Author Topic: Don't bank online  (Read 40731 times)

ergophobe

  • Inner Core
  • Hero Member
  • *
  • Posts: 9495
    • View Profile
Re: Don't bank online
« Reply #30 on: January 27, 2023, 05:11:20 PM »
That's a scary one given that, at least as reported by the victim, he seems to have taken basic precautions.

This brings me back to the method my neighbors use when traveling. They bring a debit card that they fund with just the amount they think they will need on the trip and use only that card. They may carry a backup card with their passport for emergencies, I don't know. The point being that the only card they pull out during a trip is one with a max downside of say $5000.

I think you could use a similar method on the phone - a bank account you use for depositing checks and so forth that has the app on the phone, and then you clear that account periodically into your main account.

The only practical way to deposit checks for me is on the phone. I could mail them in, but that worries me even more as there are so many fail points. My mother-in-law had two checks sent to one of her children get intercepted and cashed. We have almost no theft in our neighborhood, but we have had a couple of mailbox break-ins.

So other than moving to a place where in-person banking is still possible, what are the options?

rcjordan

  • I'm consulting the authorities on the subject
  • Global Moderator
  • Hero Member
  • *****
  • Posts: 16638
  • Debbie says...
    • View Profile
Re: Don't bank online
« Reply #31 on: February 27, 2023, 12:38:54 AM »
I strongly recommend that you remove all banking apps from your phones and use a stay-at-home desktop for online banking.  Just this week I was reading a security report that said thieves are targeting phones then *immediately* submitting an account recovery.  The 2-factor authorization is sent to the phone --which they have.  That locks out the owner. Then they start going through the banking apps.

A woman who got locked out of her Apple account minutes after her iPhone was stolen and had $10,000 taken from her bank account says Apple was 'not helpful at all'

https://finance.yahoo.com/news/woman-got-locked-her-apple-163000848.html

+
/r roughly covered the way the account recovery method works when stolen

In the typical case when a phone is stolen (and they have the iPhone passcode), they attempt to disable Find My iPhone, but that requires the Apple ID password. Instead, you can reset the Apple ID password (WITHOUT HAVING THE APPLE ID PASSWORD) and from there do anything you want. The user will not be able to sign into their Apple ID anymore to report the phone as stolen, and the thief will have your Apple ID, device, and phone #, which unlocks most of your world even if you have 2FA turned on.

You can try it yourself, go to Settings > Click your iCloud Account > Password & Security > Change Password.

Even with 2FA enabled for your Apple ID, you can reset the password from here. And for everyone saying just don't type in your passcode in public, there are plenty of times that FaceID and TouchID fail a few times and you have no choice but to enter the passcode.

Q: Apple lets you disable their ability to recover your lost password by generating recovery keys that you print out and store safely, at which point they lose the ability to recover your account. Wouldn't that stop unauthorized access?

You can still reset the Apple ID password with only the phone's passcode, having a recovery key in place doesn't help at all. Even if you have a recovery key a new one can be generated without having to enter the Apple ID password.

Q: Any solution?

Not really.

At a minimum you should not use iCloud Keychain and use a 3rd party password manager.

Once they have access to your account you should expect for your other Apple devices to be locked down and rendered completely unusable. You will not be able to use those devices at all if FindMy iPhone/iPad/Mac is enabled.

You should have a backup of all your important documents, photos, and videos backed up to a 3rd party (and not just Time Machine). You should also expect to never have access to your @icloud.com email again.

« Last Edit: February 27, 2023, 02:52:38 AM by rcjordan »

Travoli

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1243
    • View Profile
Re: Don't bank online
« Reply #32 on: February 27, 2023, 08:32:36 PM »
I recommend NOT saving usernames or passwords (or face ID) for quick login to sensitive apps. Even if someone gets the phone, they'd still have a difficult time getting into bank accounts.

rcjordan

Re: Don't bank online
« Reply #33 on: March 10, 2023, 06:12:36 PM »
Xenomorph Android malware now steals data from 400 banks

https://www.bleepingcomputer.com/news/security/xenomorph-android-malware-now-steals-data-from-400-banks/

Xenomorph v3 is far more capable and mature than the previous versions, able to automatically steal data, including credentials, account balances, perform banking transactions, and finalize fund transfers.

ergophobe

Re: Don't bank online
« Reply #34 on: March 11, 2023, 02:57:52 AM »
Quote
I strongly recommend that you remove all banking apps from your phones

Good heads up. The reason I have banking apps is because there are now only two ways to deposit a check: the phone app or mailing it in via USPS.

But mostly this is for a few clients who pay by check and those deposits go to one account that has low activity and which we don't let build up. All the other apps could indeed go.

That should at least protect the main account (completely different bank) with our big cash savings and emergency funds right?

Rupert

  • Inner Core
  • Hero Member
  • *
  • Posts: 3375
  • George in a previous life.
    • View Profile
    • SuitsMen
Re: Don't bank online
« Reply #35 on: March 11, 2023, 07:21:21 AM »
Quote
This brings me back to the method my neighbors use when traveling. They bring a debit card that they fund with just the amount they think they will need on the trip and use only that card. They may carry a backup card with their passport for emergencies, I don't know. The point being that the only card they pull out during a trip is one with a max downside of say $5000.

I use Revolut when travelling. That limits my exposure, AND gives me easy currency. I also carry Amex and Mastercard, but not on my phone. The only way to load Revolut is from a home PC with all the widgets and passwords.

I suspect there are flaws in how I use it, as I also have 2 phones, one with Wi-Fi for when I can get it with (usual phone) and one with a local SIM for any calls. Last trip to the USA I lost both, at different times (the problem there was having 2 on both occasions; habit has me checking for 1 phone, a dual SIM would be better!)

Main Bank apps on the phone?... no way. Cheques can go to the post office in the UK. Still works.

Watching older folks deal with money in this digital age is scary.
... Make sure you live before you die.

ergophobe

Re: Don't bank online
« Reply #36 on: March 12, 2023, 12:43:19 AM »
>>revolut

Never heard of it and, like so many products, it's not immediately clear from the home page what exactly it is. It seems to be sort of a credit card, sort of a Venmo, with advantages for international travel (no currency conversion fees). Is that about right?

ergophobe

Re: Don't bank online
« Reply #37 on: March 12, 2023, 12:45:59 AM »
The BBC describes it as, among many other things like crypto exchange, "A pre-paid debit card that enables cash machine withdrawals in 120 countries"
https://www.bbc.com/news/business-47768661

It sounds like that's your main use case. So if I follow, you use your desktop to transfer funds to Revolut and fund up the card, then you use that to pay when abroad. Am I getting close?

I'm particularly interested as I'm traveling to Switzerland and France at the end of April and it's been quite a while, so I've been wondering about the best way to pay for things but have not looked into it.

Rupert

Re: Don't bank online
« Reply #38 on: March 12, 2023, 09:49:26 AM »
Quote
you use your desktop to transfer funds to Revolut and fund up the card, then you use that to pay when abroad. Am I getting close?

Yup, it's a bank, without the protection of a bank we are used to in the UK. Another is Monzo...

ergophobe

Re: Don't bank online
« Reply #39 on: March 12, 2023, 03:21:49 PM »
>> protection

Yeah, in reading up on it, I realized that I had heard of it, but only in the context of depositors getting incorrectly flagged for fraud, having their accounts locked, and taking months to resolve it. For some people, especially some younger people with not much money looking for low fees, they were using it as their only or primary account and so this was a real hardship because they had $7000 locked up and that was all their savings. So they were defaulting on rent and other things.

I'm not worried about that. But the no-fee/low-fee currency exchange and limited access to ATMs and so forth looks very handy.

ergophobe

Re: Don't bank online
« Reply #40 on: March 12, 2023, 04:26:31 PM »
Back to the original thread about online banking safety....

One thing that drives me crazy is that no bank I have seen so far offers good two-factor auth. They typically use SMS, which is vulnerable through SIMjacking, and if they have another method it is either voice call (also subject to SIMjacking, obviously) or via their banking app, which gets back to the question of whether you should have banking apps on your phone.

See
https://2fa.directory/us/#banking

Compare that to email
https://2fa.directory/us/#email

Or for an even starker contrast, compare it to the Security category where SMS is rarely even offered but hardware and software 2FA is ubiquitous
https://2fa.directory/us/#security

rcjordan

Re: Don't bank online
« Reply #41 on: March 12, 2023, 07:05:54 PM »
>offers good two-factor auth

Yeah, over the last few months several security articles have said "most banking software is still in the early 2000s."

rcjordan

Re: Don't bank online
« Reply #42 on: March 12, 2023, 07:10:03 PM »
+

Keep in mind that until relatively recently banks would not even report that they had been compromised due to bad PR.


7 data breach reporting rules banks need to understand | American Banker

https://www.americanbanker.com/list/7-data-breach-reporting-rules-banks-need-to-understand

rcjordan

Re: Don't bank online
« Reply #43 on: November 17, 2023, 01:43:32 AM »
World’s Biggest Bank ICBC Forced to Trade Via USB Stick After Russia-Linked Hack - Bloomberg

https://www.bloomberg.com/news/articles/2023-11-10/world-s-biggest-bank-forced-to-trade-via-usb-stick-after-hack

ergophobe

Re: Don't bank online
« Reply #44 on: November 17, 2023, 03:28:51 AM »
And everyone knows how insecure USB is. If it were a movie, they would have pre-hacked the USB stick and had Brad Pitt on the inside to put it in play at just the right moment