Ordering something off Amazon. And the bank insists that they can only authorise the payment via app on my phone.
I don’t want a bank app on my phone. Phones get lost. They’re not secure either.
UK bank demanded one for a debit card payment. Portuguese bank for a credit card one. Even though they’ve got my phone number on record and send me confirmation numbers for online payments for that. Still must have the app. Which doesn’t, by the way, work anyway.
Wise, now Wise still works with the SMS confirmation. So, I could put money into Wise, pay Amazon, confirm on SMS.
But this is insane, right?
A week ago I needed to pay to park in a car park. I proffered my debit card to the payment machine… but there was no hole or sensor. “CASH OR APP” said the sign. Cash? WTF carries enough coins nowadays to pay for four hours’ parking? And “download and install an app on a smartphone in order to park here”. Sorry, NO, I’m on a schedule, and I’m not downloading YET ANOTHER piece of crap just for a one-off parking payment. WTF refuses to take debit cards?
So, got straight back in the van and drove off looking for somewhere else. If they don’t want my money, suits me.
My CC provider (HSBC) always offers the choice of confirm on app or SMS when I buy online.
Isn’t capitalism wonderful?
SMS is too easily hacked. There have been several cases of people getting phone numbers ported away from under them, and there are also well known vulnerabilities in the SS7 protocol that routes SMS messages. Both of these exploits have been used to hijack transactions. The banking apps don’t have the same vulnerabilities.
Some examples:
https://www.schneier.com/blog/archives/2021/03/easy-sms-hijacking.html
https://ieeexplore.ieee.org/document/9823291
https://www.eff.org/deeplinks/2024/07/eff-fcc-ss7-vulnerable-and-telecoms-must-acknowledge
– Isn’t capitalism wonderful?
Not sure how the online purchasing lark goes in North Korea but it’s bound to be great. Likewise with Cuba, apart from the slight inconvenience of not having any electricity.
@LeoTea got here before me. Was about to say the same thing: if you can, avoid doing anything by SMS confirmation, not just banking but other stuff like password resets for online services. Bank apps and authenticator apps are much more secure than SMS.
Just to agree with the others anyone relying on SMS messages to authenticate payments is a fool
Yep, phones can be lost, but as long as you are using a separate, unique password for your banking app on a phone (preferably secured biometrically) and don’t wander around with it in public, open for all to view and oblivious to cameras and shoulder surfers, it is by far the most secure way to authenticate transactions.
Even in Portugal
SMS is too easily hacked.
Not if the SMSs go to a number only used for receiving banking SMSs they aren’t.
And like Tim, I don’t use banking apps. Inherently insecure. Any fone is. I wouldn’t dream of banking on one. Height of stupidity. You’re running an O/S the world & its brother are trying to hack. I use a desktop with a proper browser where I can read the source code of any site I visit.
And I’ve stopped using plastic now contactless payment’s non-optional. WTF thought that was a good idea? Thankfully I live in a country still uses cash.
To add to the above: Prepaid cards are useful when one has to use plastic, like unmanned road toll charges. One’s potential losses are limited to a trivial balance.
jgh
Ah, yes, the car parking app. It’s raining, I’m pushed for time, and I didn’t bring my reading glasses. And another password to remember.
Happy days!
Well, I might as well bitch about the bastards cancelling my cheque account. Since it was a nice simple non-electronic solution comprehensible even to me.
As for cash, BiS, I make a point of using it whenever I can. I’m sure the turds are just slavering at the thought of forcing us to do everything over the internet!!!
And another password to remember.
I found a way around that one years ago. It’s a simple algorithm that turns the first 8 letters of whoever’s asking for the password into an alphanumeric password. If it’s less than 8 letters, just start at the beginning again. So you don’t have to remember any passwords at all, just the algorithm. Once you get used to doing it, you can do it virtually without thinking.
@bis
The security flaws with SMS are very severe – nobody needs physical access to your phone, nor do they need to fool you into downloading malware on your phone. To hijack your SMS they just need to know what the phone number is. There’s some logic to using a banking-only SIM card on a “clean” dumbphone, but only in so far as it makes you less vulnerable to the associated phone number getting discovered via a social engineering attack on you or someone you know. (“Oh hi Alice, I’m an old mate of Bob but my phone’s been nicked and I’ve lost most of my contacts! Couldn’t tell me how to get back in touch with Bob could you?” … might find your current personal number but not the one you use for banking.) If someone finds the number some other way, like a hack or leak from one other service you registered with using the same number, then you’re still screwed.
This kind of problem is a good reason to use a unique email address for each service you register with, but a unique SIM card for each service you use would be a pain for most of us – and doesn’t get around the fact that SMS itself is fundamentally insecure. Most people’s mental model of the security situation is that so long as they control the phone, control the SIM card, and are certain there’s no malware on the phone, then SMS is “safe”. This is false because the SMS can be hijacked. Authenticator apps have certain advantages – those that use a time-based one-time password (TOTP) don’t even send a message that can be intercepted, and an attacker knowing your phone number is now less of a security risk. There is a risk of malware on your phone being used to read the TOTP and send it to your attacker, but that kind of attack could also work against SMS.
Years ago my contact at my bank suggested I try their new banking app, so I gave it a go. It’s very convenient but I looked at the message traffic. It was/is using standard TLS like all secure web traffic, but the bank’s server was, perversely, negotiating a weak and deprecated crypto algorithm (RC4)!
I emailed my bank contact to explain this and he passed it on. I then had a discussion with their techies and they fixed their server settings. A nice outcome when in a lot of these cases companies shoot the messenger telling them of security failures with legal threats of ‘hacking’.
2-factor authentication via SMS is the bane of my life as there is no mobile coverage in the house so I’m quite happy to use the banking app for that.
My Austrian bank, bless, still uses a card reader and generated PIN for transactions.
I actually quite like the SMS method, but realise its dangers. I only do transactions online at the bottom of my nuclear bunker.
I also distrust phone apps. They have a tendency to remember passwords, if one is in a hurry and forgets to log off.
Otto: My bank still uses the card reader thing for browser logins. The banking app on the phone times out quite quickly – 4 minutes or so if it sees no activity, as does the browser session. I would expect any decent banking app to do that. I do have apps that effectively stay logged on but if I lost my phone, then that is all protected by the phone security processes – hardware and software. Both Android and iPhone are pretty good in that respect these days.
Of course if The State is after you then all bets are off, but they are pretty much proof against criminal activity if you are careful.
TG
Generally I agree with you on this, but there are a couple of hostages to fortune there :
“I would expect any decent banking app to do that”
And
“if you are careful”
So you don’t have to remember any passwords at all, just the algorithm. …… and based on the algorithm you have described, you also need to remember the length of the password, plus whether you need a “special” character or not and, if so, which set of those “special” characters is required. The most hostile password requirement I have been subjected to was on an insurance site that needed a minimum of 20 characters, upper case, lower case, numeric, and a special character, where at least two of the normal special character set are not allowed. Quite what risk they are mitigating with that excess mystifies me.
My last comment might have made marginally more sense if I had put @Bis in front of it and italicized the quote …..
I have eight UK parking apps on my phone, a pain in the arse to set up sometimes but once done works really well:
Arrive in car park, drive past machine to see which app is used, park, open app and check it’s put me in the correct car park, select vehicle, pay and off we go.
Alternatively: arrive in car park, get money out of glove box, walk to machine, pay, walk back to car, ticket in windscreen money in glove box and off we go. And don’t get me started on those effing counter intuitive keypads when you’re required to enter your registration.
As for mobile banking, since the introduction of facial recognition I wouldn’t do it any other way and two factor authentication works very well when needed.
TG,
2-factor authentication via SMS is the bane of my life as there is no mobile coverage in the house so I’m quite happy to use the banking app for that.
I’ve installed a wifi mesh (we have a sprawling bungalow and I also need to cover the wife’s studio) and we have phones with wifi calling which means we get SMS if needed.
It also meant I could drop BT and install the local fibre company (Wessex Internet) which not only halved my bill but I also get 5x data speed.
Thankfully I only park in supermarket car parks (and occasionally train stations) these days, so don’t have to bother with this sort of thing. Amazon only asks me for confirmation if it’s a very large and expensive item.
Otto: yes, both of those could be, but banking apps have been around for a while now, and the institutional knowledge to get it right is easily found. I am talking about UK/Europe. I would be more wary of banking apps from other parts of the world.
As for ‘careful’, I’m expecting that to be fairly universal around here. Not so much elsewhere.
BiND: we do have WiFi calling but my wife is on O2 and they don’t do SMS over that! WiFi calling seems to be a bit of a dog’s breakfast between phones and operators. There doesn’t seem to be a proper 3GPP standard for it.
TG,
WiFi calling works very well over EE, probably because of the BT connection and the emergency services contract.
The system of having umpteen different car parking apps and a refusal to take cash is designed to make you use public transport – so, if possible, I walk.
@j77
“The system of having umpteen different car parking apps and a refusal to take cash is designed to make you use public transport”
I’m sorry but this is rubbish. Encouraging you to use public transport is a byproduct but it’s not the reason things have gone this way. Refusing to take cash is an obvious thing to do because it saves a lot of cash collection and handling expenses, risk of theft, fraudulent use of fake coins (and the cost of the anti-fraud systems that reject them) and so on. Not necessarily consumer friendly and definitely not for the privacy conscious consumer – but car park CCTV stuffs that up anyway. The business rationale is undeniable however. And the parking app guys would love it if every car park used the same app – namely their own. Since we don’t have such a clear market leader yet, the system is a mess. But it’s not a mess because someone launched a bunch of competing parking apps in order to drive consumers mad and force them onto public transport. Companies launched lots of competing apps because they each dreamed of becoming the market leader. And that’s before we get into discussing the e-ticketing app situation for public transport…
My understanding is that this is to prevent dictionary attacks, but since it is unlikely that someone is going to brute force a bank account in the way that it is possible to do with a local system unix password, it’s a bit idiotic.
I’ve been using a password manager for years, but that’s because I’m lazy and would otherwise just use the same password for everything. It’s set to generate long winded complex passwords that a human would struggle with including mixed case, special characters and numbers.
Downside is that if the password manager doesn’t save the password, you’re a bit stuck, but “Forgot my password” is usually the right answer there.
I’ve been using a password manager for years
So if someone hacks your password manager, they have all your passwords. So what’s the point of having passwords? The point of a password is it’s not on the device.
Convenience is always the enemy of security. Secure will never be convenient. That’s the point of it. It should set a task that only you can complete.
@bis
Security is layered. Anyone who can “hack your password manager” likely isn’t doing it by breaking the encryption. And however they do it, odds are someone with that sophistication can obtain your passwords another way anyway – keylogging malware for example. For most people a password manager is going to be more secure than having the passwords written in plain text somewhere, or limiting yourself to passwords you can memorise.
If anyone is really desperate for your passwords, there’s always the $5 wrench method – so there’s no such thing as perfect security, just a matter of making yourself secure enough to be comfortable against whatever your realistically likely threat model is. And if that’s a state-level threat then you’re probably screwed as soon as you started interacting with the banking or telephony system.
“It should set a task that only you can complete” is impossible to achieve, but “a task that anyone else who really wants to complete it would have to escalate things to such a level of inconvenience that it won’t be worth their while doing it” is the basic idea of it. As others have told you, “receiving an SMS message that was supposed to be sent to me” is sadly something that a tech-savvy criminal can do these days due to inherent basic security flaws in the phone system, rather than something vulnerable only to government agencies or someone bribing an inside man working in your telco.
A number of car parks locally being large concrete structures under another building have no cell service which makes trying to pay by app fun
@Anon
If you can tell me how someone can receive an SMS sent to me if they don’t know my fone number I’d be interested to learn how. Particularly as that fone number may not be for the country I may apparently be in.
Since we don’t have such a clear market leader yet, the system is a mess.
There’s *already* a universal payment system. PLASTIC BANK CARD.
@ Anon
Have you looked at who owns the car parks that (IMHO illegally) refuse to take cash?
@john77
They will have made an offer to treat on terms they define, so hardly illegal. You are not obliged to treat.
You have carparks refuse cash because so many others are content to comply. Like with so many things, their convenience becomes your inconvenience. It’s a game I prefer to sit out on.
bis, what is illegal is the refusal to accept legal tender for settlement of a debt.
A fee for parking your car on someone else’s property is not due until the service has been performed. You owe the owner of the car park £17 for having left your car on their property for 3 hours.
The owner of the car park is obliged to accept cash in settlement of the debt.
OK, this is not technically illegal to refuse cash settlement of a debt, but so doing does make the debt unenforceable.
The debt is, however, enforced by the yellow and black barrier that won’t go up until you spend 15 minutes fiddling with an app, and the line of irate compliant persons behind you. In any (in these parts much maligned) continental jurisdiction the person responsible for that barrier not rising is guilty of a criminal offense called “coercion” or similar.
To be clear, the only reason I have so many parking apps is because of the motorhome. Dorset has one app that covers all their car parks; of the rest, IIRC they were/are for Cornwall, Northumberland, West Wales, 2 for Scotland, and I can’t remember the rest.
The average person shouldn’t need more than 2 for their everyday life.
I doubt that’s true, BiG. The car park will display its T&Cs, which will contain its conditions of trading. By using the car park one’s accepting the T&Cs. The fact that no one reads them isn’t the car park’s fault.
But assholes. I rent a space in a pay multistorey round the corner. I have a card that gives me access & exit. There are notices prominently displayed saying “Pay for your parking before collecting your vehicle”, and two machines & an office with an attendant to do so. That will validate your ticket for exit. The notices are big enough & in two languages. But when I go to leave, there’ll be an asshole blocking the exit with their car whilst they pay. Sometimes 2 or 3. There is never a shortage of assholes.
@bis
Interestingly the country the phone is registered to, or is actually in, doesn’t change much. And the weakness is in the protocols underlying SMS itself, so not something you can fix by your choice of telco. Some of the links you’ve been provided with above tell you how SMS hijacking works at a technical level. Read through those articles and do some judicious searches on key words and phrases that pop up in them. I wouldn’t advise someone to use SMS for anything they want to keep private, but security codes for important services are an especially big no-no because they’re valuable enough for a criminal to actually bother intercepting the SMS. For the idle chitchat that most texts contain, it’s not worth it.
Encrypted services are much safer, though note that you may need to turn end-to-end encryption on – Telegram claims to be encrypted but it isn’t by default and can’t be in group chats; some bank apps will send a message over WhatsApp and that actually is safer than SMS. Authenticator apps that don’t even send a signal at all, TOTP based for example, have nothing to intercept. Though as you’ve noted above there are still vulnerabilities, like if someone had physical possession of your phone and the ability to bypass biometric security, or the phone is in your possession but an adversary had managed to get malware on it.
Re “how can someone find my number”, you do make it trickier if you have very good security hygiene and only use that number for one purpose. Anyone who uses the same number across multiple services is vulnerable to a hack or leak from any one of them – all kinds of data dumps of personal information are floating around for sale, unfortunately. So if you use a lot of services then you need a lot of SIMs. This still doesn’t get you any further than security by obscurity – not much different to “send a security code to an email address that only I know” and keeping a bunch of different email addresses for different purposes. And the overwhelming majority of people are not going to keep separate SIM cards for every business they interact with, so in general it’s wiser for most people to assume that their phone number could be known to a potential attacker, even a common or garden variety fraudster.
Emails can also be intercepted, fwiw, but it’s generally very hard, and for a typical criminal it’s much easier to just steal someone’s credentials eg by a phishing attack. In the last decade the big email providers have added security that makes email interception much more difficult, to the point you’re talking more about government agencies than well-resourced criminals, but someone who self-hosts their own emails out of habit and hasn’t kept up with tech developments may be much more vulnerable than they realise. Some of the old protocols are very vulnerable.
Back to telephone numbers, there are various ways that state agencies (and in principle anyone with access to telco data) are able to deanonymise unregistered SIM cards by looking at patterns of usage including cell tower data. One reason privacy campaigners recommend keeping phones switched off when meeting other people and you don’t want this to be known, eg activist meetings or attending a demo. Payment is another way that anonymity gets breached – criminal gangs using burner phones will be very careful about who gets seen on CCTV paying for top-ups at corner shops etc in cash. But again, it’s state agencies that worry them rather than fraudsters.
On that last note, the summer rioters/demonstrators had absolutely fucking terrible opsec. Not just bringing phones but filming themselves, or letting themselves be filmed and clips shared, even while committing criminal damage. With faces showing, despite all the advances in facial recognition tech. And doing their planning in open and easily infiltrated forums like Telegram group chats. Anarchists and “antifa” seem to understand all this stuff much better. Guess they’ve got more experienced people in their ranks and a healthy suspicion of the power of government agencies.
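The TOTP point raised twice above (“those that use a time-based one-time password (TOTP) don’t even send a message that can be intercepted” and “Authenticator apps that don’t even send a signal at all … have nothing to intercept”), shown as an added worked example that is not part of any commenter’s post: the phone and the bank’s server each derive the code from a shared secret and the clock, so nothing crosses the phone network for an SS7 or port-out attacker to grab. It uses the RFC 4226/6238 defaults (HMAC-SHA1, 30-second step, 6 digits) and the RFC’s published test secret; the `verify_totp` replay guard and the `window` and `last_used_counter` parameters are my own assumptions about how a server would sensibly check the code, not any bank’s implementation.

```python
import hashlib
import hmac
import struct

# RFC 4226/6238 reference secret (ASCII "12345678901234567890"). A real enrolment
# hands the app a random secret, usually base32-encoded inside an otpauth:// URI.
SECRET = b"12345678901234567890"
STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock, not from a message."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                last_used_counter: int = -1, window: int = 1, step: int = STEP):
    """Server-side check (my assumed design, not any bank's): tolerate one step of
    clock drift either way, refuse any counter at or below the last one accepted
    so a code cannot be replayed, and compare in constant time.
    Returns (accepted, new_last_used_counter)."""
    now = int(at_time) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_used_counter:
            continue  # already spent (or older than something already spent)
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    # The phone (offline, no SIM needed) shows the code for T=59; the bank checks it
    # two seconds later; a second use of the same code is refused.
    phone_code = totp(SECRET, 59)
    accepted, last = verify_totp(SECRET, phone_code, 61)
    replayed, _ = verify_totp(SECRET, phone_code, 75, last_used_counter=last)
    print(phone_code, accepted, replayed)
```

The only thing an attacker who knows your phone number can do here is nothing: the secret never leaves the phone and the server, and the six digits are never sent to the phone. Malware on the handset that can read the screen or the secret store remains the residual risk, which is the same caveat the comments above already make.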
So what you’re saying, Anon, is that people who can’t be bothered about looking after their own security should trust it to the “experts”? I don’t think I will, thanx. These are the “experts” who create “unbreakable” security systems that allow their clients’ personal data to be regularly disseminated far & wide at the accidental touch of a button.
What you’re describing above is compartmentalisation. Always a good security policy. And one that I practise. You are going to learn very little from the SIM I use for banking validation apart from the relay tower it most often locks onto. Because it doesn’t get used for things in my life other SIMs get used for. Or even on-air, that often. Like I have a SIM for trusted contacts & another for the peasants. And like my banking is compartmentalised across several banks (& currencies). With the account most used for payments having a limited balance & no overdraft facility, so limiting the loss should it get compromised.
Using apps on a fone is the opposite of this. It’s putting all your eggs in one vulnerable basket. I’m simply not that trusting & stupid.
@bis
At no point have I said that “people who can’t be bothered about looking after their own security should trust it to the “experts””. I think people should care about their privacy and security. I also think that those people who claim that they do care need to put some effort into keeping up with it. It’s a fast changing field. And nobody can learn everything about it, so part of that is understanding what your limitations are – what stuff you’ll do for yourself and what is safest to outsource. Thinking carefully about who or what you trust is a prerequisite.
It also requires the application of logic. For example if you’re trying to protect yourself when doing online banking, that clearly cannot be done on an airgapped machine so there is some risk that it’s compromised. At this point it may become irrational to worry about malware allowing an attacker to read the code generated by a TOTP authenticator app. If your attacker can do that, odds are they can read whatever you’re doing in your online banking session anyway. There are things you can and should do to make the risk of compromise less likely, but avoiding authenticator apps probably isn’t one of them because that’s not where the weak point in the chain is. There’s a reason security experts recommend authenticator apps. You might not trust experts and skepticism is healthy, but their rationales are publicly available online and you should give them a fair hearing.
The SMS protocols are fundamentally insecure in a way that exposes people to a real, not hypothetical, form of attack. SMS is not trustworthy and this should be much more widely known than it is. For 99% of people using SMS for important things like banking security or “forgotten password” access to critical email accounts, the best advice is STOP and see if you can change your settings to use a different form of authentication. The number of services still relying on SMS for authentication in 2024 is shocking tbh. There is a reason so many firms have been trying to push customers into using other forms of authentication and if anything they’ve been too slow to do so. I appreciate this is an irritant for people with highly unusual security models who gravely distrust phone apps and don’t want to use a more physical key (like card machines for authorising transactions) but from the point of view of a company trying to limit fraud on its customers, moving away from SMS should have happened years ago.
A lot of people interested in privacy and security seem to get brainworms due to the involvement of large corporations. Fair enough, I don’t like Meta and I don’t like WhatsApp. However, a security code sent via WhatsApp using E2E encryption is massively more secure than one sent by SMS.
Similarly a lot of people say they run their own email server because they hate the idea of Microsoft or Google scanning the contents of their mail. Fine, that’s a valid concern. But what risk does corporate snooping put you under? Do you have other ways of managing or mitigating that risk? Running your own email server is quite an extreme response – there are computing hobbyists who enjoy the challenge, but if you’re going to use it for anything important, then you need to ask yourself just how up to speed you are. You can have a service that seems to be working fine, but if you made a mistake or are using outdated tools then you are wide open to being hacked or even having email intercepted.
In terms of security threats, most people would be far safer to swallow their pride and use Gmail, and just accept the creepy ads. And if you really don’t want creepy ads but aren’t expert enough to risk running your own email server, then the best response might be to switch to a paid email provider rather than a free one. (Yes your bank statements now make your paid email service effectively undeniable to the lawman even if you assiduously wipe the history of your devices… but once you put the paranoia aside, just who would this be a genuine problem for? Not nobody, but not most people either.)
Re deanonymising SIM cards… Government agencies use correlation analysis to find relationships between SIMs. Several that light up at the same base station but never at the same time over a long enough period would be a giveaway of SIM swapping, especially if on several occasions one goes dark and the other lights up minutes later. Similarly if the “secure” phone is only ever used when the “everyday” phone’s owner is in town (identified by their main phone SIM having been active recently locally) and is never used when they’re out of town. Patterns of usage can be very revealing. At least to someone with the power to do so and who’s looking for it. For John Doe, even the scary surveillance state isn’t going to bother with all this, and your common or garden fraudster lacks the means to do so. In fact the fraudster doesn’t need to since most people they target will not be compartmentalising SIMs like this. But anyone trying to overthrow the government or run a major criminal enterprise ought to be aware that swapping SIMs on a dumbphone isn’t going to make them magically invisible if someone cares to look.
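The correlation pattern described in the comment just above (“several that light up at the same base station but never at the same time … one goes dark and the other lights up minutes later”), as an added illustration that is not part of any commenter’s post and not any agency’s actual tooling: a deliberately simple heuristic run over constructed cell-attach records of the form (SIM id, tower id, Unix time). The sample data, the SIM names A/B/C, and the thresholds (60 s concurrency tolerance, 20 min hand-over gap, 10 min quiet period, three hand-overs to flag) are all my assumptions; the point is only that a “banking-only” or “secure” SIM that is carried in the same pocket as the everyday one stands out in the telco’s own data, whatever is or isn’t sent over it.

```python
import bisect
from collections import defaultdict
from itertools import combinations

DAY0 = 1_700_000_000  # constructed epoch base; any value works
TOWER = "T1"          # one cell, to keep the sample small


def _constructed_events():
    """Four days of made-up attach records: (sim, tower, unix_time)."""
    ev = []
    for d in range(4):
        b = DAY0 + d * 86400
        # everyday SIM "A": on all day, dark between 17:50 and 19:10
        ev += [("A", TOWER, b + 8 * 3600), ("A", TOWER, b + 12 * 3600),
               ("A", TOWER, b + 17 * 3600 + 50 * 60), ("A", TOWER, b + 19 * 3600 + 10 * 60)]
        # "secure" SIM "B": only lights up, at the same tower, while A is dark
        ev += [("B", TOWER, b + 18 * 3600 + 5 * 60), ("B", TOWER, b + 19 * 3600)]
        # unrelated SIM "C": overlaps in time with both A and B, so it is somebody else
        ev += [("C", TOWER, b + 12 * 3600 + 20), ("C", TOWER, b + 18 * 3600 + 5 * 60 + 30)]
    return ev


EVENTS = _constructed_events()


def index(events):
    """sim -> time-sorted list of (unix_time, tower)."""
    per = defaultdict(list)
    for sim, tower, t in events:
        per[sim].append((t, tower))
    for sim in per:
        per[sim].sort()
    return per


def concurrent(ex, ey, tol=60):
    """Number of y sightings with an x sighting within `tol` seconds (any tower).
    Two SIMs in one pocket are never both active at once, so this should be ~0."""
    tx = [t for t, _ in ex]
    n = 0
    for t, _ in ey:
        i = bisect.bisect_left(tx, t - tol)
        if i < len(tx) and tx[i] <= t + tol:
            n += 1
    return n


def handovers(ex, ey, gap=1200, quiet=600):
    """y sightings at a tower where x was last seen at that same tower within `gap`
    seconds, and x then stays silent for `quiet` seconds: "x goes dark, y lights up"."""
    tx = [t for t, _ in ex]
    n = 0
    for t, tower in ey:
        i = bisect.bisect_left(tx, t)        # first x sighting at or after t
        if i == 0:
            continue
        last_t, last_tower = ex[i - 1]
        if last_tower != tower or t - last_t > gap:
            continue
        if i < len(tx) and tx[i] < t + quiet:
            continue                          # x came straight back: not a hand-over
        n += 1
    return n


def suspicious_pairs(events, min_handovers=3):
    """Pairs that are never concurrent but repeatedly hand over to each other."""
    per = index(events)
    flagged = []
    for x, y in combinations(sorted(per), 2):
        c = concurrent(per[x], per[y])
        h = handovers(per[x], per[y]) + handovers(per[y], per[x])
        if c == 0 and h >= min_handovers:
            flagged.append((x, y, h))
    return flagged


if __name__ == "__main__":
    print(suspicious_pairs(EVENTS))   # A and B behave like one person with two SIMs
```

With real data the thresholds would be tuned and the tower dimension matters far more (the same pair of SIMs following each other across many cells), but the shape of the analysis is exactly what the comment describes: no content of any SMS is needed, only who attached where and when.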
“…several cases of people getting phone numbers ported away from under them…” and then “The banking apps don’t have the same vulnerabilities.”
Erm, they do. If your app is running on your phone and the number gets ported to someone else’s SIM card, then you’re toast just the same.
People saying things like, “anyone relying on SMS messages to authenticate payments is a fool”? *I’m* not relying on it, I don’t own the bank, they impose it on me. What choice do I have? Telling me to use an authenticator app is not much good; I downloaded one for Linux (which I use) and I can’t work out how to use it with my bank. It’s got a list of hundreds of “providers” I can set it up with, but none of them are of any interest to me whatsoever. WTF are Blacknight?
There’s a reason security experts recommend authenticator apps.
They have a great deal invested in authenticator apps.
@ bis 7.08 pm
All/most of those don’t care whether it is actually legal because they are Local Authorities who think that they *are* the law. I have never been unable to pay without a mobile ‘phone in any car park owned by a private company.
[TfL is owned by a Local Authority]
@ Spiro Ozer
Agreed – I find it irritating that if I’m making an efficient BACS payment through my computer which has my landline ‘phone next to it, I then have to go and find my mobile because banks are obsessed with mobile ‘phones.