Both a good and bad idea. Obviously dependency on a side/control
channel limits this.
Better? Mix and broadcast authentication beacons over the audio
channel. If it got there, by whatever transport the audio did, you're
good to use them as a MAC against some key.
Sure, what I'm specifically addressing is "can we do it without the
internet bit?", because as a security solution I see it as a bit of a
problem relying on that. Since the person is calling with a duplex
audio link already, by GSM or whatever, why not use that?
There are many, many ways (modems of a kind) of putting an (almost)
inaudible signal into audio. Those could easily be short message
authenticators, just a sequence of digits that derive from some frames
of the audio, they might sound like little high frequency blips. Can
you see how that might work?
[edit]
Forgot to say; those frames would get hashed along with some private
part of a public key, or sym-key that only you (the user) has. A fake
caller wouldn't be able to spoof them easily, and so they wouldn't
decode at the client side correctly.
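A sketch of the frame-derived short authenticator described in the post above, added here as an illustration and not code from any participant in the thread. It takes the symmetric-key variant (HMAC-SHA256 truncated to digits, HOTP style) and leaves out the modem that would carry the digits as in-band blips. Assumptions: the function names, the frame size and the window index are hypothetical, and both ends are assumed to see bit-identical frames, which a lossy voice codec would not give you without a robust audio fingerprint in place of the raw bytes.

```python
import hashlib
import hmac
import struct

FRAME_BYTES = 320  # assumption: 20 ms of 8 kHz 16-bit mono PCM per frame


def beacon_code(key: bytes, window_index: int, frames: list[bytes], digits: int = 6) -> str:
    """Short digit authenticator over one window of audio frames."""
    # Bind the code to its position in the call, then to each frame's hash.
    mac = hmac.new(key, struct.pack(">Q", window_index), hashlib.sha256)
    for frame in frames:
        mac.update(hashlib.sha256(frame).digest())
    tag = mac.digest()
    offset = tag[-1] & 0x0F  # HOTP-style dynamic truncation
    value = struct.unpack(">I", tag[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_beacon(key: bytes, window_index: int, frames: list[bytes], received_code: str) -> bool:
    """Recompute the code from the audio actually heard and compare in constant time."""
    expected = beacon_code(key, window_index, frames, len(received_code))
    return hmac.compare_digest(expected.encode(), received_code.encode())


def constructed_frames(seed: bytes, count: int) -> list[bytes]:
    """Deterministic stand-in for captured PCM frames (constructed sample data)."""
    return [hashlib.shake_128(seed + bytes([i])).digest(FRAME_BYTES) for i in range(count)]


def demo() -> dict:
    shared_key = b"constructed-demo-key-not-for-use"  # constructed, held by bank and user
    frames = constructed_frames(b"call-audio", 5)
    code = beacon_code(shared_key, 0, frames)  # digits the caller would send in-band
    tampered = frames[:2] + [bytes(FRAME_BYTES)] + frames[3:]  # one frame replaced
    return {
        "genuine": verify_beacon(shared_key, 0, frames, code),
        "wrong_key": verify_beacon(b"some-other-key", 0, frames, code),
        "altered_audio": verify_beacon(shared_key, 0, tampered, code),
        "wrong_window": verify_beacon(shared_key, 1, frames, code),
    }


if __name__ == "__main__":
    print(demo())
```

A six-digit code gives a one-in-a-million chance of a blind guess passing per window, so a verifier would want several consecutive windows to check out before showing the caller as authenticated.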
> what I'm specifically addressing is "can we do it without the internet bit?",
Monzo could open some branches, where it's somebody else's problem to verify the identity of the staff in the building and you can be quite certain the person behind the desk is in fact an employee.
Well tbh with you that's how I bank, and I agree with you.
I think that "app based" banking is a shitshow, and will only get
worse, and ultimately more insecure. The entire economic strategy of
dehumanisation is a catastrophe in the making.
And clearly there is no genuine market demand for it, people hate it
with a passion, but it's being forced on the population, probably for
other reasons more nefarious than "convenience" or "efficiency".
That said, if you're going to do telephone banking with another actual
human over an audio or AV channel - which is an acceptable mode of
interaction for me - then you may as well employ that information
stream for more sophisticated authentication as we go into the age of
AI deep-fake voices and video.
Because authentication doesn't need a terribly large bandwidth,
indeed we can do it with a tiny amount, side-channels within the audio
stream seem a good leverage point.
Do you think telephone-based banking is more secure than app-based banking? What's your argument for that?
My experience with talking to banks on the phone has been that common security measures seem laughable to me - like "last four digits of your SSN" laughable.
Good question. Yes I think it's more secure if complemented with other
good mechanisms. I agree that the current state of most voice based
schemes is pretty poor. But those that involve a separate codebook can
be quite tight.
Like all things it's more secure in the hands of people moderately
educated in protocols and sufficiently sceptical.
A general security problem, perhaps a paradox, is that the more we try
to hide it for "convenience", the more opaque and automatic, the more
people come to blindly depend on the mechanism at some other layer and
stop thinking.
I suppose what makes voice based interaction more secure is that it's
slower. It gives more time for levels of security in depth and for
people to figure out something is amiss.
But we'll have to see how that pans out with sophisticated
voice-spoofing technology because I expect most people, even well
educated and sceptical ones, are easily flipped into trust mode by the
sound of a seemingly familiar voice and some clever replay attacks.
How do you expect that to work? Their app would either need to have access to all your phone calls, or you'd need separate hardware to detect and authenticate the audio?
Correct, an app would need to read the audio stream and do some
preparatory DSP to extract audio short codes.
Of course you could build standards in at a point closer to the radio
basebands. I mean, why is basic source authentication not built in as
far back as SS7 given we had the technology even in the 1970s?
The only time you'd be using the app would be if receiving a call from
an untrusted caller. And if you don't trust the app period, then the
game is off anyway. In theory the same app could hold certs from a
number of "trustworthy" sources you might like to check; much like a
TLS certificate.
But in the end you'd wind up with too many, and hard to keep track of,
and then buffoons like those from the EU commission would be wanting
to "force trust" upon you to authenticate "approved government
sources" - which sadly is the problem with all source authentication
schemes that work with PKI this way. You really need to keep the
application layer relation 1-to-1.
I prefer simpler, elegant solutions - like your bank should never
call you or push ANYTHING, which is why I called it both a good and
bad idea, and generally I distrust the whole ecosystem of "apps"
anyway.