SMS is sent to one device* - a phone tied to a SIM card.  The point @flaneurs_lobster was making that this could be manually copied to an app or login asking for it on another device.

    *In theory you can view SMS messages on a web browser too.  For Android phones this can be https://messages.google.com/web for example.  But you need the original SIM device to be "paired" with the browser.  Apple probably have something similar.
    Yes, exactly right.

    Windows machines have MS Phone Link pre-installed, which lets you read SMS messages (and pretty much everything else) on a paired phone (certainly Android - dunno about Apple).
    That defeats the object of 2FA, which is to ensure that you need to have two different devices to make the transaction, which ensures that a hacker has to gain access to both devices in order to make a fraudulent transaction.
    No it doesn't - the second device has to be physically present too. It's linked to the first (in this example by Bluetooth). The first device is just being used as a second screen (and it makes it easier to cut'n'paste codes).
    That's not the case for reading SMS via https://messages.google.com/web on Android.  But the devices do need to be adjacent for initial pairing (via scanning a QR code).  
    In which case that does sound like a way to circumvent/nullify 2FA to me, albeit at the behest of the account holder. Is the link persistent? Are the devices linked forever?



    I don't really see the risk.  I'm linking my phone (in my possession, unlocked) with another device I trust (my laptop, unlocked at the time of linking).  I think the link times out after some weeks, but I use it all the time (to copy 2FA codes mainly from sites that still insist on using SMS).  My laptop is always secured when I'm not using it.
    The risk is that a hacker will gain control of your laptop and gain access to your financial accounts. Normally, that would not be too serious because he would not be able to intercept the security codes sent by the bank to a separate device. If you have linked the two devices, however, the hacker would be able to pick up the security codes and can do anything he wants with your accounts.
  • sausage_time
    sausage_time Posts: 1,251 Ambassador
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    GeoffTF said:
    GeoffTF said:
    danco said:
    If SMS codes are required then they are sent to your existing phone and copied into the banking app/website on the second device.
    I think that's the crucial point that I wasn't aware of. That the SMS code will also be available in the app on EVERY device. 
    Not sure I understand.  The SMS is sent to one device* - a phone tied to a SIM card.  The point @flaneurs_lobster was making that this could be manually copied to an app or login asking for it on another device.

    *In theory you can view SMS messages on a web browser too.  For Android phones this can be https://messages.google.com/web for example.  But you need the original SIM device to be "paired" with the browser.  Apple probably have something similar.
    Yes, exactly right.

    Windows machines have MS Phone Link pre-installed, which lets you read SMS messages (and pretty much everything else) on a paired phone (certainly Android - dunno about Apple).
    That defeats the object of 2FA, which is to ensure that you need to have two different devices to make the transaction, which ensures that a hacker has to gain access to both devices in order to make a fraudulent transaction.
    No it doesn't - the second device has to be physically present too. It's linked to the first (in this example by Bluetooth). The first device is just being used as a second screen (and it makes it easier to cut'n'paste codes).
    That's not the case for reading SMS via https://messages.google.com/web on Android.  But the devices do need to be adjacent for initial pairing (via scanning a QR code).  
    In which case that does sound like a way to circumvent/nullify 2FA to me, albeit at the behest of the account holder. Is the link persistent? Are the devices linked forever?



    I don't really see the risk.  I'm linking my phone (in my possession, unlocked) with another device I trust (my laptop, unlocked at the time of linking).  I think the link times out after some weeks, but I use it all the time (to copy 2FA codes mainly from sites that still insist on using SMS).  My laptop is always secured when I'm not using it.
    The risk is that a hacker will gain control of your laptop and gain access to your financial accounts. Normally, that would not be too serious because he would not be able to intercept the security codes sent by the bank to a separate device. If you have linked the two devices, however, the hacker would be able to pick up the security codes and can do anything he wants with your accounts.
    Fair point - but no worse than using a browser or laptop OS based authenticator (I don't do these things BTW).

    And in case of hacking I'd see the SMS on my phone and can take immediate steps (unpair, log out laptop browser session, phone financial institution, etc).

    Hopefully most sites will drop SMS 2FA in time.  I always choose phone based app authentication wherever possible.
    I’m a Forum Ambassador and I support the Forum Team on the Credit Cards and Budgeting & Bank Accounts boards. If you need any help on these boards, do let me know. Please note that Ambassadors are not moderators. Any posts you spot in breach of the Forum Rules should be reported via the report button, or by emailing forumteam@moneysavingexpert.com.
    All views are my own and not the official line of MoneySavingExpert.
  • Monanore
    Monanore Posts: 64 Forumite
    10 Posts Name Dropper
    Just a thought.  
    Those of you who understand these complicated things - and remember you are disagreeing amongst yourselves - just look back at all the comments and reflect on what a mess we have got into with online banking as a society, just for the sake of so-called 'convenience'.
    And think of all those not technically minded who have to navigate this minefield without proper defined instructions and guidance - as with everything these days nobody bothers to write user instructions any more, expecting people to rely on the rubbish on the internet.
    Seems to me we'd be better off without it.


  • booneruk
    booneruk Posts: 597 Forumite
    Sixth Anniversary 500 Posts Name Dropper
    edited 3 December 2024 at 10:24AM
    I've been saying from the start - get a modern phone, use its biometric features like fingerprint, keep it up to date and run the bank's app. There, you are secure enough and it's simple enough for all.

    Online banking is great, and I'm glad it's here to stay. I don't think I've set foot in a physical bank for over 10 years, and haven't done regularly for more than 20. How many hours of queuing has that saved on its own?

  • Monanore said:
    Just a thought.  
    Those of you who understand these complicated things - and remember you are disagreeing amongst yourselves - just look back at all the comments and reflect on what a mess we have got into with online banking as a society, just for the sake of so-called 'convenience'.
    And think of all those not technically minded who have to navigate this minefield without proper defined instructions and guidance - as with everything these days nobody bothers to write user instructions any more, expecting people to rely on the rubbish on the internet.
    Seems to me we'd be better off without it.


    Yes, in essence I agree with Monanore. Online banking is convenient, but it has also opened up a completely new form of fraud and robbery. Progress is also the opportunity for thieves and conmen.