Do You Trust The Security Of Your Andriod Smart Phone?

[connda]

Download our banking app.
"Safe and Convenient?  Just download at Google Play."
???? Ok  <Goes to Google Play and installs my bank's application.>  They only need access to most of my phones functionality:  Camera, mic, contacts, location, etc etc etc.

Then you login by just clicking their icon.  Perhaps the first time you need a user-id/password.  Might even need 2-factor authentication (going to the phone you're holding).  After that?  Bob's Your Uncle.  Just click the icon and your in! 

I don't see how Android is either safe or secure.  Possibly convenient (or not).  What do you think?
 

[worgeordie]

Install a security app , Check Lazada for Eset mobile security ,has

antivirus , phishing and safe banking  , only 116 Thb , then feel

safer .....

regards Worgeordie

[1FinickyOne]

Trust it for what?

 

ET phone home

[topt]

23 minutes ago, connda said:

Then you login by just clicking their icon.  Perhaps the first time you need a user-id/password.  Might even need 2-factor authentication (going to the phone you're holding).  After that?  Bob's Your Uncle.  Just click the icon and your in! 

Not the case with SCB app. You have to put in a 6 digit passcode, or possibly use another form of id., before you can get into anything to do with money.

[Salerno]

2 minutes ago, connda said:

I don't see how Android is either safe or secure.  Possibly convenient (or not).  What do you think?

I think you need to look at the security options more. None of my banking apps (none Thai) allow/are set to launch without another layer of security. If they could I'd uninstall.

 

Like anything, your phone is only secure as you make it.

[Negita43]

I have no apps on my phone for anything financial - for example Lazada - access via PC - pay on receipt and email for account. In this age of "big data" you can't escape them collecting and collating your data but to me it seems crazy putting everything on one device  in the name of security. So called two factor authentication on one device seems paradoxical to me - two device authetication is more secure ie access your account via a pc/notebook and get the OTP via your phone - surely it is less likely you will lose or have stolen both devices.

[moogradod]

No way. We dont have electronic banking at all - mobile or not. I had electronic banking in Switzerland. Very convenient. But not to have it here eliminates at least some part of possible fraud. And branches are open for most transactions even late in the evening or on holidays - which is convenient enough.

[KhunLA]

yes & no ... yes, because absolutely nothing on there that is a security issue, with exception of BBL, which gets my USA Soc Sec DD.  It goes in one day, and out the next.  That app simply to see if arrived, and current balance, usually <5k baht.

 

no ... as don't know a Thai site yet that hasn't be hacked, or any site for that matter.  

 

Except for BBL, there isn't much on my phone.  I use it for camera, GPS and that's about it.  Only phone calls I get are delivery folks letting me know that are on the way.  Don't think I myself make 5 phone calls a month.

[OneMoreFarang]

With many apps you have the choice if you want to enter your password manually, two factor authentication, fingerprint and other options.

It seems many users just want it simple and if they have to enter a password again, they are just annoyed.

I guess that is the reason why often by default all is set to be as comfortable as possible.

 

Normal users just don't care. Or maybe they care, but only after something happens. Why did nobody tell me? ...

 

[moogradod]

2 minutes ago, OneMoreFarang said:

With many apps you have the choice if you want to enter your password manually, two factor authentication, fingerprint and other options.

It seems many users just want it simple and if they have to enter a password again, they are just annoyed.

I guess that is the reason why often by default all is set to be as comfortable as possible.

 

Normal users just don't care. Or maybe they care, but only after something happens. Why did nobody tell me? ...

 

I am aware of all that but I am not a normal user but a security paranoid. I have been working for the IT-industry for decades.

 

And you are absolutely right - I believe especially Thais do not care that much. In fact that was the answer a bank employee gave me when I did bring up the issue of two factor authentication for transactions with my credit card. She said: No have. Thais like easy handling.

[KannikaP]

31 minutes ago, topt said:

Not the case with SCB app. You have to put in a 6 digit passcode, or possibly use another form of id., before you can get into anything to do with money.

Same with Bkk Bank, 6 digit PIN. And with all UK banks.

[it is what it is]

 

just looking at the shocking design and clunky functionality of my thai banking web pages puts me off installing their app. if the front end is that bad, how likely is it the back end is any better/reliably secure?

[ballpoint]

I can open all of my banking apps, Thai and overseas, by clicking the icon.  I can check the account balance in each, but that's about all I can do at that point.  If I want to do anything else, like set up a transfer, change my daily withdrawal limits for various methods, or even just see previous activity on my account, I need to use my fingerprint.  Then, once I've setup and confirmed the transfer / new limits, I need to enter a 6 digit PIN for it to go ahead.  This is standard for all my accounts, whether they be in Thailand, Australia, Isle of Man, and Singapore.  I have no worries whatsoever about the security of the system.  In fact, the apps make things even more secure, because they all give me a notification if someone has as much as looked at my account details anywhere.  But, keep wearing the tin foil hat, and standing in line at the bank, if it gives you a warm, fuzzy feeling.

[Crossy]

Meanwhile.

 

Line Pay needs my fingerprint TWICE (and seemingly endless confirmations) to transfer 16 Baht to a work colleague to pay for the Coke she got me from the Seven. 

 

[OneMoreFarang]

Security? Who cares?

Thai banks concentrate on the real important banking feature. Which is your favorite Blackpink girl?

 

 

I also just got a new Swensen's card. I will share my ice-cream with Jennie for the next year. ???? 

[fdsa]

Quote

Do You Trust The Security Of Your Andriod Smart Phone?

of course no.

If you want to be safe you have to use a separate phone dedicated to banking apps. I.e. use one phone for your casual stuff like sexting, playing games or browsing internets and another phone for banking only, without installing ANYTHING on it except those banking apps.

And of course this phone must come from a reputable company and run a clean operating system without tons of preinstalled malware, e.g. an Apple iPhone or a Google Pixel, not a random chinese bullshít like xiaomi or oppo.

 

P.S. despite Samsung is somewhat reputable company I would not recommend it for banking because their phones do not come with a clean Android operating system but rather filled with a bloat-/mal-ware with unknown functions and features.

[connda]

1 hour ago, topt said:

Not the case with SCB app. You have to put in a 6 digit passcode, or possibly use another form of id., before you can get into anything to do with money.

Do you know how fast a 6 digit pass-code can be hacked?

That's my point.

 

[connda]

57 minutes ago, moogradod said:

I am aware of all that but I am not a normal user but a security paranoid. I have been working for the IT-industry for decades.

Before I retired?  Me too.

[blackcab]

SCB and UOB apps both need my fingerprint to log in.

[Negita43]

Just one question for the pro app lobby - where do you keep your passwords?

[KhunBENQ]

3 hours ago, topt said:

Not the case with SCB app. You have to put in a 6 digit passcode, or possibly use another form of id., before you can get into anything to do with money.

Same for Bangkok Bank, SCB and Kasikorn.

And for effective transactions all use SMS OTP.

Not considered too safe in the west and abolished.

Insecure because of the careless procedures of telecom operators.

(easily sending out replacement SIMs to new address via hotline request e.g.)

Security of such apps is not limited/restricted by Android.

That Android is one of the most buggy operating systems is no secret.

That's what add-on security SW and regular updates are for.

[KhunBENQ]

12 minutes ago, Negita43 said:

Just one question for the pro app lobby - where do you keep your passwords?

In a manually maintained password file/container encrypted with VeraCrypt stored locally only on three backups (VeraCrypt on PC, reading on phone with EDS lite). Master-password under the scull cap, 16 characters. Enough for a while.

Individual passwords are generated and no less than 14 characters.

I am likely not in the focus of the latest quantum computer by NSA and others.

So can sleep quite well.

[topt]

2 hours ago, connda said:

Do you know how fast a 6 digit pass-code can be hacked?

That's my point.

 

No it wasn't - your point that is.

I specifically replied to your point about clicking on an icon only with no other input to access.

 

Anyway good luck to a casual thief stealing my phone and being able to crack the 6 digits before I have disabled access.

 

 

[topt]

1 hour ago, Negita43 said:

Just one question for the pro app lobby - where do you keep your passwords?

Specifically for my phone banking app - in my head. 

Otherwise generally somewhat similarly to as @KhunBENQ stated.

 

PS - I am not pro app. Most of my banking is done online with a pc. I don't use apps for my home country banking and only started recently in Thailand for ease of paying utility bills as most, for me,  cannot be paid online.

[KhunBENQ]

11 minutes ago, topt said:

Anyway good luck to a casual thief stealing my phone and being able to crack the 6 digits before I have disabled access.

Haven't tried but I assume that there is lock after x failed attempts.

My home country bank is very strict. After 3rd failed attempt I am out.

Need postal mail with new data.

 

[K2938]

10 minutes ago, topt said:

I am not pro app. Most of my banking is done online with a pc.

Given that there is no proper 2FA in Thailand, app seems safer than "online with a pc" because for the latter anybody can enter passwords in the internet from anywhere while to do the same with your app they would need to have your phone which is much more difficult.  Also, it is generally much easier now for somebody to hack into a PC than remotely access an up-to-date phone

[KhunBENQ]

One thing for sure: if your phone is hacked, planting a key(board)/screen logger you have a problem. This falls under the category of Android security. Worth using common sense when installing new stuff, doing scans with some security SW (I use Avira) and doing the updates.

Still for Thai banking there is the OTP hurdle over the cellular network.

Additionally banks send alerts via email.

Helps to find suspicious activity.

[topt]

8 minutes ago, K2938 said:

Given that there is no proper 2FA in Thailand,

Please define "proper" - if I try and set up a new payee online with SCB I have to authenticate via OTP for which I need my phone?

 

 

[JayClay]

4 hours ago, Negita43 said:

So called two factor authentication on one device seems paradoxical to me

Not really. The point of 2 factor authentication is proving who you are by something you know (your password) with something you have (your phone).

 

It doesn't matter that you're using the phone both as the thing you have and to input the thing you know; you've still proven both to be true. Which can't be achieved by 1 factor authentication.

[K2938]

16 minutes ago, topt said:

Please define "proper" - if I try and set up a new payee online with SCB I have to authenticate via OTP for which I need my phone?

OTP is a very very weak level of protection which is very easy to get around and has therefore generally been discarded because of this in many Western countries as mentioned above.  So "proper" in this means an actually well-working method of 2FA, not OTP