Online banking

Leonardo.b · Guru Joined: 10 Oct 2020 Posts: 302

Almost any online bank requires a smartphone and a proprietary client.
I don't think an Apple or Google smartphone is a secure place to manage moneys.
How do you do?

szatox · Advocate Joined: 27 Aug 2013 Posts: 3188

Dunno, my on-line access works just fine in a web browser with a spoofed user agent, and SMS confirmations do not require the phone to be very smart either.
Some other people I know (with a different bank) still use one-time passwords from scratch cards like 20 years ago. However, that bank also charges absurd transaction fees like 20 years ago.

> I don't think an Apple or Google smartphone is a secure place to manage moneys.
Your bank is not a secure place to manage money either. I don't care which bank is it. With AML laws in place your money in a bank is not really your money anymore, since the bank can just refuse to process a transaction or block your access.

Also, if you pay with a card, it's not your money either: it's not you, "the owner", making a payment; its the shop asking for your money and the bank honoring it. This system is just backwards.

Leonardo.b · Guru Joined: 10 Oct 2020 Posts: 302

I hope we won't evolve to a model similar to China, where payments are performed using messaging app.

Here in Italy cash is the preferred payment method, but European regulation are pushing to incentivate card payments.
I don't know about finance regulations, but I don't know any reliable alternative to banks.

Goverp · Advocate Joined: 07 Mar 2007 Posts: 2023

A friend of mine who is a security expert reckons the safest place to do online banking is from your bank's app on your smartphone. That's because it won't (or maybe shouldn't) be running Javascript in a web browser, which is what you'd be using on a PC. Also, your phone is probably unlocked by fingerprint, and your bank's app will also use fingerprints. I don't rate unlocking by face in the same league, though if the phone unlocks by face and the app by fingerprint, that probably counts as two-factor authentication in itself.
_________________
Greybeard

szatox · Advocate Joined: 27 Aug 2013 Posts: 3188

Spanik · l33t Joined: 12 Dec 2003 Posts: 963 Location: Belgium

Goverp · Advocate Joined: 07 Mar 2007 Posts: 2023

szatox · Advocate Joined: 27 Aug 2013 Posts: 3188

> 1
Fair point, I'll give you that one.

> 2. Is it? I think that statement needs justifying.
> 3. How compromised? People selling fingers, like religious relics? Anyway, I have 7 backups, without taking my socks off.
Hand me a glass, please.
I just got 5 of your 7 backups, thank you.

> 4. AFAIK, the scan is solely stored (or rather, some one-way encryption of certain significant features of the scan) on your phone.
Yes, yes, a JPEG is definitely one-way, but it's not encryption, even if you crank the compression up to 11.
For all intents and purposes it is a scan. Discarding the canvas and transforming pixels into a geometric mesh of significant features does not make it "not a scan"; it's just a marketing mumbo-jumbo used to misdirect attention from substance to the brand new form.

> 5. Pardon? What has this to do with fingerprints?
It's biometric data, and to make things worse we tend to leave a trail of those literally everywhere we go.
How can it be exploited? I don't know. In what ways will it be exploitable in 20 years? I don't know either, but I wouldn't assume you'll get an option to un-register yourself from whoever gets access to those things once we figure it out.

> 6. AFAIK, readers take precautions against fake or dead fingers.
You sure? Manufacturers not taking precautions, part 1581: https://youtu.be/q-qN-zC0ylk?t=49
Maybe in some top-security facilities... Maybe.

> The bad guys will also ask you nicely for your password/Yubikey/whatever token you use
At least I get to keep my fingers. A yubikey is much easier to replace than a finger.

Anyway, going back to banking... I heard there is a growing alternative economy around monero. Which is not perfect, because it _requires_ the internet, but if it could actually be used for buying stuff rather than just holding onto your savings until a greater fool appears, it would be an interesting option.
The critical part is that crypto must be decentralized and independent of banks; if CBDC replaces the other payment methods, we're screwed.

NeddySeagoon · Posted: Sun Dec 17, 2023 12:56 pm Post subject:

Being an old fart, my fingerprints have faded to the point where my phone won't detect them.
Thats a feature of old fingers.

My bank is pushing the long discredited OTP over SMS or their own smartphone app.
They still support TOTP with a card reader, which is my personal preference.

Trusting a smartphone and/or app is dumb. As yet, there is no real separation between the phone operating system and everything else.
That's on the horizon, so you could soon have Android for the phone and Linux for the useful stuff.

I suspect that some of this 'security' is just window dressing too.
Is your bank going to tell you if millions of accounts were compromised because of a bug in their app?
I suspect that it will be hushed up and they will take the hit.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

pa4wdh · l33t Joined: 16 Dec 2005 Posts: 815

Ralphred · Guru Joined: 31 Dec 2013 Posts: 510

mrbassie · l33t Joined: 31 May 2013 Posts: 795 Location: over here

Spanik · l33t Joined: 12 Dec 2003 Posts: 963 Location: Belgium

sitquietly · Posted: Tue Dec 19, 2023 4:57 am Post subject: Re: Online banking

djdunn · l33t Joined: 26 Dec 2004 Posts: 810

smartphone or website, the android app is kinda different, but website works all the same and usually has more features
_________________
“Music is a moral law. It gives a soul to the Universe, wings to the mind, flight to the imagination, a charm to sadness, gaiety and life to everything. It is the essence of order, and leads to all that is good and just and beautiful.”

― Plato