Banking - online; save my logon details?
-
- PlutoniumLounger
- Posts: 16070
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Banking - online; save my logon details?
I am confused about two aspects of logging in/signing on to online bank accounts:-
(1) Firefox now offers to "save my login information", which would worry me intensely were I still walking to libraries for WiFi access.
(2) Online banks have begun to send me six-digit confirmation codes by email whenever I log on. why "Bing.com" cookies from EQ online banking?
The first aspect leaves my financial accounts open for anyone who walks into my house to gain access to online accounts without knowing my user name, account number, or password. Indeed, anyone can use my bookmarks ("Finance, Scotia") and email money to their nefarious acquaintances.
The second aspect leaves my financial accounts open for anyone who walks into my house and can fire up Thunderbird, then copy/paste a six-digit number, but is a hassle for me; playing with email when I want to be working with banking is, to my mind, a needless interruption.
More than anything, the practice of saving a password for any online site (BBS, Banks, TripAdvisor, GMail account, ...) seems to blow the whole idea of security right out of the water.
I must be missing something here, but what?
Thanks, Chris
The most expensive thing a man can own is ignorance.
-
- Panoramic Lounger
- Posts: 8381
- Joined: 25 Jan 2010, 09:09
- Location: retirement
Re: Banking - online; save my logon details?
I use this feature extensively because for a bad guy to exploit it they would have to break into my house and then either use my PC while they were there or steal it and then use it wherever they've taken it to. My PC is a big and bulky desktop box (well, on the floor under the desk box actually). As such it's not an attractive item to steal so I consider the security risk to be low.
ChrisGreaves wrote: ↑19 Jan 2023, 12:49
...(2) Online banks have begun to send me six-digit confirmation codes by email whenever I log on...
I'd be very surprised if your bank do not allow you the option to receive such codes by SMS text, that's how my online banking works. It's no bother to have my phone sitting next to me whenever I log on and then type the code that is sent to the phone into the relevant box on the log on screen.
ChrisGreaves wrote: ↑19 Jan 2023, 12:49
...The first aspect leaves my financial accounts open for anyone who walks into my house to gain access to online accounts without knowing my user name, account number, or password. Indeed, anyone can use my bookmarks ("Finance, Scotia") and email money to their nefarious acquaintances...
True but what is the risk of that happening? High / Medium / Low / Very Low? In my case I think it's Very Low. In your case, given that you're not shy about publicising your address in this forum then it might be nearer Medium but someone has still got to go to the effort of breaking in and stealing your kit.
ChrisGreaves wrote: ↑19 Jan 2023, 12:49
...The second aspect leaves my financial accounts open for anyone who walks into my house and can fire up Thunderbird, then copy/paste a six-digit number, but is a hassle for me; playing with email when I want to be working with banking is, to my mind, a needless interruption...
See my previous comment on this. Find out how to get the bank to send the code to you by SMS text message.
ChrisGreaves wrote: ↑19 Jan 2023, 12:49
...More than anything, the practice of saving a password for any online site (BBS, Banks, TripAdvisor, GMail account, ...) seems to blow the whole idea of security right out of the water.
I must be missing something here, but what?
Thanks, Chris
I think you're missing a risk assessment of the likelihood of your security being compromised by your use of such features.
Ken
-
- Administrator
- Posts: 12758
- Joined: 16 Jan 2010, 15:49
- Location: London, Europe
Re: Banking - online; save my logon details?
Any form of 2FA (two factor authentication) is MUCH better than just a username and password.
SMS text messages and emails are very weak forms of 2FA as they are both easy to intercept
An app such as Google authenticator is quite strong 2FA
A hardware token like Yubikey, or the device I got from my bank, is the best 2FA
StuartR
-
- UraniumLounger
- Posts: 9474
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Re: Banking - online; save my logon details?
I don't allow Fx to retain any passwords. I use Roboform to generate and store passwords, and I have a long and very complex password to access Roboform. I keep this pw at the end of or embedded in some Word files that it would be a stroke of luck for anyone to find. I also have it stored, encrypted, in the cloud.
I agree that 2FA is a very good form of identification. I especially prefer SMS for receiving codes; however some sites still use email.
Bob's yer Uncle
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs
(1/2)(1+√5) |
-
- PlutoniumLounger
- Posts: 16070
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Banking - online; save my logon details?
"I use this feature extensively because for a bad guy to exploit it … I consider the security risk to be low"
Hi Ken, I agree with you completely about “risk”. I have considered the risk, and both (a) back in the Toronto Libraries and (b) here in a Bonavista coffee-shop, felt that my risks were low. Even lower in my own house in a town with a low crime-rate.
"I'd be very surprised if your bank do not allow you the option to receive such codes by SMS text,"
This they do, but I don’t “do” SMS and generally do not have my smart phone on me. If I am out walking, maybe, but in my relaxed/retired state I treat it like a land-line rather than an essential weapon.
"True but what is the risk of that happening? High / Medium / Low / Very Low? I think you're missing a risk assessment of the likelihood of your security being compromised by your use of such features."
As noted above, I am comfortable with the risk. I lock my house and shed doors at night, but leave them unlocked during the day. I have set off shopping and realized that I have forgotten to lock the house, without going into panic mode.
There's not a lot of money in the bank; I'd miss it if it were gone, but we're not looking at $300,000 here. My house consists of four walls and a roof over a collection of second-hand books on Turing Machines and Newfoundland history. Plus about 250 bottles of rabbit stew, jams, ...
All that said, I am more puzzled by the Janus-like aspects. On the one hand we have Firefox making it dead easy to have anyone gain access to our online data the minute we step away from our computer, and on the other hand the financial houses making it more difficult for anyone to gain access.
It’s as if those two parties are in an arms race to make it {more easy}/{more difficult} for an individual to use the services.
Cheers, Chris
The most expensive thing a man can own is ignorance.
-
- PlutoniumLounger
- Posts: 16070
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Banking - online; save my logon details?
Hi StuartR
"Any form of 2FA (two factor authentication) is MUCH better than just a username and password."
If by “Better” you mean “stronger defence”, then yes, but as I noted in my reply to Stuart (“It’s as if those two parties are in an arms race”), 2FA seems to be nullified by a browser that remembers your passwords for you.
"A hardware token like Yubikey, or the device I got from my bank, is the best 2FA"
Yet in my case I feel comfortable enough with passwords that are complex enough (I reckon) and are easily remembered by me.
Right now, because I live alone, I feel comfortable with a password, and from time to time, the name of my first pet.
Cheers, Chris
The most expensive thing a man can own is ignorance.
-
- PlutoniumLounger
- Posts: 16070
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Banking - online; save my logon details?
Well!
Since we are leaking our
I'm with BobH on this. I tried FF retaining passwords, then found it a bit unnerving having my machine log in for me.
Let's suppose you (all) are Billy Burglars. Of the 15,245 DOCuments on my Veracrypt encrypted partition, would you care to hazard a close-enough guess, even, to the name of my password file. That's assuming that it is a DOCument?
I'll even give you a hint: It is related to a place I wandered in the UK before we (my long dead Mother, long dead Father, and long dead Sister) emigrated to Australia back in 1956.
I'll even give you a bigger hint: The place was in Lancashire UK.
And if Billy Burglar is smart enough to use Everything (which by now he might be!) he might only have to inspect the 243 documents I have modified in the past 31 days. ("*.doc dm:>12/01/2022"), let alone the 15,231 objects accessed over the past 31 days(1) ("*.doc da:>12/19/2022").
If it's any consolation, I don't trust The Cloud or any remote storage facility to store my passwords.
(1) Although I do believe that it is more than 31 days since last I needed to modify anything in the password DOC.
Cheers, Chris
The most expensive thing a man can own is ignorance.
-
- Panoramic Lounger
- Posts: 8381
- Joined: 25 Jan 2010, 09:09
- Location: retirement
Re: Banking - online; save my logon details?
ChrisGreaves wrote: ↑19 Jan 2023, 18:31
..I don’t “do” SMS and generally do not have my smart phone on me...
I rarely text, my phone is so old it's painful to text. In fact I rarely call anyone on my mobile phone, though I do take it with me when I go out. In that respect I think we are alike. However, it is trivial to have my mobile phone to hand when I log in to my bank, get the OTP code by text and then delete the message and return the phone to the shelf where it spends most of its (lonely) life. Much less hassle than getting the code by email.
Try it, you might like it...
https://www.gocomics.com/calvinandhobbe ... ti=1875327
Ken
edited to add the link to Calvin and Hobbes when it came to mind a few mins after I'd made this post
-
- UraniumLounger
- Posts: 9474
- Joined: 13 Feb 2010, 01:27
- Location: Deep in the Heart of Texas
Re: Banking - online; save my logon details?
Except I was careful to disguise where I hide it, what types of files.
Bob's yer Uncle
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs
(1/2)(1+√5) |
-
- PlutoniumLounger
- Posts: 16070
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Banking - online; save my logon details?
Truth is, I have an aversion to texting to/from people; I much prefer EMail on the laptop because I can easily copy/paste, and often enough compose in MSWord then Paste into TBird.
Texting leaves a poor record in that it sits on a device separate from my "main machine"
That said, I could use the SMS for banking and go on lying to people ("My phone doesn't support texting ..."), but closer to the truth is that I resent the extra step of locating then typing/pasting one more chunk of data into a machine.
The real bottom line is that I have dedicated my life striving to make computers do what I want them to do, and resent having to do what a machine wants me to do (even 'though I know that a human designer is behind the 2FA).
I'd be happier if, for each account, I was able to choose the level of security, and be it on my own head if ...
Cheers, Chris
The most expensive thing a man can own is ignorance.
-
- Panoramic Lounger
- Posts: 8381
- Joined: 25 Jan 2010, 09:09
- Location: retirement
Re: Banking - online; save my logon details?
Why waste emotional energy over something that is both beyond your control and unavoidable? 2FA for online banking is the price you pay for using online banking. If you don't want to pay that price don't use online banking.
Ken
-
- PlutoniumLounger
- Posts: 16070
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Banking - online; save my logon details?
"Good question Ken", he said, chanting The Serenity Prayer.
The short answer to your question would be that I am a paranoid conspiracy theorist with a blinkered view that Big Business and Government is out to make us all conform to a single mould.
The longer answer is that I've spent my life trying to make computing machines do good things for us.
When a clerk stares at the screen and continues "The computer says that we can't ..." I know that it is shorthand for "The system designers never envisaged that {date-years would need more than two digits} / {someone would decide to return their toll-road transponder} / {someone might want to transfer the last three cents out of their account}"
In the case of 2FA-related stuff, so far in this thread people seem to have their own ideas about authentication, and to my mind, that should govern the systems rather than some one-size-fits-all reasoning by a designer.
In the case of 2FA I would think that a checkbox "I Understand the risks and would rather go on using a simple password as sufficient" would do the trick.
One of my bricks and mortar banks recently changed their filters. Instead of allowing one to filter transactions by calendar month, we now have to choose between "last 30 days", "previous 60 days", "previous 90 days", each of them just a set of 30 days, which is a step backwards from "current month", "previous month".
I would argue that BOTH sets of filters should be possible; why throw away a filter that was working? Why not add more options? I can't think of a logical reason for decisions like these.
Folks who balance their accounts at the end or start of each month have an extra load imposed on them.
"If you don't want to pay that price don't use online banking."
Finally, a great many people still do not live in a major city or town. Newfoundland and Labrador statistics read :-
- 295 towns
- 471 426 inhabitants
- Area 8 373 km²
- Density 56,3 pop/km²
I would think that at least half of those towns have no access to an ATM (let alone a staffed bricks-and-mortar bank). If I've used Google Maps correctly there are few Bricks and Mortar banks in this neck of the woods, so residents are forced into online banking. The upper circle, despite reading "Elliston" is really Bonavista, the lower circle identifies Clarenville, 90 minutes drive south of here. If one then zooms in one sees a great many towns which, I suspect, are not served by brick-and-mortar banks at all.
Online access leaps and bounds year by year. By making online access restrictive and hassle-full, establishments are NOT "making our customers PRIORITY ONE!".
Cheers, Chris
The most expensive thing a man can own is ignorance.
-
- Panoramic Lounger
- Posts: 8381
- Joined: 25 Jan 2010, 09:09
- Location: retirement
Re: Banking - online; save my logon details?
ChrisGreaves wrote: ↑20 Jan 2023, 14:31
...I would think that a checkbox "I Understand the risks and would rather go on using a simple password as sufficient" would do the trick...
Except too many people would not understand the risks and blindly tick such a checkbox and then resort to litigation when they fell foul of the risks. Despite such a check box appearing to absolve the bank of any liability I'm pretty sure a lawyer somewhere would eventually find a way of arguing that such a checkbox was not adequate and that the banks were indeed liable. 2FA reduces (but does not eliminate) banks' liability, i.e. it costs them less to enforce 2FA in their chosen manner.
ChrisGreaves wrote: ↑20 Jan 2023, 14:31
...making online access restrictive and hassle-full, establishments are NOT "making our customers PRIORITY ONE!".
Agreed, and the same thing with the closure of bricks and mortar banks has happened over here (the bank in our village (population circa 3000) closed years ago). However, it's all an inevitable consequence of the rise of the mobile / always connected / smart phone. No business is about making customers priority one. A business exists for the sole reason of making a profit for the owners of the business. All businesses will adopt systems that maximise profit, hence they enforce 2FA [insert any other irritating new fangled improvement to any business here] in their chosen manner. Only, and only if, that chosen manner upsets the majority of their customers and thus reduces their profit, will they change their system. Profit trumps everything.
There just aren't enough customers getting upset by 'progress'.
Ken
PS as more and more bricks and mortar shops of all kinds close, I predict that once the last generation to remember such things has died, it won't be long thereafter before an entrepreneur has this brilliant idea of setting up a 'shop', where customers can go to see and handle the stuff being sold and pay for the goods there and then and then take their purchases home immediately. This craze will then sweep the world and the entrepreneur will be the richest person in the world!
-
- PlutoniumLounger
- Posts: 16070
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Banking - online; save my logon details?
Agreed.
"There just aren't enough customers getting upset by 'progress'."
Agreed. But I'll go on making a noise ...
"... an entrepreneur has this brilliant idea of setting up a 'shop', ..."
Over my dead body!
(probably)
I still believe that us IT chaps have two conflicting ideas here, though.
On the one hand today's technology (2FA) is making life harder for the crooks, and on the other hand today's technology ("Save your login data?") is making it ridiculously easy for the crooks.
In terms of "blindly ticking", the same argument must apply to people who see the little popup from FireFox and think "Oh, I trust Firefox to do the right thing for me ..."
Cheers, Chris
The most expensive thing a man can own is ignorance.
-
- SilverLounger
- Posts: 1612
- Joined: 26 Jan 2010, 20:28
- Location: Ottawa ON
Re: Banking - online; save my logon details?
"...and on the other hand today's technology ("Save your login data?") is making it ridiculously easy for the crooks."
Like most, if not all, password managers, Firefox protects its saved login credentials with a
Regards,
Paul
The pessimist complains about the wind. The optimist expects it to change. The realist adjusts his sails.
Paul
-
- PlutoniumLounger
- Posts: 16070
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Banking - online; save my logon details?
Hi Paul. I was not aware that FF encrypted its password collection, but I'm not surprised.
That said, "generally" is a word unlikely to be used by those promoting password-manager software, is it?
I think that my argument still holds: Anything that makes it easy for Billy Burglar (or Paul of Ottawa - ALWAYS WELCOME HERE) to creep into my study and gain access to online accounts without having to key in a password seems to thwart the work of the 2FA crowd.
True it is that once I shut down the machine, Veracrypt encryption and obfuscation (of my password text file) are on my side.
But FF saved logins have made it easier for any visitor to gain instant access at the time that the 2FA crowd are striving to protect my accounts.
Actually, Veracrypt alone probably won't help me at all; that just protects my data partition, not my boot partition and User Data. I must reboot and see if FF still offers free logins. I suspect that it will.
Cheers, Chris
The most expensive thing a man can own is ignorance.
-
- PlutoniumLounger
- Posts: 16070
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: Banking - online; save my logon details?
ChrisGreaves wrote: ↑21 Jan 2023, 12:16
I must reboot and see if FF still offers free logins. I suspect that it will.
I did.
And it does!
Cheers, Chris
The most expensive thing a man can own is ignorance.
-
- SilverLounger
- Posts: 2124
- Joined: 02 Mar 2010, 16:53
- Location: An Aussie in Norway
Re: Banking - online; save my logon details?
There are many different forms of online banking (bank competition?) but most seem to rely on 2FA.
My bank has a good secure approach ... I think/hope. Via an app on computer or mobile you enter a birth number (unique to you in all government or banking contact) which redirects you to a separate mobile app where you enter a PIN code. Then before you can access banking 'my page' it is necessary to enter a personal password. Seems a bit long winded but in reality it is quick.
Banking 'on the run' with these personal codes and apps gives me confidence. Additionally should I (or someone else) make a purchase using (say my debit/credit card) I am immediately advised of the purchase on my phone.
A bit 'off topic' Charles but of possible interest.
CYa Ron
W11 pc, Android toys.
The only reason we have the 4th dimension of Time is so that everything does not happen at once.
-
- Microsoft MVP
- Posts: 1324
- Joined: 24 May 2013, 15:33
- Location: Warminster, PA
Re: Banking - online; save my logon details?
ChrisGreaves wrote: ↑21 Jan 2023, 12:16
I think that my argument still holds: Anything that makes it easy for Billy Burglar (or Paul of Ottawa - ALWAYS WELCOME HERE) to creep into my study and gain access to online accounts without having to key in a password seems to thwart the work of the 2FA crowd.
Having FF or any browser save passwords does nothing to thwart 2FA. After the browser enters a saved password, the number or text generated by the 2FA program does not come to you through the browser (unless you're using an online email client, but even then it's in a separate window and separate connection). If you use a smartphone to receive the value or to run an authentication app, or if you have something like a Yubi dongle, that isn't even on the same hardware.
My (minor) objection is that some institutions offer 2FA only by text message, which is technically easier to intercept than email, and most don't offer authentication app support at all.