Coding Stephan

Fake banking security

I have a bank account at a bank (which I will not publicly shame for now), but I'm really frustrated with their "fake" security. I don't own a bank, nor do I work for one, but in my opinion they should think differently about security. I also propose some alternative security measures that I came up with myself.


Transfer money with the website

  1. Go to the website.
  2. Sign in to their app (with either PIN or fingerprint).
  3. Scan the QR code presented by their website.
  4. Press transfer money.
  5. Enter details (amount, other account and description).
  6. Press confirm transaction (this actually only makes the transfer pending).
  7. Open their mobile app again, and press OK in the prompt saying there are pending transfers.
  8. Check the amount and confirm with fingerprint (I believe).

I only needed a computer (not specifically my computer) and my mobile phone.

Transfer money with the app

This bank used to have a much nicer app than website, so my preferred way of transferring money is through the app rather than the website. This is where things get a little weird.

  1. Sign in to their mobile app (with either PIN or fingerprint).
  2. Press transfer money.
  3. Enter details (amount, other account and description).
  4. Press transfer money.
  5. Confirm the transfer with cloud-based face recognition.

I did not set up face recognition, nor do I plan to do so. I don't want them to have a 3D model of my face in the cloud, possibly in another country or even outside Europe. I REALLY don't see the point. Just let me transfer the money as I would through the website!

There is an extra mandatory verification if I want to transfer money with just the app. I see this as an issue! If you're a scammer, you probably have access to a computer but not to my cellphone. Scammers can trick people into scanning the scammer's QR code (thus granting access to my account on the website and letting them set up the transfer), and maybe even guide the victim through the app to confirm the malicious transfer. Having face recognition just for transfers through the mobile app is one big charade. The chance that an attacker gets physical access to my mobile phone is much smaller.

Please no cloud face recognition

Up until this point it might seem like I'm an advocate for cloud face recognition, but I'm not. In fact, I'll leave this bank if they start using face recognition for all transfers, regardless of where the transfer originates! There is always a privacy risk in using these features!

Alternative security measures

I get the point of security measures; sadly they are needed because there are a lot of scammers around. I gave this some thought and here are some alternative measures:

Limit differentiation

Allow your customers to differentiate limits between certain groups:

  • Previously used bank accounts (people you transferred money to in the last year).
  • Bank accounts that reside in the same country.
  • Bank accounts that reside in other countries (I would set this limit to 0).
  • Special contacts (for instance the country's tax authority, your own account at another bank, your mortgage).

If I need to pay a large sum to a specific bank account several times a year, that is not a strange transfer and the verification should be minimal. If I transfer a large amount to someone I have never contacted before... now that is something you must check. With the limits above, their limit would be 0 in my case, so I would first have to set up their account as a trusted account, with a 12-hour waiting period.

Withdraw lock on savings

To easily secure most of the money in the bank, you could provide some sort of "withdraw lock" on one or all savings accounts. With this lock in place, you can only add money to the savings account but not take money out of it. To remove the lock, you would need to request an unlock in the app, which would trigger a push message to the phone and an email to the customer, with a text like this:

Be aware, you requested to unlock your savings account. As of {now + 24 hours} you can withdraw money from your savings account. If you did not request this unlock, please contact your bank immediately.

This way you protect your customers' money without them having to worry about all their savings. I hear all these horror stories of elderly people who get all their savings stolen. This "lock" would prevent that, even if an attacker got access to their computer and was able to request removal of the lock. For all people above 60 (not sure if this is the correct age), this would also be the point where you call the customer and ask whether they really planned to remove the lock on their savings, and whether they perhaps need some additional assistance.

Delay suspicious transfers

Together with the limit differentiation, you could also delay strange transfers for, let's say, 48 hours and start calling the customer at the same time. Instead of transferring the money to this strange account right away, you can decide to delay the transfer. This allows you as the bank to stop the transfer before the customer loses money, instead of calling the customer after a strange transfer has already gone through, when there is nothing to be done about it anymore.
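As an added illustration (my own code, not the bank's or this post's), here is a small Python policy model that combines the three proposals above: per-group limits with a 12-hour wait for newly trusted accounts, a 48-hour hold on transfers over the group limit, and the 24-hour savings withdraw lock. The limit amounts, the Customer class and the rule that a trusted account counts as a previously used one are my assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Sample per-group limits (constructed; the post only fixes "other country" at 0).
LIMITS = {"special": 100_000, "previous": 10_000, "same_country": 1_000, "other_country": 0}
TRUST_WAIT = timedelta(hours=12)    # a newly trusted account becomes active after this wait
HOLD = timedelta(hours=48)          # over-limit transfers are held this long while the bank calls
UNLOCK_WAIT = timedelta(hours=24)   # the savings lock lifts this long after an unlock request


@dataclass
class Customer:
    country: str                                  # ISO country code, matched against the IBAN prefix
    special: set = field(default_factory=set)     # tax authority, mortgage, own account elsewhere
    history: dict = field(default_factory=dict)   # iban -> time of the last executed transfer
    trusted: dict = field(default_factory=dict)   # iban -> time the customer requested trust
    savings_locked: bool = True
    unlock_requested: Optional[datetime] = None

    def group(self, iban, now):
        """Classify the destination into one of the four limit groups from the post."""
        if iban in self.special:
            return "special"
        last = self.history.get(iban)
        if last is not None and now - last <= timedelta(days=365):
            return "previous"
        # Assumption: a trusted account that passed its waiting period counts as 'previous'.
        asked = self.trusted.get(iban)
        if asked is not None and now - asked >= TRUST_WAIT:
            return "previous"
        return "same_country" if iban.startswith(self.country) else "other_country"

    def request_trust(self, iban, now):
        self.trusted[iban] = now            # starts the 12-hour waiting period

    def decide(self, iban, amount, now):
        """('execute', now) within the group limit, else ('hold', release) so the bank can call."""
        if amount <= LIMITS[self.group(iban, now)]:
            self.history[iban] = now
            return ("execute", now)
        return ("hold", now + HOLD)

    def request_savings_unlock(self, now):
        self.unlock_requested = now         # would also send the push message and email

    def may_withdraw_savings(self, now):
        if not self.savings_locked:
            return True
        return self.unlock_requested is not None and now - self.unlock_requested >= UNLOCK_WAIT
```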

Conclusion

Scammers are getting smarter every day. By not implementing security measures like these, banks are (in my opinion) at least half responsible if people get scammed: you did not provide your customers with the right tools to protect themselves.

A lot of Dutch banks have an email address to which you should forward bank scam emails; by doing that you're helping the banks fight these scams. For most of them it's valse-email@{bank-domain}.