Curses, Symantec. Won't someone think of the poor penguins?
-
-
@guigirl, Linux is a good OS, but not in the availability of certain software, one of the reasons why I'm back in Windows. Although it requires that you remove its bad habit of too much telemetry beforehand to use it, in terms of software it leaves Linux at ground level, FOSS included.
Precisely in official applications like this, the developers are oriented to what the market demands, and these are the main OSes in use; a Linux distro unfortunately is not.
-
@guigirl said in Curses, Symantec. Won't someone think of the poor penguins?:
change login verification from a more to a less secure procedure.
What did they use before that was more secure?
I agree that sending auth codes over SMS is not very secure, but maybe they're right that it's at least better than just using passwords. After all someone would need to get your login/password and spoof your SIM at the same time to get access.
I would never accept installing any crapware "security" software on my system to log in to my bank. We've seen plenty of examples on this forum how these things (IBM Trusteer for instance) will cause lots of issues with Vivaldi because it doesn't recognise it.
Thankfully in Norway the banks have cooperated and created BankID which is used for most anything requiring secure login and payment here.
Of course, this requires to connect your public ID# (SSN) with the system but it's a requirement to get a bank account anyway so not a big deal. It also requires you to install an app on your phone supporting 2FA (usually from your network provider or the bank itself).
-
@Pathduck , I hate 2FA with SMS, because it's not secure and a privacy lack. In my bank they use personalized coordinate cards with random codes ("To confirm your Log-In, enter the code you find at c 6 in your card"). Simple and secure.
@guigirl , this is why I always recommend that people not remove Windows when they want to switch to Linux, and that they continue to use it in dual boot. Anyway it is advantageous to have 2 OSes on the PC, even if one of them is not used.
PS: Can you use the Symantec thing with Wine?
-
@Catweazle Of course BankID doesn't use SMS, as it's not secure enough. But still better than just a password.
BankID 2FA uses a push notification (encrypted) on your phone you have to verify with a PIN. You can also use an ID code "calculator" or even a system of codes on paper cards, but then you'd need to carry that with you everywhere. People carry their phone with them everywhere anyway so much more convenient.
I don't really see how 2FA to a phone is a "privacy problem" - you give your bank lots of personal information to create an account, so how is giving them your phone number as well an issue?
-
@Pathduck , it is not because of the bank, of course they know all my data; it is because it is much easier to intercept a mobile phone than a PC, which allows greater security measures than a mobile controlled by Gargle or Apple. Apart from that, mobile phones are easier to steal or lose, and you are then left without access to the bank.
The other day I saw in a documentary how an ethical hacker took seconds to access the reporter's mobile phone from his PC, having all his data on the screen.
For this same reason I do not use the mobile for banking or official things; I do them at home from the PC, where I can even have this card glued to the monitor without problems, since no one else, apart from a woman, has access.
-
@guigirl , take advantage
-
@Catweazle said in Curses, Symantec. Won't someone think of the poor penguins?:
it is much easier to intercept a mobile phone than a PC, which allows greater security measures than a mobile controlled by Gargle or Apple. Apart from that, mobile phones are easier to steal or lose, and you are then left without access to the bank.
Yes, but this is primarily a security issue, not about privacy. Of course your personal data is only as secure as the system it's kept on. Losing a mobile is a huge problem, but I think most people are willing to accept that risk for the convenience it provides. As with anything it's a matter of finding a balance between security and convenience, and most will choose on the convenience end of the scale.
In a system like BankID, even if your phone is stolen and they're able to bypass the system lock, they still need to know the PIN to verify the 2FA token code. As well as the date-of-birth, but that's relatively easy to find for a dedicated attacker. A random phone thief on the street would not bother with all that.
If the only alternative a bank provides is card-based codes, you will inevitably see people carrying their code cards with them in their wallets/purses, and those will get stolen and then it's Game Over.
-
@Pathduck , true, but at least I will never use a mobile for important things. I use the mobile for what it is: to communicate with my contacts.
-
@guigirl , OK, Windoz 10 by default is not a privacy glory (though more so than G and Android, because MS makes money selling software; it doesn't need to sell user data).
But there are good options to turn it into a private OS and an obedient and fast little lamb; for this there are also excellent apps that I have always used on a new PC.
-
I haff to use windoze for my online banking. All of my banks / financial institutions require an add-on which is only available on Win / Mac with Chrome or FF (luckily it now works with Vivaldi).
It seems to support a gazillion bank$ and financial institution$ around the world. Because of the hundred different flavours of Linux (I do like flavour) they won't support the Penguin Group.
So Yeah, keep windoze, have some good security software and update regularly!
I also agree that a banking app for a phone is, well, totally counterintuitive to me. (Mainly 'cause I don't have a mobile phone and I have a profound distrust of third party apps written for my banks.)
On our trusty tablets we use the banks websites but I usually stick to a computer.
I did have MS Authenticator for a while on my antique iPad2 but thankfully it is just an expensive paperweight now. I could never get to it on time to enter the authentication.
There seem to be flaws with every system... sad, in this day and age.
-
@greybeard Yeah, that Trusteer is the crapware I was talking about earlier. I would outright refuse to use any bank forcing me to install that kind of malware-in-disguise.
Do they even explain what the add-on does? What does it actually check? How does the site check you're actually running it? Have you tried using the bank without it installed?
-
Apparently, the best way was and is to do things in person at the bank itself or through an ATM; this is what I do most of the time.
-
@Pathduck said in Curses, Symantec. Won't someone think of the poor penguins?:
Have you tried using the bank without it installed?
I get there and can do banking but with warning messages that Trusteer is not running. So yes, the bank knows if it is running. How it works, I am not enough of a developer to analyze the extension.
Several years back I had a friend at IBM look into it. All he could tell me was that it was a valid app but could not tell me how it worked.
Apparently IBM has the Trusteer company up for sale, so I don't know if I'll keep it.
-
@greybeard Well, IBM is not exactly known as a competent security company. But they have both feet firmly lodged in the big banks already, so it's a small matter for them to convince the bank execs to pay lotsa $$$ for offering Trusteer for "free" to their customers.
I've never heard of any banks here in Norway forcing their customers to use a specific security software. I think it would be unheard of - it's the bank's responsibility to protect online banking, not the customer.
There are some banks here offering a "recommended" security solution for "free" to customers - i.e. one year free license. One major pain for those of us responsible for in-family tech support:
Family: "The bank said we should install Norton so we did and now everything is really slow, and now it's saying they need money, what do we do?"
Me: "But I already helped you install F-Secure last year and you're still paying a license for that!"
-
@Pathduck said in Curses, Symantec. Won't someone think of the poor penguins?:
IBM... they have both feet firmly lodged in the big banks
Here the banks were all running OS/2, well, until close to 2010...
forcing their customers to use a specific security software
Well, they say they "Recommend you use..." as they use the same system... As the consumer, if something happens to an account, one doesn't want to be holding the muddy end of the stick.
-
@guigirl , YESSS and most of the money under the mattress
-
I personally don't use any business or institution that requires installation of Microsoft Windows or an Android app that relies on Google Play Services / is only available in the Play store.
The only way we can persuade institutions to support other platforms is to vote with our feet. It's an inconvenience at times but the alternative is to surrender and compromise your own principles and choice.
Years ago my bank recommended Trusteer and it brought my Losedows system to its knees and was almost-impossible to remove, whilst simultaneously never being clear on what exactly it did. I think it also clashed with the antivirus I was using at the time, and when faced with a choice of anything or Norton, anything else wins hands-down for me all day long.
I never have a problem with software availability on AOSP or various flavours of Linux. There's a tool to do everything I need. Anything that's not available I don't miss.
My bank uses SMS 2FA, and whilst it's more vulnerable than a proper 2FA app such as Aegis, I'm happy to use it as it's still more secure than no 2FA at all. As was pointed out further along this thread, they'd have to get both your login credentials AND initiate a SIM swap on your phone. In short, you'd have to be targeted specifically, in which case getting in to your online banking will only be part of your worries.
Another thought I've had, that may be of use: My bank also allows me to use a card reader as 2FA. You put one of your bank cards in it, enter your PIN and the code on screen, and then type the code that the card reader says back into the website. One solution might be to activate your bank account with a SIM card that you only use for that bank and nothing else, and always leave at home in a safe place, and then use your card/card-reader as your main form of 2FA. If the phone number is unique to your bank, it's less likely that a crook would get hold of it and try to initiate a SIM swap.
Regarding mobile apps, the latest updates of my bank's app won't work without Google Play Services, so I've stopped using it and now solely use the web site. Additionally, I noticed that Exodus Privacy gives their app a pretty terrible score for analytics, ads and trackers. Why a bank would include such security-risks in their own app is beyond me. There should be no third-party code in such a security-critical program.
IMHO nothing is worth the drop in security, privacy and freedom that you suffer by installing Microsoft Windows, Apple iOS or an Android build that still contains Google Mobile Services. A "security" solution that requires such things, requires you to lower your security.