The is a direct correlation between security and fraud related interest/insurance in regards to the cost of use and exposure to fraud.
They aren't out to "destroy" your security, it's a liability threshold calculation. At the end of the day secure yourself in life, this include choosing banks that are more stringent based on your needs and what you want to pay.
Most Dutch banks (except for ING, which does still use SMS) use hardware devices that use the chip on your debit card to authenticate. You unlock the chip with your PIN, enter the challenge code supplied by the banking website for the transaction, and the device shows you a one time code you enter in the banking website. This is a decade old technology that works rather well.
Same in Ireland. In France I've also seen a combination of SMS and pre-shared secret (SMS asking for a code from a grid printed in a small card you can store in your wallet).
I don't know but I've been using this technique for a year or two now with great success. The Google authenticator just stores its secrets in the salute db every app gets.
Autocorrect kicked in there... sqlite* (it is absurdly difficult to put an asterisk at the end of a message on HN. it seems to require a trailing whitespace[1] for it to show up, however the input is trimmed, so...)
I have not, but I have extracted the backup with https://sourceforge.net/projects/adbextractor/ and inspected the contents, visually confirming the secrets are there. Even if a restore doesn't work, I can re-enter them manually from the information in the sqlite database. However I fully expect a restore to work.
Thats exactly why I copy and save every 2fa QR Code in my KeePass database, along with backup codes. Phone changed? No worries, install Google Auth, rescan those QRs, and voila, your 2fa system is back and running !! :)
Most 2FA services that allow authenticators offer recovery codes. I keep the recovery code saved in my password manager, and if I ever lost my phone I use that to log into the site and then get a new QR code.
Yes, that's also a way, but why not save the QR code first time you see it, instead of loosing it, resetting with recovery code, and then again getting a new one? Recovery codes are fine, and should be kept safe and such, but also the Original QR code can also be saved and screenshot. That way, phone lost? open database, load QR code, scan in new phone.
I have used Yubico's U2F key since shortly after they came out (Nov 2014). They are very robust and relatively cheap. Moreover, in contrast to some cheaper keys, they require physical confirmation by a finger press.
"What is better? Authenticator apps/hardware devices?"
Mobile signature (SIM-based)(0) is the most secure method as far as I've seen in banks. Citing wiki: "supporting the authentication on the Internet with a parallel closed network like mobile/GSM and a digital signature enabled SIM card is the most secure method today against the man in the middle attack."
The ACH model is fundamentally insecure: anyone who knows your account number can pull money from it, and the protocol makes no allowance for the bank to check with you first. I don't think choice of bank matters very much.
You can manage your risk somewhat by:
1) Using credit and not debit cards for day to day spending.
2) Maintaining your long term wealth in separate accounts at separate institutions and not linking them directly to anything except your checking
account. This minimizes what can be stolen if your checking account is compromised, and makes it less likely that your savings can be stolen directly (account number is used in fewer places).
3) Turning on all the alerting and notification settings you can find, so that you'll hear about unauthorized activity immediately.
I read somewhere that companies that do a lot of ACH payments use different accounts for receiving and sending payments. The receiving account is locked so that it can't send and the sending account is supposed to stay secret. I don't know if that actually works in practice, though.
Yeah but for 90%+ of transactions, if you are being paid by a company, you can almost always request a paper check instead of an ACH transfer (sometimes with a fee). In that case they either have yet another account for check writing (which won't be "secret") or they give away their "secret" ACH account.
Why they keep that system? In most of Europe you got "normal" banking system where you can give everyone your account number and worse thing they can do is to put some money there.
In US it seems #freemarket is putting externalities (security) on the customer.
ACH is a service of the Federal Reserve, actually.
It also provides wire transfers, which are a little more secure because they're push only, but also less secure because they're instantaneous and irreversible. All banks charge at least ~$15 per transaction and they're really only used for high value, time sensitive deals.
For SEPA-DD, 8 weeks is for no questions asked refund; in general for non-authorised payments you have 13 months to request a refund, but if it's 8+ weeks they can verify the lack of direct debit mandate before hand - but it seems to be the policy of most banks that they'll refund anyway immediately and let the merchant handle the problems.
So what? Someone set up a direct debit, he can just cancel it and get the money back. Of course it will take a bit (a few seconds with online banking nowadays) but you wouldn't lose any money. There's no way someone can get money from a UK bank account by just knowing the account number, assuming that you check your account regularly.
I had somebody buying products on Amazon using my company's IBAN numbers. Amazon were super frustrating to deal with. They kept asking for my amazon account details and I kept explaining that the company doesn't have an amazon account. They didn't know how to proceed ! But in the end they did reverse the charge.
My girlfriend had somebody buying groceries using her numbers. They just write numbers in and signed the sheet of paper at the store. The store refused to take responsibility for doing this without ID-ing the person. The police were more understanding.
My CEO went to a local large bank and demanded as a condition of his business with them that they have an out-of-band communication (a phone call or SMS or whatever) with him before any outbound wire transaction can be attempted. They rejected his condition because they interpreted it as both (1) added liability due to all of the customers that could potentially claim they should have been similarly protected and (2) too much effort/cost/resources/whatever.
I don't deny that there are _corporatist government regulations_ (which largely prevent the best qualified engineers/entrepreneurs from wanting to tackle the consumer fintech problems), but banks are dragging their feet and the #freemarket hasn't developed a viable alternative yet.
The business model of all fintech is to ensure straight-through processing for as close to 100% of transactions as possible; if you have slightly more manual processing than competitors, then you can't be competitive price-wise.
A requirement "out-of-band communication [..] before any outbound wire transaction can be attempted" easily turns the processing cost (not price) from $0.02 to $20+ per transaction, a thousandfold increase, and that's assuming that this'd be offered as standard product and not a special case for a single customer.
If it's not made as a standard product, then it's really painful - it would mean that either the whole staff&systems would have to be trained for that customers needs (not likely unless you're bringing 10+% of the whole bank's revenue) or the customer wouldn't be able to use any standard banking channels ever, not the normal branches, not the normal online services, not the normal call centres, only directly through your private bankers.
I never experienced this directly, but when Chip'n'Pin first came out, wasn't it the case that some European banks held customers responsible when it got hacked? The theory was apparently that it was "impossible" to hack Chip'n'Pin so something must have been the customer's fault...
Isn't it still impossible? You can only hack it if you can guess the PIN or in cases where the victim wrote it on the card. The latter happens quite often and this is where banks sometimes refuse to pay.
If you keep your PIN secret it's a very secure system (unless the attacker is very lucky).
They aren't out to "destroy" your security, it's a liability threshold calculation. At the end of the day secure yourself in life, this include choosing banks that are more stringent based on your needs and what you want to pay.