
Thread: On-line Banking

  1. #31
    Join Date
    Oct 2009
    Location
    a long way away
    Posts
    10,827
    Quote Originally Posted by grant hutchison View Post
    I must say I have the reverse experience - sending cheque, easy; paying on-line, annoying.
    Apart from the scams (that the questions the banks ask on the phone are to avoid) I think cheques are higher risk than on-line. Much easier to steal and (in some countries) cash over the counter.

    Also, the delay can cause problems. I would be very wary of buying a high value item with a cheque, especially from a private seller: you give them the cheque, come back 3 days later to collect the car (or whatever) and find they have disappeared.

    There is also some weird scam involving cheques for too much so they ask you to give them some cash back (or something).

  2. #32
    Join Date
    Jul 2005
    Posts
    18,330
    Yes, there are risks with all payment methods, and things you can do to limit your exposure. Signed-for delivery or collecting personally from a local branch gets around the potential for mailbox theft of chequebooks, for instance.
    Buying high-value items from unknown private sellers is the situation for which the phrase caveat emptor was invented. I can't think of the last time I bought a high-value item anywhere other than on the premises of a physical shop. Selling high-value items to unknown purchasers is another high-risk endeavour.
    The cheque-overpayment scam involves a purchaser sending a cheque for more than the requested amount, and asking for a refund of the excess before the cheque has cleared. The cheque then bounces or is cancelled. It only works if the person accepting the cheque doesn't understand cheque clearing, and doesn't check with their bank.

    Grant Hutchison

  3. #33
    Join Date
    Oct 2006
    Posts
    3,805
    Quote Originally Posted by grant hutchison View Post
    So we do bank transfers using the telephone and a person who works for the bank. This now involves answering a whole list of questions designed to check if we're being scammed in some way - whether the money is being transferred in response to an unexpected telephone call, whether the payee's bank details have been "updated" by email, and so on. All really good, sensible stuff.
    In the advertisements I see for on-line banking, people just seem to tap a few buttons on their phone and then drive the car out of the showroom. Which seems to skip merrily past all the useful checks we're subjected to when we phone the bank. Have the advertisers simply omitted a whole bunch of check-boxes in their depiction of the process?
    Yes, the ads are leaving out steps. But it sounds as if you're describing two different kinds of transactions, which might be another part of the explanation as well. In your phone scenario, it looks as if you're receiving money, and in the buying-stuff scenario, you'd be spending money. In the former case, they're trying to make sure that the sender really is sending what you think (s)he's sending. The equivalent doesn't really apply for spending; you're really just sending money, not tricking someone else into thinking you're sending it. The bank knows the sender in one case and doesn't know the sender in the other case.

    Also, on the steps that aren't shown in car-buying ads...

    A car is more likely to be bought using a loan than entirely with saved money. I haven't had an automobile loan recently, but I have had other loans from my credit union. (If the non-Americans aren't familiar with the phrase "credit union", just thinking "bank" is close enough for now.) My credit-union loans involved filling in time-consuming application forms with whatever questions they wanted to ask me, waiting days for a response, signing a paper agreement, sending it back, then waiting some more for the money to actually arrive. If there had been somebody else like a car dealer waiting for my loan, there would also have been some preliminary communication between the car dealer and the credit union about me and my loan, while I waited for the car dealer to make sure they'd get their money, well before either money or a car actually changed hands. By the time I was hypothetically at the dealer getting my car, any quick final OK signal I might send through my phone at that moment would just be essentially "OK, now I'm finally doing that thing we've all been preparing for for the last couple of weeks".

    In real life, I've only bought a couple of very cheap used cars, without loans, and it was about as quick & easy as any other purchase with cash or a card... but the banks/CUs had no reasons to ask me where I'd gotten the money from in those cases because they already knew it was my money anyway.

    Since you also brought up "bank transfers": I also recently needed to start a new account at a new credit union and transfer some money to my old one. (I moved from Harrisburg, Pennsylvania to between Buffalo and Niagara Falls, New York, and continue to use the old Pennsylvanian CU, but I can't directly deposit money into it here, so I needed a new local account just to make a few deposits and move them.) Once the account was created, linking the two for transfers required filling in a form at one's website with all the information on the other one, then waiting a couple of days for a tiny test deposit so I could answer a question about what the amount was (to establish that the other account was really mine). Then the big transfer I'd done all this to set up still took another few days for the receiving CU to be sure that it was a real deposit, not one of those fake scammy disappearing deposits, before the money was actually available for me to use. So again, if I'd been waiting for that money to make a big purchase, the moment of the purchase could have looked sudden and quick, but only because it was simply my money by that time; the delay while the bank took its precautions happened off-camera before I went to the store & actually bought the thing.

  4. #34
    Join Date
    Jul 2005
    Posts
    18,330
    Quote Originally Posted by Delvo View Post
    Yes, the ads are leaving out steps. But it sounds as if you're describing two different kinds of transactions, which might be another part of the explanation as well. In your phone scenario, it looks as if you're receiving money, and in the buying-stuff scenario, you'd be spending money. In the former case, they're trying to make sure that the sender really is sending what you think (s)he's sending.
    No, in the phone scenario, I was describing the process of sending money to another person - calling our bank and authorizing a bank transfer to the other person's account. So the same process as was being (purportedly) depicted in the car-purchase advertisement, which was (allegedly) a depiction of the joys of being able to zap your money around with your phone. See dream car; get excited and check available funds using phone outside showroom; march into showroom; do stuff on phone in presence of grinning salesperson; drive away in car, salesperson waving happily, girlfriend swooning orgasmically in passenger seat. Just in terms of transferring car ownership, insurance and tax it seems unlikely - but my interest was in the depiction of the transfer of funds.

    Interestingly, there was a news story in the UK recently about a man who lost 193,000 by transferring it to the wrong account - an error of a single digit in the sort code. To me, there are two remarkable things about it - one is that the bank didn't cross-check account number against name, and the second is that the lucky recipient of the mis-transferred funds seems to have (so far) been able to refuse to return the money.

    Grant Hutchison

  5. #35
    Join Date
    Oct 2009
    Location
    a long way away
    Posts
    10,827
    Quote Originally Posted by grant hutchison View Post
    Interestingly, there was a news story in the UK recently about a man who lost 193,000 by transferring it to the wrong account - an error of a single digit in the sort code. To me, there are two remarkable things about it - one is that the bank didn't cross-check account number against name, and the second is that the lucky recipient of the mis-transferred funds seems to have (so far) been able to refuse to return the money.
    They were supposed to have systems in place by now to stop this. Although I had a similar problem about 30 years ago when doing a bank transfer the old-fashioned way (go to the branch and give them the details). Someone in the bank made an error transcribing one of the numbers and the money disappeared into thin air.

  6. #36
    Join Date
    Jul 2005
    Posts
    18,330
    Quote Originally Posted by Strange View Post
    They were supposed to have systems in place by now to stop this. Although I had a similar problem about 30 years ago when doing a bank transfer the old-fashioned way (go to the branch and give them the details). Someone in the bank made an error transcribing one of the numbers and the money disappeared into thin air.
    Yes, it's all going to be fixed Real Soon Now.
    The story is doubly interesting for me, since I recently had a not-insignificant insurance pay-out, and I deliberately requested a paper cheque rather than a bank transfer. I scanned the cheque for my records, walked it down to the bank, identified the pay-in account with a bank-issued chip-and-pin card, and came away with a paper receipt. The liability if the money went astray was entirely with my bank.

    Grant Hutchison

  7. #37
    Join Date
    Oct 2001
    Location
    British Columbia
    Posts
    2,991
    Quote Originally Posted by Strange View Post
    I know people who hardly ever use cash - they pay for just about everything with a card.
    I'm one of those people. In the last 12 months I've only spent $615 in cash, more than half of that while on holiday.

    Quote Originally Posted by grant hutchison View Post
    Buying high-value items from unknown private sellers is the situation for which the phrase caveat emptor was invented. I can't think of the last time I bought a high-value item anywhere other than on the premises of a physical shop. Selling high-value items to unknown purchasers is another high-risk endeavour.
    I've sold vehicles privately and only completed the transfer after receiving cash or attending at the bank with the purchaser to confirm the funds were transferred. Other items in the range of $500-1000 I bought or sold were done with cash, and for some I've issued or received a receipt. Most of these were in liquidating an estate, and the rest are few and far between.

    Quote Originally Posted by Delvo View Post
    then waiting a couple of days for a tiny test deposit ...
    I loaned my son some money. Prior to his first payment, we first did a $1 test to make sure my account number was properly entered on his side, to avoid a situation similar to what Grant described.

  8. #38
    Join Date
    Oct 2009
    Location
    a long way away
    Posts
    10,827
    Quote Originally Posted by Torsten View Post
    I loaned my son some money. Prior to his first payment, we first did a $1 test to make sure my account number was properly entered on his side, to avoid a situation similar to what Grant described.
    That's a good idea.

    Most of my transfers are to accounts that have an IBAN (International Bank Account Number). This includes check digits which makes it less likely there will be an error entering the number (but I still double check after entering it the first time).

  9. #39
    Join Date
    Jul 2005
    Posts
    18,330
    We once had a bit of struggle getting our bank to transfer a fairly large sum to a company based in New Zealand, specifically because NZ doesn't use IBAN. I forget the details now, but it took days to get to the point where the money actually changed hands.

    Grant Hutchison

  10. #40
    Join Date
    Oct 2006
    Posts
    3,805
    Quote Originally Posted by Strange View Post
    I know people who hardly ever use cash - they pay for just about everything with a card.
    Quote Originally Posted by Torsten View Post
    I'm one of those people. In the last 12 months I've only spent $615 in cash, more than half of that while on holiday.
    For me there's no "hardly" or "just about" about it. For a while, my cash use had just naturally drifted down to the point where the only thing left that I needed cash for was laundry machines, and that needed to be in the form of quarters. So I was forced to keep coming up with artificial ways to not just use cash but use it in ways that would yield quarters back. It was annoying. Finally ending that runaround was one of the benefits of getting my own laundry machines.

    Given the existence of credit cards that give you back a percentage of your total, which essentially makes all prices slightly lower, it's hard to come up with reasons why anybody would not go cashless now.
    Last edited by Delvo; 2019-Dec-09 at 03:03 AM.

  11. #41
    Join Date
    Jul 2005
    Posts
    18,330
    Quote Originally Posted by Delvo View Post
    Given the existence of credit cards that give you back a percentage of your total, which essentially makes all prices slightly lower, it's hard to come up with reasons why anybody would not go cashless now.
    Well, there's being impoverished or in debt, which forces a whole bunch of people to operate cash-in-hand or not at all.
    And then there's reducing your risk of identity theft, and limiting the extent to which your financial activities are tracked and collated, which sits uneasily with some.
    And in my part of the world, at least, and for the things I do, I couldn't get by without cash - leaving contributions in honesty boxes, for the upkeep of paths and car-parks in rural areas; splitting bills with friends without getting into a complicated phone-dance; leaving a tip that will get to the person I want to tip; and using the various shops and food outlets in my immediate vicinity that are cash-only, because they would struggle with the overheads involved in providing a card reader, or those farther afield who are cash-only because they don't have an internet connection or a phone signal.
    I don't generally accumulate many small-denomination coins because I spend them as I get them, but my wife never seems to pay for anything except with a fresh note. This gives me one additional satisfaction from the cash economy - occasionally getting to carry a bag of her loose change down to the bank to feed it into their coin sorter.

    Grant Hutchison

  12. #42
    Join Date
    Sep 2004
    Posts
    15,579
    In my experience, online banking in itself is very safe. The main risk is in making sure who you're sending your money to. I've had to do lots of online purchases in the past few months, and I've encountered multiple fake webshops. In a webshop, it's very important that you check whether they are stating a VAT number and physical address. If they don't, it's 99% a fake shop and in the other 1% they're so loose with the rules that you shouldn't bother.

    As for errors in the account number to which you're transferring money: at least in Belgium, there's a checksum built into IBAN numbers so if you get one digit wrong, your online banking software will throw an error.
    With sufficient thrust, water towers fly just fine.
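
The IBAN check digits mentioned in posts #38 and #42, as an added example that is not part of any post in the thread: the ISO 13616 mod-97 check, run over a commonly cited Belgian example IBAN, showing that every single-digit typo and every swap of two neighbouring digits is rejected. The function names are this example's own, and per-country length rules are left out.

```python
import string

ALLOWED = set(string.ascii_uppercase + string.digits)
# Commonly cited Belgian example number, used here as sample input.
SAMPLE_IBAN = "BE68 5390 0754 7034"


def normalise(iban: str) -> str:
    """Drop the spaces used for printing and upper-case the letters."""
    return "".join(iban.split()).upper()


def mod97(text: str) -> int:
    """Read text as one long decimal number (A=10 ... Z=35), reduced mod 97."""
    remainder = 0
    for ch in text:
        value = int(ch, 36)               # '0'-'9' -> 0-9, 'A'-'Z' -> 10-35
        shift = 100 if value > 9 else 10  # a letter contributes two digits
        remainder = (remainder * shift + value) % 97
    return remainder


def is_valid_iban(iban: str) -> bool:
    """Structure check plus the mod-97 test (country lengths not checked)."""
    s = normalise(iban)
    if len(s) < 5 or not set(s) <= ALLOWED:
        return False
    if not (s[:2].isalpha() and s[2:4].isdigit()):
        return False
    # Move country code and check digits to the end; a valid IBAN leaves 1.
    return mod97(s[4:] + s[:4]) == 1


def check_digits(country: str, bban: str) -> str:
    """Compute the two check digits for a country code and domestic part."""
    return f"{98 - mod97(normalise(bban) + country.upper() + '00'):02d}"


def undetected_single_digit_typos(iban: str) -> list:
    """Every one-digit substitution that would still pass the check."""
    s = normalise(iban)
    misses = []
    for i, ch in enumerate(s):
        if not ch.isdigit():
            continue
        for d in string.digits:
            candidate = s[:i] + d + s[i + 1:]
            if d != ch and is_valid_iban(candidate):
                misses.append(candidate)
    return misses


def undetected_adjacent_swaps(iban: str) -> list:
    """Every swap of two neighbouring, different digits that still passes."""
    s = normalise(iban)
    misses = []
    for i in range(len(s) - 1):
        a, b = s[i], s[i + 1]
        if a.isdigit() and b.isdigit() and a != b:
            candidate = s[:i] + b + a + s[i + 2:]
            if is_valid_iban(candidate):
                misses.append(candidate)
    return misses


if __name__ == "__main__":
    print("sample valid:", is_valid_iban(SAMPLE_IBAN))
    print("check digits:", check_digits("BE", "539007547034"))
    print("typos that slip through:", undetected_single_digit_typos(SAMPLE_IBAN))
    print("swaps that slip through:", undetected_adjacent_swaps(SAMPLE_IBAN))
```

A passing check only shows that the number is well formed. It says nothing about whether the account belongs to the intended payee, which is the name cross-check raised in post #34.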

  13. #43
    Join Date
    Jun 2004
    Location
    The Great NorthWet
    Posts
    14,806
    I use on-line banking primarily for checking that I have enough in the checking account for the check I'm about to write (and I'm a Luddite who still pays most bills by check) or transferring from savings to checking so I will.

    Regarding cash vs card, I kind of like to use cash because the card is just too darn easy!
    Cum catapultae proscriptae erunt tum soli proscript catapultas habebunt.

  14. #44
    Join Date
    Jan 2005
    Location
    Olympia, WA
    Posts
    31,017
    One of the known symptoms of bipolar disorder is a certain amount of fiscal irresponsibility. The most fiscally responsible thing I've ever done is simply not have credit cards. I still don't use a ton of cash, but then, I don't spend a lot full stop, given my income. Which is low enough that it's hard to get a credit card anyway; not a lot of lenders want to give credit cards to people in my situation.
    _____________________________________________
    Gillian

    "Now everyone was giving her that kind of look UFOlogists get when they suddenly say, 'Hey, if you shade your eyes you can see it is just a flock of geese after all.'"

    "You can't erase icing."

    "I can't believe it doesn't work! I found it on the internet, man!"

  15. #45
    Join Date
    Jul 2005
    Posts
    18,330
    Quote Originally Posted by Nicolas View Post
    In my experience, online banking in itself is very safe. The main risk is in making sure who you're sending your money to. I've had to do lots of online purchases in the past few months, and I've encountered multiple fake webshops. In a webshop, it's very important that you check whether they are stating a VAT number and physical address. If they don't, it's 99% a fake shop and in the other 1% they're so loose with the rules that you shouldn't bother.

    As for errors in the account number to which you're transferring money: at least in Belgium, there's a checksum built into IBAN numbers so if you get one digit wrong, your online banking software will throw an error.
    By far the biggest security issue with on-line banking is the behaviour of the account-holder, in terms of the physical and data security of their devices, and their resistance (or otherwise) to social engineering scams. To some extent, mobile phone banking is safer than banking from your PC, since the operating system environment on a (non-jailbroken) phone is pretty secure, and people generally use apps that are security-screened by Apple or Google. The average PC is the Wild West by comparison.
    For on-line banking I'd want to use a dedicated sterile device, but that's probably just me.

    Grant Hutchison

  16. #46
    Join Date
    Oct 2009
    Location
    a long way away
    Posts
    10,827
    Quote Originally Posted by Gillianren View Post
    The most fiscally responsible thing I've ever done is simply not have credit cards.
    The most sensible financial decision I made when young (after having had a credit card for a couple of years and always owing money on it) was to switch to always paying off the full amount each month by direct debit. It was really painful for a couple of months, but such a relief after that.
    Last edited by Strange; 2019-Dec-09 at 07:16 PM.

  17. #47
    Join Date
    Sep 2004
    Posts
    15,579
    Quote Originally Posted by grant hutchison View Post
    By far the biggest security issue with on-line banking is the behaviour of the account-holder, in terms of the physical and data security of their devices, and their resistance (or otherwise) to social engineering scams. To some extent, mobile phone banking is safer than banking from your PC, since the operating system environment on a (non-jailbroken) phone is pretty secure, and people generally use apps that are security-screened by Apple or Google. The average PC is the Wild West by comparison.
    For on-line banking I'd want to use a dedicated sterile device, but that's probably just me.

    Grant Hutchison
    Our online banking system uses a separate hardware box to generate codes, so even if your PC is at an ebola level of infection, "they" can't get your PIN code or stuff like that because you never have to type it into your PC.
    With sufficient thrust, water towers fly just fine.

  18. #48
    Join Date
    Jul 2005
    Posts
    18,330
    Quote Originally Posted by Nicolas View Post
    Our online banking system uses a separate hardware box to generate codes, so even if your PC is at an ebola level of infection, "they" can't get your PIN code or stuff like that because you never have to type it into your PC.
    That's interesting. But that sort of thing is still potentially vulnerable to "man-in-the-middle" attacks, in which the user believes they are authorizing one transaction, but malware on their machine is in fact conducting a different transaction using the generated passcodes. There are cryptographic solutions to the problem (in some way binding the passcode to the user's intention, rather than the malware's), but vulnerabilities have certainly been demonstrated in early passcode generators, so I'd still want to use a sterile machine for my transactions.

    Grant Hutchison

  19. #49
    Join Date
    Oct 2009
    Location
    a long way away
    Posts
    10,827
    Quote Originally Posted by grant hutchison View Post
    That's interesting. But that sort of thing is still potentially vulnerable to "man-in-the-middle" attacks, in which the user believes they are authorizing one transaction, but malware on their machine is in fact conducting a different transaction using the generated passcodes. There are cryptographic solutions to the problem (in some way binding the passcode to the user's intention, rather than the malware's), but vulnerabilities have certainly been demonstrated in early passcode generators, so I'd still want to use a sterile machine for my transactions.

    Grant Hutchison
    One of my banks uses a key generator where it just generates a different code each time you press the button. I assume these are generated from the current time and date in some way. This is probably vulnerable to the sort of attack you suggest (and others).

    My other bank uses a more complex system where you have to enter your PIN, and details of the transaction (eg. the destination account and the amount). That would seem fairly immune to that sort of attack. (You also have to insert your ATM card in the device, which provides a bit of extra security - as long as you don't keep them together.)
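
The difference between the two kinds of device described in posts #48 and #49, as an added example that is not part of any post: a code derived from a counter alone verifies no matter which payment reaches the bank, while a code computed over the payee and amount verifies only for the payment the user keyed into the device. The key, the payee labels, the message layout and the HMAC-SHA-256 truncation are constructed for this sketch and are not any bank's scheme.

```python
import hashlib
import hmac

# Secret shared by the device and the bank; made up for this example.
DEVICE_KEY = b"constructed-demo-key"


def _six_digits(message: str, key: bytes = DEVICE_KEY) -> str:
    """Keyed MAC over the message, shortened to a 6-digit code."""
    mac = hmac.new(key, message.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 1_000_000).zfill(6)


def button_code(counter: int) -> str:
    """Press-the-button device: the code depends on the counter only."""
    return _six_digits(f"login|{counter}")


def signed_code(counter: int, payee: str, amount_pence: int) -> str:
    """Keypad device: the user types payee and amount into the device."""
    return _six_digits(f"pay|{counter}|{payee}|{amount_pence}")


def bank_checks_button_code(code: str, counter: int, received_tx) -> bool:
    # The payment details that arrived play no part in this check.
    return hmac.compare_digest(code, button_code(counter))


def bank_checks_signed_code(code: str, counter: int, received_tx) -> bool:
    # The bank recomputes the code over the payment it actually received.
    payee, amount_pence = received_tx
    return hmac.compare_digest(code, signed_code(counter, payee, amount_pence))


def authorise(intended_tx, received_tx, counter: int = 7):
    """Return (button-code accepted, signed-code accepted).

    intended_tx is what the user believes they are approving; received_tx
    is what reaches the bank after passing through the user's computer.
    """
    plain = button_code(counter)
    signed = signed_code(counter, *intended_tx)
    return (
        bank_checks_button_code(plain, counter, received_tx),
        bank_checks_signed_code(signed, counter, received_tx),
    )


if __name__ == "__main__":
    intended = ("PAYEE-A", 25_000)    # constructed sample payment
    altered = ("PAYEE-B", 250_000)    # same session, different details
    print("unaltered:", authorise(intended, intended))
    print("altered:  ", authorise(intended, altered))
```

The signed code protects only if the payee and amount are typed into, or read off, the separate device itself; details copied from the computer's screen carry whatever that computer chose to display.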

  20. #50
    Join Date
    Oct 2001
    Location
    Sioux Falls, SD
    Posts
    8,857
    Quote Originally Posted by Strange View Post
    One of my banks uses a key generator where it just generates a different code each time you press the button. I assume these are generated from the current time and date in some way. This is probably vulnerable to the sort of attack you suggest (and others).
    I think - could be wrong - that it's just an encrypted counter, incrementing by 1 with each press. This is essentially the same logic your car fob uses.
    Sometimes you win, sometimes you learn

  21. #51
    Join Date
    Oct 2009
    Location
    a long way away
    Posts
    10,827
    Quote Originally Posted by SeanF View Post
    I think - could be wrong - that it's just an encrypted counter, incrementing by 1 with each press. This is essentially the same logic your car fob uses.
    I wondered that, but then how would the bank authenticate it? I can play with it, generating a sequence of numbers before entering one, and the bank still recognises it. They don't insist that I only press it once per transaction.

  22. #52
    Join Date
    Jan 2005
    Location
    Olympia, WA
    Posts
    31,017
    Quote Originally Posted by Strange View Post
    The most sensible financial decision I made when young (after having had a credit card for a couple of years and always owing money on it) was to switch to always paying off the full amount each month by direct debit. It was really painful for a couple of months, but such a relief after that.
    The issue is, with my mental health problems, I can't be sure I would have the money every month to actually do that. "Depression spending" is a well-known phenomenon, as is making foolish mistakes--with money and otherwise--because of mania.
    _____________________________________________
    Gillian

    "Now everyone was giving her that kind of look UFOlogists get when they suddenly say, 'Hey, if you shade your eyes you can see it is just a flock of geese after all.'"

    "You can't erase icing."

    "I can't believe it doesn't work! I found it on the internet, man!"

  23. #53
    Join Date
    Oct 2009
    Location
    a long way away
    Posts
    10,827
    Quote Originally Posted by Gillianren View Post
    The issue is, with my mental health problems, I can't be sure I would have the money every month to actually do that. "Depression spending" is a well-known phenomenon, as is making foolish mistakes--with money and otherwise--because of mania.
    I think there are a lot of people for whom that would be the right choice. Not everyone is sensible or strong enough to do that, especially if they already have a card (or more).

  24. #54
    Join Date
    Jul 2005
    Posts
    18,330
    Quote Originally Posted by Strange View Post
    I wondered that, but then how would the bank authenticate it? I can play with it, generating a sequence of numbers before entering one, and the bank still recognises it. They don't insist that I only press it once per transaction.
    They would deal with it in the same way they would deal with asynchrony between the clocks in the device and at the bank - the bank generates a short sequence of numbers (called the "acceptance window"), corresponding either to a sequence of button-presses or a range of times, and grants you a hit if your number matches one of those. You could check whether you have a time based or a rolling-code based device by generating a couple of hundred unused passcodes, and then seeing if the next one works. That would put you outside the likely acceptance window of a rolling-code checker. (A good way to lock your enemy out of his car, if you're into pranks that cause massive inconvenience.)

    Grant Hutchison

  25. #55
    Join Date
    Oct 2001
    Location
    Sioux Falls, SD
    Posts
    8,857
    Quote Originally Posted by Strange View Post
    I wondered that, but then how would the bank authenticate it? I can play with it, generating a sequence of numbers before entering one, and the bank still recognises it. They don't insist that I only press it once per transaction.
    Adding on to Grant's answer, I think the standard (at least for car fobs) is that the system will accept any of the next 256 numbers after the last received number.
    Sometimes you win, sometimes you learn
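
The acceptance window described in posts #54 and #55, as an added example that is not part of any post: a counter-based verifier built on HOTP (RFC 4226), with the secret taken from that RFC's test vectors. The thread does not say what the banks' devices implement, so HOTP, the class names and the default window of 256 (the figure post #55 gives for car fobs) are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

RFC_SECRET = b"12345678901234567890"   # test secret published in RFC 4226


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Token:
    """The hand-held device: every button press uses up one counter value."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Verifier:
    """Bank side: accepts a code from the next `window` counter values."""

    def __init__(self, secret: bytes, window: int = 256):
        self.secret = secret
        self.window = window
        self.counter = 0           # next counter value not yet accepted

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # resynchronise; older codes are dead
                return True
        return False               # stored counter is left unchanged


def submit_after_idle_presses(idle_presses: int, window: int = 256) -> bool:
    """Press the button idle_presses times unused, then submit the next code."""
    token = Token(RFC_SECRET)
    bank = Verifier(RFC_SECRET, window)
    for _ in range(idle_presses):
        token.press()
    return bank.verify(token.press())


if __name__ == "__main__":
    for presses in (0, 5, 255, 256, 300):
        result = submit_after_idle_presses(presses)
        print(f"{presses:3d} unused presses -> accepted: {result}")
```

Moving the stored counter past each accepted code is what makes earlier, unused codes worthless afterwards. A token that has run past the window stays rejected because a failed check never moves the bank's counter.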

  26. #56
    Join Date
    Oct 2009
    Location
    a long way away
    Posts
    10,827
    Quote Originally Posted by grant hutchison View Post
    They would deal with it in the same way they would deal with asynchrony between the clocks in the device and at the bank - the bank generates a short sequence of numbers (called the "acceptance window"), corresponding either to a sequence of button-presses or a range of times, and grants you a hit if your number matches one of those. You could check whether you have a time based or a rolling-code based device by generating a couple of hundred unused passcodes, and then seeing if the next one works. That would put you outside the likely acceptance window of a rolling-code checker. (A good way to lock your enemy out of his car, if you're into pranks that cause massive inconvenience.)

    Grant Hutchison
    Interesting experiment. But would it then resync? Or could I be permanently locked out?

  27. #57
    Join Date
    Jul 2005
    Posts
    18,330
    Quote Originally Posted by Strange View Post
    Interesting experiment. But would it then resync? Or could I be permanently locked out?
    Sorry, I was being facetious. If you did do that you'd end up with a non-functioning passcode generator. I presume you'd need to get it resynchronized or replaced by the bank. Certainly if you mess with a car key fob in this way the resynchronization requires specialist equipment, and costs money.

    Grant Hutchison

  28. #58
    Join Date
    Oct 2009
    Location
    a long way away
    Posts
    10,827
    Quote Originally Posted by grant hutchison View Post
    Sorry, I was being facetious. If you did do that you'd end up with a non-functioning passcode generator. I presume you'd need to get it resynchronized or replaced by the bank. Certainly if you mess with a car key fob in this way the resynchronization requires specialist equipment, and costs money.
    OK. I won't try it then. (The idea of sitting there pressing the button 256 times didn't really appeal anyway.)

    In the case of the more complex device (the one where you need to insert your ATM card and enter the PIN) this generates a code for logging into the account. As this just requires a button press (rather than entering details of the transaction) I assume this uses the same counter method. However, I ended up with three of these devices (mine and my wife's for this account, and an identical looking device from a different bank). I have used all three of these to log in to the same account (partly because I was curious if the other bank device really was identical).

    But they would have each had different counter statuses, yet they all worked. And I wasn't locked out when I went back to the first one. But within the 6 digit code I guess there is room to provide not just the count but also some kind of device ID. I suppose the same issue arises with car keys, where you can have two keys to unlock the car.

    (I realise now that my timestamp idea couldn't be right, because most of these devices come with the battery not connected - you have to pull out a little insulating strip to turn the device on.)

  29. #59
    Join Date
    Jul 2005
    Posts
    18,330
    From a security point of view that's not a reassuring narrative, is it?

    Grant Hutchison

  30. #60
    Join Date
    Oct 2009
    Location
    a long way away
    Posts
    10,827
    Quote Originally Posted by grant hutchison View Post
    From a security point of view that's not a reassuring narrative, is it?

    Grant Hutchison
    I don't think it is too worrying. It is about what I would expect.

    I guess it would be better if the security devices were personalised for each bank or account. Or, better, each user. But I assume the banks trade off the extra security against the extra cost.

    But I'm not sure what happens if you report the loss/theft of a security device. Can they disable accesses using that specific device, or just recommend you change your PIN?
