Banking and security

Just because you dislike having to do a video/say a phrase, doesn’t mean it’s a bad system.

I’m sure nobody likes it, but your personal reasons for not doing it are not common and clearly it helps prevent fraud.

2 Likes

Haven’t said it is, friend.

But your clear dislike for it comes up a lot, but more for personal reasons than security or anything else.

2 Likes

Oh sure. When those discussions come back around again I throw my view back out there like others do. I feel I’m pretty balanced though. I’m clear my reasons are more personal, and I make it clear the system they use is very much secure.

1 Like

And it’s usually down to people factors, right?

It’s not a criticism, but my parents (for example) would probably struggle with Yubikeys (they’d forget how to use them, then they’d lose them, then they’d use each others…). And all the social engineering and manipulation weaknesses are still there whatever you use.

That’s not an argument for no security. It’s just me saying again it’s really hard. Too hard.

3 Likes

Yup.

The reason this is quite more concerning than it normally would be is because of a change Apple made several years back to stop folks going to the Genius Bar because they got themselves locked out of their Apple ID. Which was a lot, and I don’t recall Apple’s security ever being so nefarious I’d think it was that easy to get locked out of.

2 Likes

It’s a very fine balance of keeping the baddies out, but not making it so tough that you can’t get to your own things.

1 Like

It’s always cost of humans too.

Company needs to improve margins, company looks at where there’s a human interaction and finds a way to bin it.

An unrelated example, but reminds me of locked pots. A good idea to add in the friction of asking support to unlock it but turned out to be unaffordable.

I do sometimes wonder if our economic model is pricing out helpful human interaction.

4 Likes

Pretty much.

Anything someone might need to remember will be forgotten or shared. Anything that someone needs to own might be lost or, again, shared.

Biometrics are promising because you can’t lose your face. But, also very limiting and pretty much always suspect to a fallback that relies on something you remember or something you have.

Then again I think of it like bike locks. Because my bike is at high risk of being stolen, I use two d-locks, even though this adds weight and inconvenience. But that’s my specific need, and 5 minutes with an angle grinder will get through then anyway. No perfect system, only one appropriate to your use case.

2 Likes

Yes. All that (plus having to carry a card reader, and find it + card which will be in a different place), vs just taping your yubikey on your phone (NFC) or touching it (USB). Can’t compare the two in terms of convenience IMHO.

Absolutely.

Sure you can. Establish security procedures that can’t be circumvented. Produce material that explains why you’ve done that. Teach kids in school (I try to do that).

I’m not disagreeing that the face thing is a good solution, as it strikes a good balance for the bank and the customer, but if you claim that you can’t force people to learn, isn’t that accepting that people will keep using password123 and sticking it on their monitors? Surely in every company nowadays, Monzo included, there is IT security training and sanctions for ignoring the security policies of the company? Same for people, except the sanction is you lose your money or data.

1 Like

For example?

Although I once heard a security expert say that you can’t replace it either.

The point he was making was that if your biometrics are compromised in the future, then that’s a much bigger deal than losing a key or someone knowing your password.

5 Likes

Very true, lots of fingerprints have already been leaked.

Face is harder, because FaceID takes a a 3D image, but a 3D printed mask can reportedly still overcome it. This is why it has to be kept on the device and not online, which then makes its use limited. Also, difficult to stop someone getting hold of an image of your face.

I think a large part of the equation comes down to what system exactly is underpinning your biometric security implementation. I think the actual integrity would differ quite significantly depending on that. But it’s the aspect no one really wants to share. Security through obscurity.

I presume with the bank, and hence the delay, it’s human processing. Someone looks at your video, judges that not only is it a real video of a real physical human, but that they resemble the photo on their ID too, and that it matches what’s already on the system.

I think all we really do is change the attack vector though. But the security standard of 2fa, in terms of entropy, is pretty standard, whichever you go with. But I think humans are more fallible than machines. Machines are just easier to trick consistently once you find the weak spot.

I feel so behind. what is TOTP? :no_mouth: :face_with_open_eyes_and_hand_over_mouth:

1 Like

Time based one time password. Similar to what your old bank card readers produced (well not quite, but similar idea) for you.

18 Likes

Does someone wanna start a security thread and move all this stuff over there? It’s one of my favourite discourse topics, and would love to keep discussing it, but the Chase thread probably isn’t the best place for it.

I went looking, and I’m surprised we don’t actually have a general discussion thread for this stuff yet.

3 Likes

Stand by…

(Temporarily closing thread to move stuff).

1 Like

And… We’re back!

1 Like