Most stupid message while flogging a shiter


Alan Prost

2 minutes ago, RoverFolkUs said:

I've listed MY reasons for why I don't accept bank transfers. I never said it's a fact.

You certainly seemed to state your reasons as fact...

There's absolutely no issue with you preferring cash - it's just that the reasons you've stated are factually incorrect or dubious.

Link to comment
Share on other sites

15 minutes ago, GrumpiusMaximus said:

i) You should use multi-factor authentication on every account that you can and in particular, banking apps where it has been the industry standard for over a decade and almost completely mitigates issues around your account details being stolen.

ii)  The transaction is highly unlikely to be reversed and banks only usually accept this if it's proven fraudulent.  Particularly if it has come from a current account.

iii)  See also ii)

iv) Fake banking apps are very, very rare and where they do exist, tend to exist on Android smartphones that are hideously out of date and should not be used.  Please provide an example of where you have seen numerous fake banking apps.

v) I've never had a transaction take more than 20 minutes, including transactions of over £10,000.

If someone gets hold of your bank card and phone, they could do quite a bit of damage. Given that most people in the British public have no idea about security it would be quite easy to find out any information to gain access to an account. 

The only way anyone can log into my account is with my card reader and pin number and some other information. Only I know the pin number. 

The bank gave me the option of using a pass number and text code. These could both be easily accessed by the third party? 

2 factor authentication is great, but that's not the principle here. 

Anything that allows access into a bank account without the pin number is not secure enough in my opinion

It's possible that the transaction could be reversed. It is not possible for the cash to disappear

I have not seen these apps, I'm not daft enough to fool for them. See again; because I do not accept bank transfers from strangers. 

Anyone who doesn't really know what they're doing or looking out for (e.g a large proportion of the public) is not going to be as wise or security conscious as yourself. 

That's all very well, but delayed payments can and do frequently happen. There's a guy on YouTube who is a car dealer  who frequently harps on about HSBC putting payments from his customers on hold. And he's a car dealer!

Link to comment
Share on other sites

7 minutes ago, GrumpiusMaximus said:

You certainly seemed to state your reasons as fact...

There's absolutely no issue with you preferring cash - it's just that the reasons you've stated are factually incorrect or dubious.

Well they're not facts, otherwise nobody would do a bank transfer. They are the risks that I perceive. 

I think you might find that most fraud victims are people that use mobile banking and the more convenient methods of using online banking. Coincidence?

Link to comment
Share on other sites

So a PIN, which is a fixed, four-digit password is more secure than a one-time use code?  The card reader is the second factor here in this case because it's something you have, combined with something you know.

How is the pass number generated?  If it's generated through an OAuth2-compatible application or an OTP token (also part of OAuth2) then that cannot be accessed by anybody else.   Text messages are less secure due to SIM cloning but still far more secure than a PIN.  A PIN and an OAuth2 single-use code is best practice.

Link to comment
Share on other sites

6 minutes ago, GrumpiusMaximus said:

So a PIN, which is a fixed, four-digit password is more secure than a one-time use code?  The card reader is the second factor here in this case because it's something you have, combined with something you know.

How is the pass number generated?  If it's generated through an OAuth2-compatible application or an OTP token (also part of OAuth2) then that cannot be accessed by anybody else.  Text messages are less secure due to SIM cloning but still far more secure than a PIN.  A PIN and an OAuth2 single-use code is best practice.

Sorry but a passnumber issued by the bank with a text code is not more secure than using your bank card, its pin number and the randomly generated 8 digit code. 

A crook would need;

My card

Its pin number 

My customer reference number

If they guess the pin incorrectly too many times access will be frozen. 

Only I know the PIN code. It's not written down anywhere and they won't be able to request a reminder. 

If my mobile phone was stolen with the app on it, they have far too much ability to get into the bank for my liking. 

Banking apps are a stupid idea - because people don't know how to use them securely 

Link to comment
Share on other sites

30 minutes ago, petermcpete said:

Jesus christ. The guy prefers cash. Why are people so militant about this?

I've taken large sums in cash before as well, but I definitely find counting out a grand from an envelope much more stressful than sending money through the bank.

I’ve had someone before who wanted to go to the bank with me and deposit the money, probably the best of both worlds although you do have an awkward drive there and back making small talk.

Link to comment
Share on other sites

2 minutes ago, RoverFolkUs said:

A crook would need;

My card

Its pin number 

My customer reference number

If they guess the pin incorrectly too many times access will be frozen.

To gain access to my bank account via my banking app, said crook would need to know the PIN to get into my phone, then the 8-digit PIN to get into the banking app.  The chances of anyone guessing both of those correctly in whatever number of attempts you get before everything freezes up are infinitesimally small.

Link to comment
Share on other sites

I love bank transfers.

Sold the Nissan on here to @2MB, money in account in seconds. Didn't have to go to the bank to lodge it. Bank is a couple of miles away and has odd opening hours. Transfer is done there and then.

Even when I sent our solicitor the house deposit, it was in the account in minutes and it was only a standard BACS transfer.

 

Link to comment
Share on other sites

17 minutes ago, RoverFolkUs said:

If someone gets hold of your bank card and phone, they could do quite a bit of damage.

* Impossible if you are using an app, that's the whole point.

Given that most people in the British public have no idea about security it would be quite easy to find out any information to gain access to an account. 

*Most people? Again, that's what apps are for, they are designed to keep Joe Soap safe.

The only way anyone can log into my account is with my card reader and pin number and some other information. Only I know the pin number. 

*Much less secure than an app.

The bank gave me the option of using a pass number and text code. These could both be easily accessed by the third party? 

* A one time password. Pretty secure really.

2 factor authentication is great, but that's not the principle here. 

*So you're talking about principles not facts.

Anything that allows access into a bank account without the pin number is not secure enough in my opinion

*Read what you've just written man. Pin numbers are much less secure than 2FA.

It's possible that the transaction could be reversed. It is not possible for the cash to disappear

* As said by someone above, reversing a transaction is NOT possible without heavily involving your bank.

I have not seen these apps, I'm not daft enough to fool for them. See again; because I do not accept bank transfers from strangers. 

*You're making no sense by this point.

Anyone who doesn't really know what they're doing or looking out for (e.g a large proportion of the public) is not going to be as wise or security conscious as yourself. 

*Again, that's the point of apps.

That's all very well, but delayed payments can and do frequently happen. There's a guy on YouTube who is a car dealer  who frequently harps on about HSBC putting payments from his customers on hold. And he's a car dealer!

*How much are those for? To us average shiters, a single payment of £2 or 3k will not be stopped. 

Sorry, as someone who is a risk Manager for a team who builds and maintains an online financial dashboard and a mobile app, I feel I should highlight a few things. I have added my comments within your quote and highlighted them with an asterisk.

Link to comment
Share on other sites

Just now, wuvvum said:

To gain access to my bank account via my banking app, said crook would need to know the PIN to get into my phone, then the 8-digit PIN to get into the banking app.  The chances of anyone guessing both of those correctly in whatever number of attempts you get before everything freezes up are infinitesimally small.

If you have that set up and use it properly, then great. But a lot of people can't distinguish the difference between convenience and security and will happily use the easiest method available.

Or simply have their pin code as 1234 on their phone, then have the bank's passnumber pin written in their phone notebook, then crook gets a one time passcode sent to said phone. And voila

In fairness, most of the issues stem from user error and a complete lack of education on the subject of online security 

Link to comment
Share on other sites

6 minutes ago, RoverFolkUs said:

Sorry but a passnumber issued by the bank with a text code is not more secure than using your bank card, its pin number and the randomly generated 8 digit code. 

A crook would need;

My card

Its pin number 

My customer reference number

If they guess the pin incorrectly too many times access will be frozen. 

Only I know the PIN code. It's not written down anywhere and they won't be able to request a reminder. 

If my mobile phone was stolen with the app on it, they have far too much ability to get into the bank for my liking. 

Banking apps are a stupid idea - because people don't know how to use them securely 

So how is a four-digit PIN that can be beaten out of you more secure than a quasi-random code that cannot be intercepted without the physical device?  The pass code isn't issued by the bank, it's issued by the OAuth2 provider (OAuth2 is open-source and heavily scrutinised) and is an open standard. 

I don't want to bore you to tears but the codes are generated based upon the time of setup and cannot be practicably replicated by a third-party.

Link to comment
Share on other sites

2 minutes ago, Split_Pin said:

Sorry, as someone who is a risk Manager for a team who builds and maintains an online financial dashboard and a mobile app, I feel I should highlight a few things. I have added my comments within your quote and highlighted them with an asterisk.

 

14 minutes ago, Split_Pin said:

If someone gets hold of your bank card and phone, they could do quite a bit of damage.

* Impossible if you are using an app, that's the whole point.

If someone's wallet and phone gets stolen then someone can receive the OTP to access the account, no? 

14 minutes ago, Split_Pin said:

Given that most people in the British public have no idea about security it would be quite easy to find out any information to gain access to an account. 

*Most people? Again, that's what apps are for, they are designed to keep Joe Soap safe.

Regarding most people - I mean more to the point that some people will save the codes in their phone notebook. Not the bank's or app's fault, admittedly. 

15 minutes ago, Split_Pin said:

The only way anyone can log into my account is with my card reader and pin number and some other information. Only I know the pin number. 

*Much less secure than an app.

Someone would need my customer ref number, card, and pin number to generate the random code? I take steps to stop that happening

With a passnumber and text OTP, if someone gets the passnumber (open to being saved in the phone's notebook?) and the OTP sent to the stolen phone, access granted

15 minutes ago, Split_Pin said:

2 factor authentication is great, but that's not the principle here. 

*So you're talking about principles not facts.

No, regarding the principles of 2FA it's different to using an OTP to access the bank. 2FA is about logging in with a username and password and then receiving a text message or whatever. Using a passnumber that is not random and a text message to log in is not secure enough if someone has got hold of your phone

16 minutes ago, Split_Pin said:

Anything that allows access into a bank account without the pin number is not secure enough in my opinion

*Read what you've just written man. Pin numbers are much less secure than 2FA.

Again, it's not 2FA. Logging in and then getting a text message, great. But that's not what happens

16 minutes ago, Split_Pin said:

I have not seen these apps, I'm not daft enough to fool for them. See again; because I do not accept bank transfers from strangers. 

*You're making no sense by this point

I'm not too sure how that doesn't make any sense. I haven't personally seen these apps because I don't entertain bank transfers. Therefore nobody has ever tried it on me

16 minutes ago, Split_Pin said:

Anyone who doesn't really know what they're doing or looking out for (e.g a large proportion of the public) is not going to be as wise or security conscious as yourself. 

*Again, that's the point of apps.

People will install and use these apps without the first idea of security. They'll write their pin numbers down in stupid places. It's their own fault, but it happens thanks to these "convenient" apps

17 minutes ago, Split_Pin said:

That's all very well, but delayed payments can and do frequently happen. There's a guy on YouTube who is a car dealer  who frequently harps on about HSBC putting payments from his customers on hold. And he's a car dealer!

*How much are those for? To us average shiters, a single payment of £2 or 3k will not be stopped

So he claims - most of his transactions are under £5k. That's both sending and receiving

Link to comment
Share on other sites

15 minutes ago, GrumpiusMaximus said:

So how is a four-digit PIN that can be beaten out of you more secure than a quasi-random code that cannot be intercepted without the physical device?  The pass code isn't issued by the bank, it's issued by the OAuth2 provider (OAuth2 is open-source and heavily scrutinised) and is an open standard. 

I don't want to bore you to tears but the codes are generated based upon the time of setup and cannot be practicably replicated by a third-party.

I'm on about the passnumber which is not randomly generated and a one time code sent to their phone. This cannot be secure. 

If the phone is stolen, someone may have the passnumber saved in their phone and all they need to do is request the code as a text message, sent to said stolen phone.

Link to comment
Share on other sites

6 minutes ago, RoverFolkUs said:

With a passnumber and text OTP, if someone gets the passnumber (open to being saved in the phone's notebook?) and the OTP sent to the stolen phone, access granted

My banking app requires a device screen lock and another lock to get into the app.  Can't open the text without unlocking the phone.

Also if you're trying to login through the webpage on a laptop/desktop, it'll send a notification through the app to verify or an automated call where you've to put a pin code in.

It's very very unlikely for anything to happen unless you're a bit thick and got phished and gave someone codes and details.

Link to comment
Share on other sites

2 minutes ago, Spurious said:

My banking app requires a device screen lock and another lock to get into the app.  Can't open the text without unlocking the phone.

Yep that's great if the user sets it up as such. Some people will not have enough security in place to prevent this.

For example - hiding the contents of notifications when locked or having a secure code altogether. 

Some people will use the fingerprint scanner but set the phone lock code to "1234" as they never use it and think it's unimportant
 

Link to comment
Share on other sites

This is like my dad

 

"I don't trust tapping my card on the machine. It can't be safe without using the PIN. So I type the PIN in every time"

"But you don't understand how it works, so why assume that it's unsafe?"

"It doesn't matter. I'll still do it this way whether it's right or wrong"

 

It is ok (usually) to do things your way, but there's no point arguing it's the best if you don't know what you're talking about. 

Link to comment
Share on other sites

1 hour ago, petermcpete said:

Jesus christ. The guy prefers cash. Why are people so militant about this?

This is AS. 

No preferences outside of the norm allowed, no modification of any part of any car ever as anything that isn't standard is ruined beyond economic repair with no exceptions - and if you want to buy a car from someone, if you message them any questions of any kind at all instead of just saying "Yes I will purchase this for the full price, please let me know when suits to collect I trust you entirely", screenshots of the conversation will automatically be uploaded to an encrypted online album called "TiMeWaStErS" and shared globally, you'll get an automated message on every form of communication you own calling you a cunt, and the police will immediately be despatched to your last known address. 

Link to comment
Share on other sites

23 minutes ago, RoverFolkUs said:

Yep that's great if the user sets it up as such. Some people will not have enough security in place to prevent this.

The app won't install without a screenlock. 

So for someone to get in fraudulently. 

They would need 

My screen lock. My username. My 12 digit password. My 6 digit second passcode. An OTP. 

It's getting into the realms of unlikely. There's easier ways to phish money out of people. 

Link to comment
Share on other sites

@RoverFolkUs Just to clarify on this:

"No, regarding the principles of 2FA it's different to using an OTP to access the bank. 2FA is about logging in with a username and password and then receiving a text message or whatever. Using a passnumber that is not random and a text message to log in is not secure enough if someone has got hold of your phone."

Two-factor authentication refers to two different modes of security i.e. something you have, something you know or something you are.

An OTP code is not just the code, it is the fact that it is generated on a device.  So to log into the account you have to have both the password (something you know) and the device (something you have).  If your phone is also locked with a fingerprint, you're adding in a third factor (something you are).

Any single factor on its own is insufficient but the point is that you layer them together.

The most common issue is simple password theft for an account.  If somebody has your password and that's the only factor, it's easy to log in from wherever.  However if they also need a physical device then it doesn't matter if they have your password - without your phone or the token it's useless and - even better - some applications ask for your approval to log in with a notification so you can see that somebody else is trying to access your account.

That information stored in your head with your PIN number is fuck all use when somebody is hitting you with a 3-foot bar.  By which point, they've already stolen the cash that you had in your inside pocket.  Chances are, if they get your phone then they'll also get your cash - which you can also easily lose.

The OAuth2 pass numbers are random enough that they cannot be guessed or brute forced and they also expire quickly.  The text messages are less secure and there is the potential for interception but at that point you're dealing with a targeted attack on your number - which is unlikely.

Read these and crack on:

https://en.wikipedia.org/wiki/Multi-factor_authentication

https://en.wikipedia.org/wiki/OAuth

Link to comment
Share on other sites

9 minutes ago, Spurious said:

There is a legitimate weakness to Text OTPs.

Given it's based on physical sim cards, people have had replacement sim cards fraudulently ordered and all of a sudden calls, texts and data go to a new device that's not your own.

https://www.theguardian.com/money/2020/sep/13/sim-swap-is-on-the-rise-how-can-you-stop-it-happening-to-you

 

Absolutely and SMS OTPs are nowhere near as secure as app-based or token-based OTPs.  However it's still better than just having a password and nothing else.

The Microsoft Authenticator app is particularly good because it really does just lock down to one device.  Even if your number stays the same and you get a new phone, the OTP setup doesn't migrate.  So either you need the old phone to migrate it across or you need to ask an administrator (in an Enterprise setup) to clear the authentication for you.

Link to comment
Share on other sites

This has diverted to have nothing to do with the original point - a bank transfer can be reversed (yes, it can) and cash cannot. 

I don't have any intention of dealing with someone who's going to repeatedly club me with a 3ft pole. I think the car sale would become somewhat irrelevant if it turns into a mugging. Then it might be a police matter. A car sale going sour will not be a police matter. 

The security behind OTPs has nothing to do with bank transfers. I'm not too sure why the focus turned to that point. 

The point remains, people can cause a lot of aggro with a bank transfer which simply isn't present with cash

Link to comment
Share on other sites
