Banking - online; save my logon details?

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Post by ChrisGreaves »

I am confused about two aspects of logging in/signing on to online bank accounts:-

(1) Firefox now offers to "save my login information", which would worry me intensely were I still walking to libraries for WiFi access.
(2) Online banks have begun to send me six-digit confirmation codes by email whenever I log on. why "Bing.com" cookies from EQ online banking?

The first aspect leaves my financial accounts open for anyone who walks into my house to gain access to online accounts without knowing my user name, account number, or password. Indeed, anyone can use my bookmarks ("Finance, Scotia") and email money to their nefarious acquaintances.

The second aspect leaves my financial accounts open for anyone who walks into my house and can fire up Thunderbird, then copy/paste a six-digit number, but is a hassle for me; playing with email when I want to be working with banking is, to my mind, a needless interruption.

More than anything, the practice of saving a password for any online site (BBS, Banks, TripAdvisor, GMail account, ...) seems to blow the whole idea of security right out of the water.

I must be missing something here, but what?

Thanks, Chris
An expensive day out: Wallet and Grimace

stuck
Panoramic Lounger
Posts: 8127
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Banking - online; save my logon details?

Post by stuck »

ChrisGreaves wrote:
19 Jan 2023, 12:49
...(1) Firefox now offers to "save my login information"...
I use this feature extensively because for a bad guy to exploit it they would have to break into my house and then either use my PC while they were there or steal it and then use it wherever they've taken it to. My PC is a big and bulky desktop box (well, on the floor under the desk box actually). As such it's not an attractive item to steal so I consider the security risk to be low.
ChrisGreaves wrote:
19 Jan 2023, 12:49
...(2) Online banks have begun to send me six-digit confirmation codes by email whenever I log on...
I'd be very surprised if your bank do not allow you the option to receive such codes by SMS text, that's how my online banking works. It's no bother to have my phone sitting next to me whenever I log on and then type the code that is sent to the phone into the relevant box on the log on screen.
ChrisGreaves wrote:
19 Jan 2023, 12:49
...
The first aspect leaves my financial accounts open for anyone who walks into my house to gain access to online accounts without knowing my user name, account number, or password. Indeed, anyone can use my bookmarks ("Finance, Scotia") and email money to their nefarious acquaintances...
True but what is the risk of that happening? High / Medium / Low / Very Low? In my case I think it's Very Low. In your case, given that you're not shy about publicising your address in this forum then it might be nearer Medium but someone has still got to go to the effort of breaking in and stealing your kit.
ChrisGreaves wrote:
19 Jan 2023, 12:49
...
The second aspect leaves my financial accounts open for anyone who walks into my house and can fire up Thunderbird, then copy/paste a six-digit number, but is a hassle for me; playing with email when I want to be working with banking is, to my mind, a needless interruption...
See my previous comment on this. Find out how to get the bank to send the code to you by SMS text message.
ChrisGreaves wrote:
19 Jan 2023, 12:49
...
More than anything, the practice of saving a password for any online site (BBS, Banks, TripAdvisor, GMail account, ...) seems to blow the whole idea of security right out of the water.

I must be missing something here, but what?

Thanks, Chris
I think you're missing a risk assessment of the likelihood of your security being compromised by your use of such features.

Ken

StuartR
Administrator
Posts: 12577
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Banking - online; save my logon details?

Post by StuartR »

Any form of 2FA (two factor authentication) is MUCH better than just a username and password.

- SMS text messages and emails are very weak forms of 2FA as they are both easy to intercept
- An app such as Google authenticator is quite strong 2FA
- A hardware token like Yubikey, or the device I got from my bank, is the best 2FA
StuartR


BobH
UraniumLounger
Posts: 9215
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Banking - online; save my logon details?

Post by BobH »

I don't allow Fx to retain any passwords. I use Roboform to generate and store passwords, and I have a long and very complex password to access Roboform. I keep this pw at the end of or embedded in some Word files that it would be a stroke of luck for anyone to find. I also have it stored, encrypted, in the cloud.

I agree that 2FA is a very good form of identification. I especially prefer SMS for receiving codes; however some sites still use email.
Bob's yer Uncle
(1/2)(1+√5)
Intel Core i5, 3570K, 3.40 GHz, 16 GB RAM, ECS Z77 H2-A3 Mobo, Windows 10 >HPE 64-bit, MS Office 2016

stuck
Panoramic Lounger
Posts: 8127
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Banking - online; save my logon details?

Post by stuck »

BobH wrote:
19 Jan 2023, 18:14
...it would be a stroke of luck for anyone to find...
Except now your secret is out so when Billy Burglar steals your laptop / PC he knows where to find your password.

Oops!

Ken

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Banking - online; save my logon details?

Post by ChrisGreaves »

I use this feature extensively because for a bad guy to exploit it … I consider the security risk to be low
Hi Ken, I agree with you completely about “risk”. I have considered the risk, and both (a) back in the Toronto Libraries and (b) here in a Bonavista coffee-shop, felt that my risks were low. Even lower in my own house in a town with a low crime-rate.
I'd be very surprised if your bank do not allow you the option to receive such codes by SMS text,
This they do, but I don’t “do” SMS and generally do not have my smart phone on me. If I am out walking, maybe, but in my relaxed/retired state I treat it like a land-line rather than an essential weapon.
True but what is the risk of that happening? High / Medium / Low / Very Low? I think you're missing a risk assessment of the likelihood of your security being compromised by your use of such features.
As noted above, I am comfortable with the risk. I lock my house and shed doors at night, but leave them unlocked during the day. I have set off shopping and realized that I have forgotten to lock the house, without going into panic mode.

There's not a lot of money in the bank; I'd miss it if it were gone, but we're not looking at $300,000 here. My house consists of four walls and a roof over a collection of second-hand books on Turing Machines and Newfoundland history. Plus about 250 bottles of rabbit stew, jams, ...

All that said, I am more puzzled by the Janus-like aspects. On the one hand we have Firefox making it dead easy to have anyone gain access to our online data the minute we step away from our computer, and on the other hand the financial houses making it more difficult for anyone to gain access.
It’s as if those two parties are in an arms race to make it {more easy}/{more difficult} for an individual to use the services.

Cheers, Chris
An expensive day out: Wallet and Grimace

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Banking - online; save my logon details?

Post by ChrisGreaves »

Any form of 2FA (two factor authentication) is MUCH better than just a username and password.
Hi StuartR
If by “Better” you mean “stronger defence”, then yes, but as I noted in my reply to Stuart (“It’s as if those two parties are in an arms race”), 2FA seems to be nullified by a browser that remembers your passwords for you.
A hardware token like Yubikey, or the device I got from my bank, is the best 2FA
Yet in my case I feel comfortable enough with passwords that are complex enough (I reckon) and are easily remembered by me.

Right now, because I live alone, I feel comfortable with a password, and from time to time, the name of my first pet.

Cheers, Chris
An expensive day out: Wallet and Grimace

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Banking - online; save my logon details?

Post by ChrisGreaves »

stuck wrote:
19 Jan 2023, 18:22
Except now your secret is out so when Billy Burglar steals your laptop / PC he knows where to find your password.
Well!
Since we are leaking our dirty clean little secrets out here ... :grin:
I'm with BobH on this. I tried FF retaining passwords, then found it a bit unnerving having my machine log in for me.

Let's suppose you (all) are Billy Burglars. Of the 15,245 DOCuments on my Veracrypt encrypted partition, would you care to hazard a close-enough guess, even, to the name of my password file. That's assuming that it is a DOCument?
I'll even give you a hint: It is related to a place I wandered in the UK before we (my long dead Mother, long dead Father, and long dead Sister) emigrated to Australia back in 1956.
I'll even give you a bigger hint: The place was in Lancashire UK.

And if Billy Burglar is smart enough to use Everything (which by now he might be!) he might only have to inspect the 243 documents I have modified in the past 31 days. ("*.doc dm:>12/01/2022"), let alone the 15,231 objects accessed over the past 31 days(1) ("*.doc da:>12/19/2022").

If it's any consolation, I don't trust The Cloud or any remote storage facility to store my passwords.

(1) Although I do believe that it is more than 31 days since last I needed to modify anything in the password DOC.
Cheers, Chris
An expensive day out: Wallet and Grimace

stuck
Panoramic Lounger
Posts: 8127
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Banking - online; save my logon details?

Post by stuck »

ChrisGreaves wrote:
19 Jan 2023, 18:31
..I don’t “do” SMS and generally do not have my smart phone on me...
I rarely text, my phone is so old it's painful to text. In fact I rarely call anyone on my mobile phone, though I do take it with me when I go out. In that respect I think we are alike. However, it is trivial to have my mobile phone to hand when I log in to my bank, get the OTP code by text and then delete the message and return the phone to the shelf where it spends most of its (lonely) life. Much less hassle than getting the code by email.

Try it, you might like it...
    https://www.gocomics.com/calvinandhobbe ... ti=1875327

Ken
edited to add the link to Calvin and Hobbes when it came to mind a few mins after I'd made this post

BobH
UraniumLounger
Posts: 9215
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Banking - online; save my logon details?

Post by BobH »

stuck wrote:
19 Jan 2023, 18:22
BobH wrote:
19 Jan 2023, 18:14
...it would be a stroke of luck for anyone to find...
Except now your secret is out so when Billy Burglar steals your laptop / PC he knows where to find your password.

Oops!

Ken

Except I was careful to disguise where I hide it, what types of files. :grin:
Bob's yer Uncle
(1/2)(1+√5)
Intel Core i5, 3570K, 3.40 GHz, 16 GB RAM, ECS Z77 H2-A3 Mobo, Windows 10 >HPE 64-bit, MS Office 2016

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Banking - online; save my logon details?

Post by ChrisGreaves »

stuck wrote:
19 Jan 2023, 18:51
I rarely text, my phone is so old it's painful to text. ...
Truth is, I have an aversion to texting to/from people; I much prefer EMail on the laptop because I can easily copy/paste, and often enough compose in MSWord then Paste into TBird.
Texting leaves a poor record in that it sits on a device separate from my "main machine"

That said, I could use the SMS for banking and go on lying to people ("My phone doesn't support texting ..."), but closer to the truth is that I resent the extra step of locating then typing/pasting one more chunk of data into a machine.

The real bottom line is that I have dedicated my life striving to make computers do what I want them to do, and resent having to do what a machine wants me to do (even 'though I know that a human designer is behind the 2FA).
I'd be happier if, for each account, I was able to choose the level of security, and be it on my own head if ... :flee:

Cheers, Chris
An expensive day out: Wallet and Grimace

stuck
Panoramic Lounger
Posts: 8127
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Banking - online; save my logon details?

Post by stuck »

ChrisGreaves wrote:
19 Jan 2023, 20:05
..I resent...
Why waste emotional energy over something that is both beyond your control and unavoidable? 2FA for online banking is the price you pay for using online banking. If you don't want to pay that price don't use online banking.

Ken

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Banking - online; save my logon details?

Post by ChrisGreaves »

stuck wrote:
20 Jan 2023, 12:02
ChrisGreaves wrote:
19 Jan 2023, 20:05
..I resent...
Why waste emotional energy over something that is both beyond your control and unavoidable? 2FA for online banking is the price you pay for using online banking.
"Good question Ken", he said, chanting The Serenity Prayer.

The short answer to your question would be that I am a paranoid conspiracy theorist with a blinkered view that Big Business and Government is out to make us all conform to a single mould.

The longer answer is that I've spent my life trying to make computing machines do good things for us.

When a clerk stares at the screen and continues "The computer says that we can't ..." I know that it is shorthand for "The system designers never envisaged that {date-years would need more than two digits} / {someone would decide to return their toll-road transponder} / {someone might want to transfer the last three cents out of their account}"

In the case of 2FA-related stuff, so far in this thread people seem to have their own ideas about authentication, and to my mind, that should govern the systems rather than some one-size-fits-all reasoning by a designer.
In the case of 2FA I would think that a checkbox "I Understand the risks and would rather go on using a simple password as sufficient" would do the trick.
One of my bricks and mortar banks recently changed their filters. Instead of allowing one to filter transactions by calendar month, we now have to choose between "last 30 days", "previous 60 days", "previous 90 days", each of them just a set of 30 days, which is a step backwards from "current month", "previous month".
I would argue that BOTH sets of filters should be possible; why throw away a filter that was working? Why not add more options? I can't think of a logical reason for decisions like these.
Folks who balance their accounts at the end or start of each month have an extra load imposed on them.
If you don't want to pay that price don't use online banking.
Finally, a great many people still do not live in a major city or town. Newfoundland and Labrador statistics read :-
- 295 towns
- 471 426 inhabitants
- Area 8 373 km²
- Density 56,3 pop/km²
I would think that at least half of those towns have no access to an ATM (let alone a staffed bricks-and-mortar bank).
ATMs.png
If I've used Google Maps correctly there are few Bricks and Mortar banks in this neck of the woods, so residents are forced into online banking. The upper circle, despite reading "Elliston" is really Bonavista, the lower circle identifies Clarenville, 90 minutes drive south of here. If one then zooms in one sees a great many towns which, I suspect, are not served by brick-and-mortar banks at all.

Online access leaps and bounds year by year. By making online access restrictive and hassle-full, establishments are NOT "making our customers PRIORITY ONE!".

Cheers, Chris
An expensive day out: Wallet and Grimace

stuck
Panoramic Lounger
Posts: 8127
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Banking - online; save my logon details?

Post by stuck »

ChrisGreaves wrote:
20 Jan 2023, 14:31
...I would think that a checkbox "I Understand the risks and would rather go on using a simple password as sufficient" would do the trick...
Except too many people would not understand the risks and blindly tick such a checkbox and then resort to litigation when they fell foul of the risks. Despite such a check box appearing to absolve the bank of any liability I'm pretty sure a lawyer somewhere would eventually find a way of arguing that such a checkbox was not adequate and that the banks were indeed liable. 2FA reduces (but does not eliminate) banks' liability, i.e. it costs them less to enforce 2FA in their chosen manner.
ChrisGreaves wrote:
20 Jan 2023, 14:31
...making online access restrictive and hassle-full, establishments are NOT "making our customers PRIORITY ONE!".
Agreed, and the same thing with the closure of bricks and mortar banks has happened over here (the bank in our village (population circa 3000) closed years ago). However, it's all an inevitable consequence of the rise of the mobile / always connected / smart phone. No business is about making customers priority one. A business exists for the sole reason of making a profit for the owners of the business. All businesses will adopt systems that maximise profit, hence they enforce 2FA [insert any other irritating new fangled improvement to any business here] in their chosen manner. Only, and only if, that chosen manner upsets the majority of their customers and thus reduces their profit, will they change their system. Profit trumps everything.

There just aren't enough customers getting upset by 'progress'.

Ken
PS as more and more bricks and mortar shops of all kinds close, I predict that once the last generation to remember such things has died, it won't be long thereafter before an entrepreneur has this brilliant idea of setting up a 'shop', where customers can go to see and handle the stuff being sold and pay for the goods there and then and then take their purchases home immediately. This craze will then sweep the world and the entrepreneur will be the richest person in the world!

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Banking - online; save my logon details?

Post by ChrisGreaves »

stuck wrote:
20 Jan 2023, 15:24
... and blindly tick such a checkbox and then resort to litigation
Agreed.
There just aren't enough customers getting upset by 'progress'.
Agreed. But I'll go on making a noise ...
... an entrepreneur has this brilliant idea of setting up a 'shop', ...
Over my dead body!
(probably)

I still believe that us IT chaps have two conflicting ideas here, though.
On the one hand today's technology (2FA) is making life harder for the crooks, and on the other hand today's technology ("Save your login data?") is making it ridiculously easy for the crooks.

In terms of "blindly ticking", the same argument must apply to people who see the little popup from FireFox and think "Oh, I trust Firefox to do the right thing for me ..." :sad:

Cheers, Chris
An expensive day out: Wallet and Grimace

PaulB
BronzeLounger
Posts: 1596
Joined: 26 Jan 2010, 20:28
Location: Ottawa ON

Re: Banking - online; save my logon details?

Post by PaulB »

...and on the other hand today's technology ("Save your login data?") is making it ridiculously easy for the crooks.
Like most, if not all, password managers, Firefox protects its saved login credentials with a master primary password. The login data is generally not open to one and all.
Regards,
Paul

The pessimist complains about the wind. The optimist expects it to change. The realist adjusts his sails.

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Banking - online; save my logon details?

Post by ChrisGreaves »

PaulB wrote:
20 Jan 2023, 20:47
Like most, if not all, password managers, Firefox protects its saved login credentials with a master primary password. The login data is generally not open to one and all.
Hi Paul. I was not aware that FF encrypted its password collection, but I'm not surprised.
That said, "generally" is a word unlikely to be used by those promoting password-manager software, is it?

I think that my argument still holds: Anything that makes it easy for Billy Burglar (or Paul of Ottawa - ALWAYS WELCOME HERE) to creep into my study and gain access to online accounts without having to key in a password seems to thwart the work of the 2FA crowd.

True it is that once I shut down the machine, Veracrypt encryption and obfuscation (of my password text file) are on my side.
But FF saved logins have made it easier for any visitor to gain instant access at the time that the 2FA crowd are striving to protect my accounts.

Actually, Veracrypt alone probably won't help me at all; that just protects my data partition, not my boot partition and User Data. I must reboot and see if FF still offers free logins. I suspect that it will.


Cheers, Chris
An expensive day out: Wallet and Grimace

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: Banking - online; save my logon details?

Post by ChrisGreaves »

ChrisGreaves wrote:
21 Jan 2023, 12:16
I must reboot and see if FF still offers free logins. I suspect that it will.
I did.
And it does!
Cheers, Chris
An expensive day out: Wallet and Grimace

RonH
SilverLounger
Posts: 2057
Joined: 02 Mar 2010, 16:53
Location: An Aussie in Norway

Re: Banking - online; save my logon details?

Post by RonH »

There are many different forms of online banking (bank competition?) but most seem to rely on 2FA.

My bank has a good secure approach ... I think/hope. Via an app on computer or mobile you enter a birth number (unique to you in all government or banking contact) which redirects you to a separate mobile app where you enter a PIN code. Then before you can access banking 'my page' it is necessary to enter a personal password. Seems a bit long winded but in reality it is quick.

Banking 'on the run' with these personal codes and apps gives me confidence. Additionally should I (or someone else) make a purchase using (say my debit/credit card) I am immediately advised of the purchase on my phone.

A bit 'off topic' Charles but of possible interest.
CYa Ron
W11 pc, Android toys.
The only reason we have the 4th dimension of Time is so that everything does not happen at once.

Jay Freedman
Microsoft MVP
Posts: 1313
Joined: 24 May 2013, 15:33
Location: Warminster, PA

Re: Banking - online; save my logon details?

Post by Jay Freedman »

ChrisGreaves wrote:
21 Jan 2023, 12:16
I think that my argument still holds: Anything that makes it easy for Billy Burglar (or Paul of Ottawa - ALWAYS WELCOME HERE) to creep into my study and gain access to online accounts without having to key in a password seems to thwart the work of the 2FA crowd.
Having FF or any browser save passwords does nothing to thwart 2FA. After the browser enters a saved password, the number or text generated by the 2FA program does not come to you through the browser (unless you're using an online email client, but even then it's in a separate window and separate connection). If you use a smartphone to receive the value or to run an authentication app, or if you have something like a Yubi dongle, that isn't even on the same hardware.

My (minor) objection is that some institutions offer 2FA only by text message, which is technically easier to intercept than email, and most don't offer authentication app support at all.