AF62 wrote:
Lootman wrote:
I don't think any method that uses a phone can be secure given how easy it is to lose or break a phone, because they can be hacked and because a signal isn't always available. I won't use a phone app for any financial business on principle.
And bear in mind that all this rigmarole is being implemented for the benefit of the financial institutions and not for the customers. That's why some institutions don't care how difficult and awkward it is for us to jump through all these hoops. I just think it is overkill.
You really think an encrypted smartphone only accessible through a biometric key is less secure than what millions of people do - a password scribbled in a notebook or set to the name of the family dog!
My phone has fingerprint protection but I would assume that the average phone thief/hacker would be able to get around that. For me that feature is more about other people not being able to casually use my phone if I set it down at work or home. More generally I do not consider phones to be a safe device precisely because they can easily fall into the wrong hands.
You may be correct that your solution is technically more secure. But surely it is a matter of being 99.9% secure rather than 99.8% secure. For someone to commit fraud on my account they'd need my userid and password on the bank's website AND the userid and password of my email account AND whatever questions the bank asks about first car, pet's name etc. That's a lot of hurdles.
The tradeoff is between security and usability. I've had to abort a few transactions because I didn't have a signal (in the countryside or overseas). In that situation I am effectively being cut off from online commerce or banking because of "security". So where possible my business is going to go to an institution that doesn't require me to cart a second piece of hardware around and rely on there being a reliable signal.