Insecurity of phone banking

Discussions about serious topics, for serious people
IvanV
Stummy Beige
Posts: 3112
Joined: Mon May 17, 2021 11:12 am

Insecurity of phone banking

Post by IvanV » Fri Dec 13, 2024 12:43 pm

Phone snatcher took £21,000 from banking apps (BBC News Article)

The victim says that his banking apps were both face id and password protected, and he can't work out how the thief got in. I think it has been shown that face id can be broken with a photo of the subject. And probably a password reset got past the password, as you can when you are also into the email system for the reset. It makes me grateful my office has forced me to have pin protection on my emails on my phone. With your phone, the thief probably has the second factor to undermine any 2-factor verification.

I have an acquaintance who is an IT security expert. He has a higher degree in it. He's one of these people who can demonstrate how insecure a client's computer system is by showing them how quickly and easily he broke into it, and found and got into all the really sensitive stuff. He tells me that having a banking app on your mobile phone is just inherently insecure and you shouldn't do it. Taking his advice, I don't. But it doesn't seem to be well known, as so many people do it. They probably think that if it is available, it ought to be safe enough. But my acquaintance says it isn't.

That doesn't mean that plain banking is secure either. Twice someone has managed to carry out several client-absent just-under-£10k transactions using my payment card number to drain large sums of money. The two incidents added up to over £100k. In my case, the bank gave it all back very quickly and without argument, as they were quite clearly failing to confirm obviously suspicious transactions and let them carry on until it became, very, very obvious they shouldn't. The policeman who talked to me about the second, larger, incident was quite rude about the bank, and said it was the largest case he'd seen all year. But he also said that as all the transactions involved moving money through several other financial institutions, my bank would get the money back off the next company in the chain, and someone else would be left holding the loss. It doesn't help that when the bank does attempt to contact me, as it did in relation to a later third attempted theft, it had several features that made it sound just like a scam call. Fortunately, after I'd put the phone down, I called them to check. And that meant that when I did have a scam call of just that kind a couple of days ago, with similar features, I had to phone the bank again to confirm.

lpm
Junior Mod
Posts: 6457
Joined: Mon Nov 11, 2019 1:05 pm

Re: Insecurity of phone banking

Post by lpm » Fri Dec 13, 2024 1:04 pm

No reason to go to the inconvenience of not having a phone app. The banks are liable and stolen money is refunded.

IvanV
Stummy Beige
Posts: 3112
Joined: Mon May 17, 2021 11:12 am

Re: Insecurity of phone banking

Post by IvanV » Fri Dec 13, 2024 1:40 pm

lpm wrote:
Fri Dec 13, 2024 1:04 pm
No reason to go to the inconvenience of not having a phone app. The banks are liable and stolen money is refunded.
The article quoted says the victim has had £14,000 of the £21,000 refunded straightforwardly. But the other £7,000 was taken in a different way from another bank, who are still arguing about it. We do hear quite often of banks arguing the toss, and finding excuses not to pay, just like insurance companies.

My own thefts were not without consequence. My bank reduced the transaction limit on my card and on-line from £10k to £1.5k for 5 years. That was occasionally a nuisance. Larger purchases, transfers to savings accounts, became hard work. But I was also quite grateful, as it reduced the level of peril I might feel. Even though it was actually to save the bank from itself.

Stranger Mouse
Stummy Beige
Posts: 2775
Joined: Sat Dec 21, 2019 1:23 pm

Re: Insecurity of phone banking

Post by Stranger Mouse » Fri Dec 13, 2024 1:47 pm

Has anyone got any more info on the insecurity of banking apps? I use an app on iPhone and always got the impression it was reasonably safe
I’ve decided I should be on the pardon list if that’s still in the works

shpalman
Princess POW
Posts: 8504
Joined: Mon Nov 11, 2019 12:53 pm
Location: One step beyond

Re: Insecurity of phone banking

Post by shpalman » Fri Dec 13, 2024 1:55 pm

IvanV wrote:
Fri Dec 13, 2024 12:43 pm
... an IT security expert... tells me that having a banking app on your mobile phone is just inherently insecure and you shouldn't do it.
Experts in things always say stuff like that.

I note that Google Pay doesn't trust the phone if it's only been unlocked by Face ID, and asks for my fingerprint before I can use it to pay.

Similarly, my banking app asks for extra verification on doing anything sensitive, and indeed my banking app is the second authentication factor for anything I do via the browser on my PC.
having that swing is a necessary but not sufficient condition for it meaning a thing
@shpalman@mastodon.me.uk
@shpalman.bsky.social / bsky.app/profile/chrastina.net
threads.net/@dannychrastina

Stranger Mouse
Stummy Beige
Posts: 2775
Joined: Sat Dec 21, 2019 1:23 pm

Re: Insecurity of phone banking

Post by Stranger Mouse » Fri Dec 13, 2024 3:18 pm

shpalman wrote:
Fri Dec 13, 2024 1:55 pm
IvanV wrote:
Fri Dec 13, 2024 12:43 pm
... an IT security expert... tells me that having a banking app on your mobile phone is just inherently insecure and you shouldn't do it.
Experts in things always say stuff like that.

I note that Google Pay doesn't trust the phone if it's only been unlocked by Face ID, and asks for my fingerprint before I can use it to pay.

Similarly, my banking app asks for extra verification on doing anything sensitive, and indeed my banking app is the second authentication factor for anything I do via the browser on my PC.
I always prefer using fingerprint as default. I’m sure it’s not perfect but I haven’t seen any scary videos about fingerprint security issues like I have facial recognition where two people in the same ethnic group get told they’re identical
I’ve decided I should be on the pardon list if that’s still in the works

Lew Dolby
Catbabel
Posts: 692
Joined: Mon Nov 11, 2019 12:59 pm
Location: Shropshire - Welsh Borders

Re: Insecurity of phone banking

Post by Lew Dolby » Fri Dec 13, 2024 3:36 pm

Personally, wouldn't use an app for something like bank access.

We bank online but our bank (Co-op) recommends not even having the bank website bookmarked and always typing in the site name in full each time we want to access it.
If you bring your kids up to think for themselves, you can't complain when they do.

Beaker
Stargoon
Posts: 101
Joined: Tue Nov 12, 2019 5:28 pm

Re: Insecurity of phone banking

Post by Beaker » Fri Dec 13, 2024 3:50 pm

My banking app requires additional biometric to set up a new payee. It needs live video image of my face in an evenly lit space, so I would be surprised if it was easy to fool with a photo.

Trinucleus
Dorkwood
Posts: 1064
Joined: Mon Nov 11, 2019 6:45 pm

Re: Insecurity of phone banking

Post by Trinucleus » Fri Dec 13, 2024 5:06 pm

lpm wrote:
Fri Dec 13, 2024 1:04 pm
No reason to go to the inconvenience of not having a phone app. The banks are liable and stolen money is refunded.
Don't forget the inconvenience of the people behind you in the supermarket queue while waiting for you to find and activate the loyalty app, then close that and open the banking app to pay.... compared to the ten seconds it takes to pay by contactless card

dyqik
Princess POW
Posts: 8173
Joined: Wed Sep 25, 2019 4:19 pm
Location: Masshole

Re: Insecurity of phone banking

Post by dyqik » Fri Dec 13, 2024 5:35 pm

Trinucleus wrote:
Fri Dec 13, 2024 5:06 pm
lpm wrote:
Fri Dec 13, 2024 1:04 pm
No reason to go to the inconvenience of not having a phone app. The banks are liable and stolen money is refunded.
Don't forget the inconvenience of the people behind you in the supermarket queue while waiting for you to find and activate the loyalty app, then close that and open the banking app to pay.... compared to the ten seconds it takes to pay by contactless card
That's got nothing to do with this, and is down to basic incompetence.

philbo
Clardic Fug
Posts: 176
Joined: Sun Feb 23, 2020 11:06 am

Re: Insecurity of phone banking

Post by philbo » Fri Dec 13, 2024 6:38 pm

Stranger Mouse wrote:
Fri Dec 13, 2024 3:18 pm
I always prefer using fingerprint as default. I’m sure it’s not perfect but I haven’t seen any scary videos about fingerprint security issues like I have facial recognition where two people in the same ethnic group get told they’re identical
There was a *very* good Mythbusters (at least ten years ago) where they fooled a bunch of those fingerprint readers which claimed only to work when the correct (and real) finger was present. Haven't seen anything recent regarding the tech being much better, though. It's the same principles, only much quicker & less flaky hardware.

So many face recognition apps similarly claim not to work from a photo, but fail. I don't use face recognition, ever, because it's simply not robust enough.

Banking app needs FP + PIN to authorise a new payee, so I'm keeping the two factors, but if I were to lose my phone, I think I'd be contacting the bank without

monkey
After Pie
Posts: 2027
Joined: Wed Nov 13, 2019 5:10 pm

Re: Insecurity of phone banking

Post by monkey » Fri Dec 13, 2024 7:23 pm

philbo wrote:
Fri Dec 13, 2024 6:38 pm
There was a *very* good Mythbusters (at least ten years ago) where they fooled a bunch those fingerprint readers who claimed only to work when the correct (and real) finger was present. Haven't seen anything recent regarding the tech being much better, though. It's the same principles only much quicker & less flaky hardware.
I can't remember if I saw the Mythbusters do it or not, but the one I saw involved gummy bears. You get to eat the evidence after! And I don't think it would work on all types of scanner. I imagine the technology has got better in the last 10 years or so too. Even if it's just better resolution, it would be better at detecting a fake.

But stealing your fingerprint to make a fake finger as well as your phone/computer seems like a pretty unlikely crime. I imagine any thief would *really* want to get access to *your* stuff to go to that trouble. I assume that none of us here are that important, I'm not.

Edit: Someone might force you to unlock your phone/app, e.g. a mugger, but that tool works the same for any type of lock.

Fishnut
After Pie
Posts: 2548
Joined: Mon Nov 11, 2019 1:15 pm
Location: UK

Re: Insecurity of phone banking

Post by Fishnut » Fri Dec 13, 2024 7:27 pm

My fingerprint stops working properly if I've been gardening too much and have f.cked up my hands. I'm pretty comfortable using my phone for banking with fingerprint. It requires verification whenever I want to do anything atypical, such as setting up a new payee, and that's a password.
it's okay to say "I don't know"

philbo
Clardic Fug
Posts: 176
Joined: Sun Feb 23, 2020 11:06 am

Re: Insecurity of phone banking

Post by philbo » Fri Dec 13, 2024 8:38 pm

monkey wrote:
Fri Dec 13, 2024 7:23 pm
philbo wrote:
Fri Dec 13, 2024 6:38 pm
There was a *very* good Mythbusters (at least ten years ago) where they fooled a bunch those fingerprint readers who claimed only to work when the correct (and real) finger was present. Haven't seen anything recent regarding the tech being much better, though. It's the same principles only much quicker & less flaky hardware.
I can't remember if I saw the Mythbusers do it or not, but the one I saw involved gummy bears. You get to eat the evidence after! And I don't think it would work on all types of scanner. I imagine the technology has got better in the last 10 years or so too. Even if it's just better resolution it would be better at detecting a fake.
Gelatin (from gummy bears or wherever) makes a fake print that pretty much no reader can tell from an actual finger: the variation in properties between fingers makes it very difficult to exclude materials that have very similar properties.

Last I looked (three years ago), there were no new fingerprint ideas, just refinements to what was there when I was working with fingerprints 20 years ago. Better resolution, much faster, obvs.. the software probably tries to discern fakes, but I don't know what it could do to prevent a read from a fake print.

dyqik
Princess POW
Posts: 8173
Joined: Wed Sep 25, 2019 4:19 pm
Location: Masshole

Re: Insecurity of phone banking

Post by dyqik » Sat Dec 14, 2024 2:41 am

None of these systems are supposed to be absolutely secure on their own. The idea is that they provide one layer of security that prevents, or makes difficult, one form of attack.

Passwords are one layer - a good password requires so many attempts that the attempt to break in is obvious - just as someone trying a million different keys in your front door would be obvious.

Biometrics of one kind or another are a different kind of password/key, with the advantage that the user doesn't know the exact form of the key, and so can't divulge it (you don't know what features in your face or fingerprint the software is looking for).

2FA is a different kind of key, that requires a device registered to the cellphone network or other similar actively connected token authority - which will disappear if you report the device stolen or lost.

The net result is that the risk to banks from taking on the liability of break-ins is small. And that means that they can cover things.

Grumble
Light of Blast
Posts: 5180
Joined: Mon Nov 11, 2019 1:03 pm

Re: Insecurity of phone banking

Post by Grumble » Sat Dec 14, 2024 8:56 am

The guys who really want to have good security, the credit card thieves selling details on the dark web, use 3FA. I assume the banks have decided that the extra level of inconvenience wouldn’t help their bottom line.
where once I used to scintillate
now I sin till ten past three

Sciolus
Dorkwood
Posts: 1420
Joined: Mon Nov 11, 2019 6:42 pm

Re: Insecurity of phone banking

Post by Sciolus » Sat Dec 14, 2024 9:55 am

lpm wrote:
Fri Dec 13, 2024 1:04 pm
No reason to go to the inconvenience of not having a phone app. The banks are liable and stolen money is refunded.
... by their customers. I would rather banks didn't spend my money giving it to crooks through sh.tty security practices but spent it on giving me a decent service and maybe some interest.

Also, when you give money to crooks, they don't just spend it on a nice new telly, they use it to fund larger crimes.

I don't let my phone anywhere near my bank account.

bjn
Stummy Beige
Posts: 3126
Joined: Wed Sep 25, 2019 4:58 pm
Location: London

Re: Insecurity of phone banking

Post by bjn » Sat Dec 14, 2024 11:46 am

Unfortunately my bank insists on using a banking app on my phone to verify my login on a web browser.

nekomatic
Dorkwood
Posts: 1514
Joined: Mon Nov 11, 2019 3:04 pm

Re: Insecurity of phone banking

Post by nekomatic » Sat Dec 14, 2024 12:51 pm

It would be good to find out how this exploit worked - presumably not using a photo or a fake fingerprint, since the phone seems to have been snatched opportunistically - but I’m guessing it involved the phone being unlocked when snatched and kept unlocked so the thief could see password reset emails or texts, so if you had a means to remotely lock your phone you’d want to do that as fast as possible. On iPhones everyone in your ‘family’ should appear in the Find My app, and you can set their devices as ‘lost’ there.
Move-a… side, and let the mango through… let the mango through

shpalman
Princess POW
Posts: 8504
Joined: Mon Nov 11, 2019 12:53 pm
Location: One step beyond

Re: Insecurity of phone banking

Post by shpalman » Sat Dec 14, 2024 1:25 pm

My phone recently gained the feature to detect being "snatched" and lock itself.
having that swing is a necessary but not sufficient condition for it meaning a thing
@shpalman@mastodon.me.uk
@shpalman.bsky.social / bsky.app/profile/chrastina.net
threads.net/@dannychrastina

Martin Y
Stummy Beige
Posts: 3239
Joined: Mon Nov 11, 2019 1:08 pm

Re: Insecurity of phone banking

Post by Martin Y » Sat Dec 14, 2024 3:06 pm

shpalman wrote:
Sat Dec 14, 2024 1:25 pm
My phone recently gained the feature to detect being "snatched" and lock itself.
That's rather a neat idea. Not much inconvenience from a false trigger I guess, you just unlock it again.

IvanV
Stummy Beige
Posts: 3112
Joined: Mon May 17, 2021 11:12 am

Re: Insecurity of phone banking

Post by IvanV » Sun Dec 15, 2024 3:10 pm

shpalman wrote:
Sat Dec 14, 2024 1:25 pm
My phone recently gained the feature to detect being "snatched" and lock itself.
What does it actually detect? Acceleration? It associates some pattern of acceleration with being snatched?

Fingerprints are a problem for older people. Neither my wife nor I use them, as they would be a problem. And we aren't even at retirement age yet, and my wife is several years younger. My wife's are just too worn. I'm not sure why she has worn hers out. Mine not so badly worn, but I have very numerous secondary creases, which in combination with the fingerprint wear seems to be an issue. The secondary creases tend to change over relatively short time periods, indeed even with the weather. I wonder if cycling might be the cause.

shpalman
Princess POW
Posts: 8504
Joined: Mon Nov 11, 2019 12:53 pm
Location: One step beyond

Re: Insecurity of phone banking

Post by shpalman » Sun Dec 15, 2024 3:16 pm

IvanV wrote:
Sun Dec 15, 2024 3:10 pm
shpalman wrote:
Sat Dec 14, 2024 1:25 pm
My phone recently gained the feature to detect being "snatched" and lock itself.
What does it actually detect? Acceleration? It associates some pattern of acceleration with being snatched?
https://blog.google/products/android/an ... rotection/
having that swing is a necessary but not sufficient condition for it meaning a thing
@shpalman@mastodon.me.uk
@shpalman.bsky.social / bsky.app/profile/chrastina.net
threads.net/@dannychrastina

headshot
Dorkwood
Posts: 1534
Joined: Tue Nov 12, 2019 9:40 am

Re: Insecurity of phone banking

Post by headshot » Mon Dec 16, 2024 9:13 am


shpalman
Princess POW
Posts: 8504
Joined: Mon Nov 11, 2019 12:53 pm
Location: One step beyond

Re: Insecurity of phone banking

Post by shpalman » Fri Dec 20, 2024 11:24 am

shpalman wrote:
Fri Dec 13, 2024 1:55 pm
IvanV wrote:
Fri Dec 13, 2024 12:43 pm
... an IT security expert... tells me that having a banking app on your mobile phone is just inherently insecure and you shouldn't do it.
Experts in things always say stuff like that.
For example: https://x.com/LNuzhna/status/1869697908200898954
Nature just published a piece on why probability doesn't exist.
Lee Cronin said many times chemical reactions are not real.
Your genetics professor probably confessed to you before that there are no genes.
Biologists still disagree on whether cell types are even real.
And we already discussed how there is no such thing as aging.

This summarizes one of my favorite parts of doing science - the longer you stare at your cherished concept, the more it disintegrates and becomes non-existent. Seems to be a universal feeling - struggle to describe reality with words and numbers - experienced by many across fields.
So "IT security expert says IT thing is insecure" falls right into that.
having that swing is a necessary but not sufficient condition for it meaning a thing
@shpalman@mastodon.me.uk
@shpalman.bsky.social / bsky.app/profile/chrastina.net
threads.net/@dannychrastina
