Best banking security

JerryMungo

Off the back of this article https://iol.co.za/news/south-africa...-nedbank-offers-just-r20000-goodwill-gesture/

I was thinking about practical steps to take and to recommend my elderly mother takes to secure your banking ecosystem.

One of the most absurd developments of our time is how we carry our life savings in our pocket wherever we go. Not only that, but we use the same device we game with, browse the web with, post to social media with, message with, etc. to control and access our life savings.

I’ve been thinking of a banking ecosystem that separates your banking life from your everyday life. Tell us your thoughts and suggestions, criticism etc.

So 1. Primarily I want a dedicated phone for my banking app. Literally nothing else installed on it, a dedicated email account separate from my main account that isn’t used anywhere else. Biometrics and 2fa enabled in the banking app for authentication. This phone will be powered off for most of its life. It can travel with me in the car glove box but remain powered off until I need it. It can be any OS provided it’s getting security updates, preferably a relatively inexpensive Samsung Android or iOS device.

2. Web based banking login requires 2fa via the banking app so access from another device requires the primary device to be powered on and logged into the banking app.

I hear you say… but that’s inconvenient… and I remind you that in the 80s we had to go INTO the bank to access money and we survived just fine… and people couldn’t access your money from the other side of the world.

I also hear you say “but an extra phone!? That’s expensive!”… but you don’t have to buy an expensive phone and how much exactly do you spend on security? With the evolution of threats it seems security is worth spending a bit more on.

You could also have your primary phone stolen while unlocked and banking won’t be your biggest worry. If your banking phone is stolen, chances are it’ll be powered off and secure. You also have plausible deniability if under duress, you can unlock your phone for a criminal and hand it to them and they can see you don’t have any banking apps. At worst they can withdraw cash to your daily withdrawal limit or steal your credit card and use it - something easier to cover with insurance.

I’ll update this thread as it develops but I’m going to try implement this in the next month.
 
Plausible deniability for not having a banking app on your primary phone in this day and age will get you stabbed or shot, but I suppose it's worth a shot.

You have to act and look the part though.
Phone not a Mobicel or some k@k PEP phone? Fail
Not getting out of a taxi or third class train carriage? Fail
Not holding a can of Score (even if empty)? Fail

When I'm done being broke, I'm opening a Capitec account and dropping a few bucks into that and download the app. Then I will rename my main banking app to "The Bible" and an appropriate icon.

But this thing you want to try of walking around with a phone with no banking app? Not for me
 
My recommendations are usually.

Never action cold calls/emails/WA/Telegram requests.
Say OK thank you for alerting me I'll go and sort it out immediately, and then phone the bank via the number on their web site and find out if it's real. This breaks the majority of the scams and they will try and keep you on the line as long as possible and get you in a state of panic where you don't think clearly so just hang up.

Same with "promotions" ask for the information then go to the site or call the company they claim to represent and see if it is indeed real.

Keep a spending account like a virtual bank and only pay a certain amount over for day to day banking. Make sure you disable any credit and overdrafts.

Keep your main account details separate and do the old school monthly banking on that.
 
Plausible deniability for not having a banking app on your primary phone in this day and age will get you stabbed or shot, but I suppose it's worth a shot.

You have to act and look the part though.
Phone not a Mobicel or some k@k PEP phone? Fail
Not getting out of a taxi or third class train carriage? Fail
Not holding a can of Score (even if empty)? Fail

When I'm done being broke, I'm opening a Capitec account and dropping a few bucks into that and download the app. Then I will rename my main banking app to "The Bible" and an appropriate icon.

But this thing you want to try of walking around with a phone with no banking app? Not for me
That’s still not going to help your mom with a compromised phone. Forget the street crowd, there’s the remote scammers.
 
My recommendations are usually.

Never action cold calls/emails/WA/Telegram requests.
Say OK thank you for alerting me I'll go and sort it out immediately, and then phone the bank via the number on their web site and find out if it's real. This breaks the majority of the scams and they will try and keep you on the line as long as possible and get you in a state of panic where you don't think clearly so just hang up.

Same with "promotions" ask for the information then go to the site or call the company they claim to represent and see if it is indeed real.

Keep a spending account like a virtual bank and only pay a certain amount over for day to day banking. Make sure you disable any credit and overdrafts.

Keep your main account details separate and do the old school monthly banking on that.
Not a bad idea to keep the basic transactional stuff on your main phone and keep the rest separate.
 
Nah just look after your phone, don't install crap and don't press buttons on dodgy websites. Besides, on Android you can create an isolated environment for exactly this kind of thing...
 
My banking app shows only one of my accounts, and there is never more than R20k in there

The other 3 accounts are not visible on the banking app and can only be accessed from home, using a computer and there are several keystrokes to reveal them, incl a selfie

This is Capitec Bank
 
Nah just look after your phone, don't install crap and don't press buttons on dodgy websites. Besides, on Android you can create an isolated environment for exactly this kind of thing...
That’ll work for known threats.
We’ve become lazy.
 
Just stop answering calls from unknown numbers. My elderly mother is under strict instructions to never answer a phone call on her smartphone from an unknown number or a number not in her phonebook. She has almost been scammed a few times.
 
Just stop answering calls from unknown numbers. My elderly mother is under strict instructions to never answer a phone call on her smartphone from an unknown number or a number not in her phonebook. She has almost been scammed a few times.
If only that were the only vector.
 
One of the most absurd developments of our time is how we carry our life savings in our pocket wherever we go. Not only that, but we use the same device we game with, browse the web with, post to social media with, message with, etc. to control and access our life savings.
Tyme was doing well, with a website and 2FA via an SMS.

Then they canned it all and are now insisting on you using their app. For security, apparently. Must be their security 'cos it sure ain't mine.

Fsckwits.
 
Tyme was doing well, with a website and 2FA via an SMS.

Then they canned it all and are now insisting on you using their app. For security, apparently. Must be their security 'cos it sure ain't mine.

Fsckwits.
All banks are doing this, and it is actually for security. It may not affect vigilant people like us, but many people are technologically incompetent and it's not their fault. If they get taken for however many thousands, it becomes a hot mess in terms of who's liable for what because ultimately it's the bank's infrastructure that enabled it. It's why sim-swap is still a thing.

By pushing approvals to the app, no customer can claim they were victims because of the bank's security. The only way would be an inside job, and in that case the bank will fully reimburse them, and the idiot who decided to try their luck is immediately flagged, fired, charged and will never get another job in the financial sector...
 
Tyme was doing well, with a website and 2FA via an SMS.

Then they canned it all and are now insisting on you using their app. For security, apparently. Must be their security 'cos it sure ain't mine.

Fsckwits.
SMS is waaaaay insecure lol.
 
All banks are doing this, and it is actually for security. It may not affect vigilant people like us, but many people are technologically incompetent and it's not their fault. If they get taken for however many thousands, it becomes a hot mess in terms of who's liable for what because ultimately it's the bank's infrastructure that enabled it. It's why sim-swap is still a thing.

By pushing approvals to the app, no customer can claim they were victims because of the bank's security. The only way would be an inside job, and in that case the bank will fully reimburse them, and the idiot who decided to try their luck is immediately flagged, fired, charged and will never get another job in the financial sector...
The gotcha with the app is these social engineering fundis are just getting people to approve stuff by claiming to be with the bank and creating panic.
 