Posted

Phones with outdated operating systems to lose mobile-banking access

By The Nation

 


 

The Bank of Thailand (BOT) has stepped up measures to ensure mobile-banking security, assistant governor Siritida Panomwon Na Ayudhya said on Friday (December 20).

 

 

The central bank has issued guiding principles for mobile-banking security, which will not allow obsolete operating systems of smartphones to access banking services.

 

She said currently mobile banking has grown rapidly. There are about 55 million accounts registered to use mobile banking in the first nine months of this year, up from 41 million accounts last year, while financial transactions reached 3.2 billion items via mobile banking, up from 2.7 billion last year.

 

Mobile phones have become a more-important tool for financial transactions, she said.

 

However, risks stemming from malware or fake applications also posed a threat to the system, she warned. Therefore, the central bank will require financial institutions to be more careful about the security of the system.

 

Banks will have to inform customers that they cannot use mobile phones with obsolete operating systems, such as Android software prior to version 4, and iOS of iPhone prior to version 8. These outdated operating systems are vulnerable to cyberattacks.

 

“Mobile phones run by an obsolete operating system would have limited access to mobile-banking services or could be totally banned in the future; mobile devices that have been jailbroken or rooted would also be prohibited,” she said. The latest iOS version is 13.3. Mobile phones run by the obsolete Android system are less than one per cent. An estimated 10,000 mobile phones have been jailbroken and are currently used to access banking services.

 

Banks would also be required to have more complicated settings for PIN codes and passwords in order to reduce the risk of being hacked.

 

The central bank would allow banks four months to make the necessary changes before the guiding principles are enforced in May next year, she added.

 

Source: https://www.nationthailand.com/business/30379684

 


-- © Copyright The Nation Thailand 2019-12-21

 

  • Confused 1
Posted
5 hours ago, rooster59 said:

mobile devices that have been jailbroken or rooted would also be prohibited,” she said.

That sounds a bit draconian. I would have thought that someone who has taken the trouble to root their phone is liable to be more tech savvy and hence perhaps security conscious?

Good job I don't use my phone for mobile banking.......

 

https://www.lifewire.com/what-is-jailbreaking-2377420

Quote

In July of 2010, however, the Library of Congress Copyright Office ruled that jailbreaking your phone is legal, stating that jailbreaking is "innocuous at worst and beneficial at best."

Mind you things have moved on since 2010

  • Thanks 1
Posted

I never understand how people can trust Google/Apple/Chinese phone/OS safe enough for banking

when you read every week what GAFAM do with your personal data

(and how they deeply collect it without your consent and spy on everything you do, and where you are, and people with you)

 

Posted
3 hours ago, apophyss said:

I never understand how people can trust Google/Apple/Chinese phone/OS safe enough for banking

when you read every week what GAFAM do with your personal data

(and how they deeply collect it without your consent and spy on everything you do, and where you are, and people with you)

 

You mentioned what you don't use. What technologies do you use? What countermeasures do you deploy?

Posted

I use Bangkok Bank's App on my iPhone … have for a couple of years … it is Brilliant.

 

Has saved loads-a-time … 

Posted
3 hours ago, apophyss said:

I never understand how people can trust Google/Apple/Chinese phone/OS safe enough for banking

when you read every week what GAFAM do with your personal data

(and how they deeply collect it without your consent and spy on everything you do, and where you are, and people with you)

 

Me too.

 

Personally for online banking I use a PC from home and a laptop when traveling, each with heavy security.

Posted


To a point I can see why the bank would want to restrict or limit the use of their services to devices that aren’t using the most current OS... I think there’s a legitimate security interest there..

 

That said, I think perhaps a bit more of a middle ground if you will might be to restrict functionality of users whose devices aren’t OS compliant - perhaps limit the value of any one single transfer or limit the total number of transfers per block of time.

 

If the bank can show how a user that is using a rooted device risks the BANK'S interests, then I think it’s fair for the bank to say no to rooted devices... but if they can’t prove it, or if the risks are purely on the user's end*, then I think that’s something different.
 

(* and assuming the end user also assumes all losses and risks and holds the bank harmless)

 

I use the iOS apps for BBL, KBank, SCB, Krungthai and CIMB and overall am well satisfied... do I worry about security? Yes - I do... but I take what I feel are adequate and reasonably controllable safety measures; largely being the use and frequent changing of strong passwords, but also avoiding using WiFi networks when using their services.

Posted
13 hours ago, Antonymous said:

Me too.

 

Personally for online banking I use a PC from home and a laptop when traveling, each with heavy security.

The only time my bank account was hacked is when I used my laptop while travelling. Data on your phone is safer than some hotel wifi.

Posted
20 hours ago, topt said:

That sounds a bit draconian. I would have thought that someone who has taken the trouble to root their phone is liable to be more tech savvy and hence perhaps security conscious?

The issue is more likely either that a) the user is unaware that their phone has been jailbroken, and someone else may be spying on their banking activities or triggering them by remote control, or b) the user has deliberately jailbroken/rooted their phone and is using someone else’s credentials together with biometrics that were never properly confirmed with these credentials (but because the phone is hacked, it will appear as if they were).

 

That said, there is no way to identify a jailbroken phone with 100% accuracy; after all, the phone is in the owner’s full control, so the owner can just disable the code that checks whether or not the phone is jailbroken.

 

That makes me think that this policy is mainly to guard against the first case mentioned above, akin to saying “we will disable mobile banking on your phone if we detect that your phone has been hacked”.

Posted
55 minutes ago, lkn said:

That makes me think that this policy is mainly to guard against the first case mentioned above, akin to saying “we will disable mobile banking on your phone if we detect that your phone has been hacked”.

You may be right but that should almost be a "given" and written into the Ts and Cs of using the service. After all you have similar issues with online access via a pc......

Posted
8 minutes ago, topt said:

You may be right but that should almost be a "given" and written into the Ts and Cs of using the service. After all you have similar issues with online access via a pc......

The comparison with PCs: On my phone, I can do a bank transfer by confirming it using Face ID, whereas on my laptop, I have to enter an OTP sent to me by SMS.

 

So the banking app puts more trust into the integrity of my phone, than it does my PC.

 

You could argue, as I think someone has already done earlier in this thread, that if the mobile app detects that it is running on a “compromised” device, it should simply revert to the same two factor authentication that is used on a PC, but I think just cutting support for jailbroken devices and versions of the operating system that are more than five years old, is an understandable business decision and indirectly benefits their customers.

 

I.e. most people would not know what this is about, or if their phone has been hacked, but if the banking app tells them “please update your phone’s operating system” then they will go ahead and do this or contact someone that can help them perform the update.

 

Quite frankly, it would be rather amusing if the mobile banking app shows a message like “Your phone has been jailbroken/rooted/hacked, so we will require you to verify this action by SMS instead of your normal biometric identification” rather than “All banking services have been disabled because your phone appears to be hacked, please contact your nearest service center to restore ownership of your phone”
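
The choice debated in the posts above (block the device outright, or fall back to SMS OTP), written as a server-side decision function. This is an added example, not part of any post and not any bank's code; `DeviceReport`, its fields and the `Decision` values are hypothetical names, and only the Android 4 / iOS 8 minimums come from the article.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Oldest major versions still allowed, per the article: Android 4, iOS 8.
MIN_MAJOR = {"android": 4, "ios": 8}


class Decision(Enum):
    ALLOW_BIOMETRIC = "allow_biometric"  # normal in-app confirmation
    STEP_UP_OTP = "step_up_otp"          # SMS OTP, as on a PC
    DENY = "deny"                        # ask the user to update or visit a branch


@dataclass(frozen=True)
class DeviceReport:
    """Hypothetical fields the app sends with each session (assumed names)."""
    platform: str
    os_version: str
    integrity_ok: Optional[bool]  # None: the check never ran or was stripped out


def major_version(version: str) -> Optional[int]:
    """Leading integer of '4.4.2' or '13.3'; None when it cannot be parsed."""
    head = version.strip().split(".", 1)[0]
    return int(head) if head.isascii() and head.isdigit() else None


def decide(report: DeviceReport,
           on_integrity_fail: Decision = Decision.DENY) -> Decision:
    """DENY by default for rooted devices (the article's rule); pass
    Decision.STEP_UP_OTP to model the fallback discussed in the thread."""
    minimum = MIN_MAJOR.get(report.platform.strip().lower())
    major = major_version(report.os_version)
    # Unknown platform, unparseable or obsolete version: fail closed.
    if minimum is None or major is None or major < minimum:
        return Decision.DENY
    # A missing verdict counts as a failed one, since the device owner can
    # disable the client-side check and simply send nothing.
    if report.integrity_ok is not True:
        return on_integrity_fail
    return Decision.ALLOW_BIOMETRIC
```

Because the report originates on a device its owner controls, the function treats it as a risk signal for choosing the authentication method rather than as proof that the device is clean.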
