Curses, Symantec. Won't someone think of the poor penguins?
My online bank has recently made the irritatingly dumb decision to change login verification from a more to a less secure procedure. Thank goodness there's no bad people online...
They brush off my protestations, & naively try to bluff me that sending SMS codes as 2FA is a great thing. When i point out the well-known hazard of SIM-porting, they act like they've never heard of it before, & merely repeat their vacuous assertions that this is a marvellous leap forward.
I began compiling a short-list of potential alternative, more enlightened, online banks. It truly shocked me that a large proportion of potential candidates had to be culled immediately for also only using SMS as 2FA; it's exasperating. One interesting candidate offers SMS 2FA, but also a better alternative of a soft-token for the important 2FA step. This appealed to me... right up til i discovered this annoyance/disappointment:
Sigh, it ain't easy being
The search goes on.
@Catweazle Thanks... but afaik [i might be wrong], a potential customer can't simply tell her prospective new bank what 2FA she IS going to use... it has to be the user accepting whatever 2FA that bank offers... otherwise it won't work ... .
The main point of my whingie post was to moan about the narrow-minded thinking of Symantec that led them to not provide a variant for Nixers.
@guigirl, Linux is a good OS, but not in the availability of certain software, one of the reasons why I'm back in Windows. Although it requires that you remove the bad habit of too much telemetry beforehand to use it, in terms of software availability it leaves Linux at ground level, FOSS included.
Precisely in official applications like this, the developers are oriented to what the market demands, and these are the main OSes in use; a Linux distro unfortunately is not.
I'm back in Windows
@Catweazle I can no longer talk to you -- you're now dead to me.
Seriously though, of course you're right regarding comparative software availability, at least for narrow niche commercial things like this one.
change login verification from a more to a less secure procedure.
What did they use before that was more secure?
I agree that sending auth codes over SMS is not very secure, but maybe they're right that it's at least better than just using passwords. After all someone would need to get your login/password and spoof your SIM at the same time to get access.
I would never accept installing any crapware "security" software on my system to log in to my bank. We've seen plenty of examples on this forum how these things (IBM Trusteer for instance) will cause lots of issues with Vivaldi because it doesn't recognise it.
Thankfully in Norway the banks have cooperated and created BankID which is used for most anything requiring secure login and payment here.
Of course, this requires connecting your public ID# (SSN) with the system, but it's a requirement to get a bank account anyway so not a big deal. It also requires you to install an app on your phone supporting 2FA (usually from your network provider or the bank itself).
Catweazle last edited by Catweazle
@Pathduck , I hate 2FA with SMS, because it's not secure and a lack of privacy. In my bank they use personalized coordinate cards with random codes ("To confirm your Log-In, enter the code you find at c 6 on your card"). Simple and secure.
@guigirl , this is why I always recommend that people not remove Windows when they want to switch to Linux, and that they continue to use it in dual boot. Anyway it is advantageous to have 2 OSes on the PC, even if one of them is not used.
PS: Can you use the Symantec thing with Wine?
Pathduck last edited by Pathduck
@Catweazle Of course BankID doesn't use SMS, as it's not secure enough. But still better than just a password.
BankID 2FA uses a push notification (encrypted) on your phone you have to verify with a PIN. You can also use an ID code "calculator" or even a system of codes on paper cards, but then you'd need to carry that with you everywhere. People carry their phone with them everywhere anyway so much more convenient.
I don't really see how 2FA to a phone is a "privacy problem" - you give your bank lots of personal information to create an account, so how is giving them your phone number as well an issue?
Catweazle last edited by Catweazle
@Pathduck , it is not because of the bank, of course they know all my data, it is because it is much easier to intercept a mobile phone than a PC, which allows greater security measures than a mobile controlled by Gargle or Apple; apart from that, mobile phones are simpler to steal or lose and you are thus left without access to the bank.
The other day I saw in a documentary how an ethical hacker took seconds to access the reporter's mobile phone from his PC, having all his data on the screen.
For this same reason I do not use the mobile for banking or official things; I do it at home from the PC, where I can have this card even glued to the monitor without problems, since no one else, apart from a woman, has access.
Hey thanks mucho bigly peeps, i really appreciate your interesting remarks. I hope to properly reply later on [ie, this is really just a wimpy placeholder post atm], coz right at the moment my super-urgent priorities are:
- Make cup of tea
- Make post-dinner pudding
- Next episode of my latest binge-streaming infatuation; New Amsterdam.
@guigirl , take advantage
it is much easier to intercept a mobile phone than a PC, which allows greater security measures than a mobile controlled by Gargle or Apple; apart from that, mobile phones are simpler to steal or lose and you are thus left without access to the bank.
Yes, but this is primarily a security issue, not about privacy. Of course your personal data is only as secure as the system it's kept on. Losing a mobile is a huge problem, but I think most people are willing to accept that risk for the convenience it provides. As with anything it's a matter of finding a balance between security and convenience, and most will choose on the convenience end of the scale.
In a system like BankID, even if your phone is stolen and they're able to bypass the system lock, they still need to know the PIN to verify the 2FA token code. As well as the date-of-birth, but that's relatively easy to find for a dedicated attacker. A random phone thief on the street would not bother with all that.
If the only alternative a bank provides is card-based codes, you will inevitably see people carrying their code cards with them in their wallets/purses, and those will get stolen and then it's Game Over.
@Pathduck , true, but at least I will never use a mobile for important things. I use the mobile for what it is for: communicating with my contacts.
What did they use before that was more secure?
Firstly i should mention that they are justifying their change on the basis that they wanted to improve security on their mobile banking app on Apple & Android phones. I never have, & never ever ever will, use/d any phone-based finance app, so the following is my deduction rather than my knowledge... i intuited by their words chosen to explain their decision that their older mobile apps might not have had any 2FA at all, in which case arguably now having SMS-2FA is an improvement. However [& this is the part that i find silly + aggravating], in making this mobile banking change, they opted to dump their previous pc-based online banking schema, & instead use the same [new] schema for both online AND mobile. Dagnabbit.
The now-dumped online 2FA that i liked was IMO quite innovative, & not one i'd encountered at any of my prior online banks. When i applied originally for online banking, part of the setting-up included me needing to choose a specific combination of optional on-screen icons, to be "mine" thereafter. The subsequent login process for years thence, til now, was that i'd open my online banking portal in the browser, enter my ID & password, then once accepted, a new page would appear with a range of icons in a grid [different positions every login]. I needed to click my subset of icons [amongst the larger icon matrix], in the right sequence, in a limited time.
Initially i had been sceptical but rapidly warmed to the idea years back, as IMO it seemed like it offered me benefits including; immune to phone SIM-porting, resistant to key loggers, & it was kinda fun singing my little Beatles song mnemonic to myself each time to remind me of the right icons & sequence. Alas, now it's gone.
maybe they're right that it's at least better than just using passwords
Indeed it is. However for me, as explained, it is a net degradation not improvement, despite being a net improvement for mobile banking customers.
someone would need to get your login/password and spoof your SIM at the same time to get access
Yes, i know, i agree. And yet... it is far from uncommon to read of personal horror stories, where victims have reported the awful cascade of woe that befell them when they became targets... their phones that beeped a strange SMS after midnight on a Fri or Sat night, advising that their SIM-change is in progress, followed soon after by losing control of their phone account, indeed even their phone, followed finally by discovering their bank was cleaned out.
It's also not uncommon to read reports of internet security researchers coming across unsecured database dumps, either on the "bright" web or on the dark web, left exposed by lazy / incompetent / corrupt 3rd-parties to whom financial institutions had outsourced aspects of their database management & maintenance in the ever-expanding quest to cut costs. From those data, miscreants gain either enough info to immediately drain accounts, or otherwise sufficient info to perform identity-theft & then drain the accounts.
I hate 2FA with SMS
Ditto. The bank i used before my current one, was HSBC, & they sent me a hard-token to generate a revolving PIN to enter into the subsidiary login screen [once i'd gotten thru' the initial ID + Password screen]. Some of the other shortlist candidates now offer hard-tokens, so i need to revisit them... trouble is, i had initially rejected each of them for other unrelated reasons ... grumble ... life is such a bloody compromise.
recommend to people not to remove Windows, when they want to switch to Linux
I do still have access to win10, actually two of them, via my two win10 VMs on my Linux tower, so your idea is actually one i was already considering yesterday, anyway. Fundamentally & instinctively i abhor the concept of having to rely on any VM for any "mission critical" function, & most of all when those VMs are windoze. Hence, whilst i can't yet rule that option out, i still intend to first exhaust all viable possibilities that would not need reliance on something so undesirably retrograde.
it is because it is much easier to intercept a mobile phone than a PC, which allows greater security measures than a mobile controlled by Gargle or Apple; apart from that, mobile phones are simpler to steal or lose and you are thus left without access to the bank
Ditto ditto ditto.
without problems, since no one else, apart from a woman has access
Yeah, ya might wanna watch out there ... we're nothing but trouble, y'know!
Losing a mobile is a huge problem, but I think most people are willing to accept that risk for the convenience it provides
Not me, i decided years ago that a mobile phone, for me, is not ever gonna get used for any financial access or transactions. I do it all, 100%, on my pc.
communicating with my contacts
...and my hearing aids... & my pace-maker... & my bionic leg... & my mechatronic exoskeleton... & my
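The icon-grid login described in this post, reconstructed as an added Python simulation (this is not the bank's code; the 4x4 grid, the icon names, the 30-second limit and the enrolled sequence are all assumptions). It shows why captured click positions from one login cannot be replayed against the next shuffled grid:

```python
import secrets
import time

# Constructed example: 16 icons shown in a 4x4 grid, shuffled per login.
ICONS = [f"icon{i:02d}" for i in range(16)]
TIME_LIMIT_S = 30  # assumed "limited time" window for the clicks


def new_challenge(now=None):
    """Server side: issue a freshly shuffled grid for one login attempt."""
    order = list(ICONS)
    secrets.SystemRandom().shuffle(order)  # CSPRNG-driven permutation
    return {"grid": order, "issued": now if now is not None else time.time()}


def positions_for(challenge, secret):
    """Client side: the grid positions the user must click, in order."""
    return [challenge["grid"].index(icon) for icon in secret]


def verify(challenge, clicked_positions, secret, now=None):
    """Server side: map clicks back to icon IDs, check order and deadline."""
    now = now if now is not None else time.time()
    if now - challenge["issued"] > TIME_LIMIT_S:
        return False  # user ran out of time
    grid = challenge["grid"]
    if any(p < 0 or p >= len(grid) for p in clicked_positions):
        return False  # malformed click outside the grid
    chosen = [grid[p] for p in clicked_positions]
    # constant-time comparison of the reconstructed icon sequence
    return secrets.compare_digest(",".join(chosen), ",".join(secret))


if __name__ == "__main__":
    # Constructed enrolled secret: three icons in a fixed order.
    secret = ["icon03", "icon07", "icon01"]
    first = new_challenge()
    clicks = positions_for(first, secret)
    print("login 1 positions:", clicks, "->", verify(first, clicks, secret))
    second = new_challenge()
    # Replaying the same positions on a new grid maps to different icons.
    print("replayed on login 2 ->", verify(second, clicks, secret))
```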
@guigirl , OK, Windoz 10 by default is not a privacy glory (though more so than G and Android, because MS makes money selling software, it doesn't need to sell user data).
But there are good options to turn it into a private OS and an obedient and fast little lamb, also for this there are excellent apps that I have always used on a new PC.
I haff to use windoze for my online banking. All of my banks / financial institutions require an add-on which is only available on Win / Mac with Chrome or FF (luckily it now works with Vivaldi).
It seems to support a gazillion of bank$ and financial institution$ around the world.
Because of the hundred different flavours of Linux (I do like flavour ) they won't support the Penguin Group.
So Yeah, keep windoze, have some good security software and update regularly!
I also agree that a banking app for a phone is, well, totally counterintuitive to me. (Mainly 'cause I don't have a mobile phone and I have a profound distrust of third party apps written for my banks.)
On our trusty tablets we use the banks' websites but I usually stick to a computer.
I did have MS Authenticator for a while on my antique iPad2 but thankfully it is just an expensive paperweight now. I could never get to it in time to enter the authentication.
There seem to be flaws with every system... sad, in this day and age.
Pathduck last edited by Pathduck
Do they even explain what the add-on does? What does it actually check? How does the site check you're actually running it? Have you tried using the bank without it installed?
Apparently, the best way was and is to do things in person at the bank itself or through an ATM, which is what I do most of the time.
Have you tried using the bank without it installed?
I get there and can do banking, but with warning messages that Trusteer is not running. So yes, the bank knows if it is running. As for how it works, I am not enough of a developer to analyze the extension.
Several years back I had a friend at IBM look into it. All he could tell me was that it was a valid app but could not tell me how it worked.
Apparently IBM has the Trusteer company up for sale, so I don't know if I'll keep it.
@greybeard Well, IBM is not exactly known as a competent security company. But they have both feet firmly lodged in the big banks already, so it's a small matter for them to convince the bank execs to pay lotsa $$$ for offering Trusteer for "free" to their customers.
I've never heard of any banks here in Norway forcing their customers to use a specific security software. I think it would be unheard of - it's the bank's responsibility to protect online banking, not the customer.
There are some banks here offering a "recommended" security solution for "free" to customers - i.e. one year free license. One major pain for those of us responsible for in-family tech support:
Family: "The bank said we should install Norton so we did and now everything is really slow, and now it's saying they need money, what do we do?"
Me: "But I already helped you install F-Secure last year and you're still paying a license for that!"