UK banks hit by major IT glitches
https://www.which.co.uk/news/2019/03/revealed-uk-banks-hit-by-major-it-glitches-every-day/
EU: This Bank Had the Worst Password Policy We've Ever Seen
https://www.vice.com/en_us/article/kz4jjv/this-bank-had-the-worst-password-policy-weve-ever-seen
TL;DR: A European bank makes customers pay to change their passwords, and suggests they Google their password to check if it is secure.
Scammers drain bank accounts using AnyDesk and SIM-swapping
https://www.bleepingcomputer.com/news/security/scammers-drain-bank-accounts-using-anydesk-and-sim-swapping/
People who would download AnyDesk and let a stranger access their computer should not be banking online, I'll grant that.
A friend who is very non-tech-savvy called me about something he thought might be fishy. I don't remember what scam it was, but it's the kind of thing everyone here would recognize immediately.
I asked him a few questions about password security. The answers were frightening. So I asked him:
- do you bank online? No
- do you get email notices from your bank? No
- do you do paperless statements? No
- do you get text alerts? No
I said, "Okay, keep it that way." As far as his bank is concerned, he has a physical address and a landline.
All of us can be hacked by a determined foe, of course, but some people really should not do anything confidential or financial online. He hardly even shops online, and I told him that was probably a good thing.
But then, there are some people who set themselves up as experts and they say things like
> "Insert it on Google: if it returns less than 10 results it means it's a good password."
PS - "asdf" plus my four-digit birthdate returns 8 results. I guess it's a secure password. Whew! I was thinking I might have to use my eight-digit birthdate and I hate doing all that typing.
Password tip: Local or regional places or geo-features make for memorable passwords, particularly if they are hyper-local and not on maps. Example: A local intersection has been called 'Dog Corner' since before I was born. Add a string of significant-to-you digits and it is easily memorized.
Asdf Pond is right around the corner ;-)
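The "Google your password" advice above leaks the password to a search engine and tells you nothing about whether it appears in a breach corpus. The defensive way to answer the same question is a k-anonymity range check: the client hashes the candidate with SHA-1, sends only the first five hex characters, receives every suffix in that bucket, and compares locally. The example below is added here and is not code from the original thread or from any bank; the breach list and counts are constructed for the example, and `range_query` stands in for the network call to a real range service (the Have I Been Pwned range API uses this exact prefix/suffix shape).

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus for this example only: (plaintext, times_seen).
# In a real deployment this lives with the range service; the client never
# sends the plaintext or even the full hash, only a 5-hex-char SHA-1 prefix.
BREACHED = [
    ("password", 9_000_000),
    ("123456", 23_000_000),
    ("asdf1234", 54_000),
    ("qwerty", 3_900_000),
]


def sha1_hex(s: str) -> str:
    """Uppercase hex SHA-1, the encoding range services key on."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Bucket hashes by their first 5 hex chars, storing 'SUFFIX:COUNT' lines."""
    index = defaultdict(list)
    for pw, count in corpus:
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(BREACHED)


def range_query(prefix: str):
    """Stand-in for the HTTPS range call: returns every suffix sharing the prefix.

    The caller learns the whole bucket, so the service learns only the prefix.
    """
    return RANGE_INDEX.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus; 0 if unseen."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_query(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def is_acceptable(password: str, min_len: int = 12) -> bool:
    """Policy check: long enough and never seen in the breach corpus."""
    return len(password) >= min_len and breach_count(password) == 0


if __name__ == "__main__":
    for pw in ("password", "asdf1234", "a long unbreached passphrase 42"):
        print(pw, "->", breach_count(pw), "acceptable:", is_acceptable(pw))
```

The check is deliberately the opposite of the quoted advice: a password that returns zero matches is merely not known-breached, which is a necessary condition, not proof of strength, so the length floor in `is_acceptable` still applies.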
UK: £200m lost to bank transfer fraud - Only a third of losses were reimbursed despite new bank code
https://www.which.co.uk/news/2020/09/over-200m-lost-to-bank-transfer-fraud-in-the-first-half-of-2020/
This one was apparently more automated.
"used emulators to mimic the phones of more than 16,000 customers whose mobile bank accounts had been compromised."
A Massive Fraud Operation Stole Millions From Online Bank Accounts | WIRED
https://www.wired.com/story/massive-fraud-operation-stole-millions-online-bank-accounts/
Column: If this is how banks prevent fraud, we're in trouble - Los Angeles Times
https://www.latimes.com/business/story/2021-03-09/column-pandemic-bank-fraud
My bank has messed up their authentication system, frankly. Auth is by SMS only, and now internet-based text message services don't work for some reason (Ring Central, Google Voice, etc). Since I do not have cell service without having to drive somewhere, I can no longer authenticate from home.
I called and, after answering a battery of questions, they sent me a one-time code. But, again, they send it via SMS which I cannot receive. So they asked me a bunch more security questions, and they let me in.
Of all the questions asked, only one would be difficult to find through public records. You don't have to be a state-sponsored hacker to get a list of streets I used to live on and universities I've gone to.
Kinda scary....
A Banking App Has Been Suddenly Closing Accounts, Sometimes Not Returning Customers' Money — ProPublica
https://www.propublica.org/article/chime
> For all of Chime's Silicon Valley tech patina, one thing it's not is an actual bank. Like others in its category, Chime is a digital interface that hands over the actual banking to, in this instance, two regional institutions, The Bancorp Bank and Stride Bank. Chime customers interact with the Chime app, but Bancorp and Stride, both of which are FDIC-insured, hold their money.
Since Chime is not a bank, that leaves it in a regulatory no man's land
PS - Marrero's story reminds me... back in the late 1970s, my brother's bank messed up three times. One time they bounced a check they shouldn't have. I forget the other two. But they admitted they were wrong and canceled the charges, but of course offered no other compensation for the hassle.
So one day he gets his statement and sees they've screwed up a fourth time, but this time accidentally crediting his account for an extra $30. He went down to the bank and took out all his money. They contacted him and demanded the $30 back. He said, "I'm sorry, those are three $10 service charges for the mistakes you made."
The person said, "I'm sorry, we don't pay service charges TO customers." My brother insisted they do, they insisted they don't. He said, "Well, I guess I'll just see your lawyers in small claims court then." Never heard from them again.
Cybercriminals took advantage of Work From Home to target financial services companies, says Financial Stability Board report • The Register
https://www.theregister.com/2021/07/14/financial_stability_board_pandemic_report/
US Senate Banking Chair Asks CFPB How It Plans to Address Risks of Chime and Other Banking Apps — ProPublica
https://www.propublica.org/article/senate-banking-chair-asks-cfpb-how-it-plans-to-address-risks-of-chime-and-other-banking-apps#1096604
Britain is the world capital of bank fraud
"enabled partially by Britain's instant electronic transfers"
https://boingboing.net/2021/10/14/britain-is-the-world-capital-of-bank-fraud.html
New wrinkle:
Fraud: 'I had £18,000 stolen after my drink was spiked' - BBC News
https://www.bbc.com/news/business-59494524
>Fraud: 'I had £18,000 stolen after my drink was spiked' - BBC News
Had me wondering how it was done. For me, there's a pass phrase in the app where you enter 3 characters of it. 3 incorrect entries and you're locked out. Guess the banks in question don't have that protection.
With that out of the way, the rest sounds trivial.
Hypothesis: His apps are using Touch ID or Face ID, no code required. Since he's drugged, the criminals have access to both. That's both how they get into the phone and into the accounts. iPhones only require reauth with the code if the system has rebooted or the cookie (or whatever it is in the app world) has expired.
Makes one think about the issue with having a single system for both opening the phone and opening a financial app. If you're drugged, it effectively circumvents any 2FA. Pause for thought.
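The lockout behaviour mentioned in the post (three wrong entries and the account is locked) is the control that matters when a device and its biometrics are in someone else's hands. The example below is added here and is not code from the thread or from any bank's app. It checks a full passphrase against a salted PBKDF2 hash and locks after three consecutive failures; the "enter 3 characters of it" challenge is deliberately not reproduced, because a server can only answer per-character questions if it stores something from which each character is recoverable, which is weaker than a one-way hash of the whole passphrase. The `PassphraseGate` class, its iteration count and the return strings are this example's own choices.

```python
import hashlib
import hmac
import os


class PassphraseGate:
    """Server-side passphrase check with a consecutive-failure lockout.

    Stores only salt + PBKDF2-HMAC-SHA256 digest; compares in constant time.
    """

    MAX_FAILURES = 3       # third consecutive miss locks the gate
    ITERATIONS = 100_000   # example value; tune to your hardware budget

    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        self.digest = self._kdf(passphrase, self.salt)
        self.failures = 0
        self.locked = False

    def _kdf(self, passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", passphrase.encode("utf-8"), salt, self.ITERATIONS
        )

    def attempt(self, candidate: str) -> str:
        """Returns 'ok', 'denied' or 'locked'.

        Once locked, even the correct passphrase is refused: unlocking must go
        through a separate out-of-band path, not this function.
        """
        if self.locked:
            return "locked"
        if hmac.compare_digest(self._kdf(candidate, self.salt), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    # Constructed demo: two misses, a third that locks, then the real one refused.
    gate = PassphraseGate("dog corner 1234")
    for guess in ("asdf", "qwerty", "password", "dog corner 1234"):
        print(repr(guess), "->", gate.attempt(guess))
```

The counter resets only on success, so an attacker with the device cannot reset it by trying a known-wrong value; and because the lock persists across the correct entry, recovery has to happen through a channel the thief does not also hold, which is exactly the point the drink-spiking story raises.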
>Hypothesis
Debbie says 'Bingo!' His biometrics could still be available.
This thread also relates to the recent craptop thread and why my devices that leave the house are loaded with select sites and bookmarks. I also switch browsers on those devices so there won't be any possibility of syncing.
I do no banking online. No NFC payments either.
I don't use biometric access, just old fashioned PIN. Plus I have not been in a bar or party drinking since pre covid.
>Hypothesis
Yes.
Old: Drug them and harvest organs.
New: Drug them and steal crypto.
Another one;
Man stole $23K using ex's phone through facial recognition while she slept
https://nypost.com/2021/12/13/man-steals-23k-using-exs-phone-through-facial-recognition-report/
>>Don't bank online
I would gloss that last one as "Don't date a con artist."
Hacker steals Sydney man's life savings after simjacking
https://www.9news.com.au/national/optus-sim-swap-hack-robs-sydney-man-of-life-savings/4e1dcac8-a6e7-4030-a4a0-b18c87bbb019
Plaid is the 3rd-party engine behind a lot of online fintech.
Plaid is an evil nightmare product from Security Hell
https://drewdevault.com/2022/02/19/Plaid-is-an-evil-nightmare-product.html
New Xenomorph Android malware targets customers of 56 banks
https://www.bleepingcomputer.com/news/security/new-xenomorph-android-malware-targets-customers-of-56-banks/
US financial institutions reported nearly $1.2 billion on likely ransomware-related payments last year, most commonly in response to breaches originating with Russian criminal groups, according to the Treasury Department. - Bloomberg
https://www.bloomberg.com/news/articles/2022-11-01/us-banks-spent-1-billion-on-ransomware-payments-in-2021-treasury-says
Mobile phone fraud: 'They stole £22,500 using my banking app' - BBC News
https://www.bbc.co.uk/news/business-64240140
That's a scary one given that, at least as reported by the victim, he seems to have taken basic precautions.
This brings me back to the method my neighbors use when traveling. They bring a debit card that they fund with just the amount they think they will need on the trip and use only that card. They may carry a backup card with their passport for emergencies, I don't know. The point being that the only card they pull out during a trip is one with a max downside of say $5000.
I think you could use a similar method on the phone - a bank account you use for depositing checks and so forth that has the app on the phone, and then you clear that account periodically into your main account.
The only practical way to deposit checks for me is on the phone. I could mail them in, but that worries me even more as there are so many fail points. My mother-in-law had two checks sent to one of her children get intercepted and cashed. We have almost no theft in our neighborhood, but we have had a couple of mailbox break-ins.
So other than moving to a place where in-person banking is still possible, what are the options?
I strongly recommend that you remove all banking apps from your phones and use a stay-at-home desktop for online banking. Just this week I was reading a security report that said thieves are targeting phones then *immediately* submitting an account recovery. The 2-factor authorization is sent to the phone --which they have. That locks out the owner. Then they start going through the banking apps.
A woman who got locked out of her Apple account minutes after her iPhone was stolen and had $10,000 taken from her bank account says Apple was 'not helpful at all'
https://finance.yahoo.com/news/woman-got-locked-her-apple-163000848.html
+
/r roughly covered the way the account recovery method works when stolen
In the typical case when a phone is stolen (and they have the iPhone passcode), they attempt to disable Find My iPhone, but that requires the Apple ID password. Instead, you can reset the Apple ID password (WITHOUT HAVING THE APPLE ID PASSWORD) and from there do anything you want. The user will not be able to sign into their Apple ID anymore to report the phone as stolen, and the thief will have your Apple ID, device, and phone #, which unlocks most of your world even if you have 2FA turned on.
You can try it yourself, go to Settings > Click your iCloud Account > Password & Security > Change Password.
Even with 2FA enabled for your Apple ID, you can reset the password from here. And for everyone saying just don't type in your passcode in public, there are plenty of times that FaceID and TouchID fail a few times and you have no choice but to enter the passcode.
Q: apple lets you disable their ability to recover your lost password by generating recovery keys that you print out and store safely, at which point they lose the ability to recover your account. Wouldn't that stop unauthorized access?
You can still reset the Apple ID password with only the phone's passcode, having a recovery key in place doesn't help at all. Even if you have a recovery key a new one can be generated without having to enter the Apple ID password.
Q: Any solution?
Not really.
At a minimum you should not use iCloud Keychain and use a 3rd party password manager.
Once they have access to your account you should expect your other Apple devices to be locked down and rendered completely unusable. You will not be able to use those devices at all if Find My iPhone/iPad/Mac is enabled.
You should have all your important documents, photos, and videos backed up to a 3rd party (and not just Time Machine). You should also expect to never have access to your @icloud.com email again.
I recommend NOT saving usernames or passwords (or face ID) for quick login to sensitive apps. Even if someone gets the phone, they'd still have a difficult time getting into bank accounts.
Xenomorph Android malware now steals data from 400 banks
https://www.bleepingcomputer.com/news/security/xenomorph-android-malware-now-steals-data-from-400-banks/
Xenomorph v3 is far more capable and mature than the previous versions, able to automatically steal data, including credentials, account balances, perform banking transactions, and finalize fund transfers.
> I strongly recommend that you remove all banking apps from your phones
Good heads up. The reason I have banking apps is because there are now only two ways to deposit a check: the phone app or mailing it in via USPS.
But mostly this is for a few clients who pay by check and those deposits go to one account that has low activity and which we don't let build up. All the other apps could indeed go.
That should at least protect the main account (completely different bank) with our big cash savings and emergency funds right?
> This brings me back to the method my neighbors use when traveling. They bring a debit card that they fund with just the amount they think they will need on the trip and use only that card. They may carry a backup card with their passport for emergencies, I don't know. The point being that the only card they pull out during a trip is one with a max downside of say $5000.
I use Revolut when travelling. That limits my exposure, AND gives me easy currency. I also carry Amex and Mastercard, but not on my phone. The only way to load Revolut is from a home PC with all the widgets and passwords.
I suspect there are flaws in how I use it, as I also have 2 phones, one with wifi for when I can get it (usual phone) and one with a local SIM for any calls. Last trip to the USA I lost both, at different times (the problem there was having 2 on both occasions; habit has me checking for 1 phone, a dual SIM would be better!).
Main Bank apps on the phone?... no way. Cheques can go to the post office in the UK. Still works.
Watching older folks deal with money in this digital age is scary.
>>revolut
Never heard of it and, like so many products, it's not immediately clear from the home page what exactly it is. It seems to be sort of a credit card, sort of a Venmo, with advantages for international travel (no currency conversion fees). Is that about right?
The BBC describes it as, among many other things like crypto exchange, "A pre-paid debit card that enables cash machine withdrawals in 120 countries"
https://www.bbc.com/news/business-47768661
It sounds like that's your main use case. So if I follow, you use your desktop to transfer funds to Revolut and fund up the card, then you use that to pay when abroad. Am I getting close?
I'm particularly interested as I'm traveling to Switzerland and France at the end of April and it's been quite a while, so I've been wondering about the best way to pay for things but have not looked into it.
> you use your desktop to transfer funds to Revolut and fund up the card, then you use that to pay when abroad. Am I getting close?
Yup, it's a bank, without the protection of a bank we are used to in the UK. Another is Monzo...
>> protection
Yeah, in reading up on it, I realized that I had heard of it, but only in the context of depositors getting incorrectly flagged for fraud, having their accounts locked, and taking months to resolve it. For some people, especially some younger people with not much money looking for low fees, they were using it as their only or primary account and so this was a real hardship because they had $7000 locked up and that was all their savings. So they were defaulting on rent and other things.
I'm not worried about that. But the no-fee/low-fee currency exchange and limited access to ATMs and so forth looks very handy.
Back to the original thread about online banking safety....
One thing that drives me crazy is that no bank I have seen so far offers good two-factor auth. They typically use SMS, which is vulnerable through SIMjacking, and if they have another method it is either voice call (also subject to SIMjacking obviously) or via their banking app, which gets back to the question of whether you should have banking apps on your phone.
See
https://2fa.directory/us/#banking
Compare that to email
https://2fa.directory/us/#email
Or for an even starker contrast, compare it to the Security category where SMS is rarely even offered but hardware and software 2FA is ubiquitous
https://2fa.directory/us/#security
>offers good two-factor auth
Yeah, over the last few months several security articles have said "most banking software is still in the early 2000s."
+
Keep in mind that until relatively recently banks would not even report that they had been compromised due to bad PR.
7 data breach reporting rules banks need to understand | American Banker
https://www.americanbanker.com/list/7-data-breach-reporting-rules-banks-need-to-understand
World's Biggest Bank ICBC Forced to Trade Via USB Stick After Russia-Linked Hack - Bloomberg
https://www.bloomberg.com/news/articles/2023-11-10/world-s-biggest-bank-forced-to-trade-via-usb-stick-after-hack
And everyone knows how insecure USB is. If it were a movie, they would have pre-hacked the USB stick and had Brad Pitt on the inside to put it in play at just the right moment
https://www.consumeraffairs.com/news/more-people-losing-money-on-cash-apps-than-ever-before-012524.html
More people losing money on cash apps than ever before
One of Louise's friends works at the State Employee Credit Union. About 2 weeks ago, she told Louise not to bank online as they were being deluged daily with customers being defrauded/scammed by cash apps --all of them, but Venmo was currently the worst. Printed check hijacking was also a daily problem.
>>customers being defrauded/scammed by cash apps
I think you mean "with" or "via" cash apps. There is a difference between banking online or using a cash app being unsafe because hackers are intercepting transactions, and people not being savvy enough to verify that they are sending money to the right person.
To some extent, you can extend this logic to "Don't use the phone" because lots of elderly, lonely people are defrauded by scammers who use the phone for their scams.
>> Printed check hijacking
And there's the rub. Printed checks are not safe either unless you take measures to protect yourself, namely doing something to ensure chain of custody and having some sort of insurance.
Cleveland postal worker warns against using blue mailboxes due to ongoing theft issues
https://www.cleveland19.com/2023/07/11/cleveland-postal-worker-warns-against-using-blue-mailboxes-due-ongoing-theft-issues/
Those blue USPS mailboxes? Don't leave your mail in them, postal inspector says
https://www.almanacnews.com/2023/08/03/those-blue-usps-mailboxes-dont-leave-your-mail-in-them-postal-inspector-says/
To some extent all of the Another Online Banking Scam articles are like the self-driving car crash articles.
First ever iOS trojan discovered — and it's stealing Face ID data to break into bank accounts
https://www.tomsguide.com/computing/malware-adware/first-ever-ios-trojan-discovered-and-its-stealing-face-id-data-to-break-into-bank-accounts
What you need to know about the dangerous Android banking trojan that's been ported to iPhone
Good heads up. But it appears that if you don't install TestFlight and you don't make an MDM profile and give someone access, you're still safe.
https://www.latimes.com/business/story/2024-08-08/zelle-scams-prompt-federal-probe
Zelle scams prompt federal probe of bank efforts to protect customers - Los Angeles Times
https://www.c-span.org/video/?535795-1/scams-zelle-digital-payments-platform
Scams on Zelle Digital Payments Platform | C-SPAN.org
> A J.D. Power survey this year found that 3% of the people who'd used Zelle said they had lost money to scammers, which was less than the average for peer-to-peer money transfer services such as Venmo, CashApp and PayPal.
Interesting that Zelle makes headlines for fraud levels that are lower than Venmo or Paypal.
>Zelle makes headlines for fraud levels that are lower than Venmo or Paypal
AND gets a congressional investigation. The first squawking/posturing I saw was by Sen. Eliz Warren.
I thought the article provided a good overview of the major players.
Is it because Zelle is considered part of the "banking" system whereas Venmo is thought of as just a... completely nefarious online payments app with one of the worst histories of privacy violations of any app in history?
It's weird though... I frequently see alarmist headlines about Zelle. When I tell people that Venmo had all of Biden's payments publicly online and might have theirs too, they seem a) ignorant and b) completely unconcerned.
>Is it because Zelle is considered part of the "banking" system
Yes. It is seen as 'official' (and therefore secure) since it is offered/promoted by the banks. Someone mentioned to me that they thought it would be covered by the FDIC deposit insurance.
https://www.pnc.com/en/personal-banking/banking/online-and-mobile-banking/zelle.html
Well, it can't be covered by the FDIC any more than a stack of hundred dollar bills can or a fraudulent check can.
People who think it should be covered by the FDIC either don't understand what the FDIC does, what Zelle is or both.
But it raises an interesting point. People maybe have a higher level of trust because it's at the bank, not some separate service. Zelle at my bank has big notices that say something pointing out that this is like giving someone cash and you should only do this if you have verified the identity and you would be comfortable giving this much cash to the person.
Personally, I like Zelle. As far as technical infrastructure, it seems fairly secure AFAIK, it allows free and instant transfers, has excellent privacy protection compared to Venmo (which I flat out refuse to touch). In our neighborhood, because of distance to the stores, people are constantly picking up a few things at the grocery store for us and vice-versa and Zelle is the default payment method for that.
BTW, when I say, "seems fairly secure" I mean that it is essentially as secure as my bank login, which could be better (banks seem stuck on SMS second factor) and it doesn't increase my attack surface by adding a service in addition to my bank. If they can get into my bank, then Zelle is the least of my worries (since it has fairly low daily cap, which means they can't empty the account quickly using it).
https://www.zdnet.com/article/have-you-ever-used-cash-app-you-might-be-eligible-for-a-2500-settlement-payout/
Have you ever used Cash App? You might be eligible for a $2,500 settlement payout | ZDNET
https://www.aljazeera.com/economy/2024/12/20/us-consumer-watchdog-sues-big-banks-over-widespread-fraud-on-zelle-app?traffic_source=rss
US consumer watchdog sues big banks over 'widespread' fraud on Zelle app | Al Jazeera
I'm not convinced the banks are to blame on that...
> But in some cases, banks have resisted paying back customers who were tricked into making the payments themselves.
They tell you several times, "Do not send money to someone you do not know. Are you sure you want to continue?" We gave $1000 to a friend via Zelle recently and that was enough to trigger an alarm and we got a voice call from a live person who asked us to verbally authenticate (phone number on the account, name of my first dog*, all the usual stuff) before they released the money.
*Tip: I treat these security questions like passwords, or nearly, and either use random strings or something that makes no sense, like:
Q: Make and model of first car
A: Disneyland
Corollary: If you must bank online, don't do it from a machine with an agentic browser
https://9to5google.com/2025/09/18/gemini-in-chrome/
https://www.digitalocean.com/resources/articles/agentic-browsers
"Gemini will always have you confirm the final step, like making the actual purchase. "
Always.