Banking and security

Let’s use this topic to talk about the security of banks and financial services.

2 Likes

Logging the Mrs into Chase on her new phone and they want a pic of her passport and a video of her.

What the actual F??? If I’m bothered to log back in, it’ll genuinely be to just transfer out the cash and close the stupid account.

What a faff.

3 Likes

Monzo ask for a video. Think Starling also do.

The ID part is frustrating yes but I guess it’s all for protection.

13 Likes

Indeed. Revolut, Monzo, Starling all also asked for photo/video so maybe they’re all levels of annoying.

Feels like bullshit security theatre to me. Call me old fashioned but give me a strong password and TOTP any day of the week.

6 Likes

Weird. Chase have never pulled the video crap on me. Just a selfie that tells me to smile.

I blame Monzo for this trend though. And I blame the Snapchat generation for Monzo deciding this is how it should be done.

But yes, it’s theatre. Makes you feel like it’s more secure, but it’s not. The theatre in this sense is trying to be fun and engaging too. Because that’s what social influencers love.

4 Likes

How so? If you need a video to log in surely nobody else will look like me to get in?

4 Likes

She is on Android if I recall?
I actually do wonder if the iPhone’s ability to detect it’s a face or a photo better than most phones means iPhone doesn’t need a video but Chase could have changed it after having faking issues with photos.
Tom, did you have to use a video when you got your new iPhone?

1 Like

Because, very simply, it’s no more secure than more convenient methods.

If you saw the number of account takeovers this stops you wouldn’t think it’s theatre :smiling_face:

9 Likes

Stops them relative to what though?

It’s just 2FA doing its job, and any other version of it would equally thwart attempts.

1 Like

I suppose in theory the 2 factors can both be stolen. Your face can’t*

*except in some movies

5 Likes

Not anymore!

Just a quick edit to add on to this, I do feel we’re heading towards a point where this sort of biometric security is going to just be so broken it can’t be relied upon as a secure factor anymore, and we’ll be back to TOTPs as the gold standard.

But passkeys are coming and I hope Monzo (and Chase and others) are willing to at that point ditch their theatric implementations of 2FA, for what is a far more boring but hugely more secure, and more convenient, method.

Something you are is not impervious to attack either, it’s just a different vector, it might be possible to physically steal it, but it can certainly be blackmailed and given willingly under duress. And of course as AI deepfake tech matures, it will be easier and more trivial to defraud.

5 Likes

Someone would desperately want my hundreds to do that :joy:

Probably cost them more than what they would gain access to :upside_down_face:

3 Likes

I do not see passkeys as the grand be all and end all, they are good and an improvement but that’s it.

The IR scanner on the iPhone would massively hinder that with deepfake videos given you can’t just submit it to the camera.

I 100% see why banks need video now and why it’s an improvement over the photos approach with the ease that people can get photos from social media. I think you could maybe get away with a photo on the iPhone if the dev uses the IR scanner to try and ensure it’s not a photo though.
As much as video is a bit of a PITA for people it’s hopefully something needing to be done rarely.

I can handle FIDO keys and all the extra stuff but my folks 100% couldn’t, in fact a lot of people I know can’t handle TOTP as a system. Google and MS have made it easier with the push notifications at least to confirm.

3 Likes

Not yet, but I think they’re heading that way. They’re certainly intended to supersede 2FA anyway.

Indeed, and it would with a photo too. Banks aren’t using it (yet) though AFAIK, and the data is relatively meaningless to a human.

I think N26 use the IR scanner though. They scan a 3D image of your face these days (just like Apple’s FaceID onboarding) and verify it that way with the depth data. Like with this sort of biometric authentication though, I’m dubious about it. Mostly because how it all works on the bank’s end is a closed box that’s never explained. That’s always a barrier for trusting a system’s integrity.

Too often for my liking. It really ought to be a last resort sort of thing, say if you happen to get yourself locked out of the account. But not every new device sign in. The video is too much for me. Monzo have accessibility things in place for folks like me, and they’re better, but it’s still a lot. The Chase selfie is where my limit is for the frequency it has to be done.

I get it’s secure, but it wasn’t done this way for security. It was a marketing choice to appeal to the Snapchat generation. The other banks are just copying it.

I had a lengthy discussion about this approach several years back with Atom’s (at the time) tech VP, and they seemed to share my sentiment as well. And we’ve already seen it go wrong over at Starling precisely how we speculated it would inevitably happen.

As someone who at one time did work for a big bank building security theatre to appease the folks in charge who understood nothing about security, the way the biometrics are done by banks now reminds me very much of how things came about at Barclays. So it feels more marketing driven to me, than just security alone.

I don’t doubt it’s security. It just isn’t necessarily any more secure than other methods that I personally find more convenient.

What happened at Starling, must have missed that?

1 Like

From 2018, so quite a while ago now.

2 Likes

Unpaywalled: https://archive.is/JfFk4

I will reply better later. Just having scran :spaghetti:

5 Likes

The face is the one thing that fraudsters can’t easily steal from you - nearly every other form of 2FA is liable to be breached either through social engineers or by phishing.

2 Likes