OCBC Bank app starts flagging users for apps installed through third-party app stores

jamesrc
3 hours ago, Kisai said:

I wish companies would not use mobile phones as a 2FA while simultaneously being an app. It's no longer 2FA if the 2FA generator is on the same device.

 

Well that's your fault for installing work apps on your personal device, or installing your banks app on your work device. Don't do that. 

 

 

iPhone does not have this problem does it? Nobody is saying a bank app is good at scanning for malware, far from it, but it likely just looks for side-loading being turned on and any installed apps missing signatures. The only reason it can even do this is because you gave it permission to do so. Will it still work if you revoke elevated access? Who knows.

 

But it's like, this is a lesson we keep having to learn in the IT biz. Customers are idiots. Lock down and remove tools that allow the average customer to do anything with the software or device that you know WILL break it if someone goes pressing buttons. This is why firmware/BIOSes are the way they are, even on desktops. You can customize a firmware (that's how you get boot logos), but it's often NOT worth the effort and potential damage to the system.

 

This is part of the reason I am not for allowing side loading on Apple. I get that a small minority wants this but I am hoping it's not allowed as I would rather not have my family call me because they messed up their iPhone. Granted the EU are probably going to force it but what can you do. Hopefully they will keep it locked down for US users.


11 hours ago, Avocado Diaboli said:

Wait, what? Your bank uses their own app as a second factor? That's monumentally stupid. Never mind that only having a single option as a second factor is also entirely too little, given that not everybody can afford a smartphone, or might not want to in the first place.

My bank uses the app for verification IF you have it set up, otherwise they use the more robust independent device where you put in your physical bank card and type in certain information to generate a code.



5 hours ago, Kisai said:

I wish companies would not use mobile phones as a 2FA while simultaneously being an app. It's no longer 2FA if the 2FA generator is on the same device.

In general I think banking apps are pretty pointless.  Although, for myself I use the 2FA stuff and the web version; so the concept of having the 2FA still works for me (I refuse to use the app unless absolutely necessary).

 

 

Ultimately though, this boils down to the banks wanting to protect their bottom line.  If they see a rise in people who had their passwords or logins compromised, the banks often are the ones that end up having to take on a large chunk trying to recover money.  



11 hours ago, LAwLz said:

On one hand, this seems like good intentions.

If their intentions were good they would simply hand out tokens (small sealed physical device with a numpad) like the Audi bank did back in 2016-2017.......


11 hours ago, Kisai said:

Well that's your fault for installing work apps on your personal device, or installing your banks app on your work device. Don't do that. 

The point I was getting at was that it is ultimately detrimental to the end-user when banks decide to make their mobile applications both the only means of 2FA and an anti-virus that prevents you from banking when there are third-party applications. While OCBC did claim that it would only flag apps with "risk permissions", what these permissions are is yet unknown. People reported having Alipay flagged - so should people have a device for every single banking app?

 

I would be slightly more comfortable if these apps allowed you to continue banking but strongly recommended deleting these apps, maybe even an opt-out system.

 

While I do actually separate my personal and work devices, not every user has the means to do that (as I previously alluded to) and even if they do, there are many other edge cases that will result in users being locked out of their bank account. I understand the rationale behind separate work, personal and banking devices, but there's no way every user should be expected to carry around 3 mobile phones just to do work, bank and send messages.

 

11 hours ago, Kisai said:

Customers are idiots. Lock down and remove tools that allow the average customer to do anything with the software or device that you know WILL break it if someone goes pressing buttons.

I agree that customers are idiots, but the way companies, especially banks, should ensure customer safety is not to lock down every single user's personal devices. Even if it is a phone they dedicate to banking, it's not as if the bank provided it for free - users should have to bear this burden. On the other hand, physical tokens were never prone to being hacked.

 

6 hours ago, jagdtigger said:

If their intentions were good they would simply hand out tokens (small sealed physical device with a numpad) like the Audi bank did back in 2016-2017.......

It seems that banks are trying to move away from physical tokens; it feels as if they are trying to solve a problem they created...

 


13 hours ago, StDragon said:

Already a thing for members to access corporate accounts (depending on the bank)

https://www.ibm.com/products/trusteer-rapport

Ugh *faceplant*

 

Not to throw IBM under the bus here, but corporate 2FA stuff is monumentally annoying. It often involves obsolete Java crap that has to run on an older desktop that still has MSIE 11.

 

Fortunately, I was "not" the person charged with troubleshooting this. Trusteer has its own teams.

 

For all intents, billion dollar corporations really should make their own private banking system that only deals with billion dollar corporations. Not to "keep profits private" but to get more accountability and limit access.

 

Like for people who have not experienced it, B2B stuff is a completely different animal, be it banking or internet/phone service. The people you talk to are typically the most polite and professional people you will ever talk to, because everyone is on the same page. There isn't some interference being run by corporate bean counters to pinch pennies and argue with entitled idiots. A B2B account between a Telecom and a Shipping company is the most wacky arrangement, where the telecom is not permitted to ship devices to the shipping company except via the shipping company. So the corporate CRM will have notes all over the place like "FEDEX MUST SHIP FEDEX", "UPS MUST SHIP UPS" even though both of these shipping options cost the company 100x more. The CRM might even prevent you from selecting anything else. USPS is the worst though, because USPS employees MUST receive their equipment via USPS, or someone is getting fired.  Sometimes people forget, when they quit/get fired, that this corporate entitlement is still on their personal account, and it causes them trouble for years until the corporate entity removes them.

 

The point of this story is that the way B2B stuff works is very alien and subject to some contractual obligation to use certain hardware, services, staff, etc. at the detriment of the end-user. So if a corporate 2FA system requires you to use IBM Trusteer, with the old Java runtime, then someone in your physical office needs to have a computer with that on it, even if it weakens security for everything else.

 


2 hours ago, Kisai said:

Ugh *faceplant*

 

Not to throw IBM under the bus here...

By all means, please do so. 

 

Trusteer Rapport is dogshit. It's slow, crashes, and causes other unexplained issues in Windows. It slows the entire system down because it's running in the background. Many helpdesk tickets came my way with accountants always complaining about their computer performance.

 

The easiest method is to explain to the end-user the process of temporarily unloading the app (there was a captcha prompt to do so) when not in use.

Edit: Have a read.

 


In Norway, banks are recently moving from SIM-card 2FA to app 2FA. The app is the same for all banks and separate from the banking app.

 

That is in addition to a physical code device; you can choose to use either or. Most people probably have it on their phone but have the code device as a backup.



While people might feel upset about this, in the end most malware that targets banking apps is installed from outside the Play Store. When you get a cracked app (pirated game etc.) the people doing this work are being paid, and they are being paid by the producers of the malware.

Should the banking app become compromised by malware on the user's device, the bank then needs to go through an entire process of proving this was the user's fault and not the bank's lack of security. This move is likely a move to provide evidence in future court cases so they can point out that they have put effort in to ensure the app is not compromised, so that they are not found liable. And even if it is not about the legal aspect, it can also be about customer satisfaction: you're not going to stick with a bank who refuses to give you back money after their app is compromised, and you're going to end up blaming the bank, dissuading others from using the bank.


13 hours ago, jagdtigger said:

If their intentions were good they would simply hand out tokens (small sealed physical device with a numpad) like the Audi bank did back in 2016-2017.......

That wouldn't prevent what they are trying to prevent though.

The catalyst for this change seems to have been people getting scammed. It wasn't directly related to the banking or banking app itself. It's just that they are using their own banking app as a vehicle to introduce some rather primitive anti-virus to people's phones.

 

 

1 hour ago, Mihle said:

In Norway, banks are recently moving from SIM-card 2FA to app 2FA. The app is the same for all banks and separate from the banking app.

 

That is in addition to a physical code device; you can choose to use either or. Most people probably have it on their phone but have the code device as a backup.

This is how we do it in Sweden too.

All the big banks got together and created their own "digital ID", which is used for a lot of 2FA duties, as well as some other stuff.

I think it's a great system, but I'd prefer if it wasn't run by for-profit banks. Especially not since it's grown to be so massive that basically everyone depends on it.


27 minutes ago, LAwLz said:

That wouldn't prevent what they are trying to prevent though.

You can't build protection against human stupidity. Physical tokens solve the compromised device issue (in my case the token was required not only to sign in but for every action (transfer, etc.) so it made it very hard for hackers to steal money); anything beyond that is pointless IMO....


14 hours ago, wanderingfool2 said:

In general I think banking apps are pretty pointless.

I find most apps pretty pointless. However, my bank for example removed the ability to deposit checks on their website a few years ago. So now the only way to do so is through the app. In the rare instance I get a check, I download the app, deposit the check, and delete the app again. (On my rooted phone)


23 minutes ago, jagdtigger said:

You can't build protection against human stupidity. Physical tokens solve the compromised device issue (in my case the token was required not only to sign in but for every action (transfer, etc.) so it made it very hard for hackers to steal money); anything beyond that is pointless IMO....

Except in this case, a physical token wouldn't have solved the issue.

Did you read the news article and the relevant associated stories?


4 minutes ago, LAwLz said:

Except in this case, a physical token wouldn't have solved the issue.

Did you read the news article and the relevant associated stories?

Ain't any story in the article, just the bank stating they are allegedly doing this flagging for security reasons, citing some very vague description as the reason for flagging apps. But that's beside the point. You can have the world's best protection and it won't matter if a portion of your users are basically braindead vegetables.....


20 minutes ago, jagdtigger said:

Ain't any story in the article, just the bank stating they are allegedly doing this flagging for security reasons, citing some very vague description as the reason for flagging apps. But that's beside the point. You can have the world's best protection and it won't matter if a portion of your users are basically braindead vegetables.....

It is in the related story.

 

And just because "a portion of your users are basically braindead vegetables" does not mean we shouldn't try and protect them. If anything, those are the people who need the most protection because they need to be protected from themselves. 

Just to be perfectly clear, I do not agree with this move, but I feel like a lot of people haven't fully read the story and are just using this as an opportunity to talk shit about things they don't like (banks, smartphones, and so on). As a result, the arguments and proposed solutions being thrown around in this thread are in my opinion not really valid. There are valid arguments for why this shouldn't be done, but the issue is a bit more nuanced and complicated than it seems if you just read the headline.

 

It's important to fully understand the backstory of things to also understand why something is happening. The bank isn't doing this because they think it's fun. It's a reaction to an event that left many people in a very bad spot. There isn't a single "bad guy" that you can point your finger to and say "this is the bad guy in this story", nor is there a simple and clear-cut solution to implement.

 

I don't think this sounds good on paper, but I think this is one of the many cases where a knee-jerk reaction is bad, and the change might actually turn out to be good in the end. Remember, this isn't just a blanket ban on apps installed from third parties. The bank isn't out to kill alternative stores. At least not if we believe what they are saying, and I don't have any reason to assume they are lying because it wouldn't make much sense for them to do. They don't profit from killing third-party app stores, so it seems weird to assume that's the reason for this change. It seems to really be a security play, and most security plays come with the potential for drawbacks. It will be up to the implementation to determine if this is good or bad in my opinion.


4 hours ago, jagdtigger said:

You can't build protection against human stupidity.

That won't stop others from trying though.

 

I would imagine in the future that some banks would issue fake phishing emails (KnowBe4) to test and train account holders. Getting them wrong could hurt your credit rating for that specific banking institution.


7 hours ago, LAwLz said:

Except in this case, a physical token wouldn't have solved the issue.

Why? A TAN generator seems perfectly fine to prevent any unwanted transfers from your bank account. It would need active participation of the user to do a transfer.


8 hours ago, LAwLz said:

And just because "a portion of your users are basically braindead vegetables" does not mean we shouldn't try and protect them.

9 hours ago, jagdtigger said:

You can't build protection against human stupidity.

 

*sigh* Put in place all the defenses you want, it won't matter one bit when the user basically hands over the keys..... (Whether they do it willingly or not is a different question.)


2 hours ago, HenrySalayne said:

Why? A TAN generator seems perfectly fine to prevent any unwanted transfers from your bank account. It would need active participation of the user to do a transfer.

Because in the case that prompted this change, the transfer wasn't "unwanted". It was a scam. People were fooled. 

 

A separate hardware key would in situations like these actually be worse for security, because then the bank app has no way of knowing why the transfer may be initiated. With an app that can detect suspicious activity on the device, it might be able to prevent people from being scammed. 

 

Everything has benefits and drawbacks.

 

Just to make it clear again, I don't think this is a good change, but I can see why it's being done. Whether or not it works remains to be seen. 


6 minutes ago, LAwLz said:

Because in the case that prompted this change, the transfer wasn't "unwanted". It was a scam. People were fooled. 

 

A separate hardware key would in situations like these actually be worse for security, because then the bank app has no way of knowing why the transfer may be initiated. With an app that can detect suspicious activity on the device, it might be able to prevent people from being scammed. 

But you know that TAN generators show you the transfer details (account number and sum) on their internal display independent from the device?

If one device is compromised, you can check all details on the other device. If you have just a phone and it is compromised, there is no second line of defence. That's why we introduced mTAN for PCs. Then we had TAN apps, because mTAN had its weaknesses and was expensive. And now we have come full circle back to one device for everything.

That completely destroyed the last line of defence and that is exactly the reason why independent 2FA is so important.

 

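The independent-display argument made in the last two replies, as an added example that is not from any poster in this thread: a constructed Python model of a chipTAN-style transaction-bound TAN, where the token shows on its own screen the details the bank actually received and the TAN is an HMAC over exactly those details. The shared secret, account strings, amounts and the HMAC-over-details scheme are all constructed stand-ins, not any real bank's algorithm.

```python
import hmac
import hashlib

# Constructed model of a transaction-bound TAN (chipTAN-style). Token and bank
# share a per-card secret (hypothetical value); the TAN is an HMAC over the exact
# recipient, amount and a counter, so it is worthless for any other transfer.
SECRET = b"constructed-per-card-secret"

ALICE = {"recipient": "DE00 ALICE 0001", "amount_cents": 1000}       # what the user meant to pay
MALLORY = {"recipient": "DE00 MALLORY 0002", "amount_cents": 100000}  # what a compromised phone submits


def tan_for(secret: bytes, recipient: str, amount_cents: int, counter: int) -> str:
    """6-digit TAN bound to recipient, amount and a replay counter."""
    msg = f"{recipient}|{amount_cents}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def token_display(recipient: str, amount_cents: int) -> str:
    """The line the token shows on its own screen before it will sign."""
    return f"{recipient} EUR {amount_cents / 100:.2f}"


def bank_verify(tx: dict, tan: str, counter: int) -> bool:
    """The bank recomputes the TAN for the transfer it holds and compares."""
    expected = tan_for(SECRET, tx["recipient"], tx["amount_cents"], counter)
    return hmac.compare_digest(expected, tan)


def tan_replay_rejected(intended: dict, submitted: dict, counter: int = 1) -> bool:
    """Malware lets the user generate a TAN for `intended`, then submits
    `submitted` with that TAN. True if the bank rejects the swap."""
    tan = tan_for(SECRET, intended["recipient"], intended["amount_cents"], counter)
    return not bank_verify(submitted, tan, counter)


def user_catches_swap(intended: dict, bank_received: dict) -> bool:
    """The token shows the details the bank actually holds; a user who compares
    that screen with what they meant to pay spots a changed recipient/amount."""
    return token_display(**intended) != token_display(**bank_received)


def outcome(intended: dict, submitted: dict, user_reads_token: bool, counter: int = 1) -> str:
    """End-to-end: the bank challenges with `submitted`, the token displays it,
    and the user either reviews that screen or blindly types the TAN into the phone."""
    if user_reads_token and user_catches_swap(intended, submitted):
        return "refused by user"
    tan = tan_for(SECRET, submitted["recipient"], submitted["amount_cents"], counter)
    return "executed" if bank_verify(submitted, tan, counter) else "rejected by bank"
```

Running the `outcome` cases shows both sides of the exchange: a swapped recipient is caught only when the user actually compares the token's screen, while a transfer the user genuinely intended (the scam case) goes through regardless of the token.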
