Donate to Remove ads

Got a credit Card? use our Credit Card & Finance Calculators

Thanks to johnstevens77,BusyBumbleBee,88V8,Anonymous,6Tricia, for Donating to support the site

New security rules. Bank App or code via SMS text?

Seek assistance with technology
stevensfo
Lemon Slice
Posts: 681
Joined: November 5th, 2016, 8:43 am
Has thanked: 309 times
Been thanked: 146 times

New security rules. Bank App or code via SMS text?

#244354

Postby stevensfo » August 14th, 2019, 8:44 pm

Given the choice for complying with the extra security rules, is there any reason why I should download an app from my bank rather than have a code via SMS? I understand that the text message may incur a small charge, and the app will be free, albeit with an internet connection, but can I be sure that a bank app will not gather more info than necessary?


Steve

supremetwo
Lemon Slice
Posts: 779
Joined: November 8th, 2016, 2:20 am
Has thanked: 65 times
Been thanked: 113 times

Re: New security rules. Bank App or code via SMS text?

#244370

Postby supremetwo » August 14th, 2019, 10:34 pm

stevensfo wrote:Given the choice for complying with the extra security rules, is there any reason why I should download an app from my bank rather than have a code via SMS? I understand that the text message may incur a small charge, and the app will be free, albeit with an internet connection, but can I be sure that a bank app will not gather more info than necessary? Steve

AFAIK, there is no charge to receive a text message.
You then have to enter the code into whichever method you are using to connect to the provider and all of those need an internet connection.

As for privacy, here is an example:-
https://www.barclays.co.uk/ways-to-bank ... onditions/

The app uses cookies and similar technologies when you first register, and to check that it’s you when you’re using the app. By using the app, you accept how and when we use cookies – as set out below
Cookies also help us improve how the app works. We use cookies to collect information about how you use the app, for example which areas you use most often and if you receive any error messages. We can then can make the app better and be sure that the products and services we offer are right for you and other people. We may also use the cookies to help us provide more meaningful and relevant communications to you and to see if our ads are working – for example, we can check if you downloaded our app in response to an ad
We need these cookies for the app to work – if you don’t want them, you’ll have to delete the app


Thus little different from computer-based.

Infrasonic
Lemon Quarter
Posts: 1529
Joined: November 4th, 2016, 2:25 pm
Has thanked: 206 times
Been thanked: 261 times

Re: New security rules. Bank App or code via SMS text?

#244382

Postby Infrasonic » August 14th, 2019, 11:11 pm

The advantage of browser based access is you can have control over cookies. For instance with my main bank account I block all the third party cookie cr*p like Facebook, Twitter et al that would otherwise be allowed and only whitelist the cookies that are essential for account access and functionality.
With the proprietary apps that user control disappears.
SMS has its own well catalogued security weaknesses, so it's a subjective assessment for the user to make wrt to security v privacy.

Garless
2 Lemon pips
Posts: 145
Joined: November 5th, 2016, 9:38 pm
Has thanked: 36 times
Been thanked: 3 times

Re: New security rules. Bank App or code via SMS text?

#244384

Postby Garless » August 14th, 2019, 11:15 pm

stevensfo wrote:Given the choice for complying with the extra security rules, is there any reason why I should download an app from my bank rather than have a code via SMS? I understand that the text message may incur a small charge, and the app will be free, albeit with an internet connection, but can I be sure that a bank app will not gather more info than necessary?


Steve



Will you always be in an area with a good mobile signal? My home is in an intermittent not spot so an app via wifi is more reliable.

Julian
Lemon Slice
Posts: 563
Joined: November 4th, 2016, 9:58 am
Has thanked: 125 times
Been thanked: 177 times

Re: New security rules. Bank App or code via SMS text?

#244452

Postby Julian » August 15th, 2019, 10:41 am

Personally I prefer to use banking apps on my iPad now.

On the SMS thing be careful not to get complacent and let your guard down. Still be very careful that you are talking to the real banking site. It is still possible for a fake site to act as man in the middle where it also asks you for the code just SMS-ed to your phone and then presents that to the real banking site to get access. e.g. in in this Google presentation (https://www.fastcompany.com/90387855/we ... ealed-why#) Google reported that 24% of the most targeted phishing attacks that it analysed still succeeded even with SMS authorisation enabled.

As well as remembering passwords another benefit of a good password manager is that it checks the URL on whatever site you are visiting. I use Lastpass and even when I go directly to one of my sensitive sites if I don't see a notification icon from my password manager telling me that it has credentials stored for the site, i.e. it recognises the URL, I wouldn't go further without careful investigation. (Occasionally banks etc do make changes to the URL of their login page so adjustments to the stored URL are sometimes necessary.) For people who don't trust password managers it might even be worth considering installing one anyway with nonsense passwords in simply to be able to see the "I recognise this URL" notifications when visiting your sensitive sites; in my view you really can't be too careful.

Enabling SMS authentication is still way better than not doing so, it's going to protect you against any site that is only passively collecting user names and passwords rather than actively trying to get access to the account in real time, but be aware that it is not 100% foolproof. It's a jungle out there!

- Julian

ReformedCharacter
Lemon Slice
Posts: 893
Joined: November 4th, 2016, 11:12 am
Has thanked: 432 times
Been thanked: 215 times

Re: New security rules. Bank App or code via SMS text?

#244470

Postby ReformedCharacter » August 15th, 2019, 11:28 am

Am I going to have to use a mobile phone I wonder. I don't like them. I have one that I take in the car in case I need to call the AA, I also use it to WhatsApp a friend abroad. I suppose that makes me a bit unusual but there we are. There's always plenty in the news about bank related fraud but how much is caused by compromised user name \ password \ extra information? I probably resent the assumption that everyone has or wants to use a mobile phone. I must be feeling a bit of an old grumpy today :)

RC

Alaric
Lemon Quarter
Posts: 3330
Joined: November 5th, 2016, 9:05 am
Has thanked: 11 times
Been thanked: 673 times

Re: New security rules. Bank App or code via SMS text?

#244477

Postby Alaric » August 15th, 2019, 11:39 am

ReformedCharacter wrote: I probably resent the assumption that everyone has or wants to use a mobile phone.


I believe some banks would read out a message on your landline. But if a bank insists on a security measure that you don't want or cannot use, changing banks remains an option and if enough people do it, those in the bank responsible for maintaining market share might even take notice and make the security policies more flexible.

Julian
Lemon Slice
Posts: 563
Joined: November 4th, 2016, 9:58 am
Has thanked: 125 times
Been thanked: 177 times

Re: New security rules. Bank App or code via SMS text?

#244485

Postby Julian » August 15th, 2019, 11:50 am

ReformedCharacter wrote:Am I going to have to use a mobile phone I wonder. I don't like them. I have one that I take in the car in case I need to call the AA, I also use it to WhatsApp a friend abroad. I suppose that makes me a bit unusual but there we are. There's always plenty in the news about bank related fraud but how much is caused by compromised user name \ password \ extra information? I probably resent the assumption that everyone has or wants to use a mobile phone. I must be feeling a bit of an old grumpy today :)

RC

I confess that I don't like the SMS thing. It's a total pain when I'm out of the country in an expensive roaming area so I either have all comms switched off (I mostly use my phone to read Kindle books and listen to music) or I've switched to a local (other country) SIM hence have a different phone number.

I'm usually abroad when I file my HMRC annual SA100 tax return and HMRC ostensibly uses an SMS scheme which caused me real hassle in the past with panicked SIM swaps and turning on the comms to get the SMS with the code while I was trying to log on but it is now possible on the HMRC site to say that you don't have access to your phone (or phone number in my case) during log on at which point, although this isn't made clear in the initial "I can't get the code" link, the site will allow you to enter a code generated by Google Authenticator instead (you have to set up Google Authenticator to generate HMRC codes which I have done).

Does anyone have any thoughts regarding the relative security of those two approaches, SMS-ed code vs Google Authenticator code? I would have though that both are pretty much identical in that they are still subject to man in the middle attacks but pretty robust otherwise with GA maybe having a slight advantage since the code is only valid in theory for 30 seconds although to overcome time sync issues I suspect it allows a good few seconds either side of the time window, maybe even 30 seconds either side, but that's still better than the 10 minute or so window to use an SMS code. Personally I prefer the Google Authenticator approach for convenience and I hope banks evolve along the same path as HMRC and start offering GA codes as an alternative SFA method.

- Julian

BobbyD
Lemon Quarter
Posts: 4617
Joined: January 22nd, 2017, 2:29 pm
Has thanked: 66 times
Been thanked: 217 times

Re: New security rules. Bank App or code via SMS text?

#244489

Postby BobbyD » August 15th, 2019, 11:56 am

stevensfo wrote:Given the choice for complying with the extra security rules, is there any reason why I should download an app from my bank rather than have a code via SMS? I understand that the text message may incur a small charge, and the app will be free, albeit with an internet connection, but can I be sure that a bank app will not gather more info than necessary?


Steve


SMS is not secure, in fact it falls foul of one of the most prevalent methods of consumer bank fraud.

What is SIM swapping?
SIM swap is a genuine service which allows you to keep your existing phone number and change between different SIM sizes or phone providers.

Fraudsters sometimes take advantage of this
It's becoming increasingly common amongst fraudsters as it can provide them with the ability to utilise your mobile phone number.

This helps them benefit from all the functionality and services your number provides, such as receiving and making phone calls, receiving and sending SMS messages as well as using any provisioned data allowance.



- https://personal.natwest.com/personal/f ... scams.html

The banking app should require not just that you can access your phone, but that you can also satisfy the log on requirements set up for your bank account.

Oh, and if you leave your phone unlocked or have the contents of texts displayed on the lock screen then they are even less secure...

madhatter
2 Lemon pips
Posts: 234
Joined: November 12th, 2016, 9:25 pm
Has thanked: 264 times
Been thanked: 85 times

Re: New security rules. Bank App or code via SMS text?

#244520

Postby madhatter » August 15th, 2019, 1:05 pm

My Barclays Bank app lets me use the fingerprint reader to validate access. They are not the only ones to do that.

BobbyD
Lemon Quarter
Posts: 4617
Joined: January 22nd, 2017, 2:29 pm
Has thanked: 66 times
Been thanked: 217 times

Re: New security rules. Bank App or code via SMS text?

#244551

Postby BobbyD » August 15th, 2019, 3:58 pm

madhatter wrote:My Barclays Bank app lets me use the fingerprint reader to validate access. They are not the only ones to do that.


So do my HSBC, Nationwide, BOS and Tesco Apps.

pochisoldi
Lemon Slice
Posts: 497
Joined: November 4th, 2016, 11:33 am
Has thanked: 9 times
Been thanked: 246 times

Re: New security rules. Bank App or code via SMS text?

#244580

Postby pochisoldi » August 15th, 2019, 6:02 pm

The Barclays app allows you to use phone+app+5 digit pin to get a one time code in the same way as you would do with a card reader+debit card+4 digit pin.

Neither of those two methods require any form of connectivity to get the one time code.

(Note that an unregistered or deregistered app won't pass muster even with a correct pin code).

I can't wait to see how these shenanigans work out - in many cases they may allow fraud to slip through the net as people check their accounts less often because they CBA with the logging in faff.

PochiSoldi

ReformedCharacter
Lemon Slice
Posts: 893
Joined: November 4th, 2016, 11:12 am
Has thanked: 432 times
Been thanked: 215 times

Re: New security rules. Bank App or code via SMS text?

#244590

Postby ReformedCharacter » August 15th, 2019, 6:58 pm

Alaric wrote:
But if a bank insists on a security measure that you don't want or cannot use, changing banks remains an option and if enough people do it, those in the bank responsible for maintaining market share might even take notice and make the security policies more flexible.

That would be a odd outcome for me, I only opened an account with my current bank because they offered 'dial-up' banking back in 1989, some time before the www.

RC

Laughton
Lemon Pip
Posts: 87
Joined: November 6th, 2016, 2:15 pm
Been thanked: 13 times

Re: New security rules. Bank App or code via SMS text?

#244599

Postby Laughton » August 15th, 2019, 7:37 pm

I'm a bit confused about what the problem is with security or otherwise of the SMS system/arrangement.

For example, I'm online making a purchase from a site that I know or that at least has the https at the beginning or I'm making a payment via my online bank and either of these then require me to enter a code sent to my mobile phone by SMS.

If, as has been suggested, some fraudster intercepts and send me a spoof code which I then enter on the website then my transaction will be refused (because it's the incorrect code). OK, that's going to be a pain but how would I lose money and if I don't where is the benefit and therefore the incentive to the criminal?

wickham
Lemon Slice
Posts: 315
Joined: November 6th, 2016, 8:13 am
Has thanked: 27 times
Been thanked: 24 times

Re: New security rules. Bank App or code via SMS text?

#244612

Postby wickham » August 15th, 2019, 8:08 pm

The Co-op bank has just sent me a similar letter, but I don't use a mobile phone. The letter offers an email with a code instead, which should be OK unless the email is delayed.

Other institutions offer a landline telephone call to give you a code number, but I have an odd situation where my internet gets cut off when the call comes through, so I can't enter the code and by the time the internet has reconnected, the code is out of time.

Alaric
Lemon Quarter
Posts: 3330
Joined: November 5th, 2016, 9:05 am
Has thanked: 11 times
Been thanked: 673 times

Re: New security rules. Bank App or code via SMS text?

#244617

Postby Alaric » August 15th, 2019, 8:32 pm

wickham wrote: but I have an odd situation where my internet gets cut off when the call comes through, so I can't enter the code and by the time the internet has reconnected, the code is out of time.


If that's happening, you likely have a wiring fault somewhere, possibly inside your house. If they aren't the same organisation and possibly even if they are, getting it fixed can be a nightmare as the provider of the telephone line will blame the internet service provider and vice versa. Openreach may be able to fix the problem, but you aren't allowed to talk to them directly.

TedSwippet
Lemon Slice
Posts: 358
Joined: November 4th, 2016, 12:57 pm
Has thanked: 46 times
Been thanked: 123 times

Re: New security rules. Bank App or code via SMS text?

#244638

Postby TedSwippet » August 15th, 2019, 10:14 pm

wickham wrote:... but I have an odd situation where my internet gets cut off when the call comes through, so I can't enter the code and by the time the internet has reconnected, the code is out of time.

I've seen this happen with faulty or mis-connected (or absent!) DSL filters. Maybe check this first?

Julian
Lemon Slice
Posts: 563
Joined: November 4th, 2016, 9:58 am
Has thanked: 125 times
Been thanked: 177 times

Re: New security rules. Bank App or code via SMS text?

#244655

Postby Julian » August 15th, 2019, 11:24 pm

Laughton wrote:I'm a bit confused about what the problem is with security or otherwise of the SMS system/arrangement.

For example, I'm online making a purchase from a site that I know or that at least has the https at the beginning or I'm making a payment via my online bank and either of these then require me to enter a code sent to my mobile phone by SMS.

If, as has been suggested, some fraudster intercepts and send me a spoof code which I then enter on the website then my transaction will be refused (because it's the incorrect code). OK, that's going to be a pain but how would I lose money and if I don't where is the benefit and therefore the incentive to the criminal?

Your last paragraph is not what I was suggesting. As I understand it the potential liability I was talking about is when a phishing attack tricks you into visiting a fraudster site posing as your bank. Just like most phishing sites it tricks you into entering your user ID and password but, whereas most sites then simply save them these ones actually go and immediately present them to your real banking site. That then triggers your bank to SMS you a code by which time the fraudster site is now impersonating the “please enter the code we just sent you” page at which point you enter a code that is probably still valid for quite a few extra minutes and the fraudulent site then presents that valid code to your real banking account and the phisher is in. At that point the fraudulent site that you’re still interacting with probably tries to decoy you by making it look as if it is slow and waiting for the server for a minute or so and then coming back with a “sorry, we are experiencing a problem, please try again in a few minutes. if the problem persists please contact us on xxxx” or some other plausible message that might stop you thinking you’ve been hacked for at least the 5 minutes it takes a fraudster to do whatever they want to do with your account.

The sort of phishing operation described above is more sophisticated and more hands-on than a more basic phishing site, e.g. as soon as an account is breached there probably needs to be a human to exploit the access in real time so it can’t all be automated, which is why it is more of a risk if you’re unlucky enough to be spearphished rather than general mass phishing but still I think worth being aware of the possibility and being very sure that you are genuinely talking directly to your banking site.

- Julian

UncleEbenezer
Lemon Quarter
Posts: 3637
Joined: November 4th, 2016, 8:17 pm
Has thanked: 410 times
Been thanked: 615 times

Re: New security rules. Bank App or code via SMS text?

#244657

Postby UncleEbenezer » August 15th, 2019, 11:39 pm

Laughton wrote:I'm a bit confused about what the problem is with security or otherwise of the SMS system/arrangement.

For example, I'm online making a purchase from a site that I know or that at least has the https at the beginning or I'm making a payment via my online bank and either of these then require me to enter a code sent to my mobile phone by SMS.

If, as has been suggested, some fraudster intercepts and send me a spoof code which I then enter on the website then my transaction will be refused (because it's the incorrect code). OK, that's going to be a pain but how would I lose money and if I don't where is the benefit and therefore the incentive to the criminal?

The SMS issue is when someone else gets the SMS messages - typically by hijacking your phone number. You never asked for the SMS message - it's them not you that used the "forgot password" facility on your bank account. Of course you'll find out: the problem is what happens in the meantime, while you aren't thinking about either the phone or the account!

Oh, and don't be fooled by "https". That protects (encrypts) data between you and the site, but it doesn't tell you who you are dealing with - who is running the site. Serious ecommerce sites use enhanced certificates that do verify them, and are indicated in some browsers by displaying their name alongside the padlock. If unsure, look for more information - check the cert (clicking the padlock does that in most browsers), check the domain with whois (and be very suspicious if it's recently registered), and google it for any reports of Bad Things.

Julian
Lemon Slice
Posts: 563
Joined: November 4th, 2016, 9:58 am
Has thanked: 125 times
Been thanked: 177 times

Re: New security rules. Bank App or code via SMS text?

#244730

Postby Julian » August 16th, 2019, 10:58 am

Now that a few of us have highlighted the potential issues with SMS codes are there any issues that should be highlighted with banking apps?

The obvious one that springs into my mind is that malware somehow gets into a banking app and then you're doomed but I assume that as long as no one is stupid enough to download such an app from an unauthorised source and always sticks to the Apple App Store, the Google Play Store or the Microsoft Windows Store that is pretty unlikely to be an issue. I would hope that Apple, Google & Microsoft are particularly careful when vetting such sensitive apps but maybe I'm wrong. At the very least I would hope they would screen out any attempts for a look-alike (phishing) app to get into their respective app stores so if one is downloading a NatWest banking app for instance then one could be confident that it really was submitted by NatWest. I wonder if the app store companies might even have some liability were they to let some malevolent banking app through that was able to plausibly pose as say the NatWest banking app. Similarly I wonder whether NatWest would have some liability were it to have its development group compromised such that a malicious update was pushed directly from NatWest or if there was some glaring but avoidable security flaw discovered in the app that criminals subsequently exploited. (I'm using NatWest as an example simply because that's my most-frequently-used banking app.)

Did I read at some point in the past about the possibility of hijacking a session in progress and somehow intercepting a per-session authentication key and taking over the session from another location or am I imagining that? Even if I'm not I would assume such an exploit would require a man in the middle so perhaps only a possibility on a WiFi connection (or wired Ethernet) as opposed to mobile data unless you're a target of specific interest and someone like GCHQ has compromised a cell tower. The other possibility would be traffic sniffing if the traffic encryption is weak enough such that the sniffed packets could be decrypted to extract the required key. I would hope that no active exploits of this type exist in any of the big banking apps.

I'd be interested in people's take, and in particular any concerns, regarding the mobile app alternative (I'm assuming set up to be protected by a good bio-metric authentication such as a best-in-class fingerprint scanner or FaceID).

- Julian


Return to “Computers, TVs & Phones”

Who is online

Users browsing this forum: No registered users and 3 guests