OT: a new scam

Handy for the occasional refund cheque, but not especially useful due to limited numbers and values of cheques that can be paid in by phone.

Reply to
Andy Burns

Blimey.

Reply to
The Natural Philosopher

Some bank apps contain your bank card PIN in the clear - which I do not consider a safe or sensible practice. That's why I won't have one.

Reply to
Martin Brown

Yes. I can see that for millennials who do everything on a StupidPhone including paying for their worthless purchases in shops designed to gull them from their unearned cash, they have some advantages.

But for security, the best place to do banking is at home, on a desktop machine.

Otherwise a credit or debit card will allow you to pay in cheques, pay for goods in a shop, withdraw cash and all the other stuff you can't actually do from home.

Reply to
The Natural Philosopher

And not require the actual cheque? That is asking for forgery.

Reply to
The Natural Philosopher

You can get genuine ones from them. There is a weird dichotomy that can catch you out if you move house and have subscribed to eg Barclaycard Secure. You have to separately notify the provider of that branded service as well as notifying Barclaycard of your change of address.

Otherwise a list of all your protected cards and any genuine fraud notifications will go to your previous address forever. I have seen it happen - a previous tenant got such a notification sent to my home!

My first reaction was that someone had got a credit card pointing at my address. I took it into their bank and they confirmed that it was real. ie It was a real fraud alert sent to their old address!

Reply to
Martin Brown

Yup, that is an advantage: it is far less likely to run on a platform that has already been compromised.

Not sure why the software in the app would be more buggy than the software running in the PINsentry device?

(they both will be written to comply with the same Chip Authentication Program standard).

Generally most mobile users will only download stuff via their respective app stores. That is usually less of a problem than with desktop machines.

As with most things of this nature, in their infancy it is easy to argue that, but with time they become integrated into common processes and before long end up being ubiquitous and eventually "essential". Much like mobile phones or GPS.

Reply to
John Rumm

Perhaps being the administrator of a machine carrying at that time about half the country's internet email (before the internet itself arrived) stored in plain text and easily visible to me, cured me of the fallacious notion that any big company does not have technicians in it who could, can and probably do data mine it for stuff to pass off to criminal chums.

Every time I give an email to a new online entity "your details will be held securely and not shared with third parties" I get up to 50 spam emails selling me everything from sex to an invitation to collect my lottery winnings.

In short I am acutely aware of just how insecure data held in someone else's cloud is. Even my own public 'cloud' is accessible to the sysadmin on whose machines it is hosted.

My most secure location is my domestic server and network. My wifi barely reaches outside the house, is encrypted and passworded and not used for financial transactions. Whilst there are ways to access my server remotely, they are custom built and very unlikely to be revealed to random port scanners. My PIN numbers are not written down anywhere. In the case of my main one, it is engraved into my brain cells; my HSBC one is written down in a personal shared secret code.

I have other passwords in a password manager, the pass key to which is again engraved in my brain and is utterly unguessable.

I have never been hacked, nor suffered any banking fraud scam being successful. I run 100% Linux at all times.

Reply to
The Natural Philosopher

So when you are expecting an order from AliExpress and you get a notification that there is a customs fee to pay before the parcel can be delivered?

The danger is not in all those cases where the notification is implausible, but in that one case where it aligns exactly with what you were expecting.

(Then think how much more effective such attacks could be in cases where someone's email has been hacked, and they now have access to exact details of their orders).

Reply to
John Rumm

is "under £1000" limited?

Reply to
charles

You can pay in a cheque with the phone apps. Once you have confirmed that the payment has completed, you can destroy the paper cheque.

Reply to
John Rumm

One of the tenets of good security is that it does not depend on "security by obscurity". I.e. you should be able to make a transaction with any third party having full visibility of it, and them also having full knowledge of the processes and algorithms that make it work, and yet it still remain secure. So even if Apple, Google, your mobile provider, your ISP etc. can see all the details of the transaction, it should not matter.

Reply to
John Rumm
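
The principle John Rumm describes above (Kerckhoffs's principle), as an added illustration that is not code from the thread and not the Chip Authentication Program specification itself: a token and the bank share a key that never goes over the wire; every message, the amount, the counter and the HMAC construction are visible to any eavesdropper and the algorithm is public, yet nobody without the key can authenticate a new transaction or alter the amount of an old one. The key size, message layout and 8-byte tag are assumptions chosen for the example.

```python
"""Kerckhoffs-style challenge-response over an open channel.

Added example: not the thread's code and not EMV CAP. Key length, message
layout, counter handling and tag truncation are assumptions for illustration.
"""
import hashlib
import hmac
import secrets


class Device:
    """A PIN-protected token (think card reader or bank app) holding a secret
    key that is never transmitted; it only emits short authentication tags."""

    def __init__(self, key):
        self._key = key
        self._counter = 0  # monotonically increasing, sent in clear

    def respond(self, challenge, amount_pence):
        """Bind counter, bank challenge and amount to the key; return (counter, tag)."""
        self._counter += 1
        msg = self._counter.to_bytes(4, "big") + challenge + amount_pence.to_bytes(8, "big")
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        return self._counter, tag


class Bank:
    """Holds the same key plus a high-water mark for the counter (replay defence)."""

    def __init__(self, key):
        self._key = key
        self._last_counter = 0

    def new_challenge(self):
        return secrets.token_bytes(8)

    def verify(self, challenge, amount_pence, counter, tag):
        if counter <= self._last_counter:
            return False  # replayed or stale counter
        msg = counter.to_bytes(4, "big") + challenge + amount_pence.to_bytes(8, "big")
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tag):
            return False
        self._last_counter = counter
        return True


def run_scenario():
    """One legitimate payment, then an attacker who saw everything tries four
    things without the key. Returns a dict of outcomes for inspection."""
    key = secrets.token_bytes(16)
    device, bank = Device(key), Bank(key)
    transcript = []  # everything the ISP / OS / app store / mobile provider sees

    challenge = bank.new_challenge()
    counter, tag = device.respond(challenge, 4999)  # GBP 49.99
    transcript.append((challenge, 4999, counter, tag))
    results = {"legit": bank.verify(challenge, 4999, counter, tag)}

    seen_challenge, seen_amount, seen_counter, seen_tag = transcript[0]
    # 1. Straight replay of the recorded message.
    results["replay"] = bank.verify(seen_challenge, seen_amount, seen_counter, seen_tag)
    # 2. Reuse the recorded tag with the next counter value.
    results["reuse_tag"] = bank.verify(seen_challenge, seen_amount, seen_counter + 1, seen_tag)
    # 3. Keep the tag, change the amount (GBP 4,999.00).
    results["alter_amount"] = bank.verify(seen_challenge, 499900, seen_counter + 1, seen_tag)
    # 4. Know the algorithm exactly, guess a key, answer a fresh challenge.
    fresh = bank.new_challenge()
    forged = Device(secrets.token_bytes(16)).respond(fresh, 4999)
    results["wrong_key"] = bank.verify(fresh, 4999, seen_counter + 1, forged[1])
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:12s} accepted={ok}")
```

The secrecy lives entirely in the 16-byte key inside the token; nothing else in the exchange needs hiding, which is exactly why it should not matter who can read the traffic. Where such a scheme fails in practice is not the transcript but the endpoint: malware on the device that holds the key, or a user typing the PIN into the wrong screen.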

Delivery information is more problematic as I do receive genuine communications with specific and complex links for tracking and the like. Going in on the normal website and trying to find a way to get to the information, especially on a phone, can be quite hard.

Thunderbird does that too.

My bank has genuinely called me in the past and before going into detail has asked me to prove my ID by giving three characters from my password. I pointed out that they hadn't proved their ID to me and that maybe they should have a password system for that. I ended the call and then called the bank on my mobile. It proved to have been a genuine call, about a suspect payment.

Reply to
SteveW

Coincidences can be very convincing. Several years ago I was browsing several sites looking for a new smartphone. A Samsung one looked interesting, but I didn't go further as it was getting late in the day. The next morning I had an email from Amazon, offering me a good discount on a different model Samsung phone. I was about to log on when I happened to glance at the address the email had come from. It was ..@amazan.com! A close shave, but it did teach me to be more observant, and not read what I /thought/ was written, but what was /actually/ written.

Reply to
Jeff Layman
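
The check Jeff Layman ended up doing by eye, turned into a small sender-domain filter as an added example (not code from the thread, and the trusted-domain list and sample headers are constructed for illustration): parse the From: header, reduce the address to its registrable domain, and flag one-letter-off lookalikes such as amazan.com as well as a trusted brand name in the display part sitting on an unrelated address.

```python
"""Classify a From: header against the domains you actually deal with.

Added example, not from the thread. TRUSTED, the registrable-domain heuristic
and the sample headers are assumptions; a real deployment would use the
public suffix list and the sender's SPF/DKIM-authenticated domain instead.
"""
from email.utils import parseaddr

# Assumption: the only senders this mailbox expects from the brand.
TRUSTED = {"amazon.com", "amazon.co.uk"}
LOOKALIKE_MAX_DISTANCE = 2  # amazan.com, amaz0n.com, amazon-com.com are all close


def edit_distance(a, b):
    """Levenshtein distance; small values mean a typosquat-style lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Crude registrable-domain extraction: last two labels, or three when the
    second-level label looks like co/com/org under a two-letter ccTLD.
    This is an assumption, not the public suffix list."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-2]) <= 3 and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_sender(header_value):
    """Return (verdict, domain) where verdict is one of
    trusted / lookalike / brand-spoof / unknown / unparseable."""
    name, addr = parseaddr(header_value)
    if "@" not in addr:
        return "unparseable", None
    domain = registrable(addr.rsplit("@", 1)[1])
    if domain in TRUSTED:
        return "trusted", domain
    if any(edit_distance(domain, t) <= LOOKALIKE_MAX_DISTANCE for t in TRUSTED):
        return "lookalike", domain
    brands = {t.split(".")[0] for t in TRUSTED}
    if any(b in name.lower() for b in brands):
        return "brand-spoof", domain  # "Amazon" in display name, address elsewhere
    return "unknown", domain


# Constructed sample headers for a quick run; none are real messages.
SAMPLES = [
    "Amazon.co.uk <order-update@amazon.co.uk>",
    "Amazon Deals <offers@amazan.com>",
    "Amazon <no-reply@mail-service-1234.example>",
    "Bob <bob@example.org>",
    "garbage",
]


def classify_all(headers=SAMPLES):
    return [classify_sender(h) for h in headers]


if __name__ == "__main__":
    for h, (verdict, dom) in zip(SAMPLES, classify_all()):
        print(f"{verdict:11s} {dom!s:28s} <- {h}")
```

The verdicts only look at the header the sender controls, so "trusted" here means "worth reading", not "authenticated"; that is the job of DMARC on the receiving side. The point of the lookalike tier is the one in the post: the eye autocorrects amazan to amazon, a string comparison does not.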

Some weeks ago I was caught out by what was actually a test at work - a link to digitally sign an updated contract. As I have had to digitally sign contract updates before and my agent had called me the week before to confirm that my contract had been updated as requested, the timing made it very plausible.

Reply to
SteveW

I can tell you that it would be very useful when your local branch and all the nearby alternatives have closed down one by one, the more distant alternatives are all shut at the times you can get there (i.e. they only open for office hours) and the only Saturday opening branch left is on the city centre high street, in a pedestrianised zone and you have walking difficulties! Unfortunately, our bank doesn't offer this service.

Reply to
SteveW

Some banks have offered that service for a number of years now and I have not been hearing of problems. The sending bank can still decline to pay it, just as with a paper cheque.

At least one bank used to allow established customers to pay in a cheque at a branch and vouch for the sender (a relative, friend or well known business, HMRC, etc.) to confirm that the cheque was unlikely to bounce and (at the customer's risk) they would credit the account immediately, rather than waiting for the cheque clearing service to deal with it.

Reply to
SteveW

When gathering-in an estate, yes, also four cheques/week when you get a couple of dozen tiny dividend backlog cheques all within a few pence of the same amount.

Reply to
Andy Burns

Certainly not new as I've had it with my bank and also with my investment platform. In the latter case they rang in response to an issue I raised and I still had to go through the security questions, though of course I knew that they were who they purported to be.

Reply to
AnthonyL

They can display it in the clear, but I highly doubt they have it stored in the clear; they'll either obtain it from the bank's servers or have the intermediate PIN stored, and obtain your actual offset from the bank's servers.

Is the intermediate pin still stored on the magstripe?

Yes, you have to trust they wipe the result from memory afterwards, but they only display it for a few seconds.

Reply to
Andy Burns
