Totally unrelated...What I do in the "real world"

monkie    173

Hi all,

I wrote a blog today in my real world life. It's about password sharing and personal cyber security. It's amusing and has a photo of me looking like death at km 88 of 90...

https://www.linkedin.com/pulse/password-sharing-why-sucks-chris-monk

I hope it gives you half a giggle and you might learn something (or might not, comments below :p)

Monkie

Peter    1,611

Wow Chris. Great article.

But they will still trap heaps of people and get those details even if it's legit.

Ironnerd    338

Thanks for the article. I am looking at moving my mortgage to another bank through a mortgage broker. They sent me a link to bankstatements.com.au. You put in your username and password for your bank and they retrieve your statements. I had a read of the FAQ and security setup and did a Google search; everything seemed OK, so I used the site. The security claim is that as everything is encrypted no one, not even them, can get your password.

After reading your article I have just changed my online banking password. Thanks for the info.

Mjainoz    1,046
On 2017-4-26 at 10:14 PM, monkie said:

I wrote a blog today in my real world life. It's about password sharing and personal cyber security. It's amusing and has a photo of me looking like death at km 88 of 90...

https://www.linkedin.com/pulse/password-sharing-why-sucks-chris-monk

I hope it gives you half a giggle and you might learn something (or might not, comments below :p)

Nice

I had a weird one the other day. HSBC US sent me an email saying there was a suspected fraud on my account (this was not a surprise as I have a few $ in an account and a debit card attached and it had just rejected at a vendor). However, the weird thing was this email took me to another page and asked me to log on. While I knew this was probably a real email from HSBC, it just looked suspect, so I rang them and said I am never going to put my details in on a web page that is selected off an email link. Especially with all the truncated (tiny) web page addresses on, say, Twitter, on a phone it's hard to see what site you are really on at the best of times...

TenPints    769

For discussion's sake...

There's always a balance between security and business moving forward. The disruptors are the companies that will help change things for the best for consumers across Australia; break the norm!

If the only way for this company to offer this service (and perhaps challenge in some way the big banks' monopoly) is in this access method, then they should not necessarily be the only ones challenged on this, because their options are very limited. The options are to: offer a service that consumers may want and challenge the mainstream banks whilst not aligning to the norms of good security practice, or not exist as a business at all because they cannot do it any other way.

The challenge should firstly be on the regulators (APRA, ASIC) to protect the consumer and to drive forward open banking and in so doing disassemble the collusion and protectionism that banks in Australia enjoy. Secondly, the banks could be challenged to actually provide such a read-only access role into consumers' accounts.

Let's also not assume the banks are a-ok in their approach to security, and also don't forget they campaigned themselves not to become subject to the new data breach notification requirements as they are "special". I'd prefer not to give the banks themselves access to my accounts, but I'm a bit stuck there as well if I want to use their services :wink3:

XCOM!    170
1 hour ago, TenPints said:

The challenge should firstly be on the regulators (APRA, ASIC) to protect the consumer and to drive forward open banking and in so doing disassemble the collusion and protectionism that banks in Australia enjoy.

HA! - Now THAT'S funny.

Until recently I worked in the business of providing consumer protection from banks, and got to know all too well how ASIC is not only completely ineffective in this role, but is actually systemically compromised by its incestuous staffing relationship with the banks, and its total complicity in the banks' obvious subversion of consumer protection legislation.

TenPints    769
1 hour ago, XCOM! said:

HA! - Now THAT'S funny.

Until recently I worked in the business of providing consumer protection from banks, and got to know all too well how ASIC is not only completely ineffective in this role, but is actually systemically compromised by its incestuous staffing relationship with the banks, and its total complicity in the banks' obvious subversion of consumer protection legislation.

LoL! I did say "should", and that's because I've met with APRA a few times...

A2K    595

Isn't two-factor authentication a good way to make sure no one will try and move money out of your account even if they had access to it? A quick code sent via SMS to your mobile phone that has to be entered on the website before the transaction will be approved.

monkie    173
On 2017-5-3 at 8:40 AM, TenPints said:

If the only way for this company to offer this service (and perhaps challenge in some way the big banks' monopoly) is in this access method, then they should not necessarily be the only ones challenged on this, because their options are very limited.

Totally correct. As I pointed out in the blog post I am not wanting to have a pop at Zipmoney. They are trying to do their best. They did then tell me I could email them the bank statements, but they didn't make this obvious on the site. There has to be an effective way of sharing my banking data with third parties when I wish to do so, but this implementation is hugely problematic and encourages behaviour that gets people robbed.

As an aside, they've invited me in to have a chat with their team, which I'll be doing when back from getting married in the UK.

5 hours ago, A2K said:

Isn't two-factor authentication a good way to make sure no one will try and move money out of your account even if they had access to it? A quick code sent via SMS to your mobile phone that has to be entered on the website before the transaction will be approved.

Yes. 2FA is a great idea and you should enable it wherever you can. However, it's not a solution to this problem for two reasons.

1) Your banking data is very valuable to the wrong people. Think about how much information about you is stored in there... you don't want that being sold on the dark web. What if I happened to like something a little off mainstream in the bedroom and had several transactions identifying that in my bank account? There's a real opportunity for blackmail there.

2) SIM swap fraud is a real thing. It happens all the time. This is where a criminal will get access to your online banking and will then take advantage of the fact that your mobile provider is nowhere near as secure as your bank in terms of security checks. They use things like your address and your date of birth to verify your identity. For most people with a web "presence" that info is basically common knowledge. So a criminal would phone your mobile provider (dead easy to work out if you visited my phishing site (see article) from your mobile device) and pretend to be you. They use a sob story of "I'm stranded and I've lost my phone, please transfer my account to this new SIM card" and then your text messages go to them on a new phone.

3) Have you ever phoned your bank to change your 2FA number? They use name, DoB, address and then details about accounts and recent transactions to verify your identity. If I had access to your online banking then I have those recent transaction details sitting in front of me. 

So yes. 2FA is a good thing and makes the job harder, but if I had your online banking username and password I reckon I could get your money out.

The people who do this stuff are smart. Criminals, but smart. We should do everything we can to frustrate them.

:)

Monkie

FatPom    2,321

I put food on the family table by assessing contractual risk with technology suppliers and managing the ongoing relationship, all day, every day.

At home we live in the technology stone age. I like it that way :wink3:

Mjainoz    1,046
25 minutes ago, FatPom said:

At home we live in the technology stone age. I like it that way :wink3:

I thought you'd moved on from Campag ....

:)

FatPom    2,321
10 minutes ago, Mjainoz said:

I thought you'd moved on from Campag ....

:)

Nope, still rockin' it on two of my road bikes. I do have Ultegra on my P3 but I feel dirty on the inside. :lol:

Rog    1,552

Two-factor authentication via SMS is also unsafe. You'd ideally want to use something like Authy (https://authy.com/).

Interestingly this just came out in Germany https://arstechnica.com/security/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/

In January, thieves exploited SS7 weaknesses to bypass two-factor authentication banks used to prevent unauthorized withdrawals from online accounts, the German-based newspaper Süddeutsche Zeitung reported. Specifically, the attackers used SS7 to redirect the text messages the banks used to send one-time passwords. Instead of being delivered to the phones of designated account holders, the text messages were diverted to numbers controlled by the attackers. The attackers then used the mTANs—short for "mobile transaction authentication numbers"—to transfer money out of the accounts.

XCOM!    170
11 hours ago, monkie said:

They did then tell me I could email them the bank statements but they didn't make this obvious on the site.

Did you actually try that?

At my last job I likewise refused to allow the online access to bank statements requested by a loan application.

The person handling the application suggested that we could email copies of statements, but they were rejected by their approvals dept because anything digital can be manipulated.

It was then suggested we get them stamped at the bank to verify as authentic and email, but they were rejected again by their approvals dept.

At that point we offered to POST stamped copies of statements, and the approvals dept flatly refused to accept anything other than online access to the accounts - that's their policy, take it or leave it - so we left it.

However, as more and more lenders set policies that demand this type of access (e.g. via companies such as Proviso) it will be harder to avoid, and the 'trust us' assurances that the authentication is an encrypted pass-through and not a store-and-action is similar to the same "we don't store your details" assurances given with credit card purchases... the process is too opaque to warrant trust.

A2K    595

Good discussion. So can someone summarise the Do's and Don'ts of online banking, loan applications etc? We're probably never gonna be 100% 'safe' with this stuff but we should make it as hard as possible for the c*&nts to steal our money.

TenPints    769
17 hours ago, monkie said:

As an aside, they've invited me in to have a chat with their team, which I'll be doing when back from getting married in the UK.

Do you know which incubator they used? I'm a mentor for the Stone & Chalk Fintech incubator, and am due to meet with the CEO and lead on security once I'm back from the UK (fly there on Monday)... and congratulations on the marriage.

monkie    173
9 hours ago, A2K said:

Good discussion. So can someone summarise the Do's and Don'ts of online banking, loan applications etc? We're probably never gonna be 100% 'safe' with this stuff but we should make it as hard as possible for the c*&nts to steal our money.

1) Get a password manager

2) Don't put your online banking details in anywhere that you haven't checked is the right place by looking for the company name in green in your browser bar.

3) Get a password manager

monkie    173
5 hours ago, TenPints said:

Do you know which incubator they used? I'm a mentor for the Stone & Chalk Fintech incubator, and am due to meet with the CEO and lead on security once I'm back from the UK (fly there on Monday)... and congratulations on the marriage.

Thank you!

No I don't know much about their history. I'm not sure if they incubated... I'll ask.

FatPom    2,321
6 minutes ago, monkie said:

1) Get a password manager

2) Don't put your online banking details in anywhere that you haven't checked is the right place by looking for the company name in green in your browser bar.

3) Get a password manager

Interesting thread! Was the shift away from token-key-generated passwords to mobile/app done for security or convenience? The old method of having a keypad supplied by the bank and generating a one-time code still seems more secure than the app. Even if a crim had the password for the internet sign-on, how could they intercept a one-time passcode generated on the keycard?

Like I say, I'm old school. I just returned my new debit card because it had wireless transfer capability :lol:

monkie    173
15 minutes ago, FatPom said:

Interesting thread! Was the shift away from token-key-generated passwords to mobile/app done for security or convenience? The old method of having a keypad supplied by the bank and generating a one-time code still seems more secure than the app. Even if a crim had the password for the internet sign-on, how could they intercept a one-time passcode generated on the keycard?

Like I say, I'm old school. I just returned my new debit card because it had wireless transfer capability :lol:

Love it! I like terrifying my clients by scanning their cards with my phone and showing them their most recent transactions... but hey. Security and convenience have always been at odds. I did a presentation on it at a global payments forum... as soon as we moved on from bartering, fraud came in. Counterfeiting is the "second oldest profession"; google Coin Clipping to see!

And yes, we totally moved on from card readers because they ruined the value of online banking! The point of online banking is that I can do it from anywhere. If I have to have a bunch of stuff and things (a different bit of stuff and thing for each bank) with me then I can only do it from my study!

FatPom    2,321
9 minutes ago, monkie said:

Love it! I like terrifying my clients by scanning their cards with my phone and showing them their most recent transactions... but hey. Security and convenience have always been at odds. I did a presentation on it at a global payments forum... as soon as we moved on from bartering, fraud came in. Counterfeiting is the "second oldest profession"; google Coin Clipping to see!

And yes, we totally moved on from card readers because they ruined the value of online banking! The point of online banking is that I can do it from anywhere. If I have to have a bunch of stuff and things (a different bit of stuff and thing for each bank) with me then I can only do it from my study!

Well I only need the keycard, which is very small, but it rarely leaves the house. I don't mind a bit of clunkiness for added security. Mrs FP's bank issues wireless debit cards, but she does not have the option of sending them back.

monkie    173

I have spent the last 3 years not being in the same place for more than 5 weeks due to work... hence I don't want to carry card readers around with me... my backpack is heavy enough already! The most secure thing would be to go back to bartering... but that seems like a right faff.
