| Member |
Was wondering what the prevailing opinion is for security (i.e., breaching your financial accounts via your device) for sensitive apps (banking, investment, password management, personal information, health, etc.). How do you perceive the security of your device to protect from breaches on your device (getting into your account, mining your account name / password, identity theft, other undesirable outcomes)?

1. Trusted but ack some risk. Not too worried.
2. Ack considerable risk but still use carefully - no real alternatives.
3. Don't trust at all; use a different device.

MacBooks (M processor based)? iPhones (iPhone 11 and later)? Samsung phones (last 5 years)? Windows/Intel computer (last 5 years)?

This message has been edited. Last edited by: konata88,

"Wrong does not cease to be wrong because the majority share in it." L.Tolstoy
"A government is just a body of people, usually, notably, ungoverned." Shepherd Book
|
| Member |
I don't do QR Codes.

____________________________________________________
The butcher with the sharpest knife has the warmest heart.
|
| Member |
Nope, neither do I. I also never do any financial stuff on my phone. I only use my home computer for that.
|
| Member |
I never do QR codes. Ignore the QR comment - that was just the trigger for the question. The question is really about device and comfort level. What type of computer do you use? And what's your comfort level (I assume it's just websites and not apps then)?

I'm not very comfortable with Windows. I do it because I don't have options (for now). I will move to Mac and iPad/iPhone. But wondering if security of an app (say some bank) is better than using a website (Brave or Safari).

"Wrong does not cease to be wrong because the majority share in it." L.Tolstoy
"A government is just a body of people, usually, notably, ungoverned." Shepherd Book
|
| No More Mr. Nice Guy |
I am quite comfortable on all my Apple devices. I am very careful not to use any public wifi for anything important. I don't click on any links in emails or messages. Instead, I manually enter the webpage URL if it is something I am interested in, e.g. a message supposedly from my bank, or an email from a merchant I frequent. I use 2 factor authentication on anything financial. I don't do anything sensitive even using my cell service data when in questionable foreign countries. I will be adding a VPN to all my devices in the near future once I find the one I prefer.
|
| Member |
My laptop is an old Dell that originally had Windows 7 on it. I've since updated it to Linux. I liked Win 7 and 10 both (10 was on my office machine until I retired), but Win 7 is well beyond its support term now, and Win 10 will be in the same state next month. I tried Win 11 and hated it, that's why I went with Linux. I found a distribution that looks and feels a LOT like Win 10.

My home wifi is secured and I changed the password after it was installed, but the laptop is connected with a cable, it doesn't use wifi at all. All the sites I access from the laptop are standard HTTPS web sites. AFAIK none of those institutions have "apps" that run on Windows or Linux. If they did I probably still wouldn't use them. I suppose that's a comfort level thing. I'm a lot more familiar with website technologies than I am with phone apps.

I was a Windows software engineer for 30-something years before I retired in '22. My early years in that arena were mostly client-facing applications that installed directly on the computer. By the time I started working on web sites, the security infrastructure for them was pretty much all built in to the operating system and the libraries that we linked in with the web applications, so I've never had to "roll my own" web site security stuff. Being that I've never developed phone apps, I can't speak to how good their security is.

I do use 2FA for all financial transactions (most sites don't even give you the option not to anymore). It's kind of a PITA and sometimes I get really annoyed with it, but it does work. Some sites will write a cookie on your computer that records the IP address of the machine (or maybe write it into their database instead of a cookie). Then the next time you hit the site it will check your IP address again, and if it hasn't changed then they'll skip the 2FA step. Not all of them do that though.

I seldom take my laptop outside the house, and if I do then I never use any public wifi except for stuff like surfing the web while I'm waiting for my car to get fixed or something. The only things I use my phone for are phone calls and text messages.
|
| quarter MOA visionary |
I would be more worried/be careful on what you click on and what info you provide over the actual device used. It's usually our own carelessness that starts the problem ball rolling.
|
| Honky Lips |
Just use MFA and have good passwords.

_____________________________________________
Proverbs 3:31 "Envy thou not the oppressor, and choose none of his ways."
|
| The success of a solution usually depends upon your point of view |
I'm not too concerned about my devices. No important data is stored on my phone or tablet. The apps I use to access any financial systems do not store any data and I do not stay logged in. No passwords are stored on ANY device, and I never use any wi-fi network other than my home setup. QR codes are a subject of their own, there have been a couple of threads about them. But in short, almost NEVER.

“We truly live in a wondrous age of stupid.” - 83v45magna
"I think it's important that people understand free speech doesn't mean free from consequences societally or politically or culturally." -Pranjit Kalita, founder and CIO of Birkoa Capital Management
|
| Baroque Bloke |
You use the same few easily remembered passwords for all accounts? You have a sheet of passwords taped to your monitor? I have a PW Manager app (mSecure) on my iPhone and MacBook – they sync. A different long strong PW for every account. Including IRS, LOGIN.GOV, and ID.me. And many other accounts too.

Serious about crackers.
|
| Member |
Up front, I'll say now that I work in the financial industry in technology. I've been in this one the last 10 years out of a 30+ year career, other industries before that.

The short answer: It doesn't matter. The web page on your laptop and the app on your phone are both (likely[1]) talking to the same Application Programming Interface (API) sites.

As already stated, people are their own worst enemy, not the tools. Kinda like guns. Be religious about MFA/passkeys (passkey thread). Use biometrics on your phone. Don't share passwords among sites. Ever. Use a password manager. And don't click things sent to you.

No one is relying on IP addresses anymore as it isn't reliable. It's done with client/browser fingerprinting.

1. Likely, but there isn't some tech standard that says it has to. For example, the phone app might use a different authentication/authorization API because it's in a transition phase post acquisition, etc. It is simply just more efficient to use the same and the company will want efficient, secure paths.

-- I always prefer reality when I can figure out what it is. JALLEN 10/18/18 https://sigforum.com/eve/forum...610094844#7610094844
|
| quarter MOA visionary |
SigJacket ^^^^ reiterates my viewpoint.

So many think bots, gremlins and Russians are scanning the Internet like a searchlight looking for victims. The reality is that when they scan ~ they are looking for high value targets like institutions or government where the payoff will likely be big. For the rest of us as individuals ~ it is usually what we do that gets us in trouble and for the most part that means we clicked either by being tricked or being careless on the wrong thing and start giving the attacker all the information they need to do us harm.

In the distant past we were concerned about viruses and malware but that was mostly from an annoyance state. For the most part we were not worried about the massive financial fraud. So we hardened the computers with passwords, AV software, updates etc. As technology evolved we are more concerned with more advanced crime as we are connected to financial and other personal sites, this makes us vulnerable and much more lucrative to criminals.

Technology at the individual level from a hardware/software perspective is now pretty good which as mentioned by SigJacket who said it doesn't make a difference. This is not absolute but for the most part essentially true.

One of the biggest threats and most deadly (financially) is RansomWare. As an IT guy ~ this is one I cannot defeat and backups are the only saving grace. ^^ This happens at all levels from the Individual to Corporations and more. It is not to be messed with if you have valuable information on your computer. However, it is either initiated by clicking errantly and letting them in or if you set up carelessly a remote access to a computer with few safeguards like proper firewall configuration. Backup!

So common sense in browsing and clicking needs to be the order of the day. NEVER respond to random emails or other communication directly. Checking your bank balance ~ go to the site directly and that includes paying attention to links from GOOGLE or other search engines that may look legit. 2FA authentication is not the end-all but very effective and if your institution offers that (as a PIA as it is) > use it.

Bottom line it is less the device nowadays and more the user > use common sense.
|
| Member |
I use biometrics as well as 2FA for everything I can regardless of device. Our last 'breach' was over the phone. They had my account info and called the bank - draining all of our linked accounts in moments. Immediately after I set up 2FA and some voice verification stuff, but now with AI - voice verification is essentially worthless.

I reject your reality and substitute my own. --Adam Savage, MythBusters
|
| Member |
Good info guys. So, to try summarizing:

1. Security of platforms (computer/tablet/phone running Apple or Windows OS) are sufficiently secure and can be treated agnostically.
2. Applet or HTTPS are considered secure, especially when augmented with MFA/2FA and using different passwords for each site.
3. The primary risk is in clicking malicious links.

To the end of #3, perhaps one should use a dedicated phone/computer for sensitive websites / apps (banking, etc) and a general device (phone/computer) for general browsing. Or is it sufficient (on computers) to just use different user accounts?

ETA: In this case, the weak link will be tablets/phones where multiple devices are cumbersome and costly AND multiple accounts per device are not available.

"Wrong does not cease to be wrong because the majority share in it." L.Tolstoy
"A government is just a body of people, usually, notably, ungoverned." Shepherd Book
|
| Member |
Just stay disciplined with 2FA and a password manager, you’ve already cut out 95% of the risk.
|
| Member |
I use Apple products. Whether they are really safer or not I don't know. That said, I prefer to use Apple Pay rather than using my credit card directly. The system, in theory at least, is safer since none of your information is transferred. Only a transaction number is sent to the retailer. I think it's relatively safe but there is still a risk.

I have had my phone, email, and bank accounts breached once before. I believe it was when I was setting up my new phone at the Apple Store about a year ago. I foolishly allowed the salesperson to talk me into allowing AirDrop to accept messages from unknown numbers for a short time. Normally I restrict it to known contacts. Shortly after that I noticed a large amount of money was moved from savings to checking. It was then I found out that my cellphone number had been hijacked and I wasn't able to access my email. Both accounts had had their passwords changed. Cellular provider found my account was associated with a different SIM so all messages and calls were going there.

Changed passwords on all accounts. Notified bank, credit cards, and cell provider. Froze credit reports. Have a monitoring service now. So far nothing new has happened but I have changed security procedures. No more shared passwords.

When it comes to online I normally only use recognized sites. I use Apple Pay if possible. With any financial site I use 2 factor identification and a different email address than for other things. I use a password generator or passkey whenever possible. Passwords are changed often. If I get an email regarding financial accounts or commerce accounts I do not use the contact information provided. I use information I have or look it up online and confirm through multiple sources. AirDrop is turned off unless I'm using it and then only to known contacts.
|
| Member |
I do most of this as well. I should use a different email address for sensitive sites than what I use generally. Perhaps Proton or iCloud mail (maybe not iCloud - since it's only available while I use Apple devices? Proton is ecosystem/platform agnostic?).

"Wrong does not cease to be wrong because the majority share in it." L.Tolstoy
"A government is just a body of people, usually, notably, ungoverned." Shepherd Book
|
| Member |
I know people who use virtual machines on their desktop/laptop for this. I don't. I generally use the iPhone to pay bills that are not part of an autopay setup.
iCloud mail can be accessed by anything, you just may have to do manual configurations. Or let Apple autogenerate some mail that is forwarded to where you want. If it is even needed... my bank logins do not use email, for example.
SIM hijack. Could be Apple Store employee, could be phone provider employee, or both, and they probably aren't the masterminds. These aren't lone wolf things, there are criminal enterprises that do this at grand scale. This is why I prefer MFA apps instead of SMS codes, if I can. The problem is SMS messages are easier for customers who don't have decades in technology and are comfortable with the MFA apps like Google Authenticator or Authy.

-- I always prefer reality when I can figure out what it is. JALLEN 10/18/18 https://sigforum.com/eve/forum...610094844#7610094844
|
| Member |
Good to know I can continue to use iCloud email even if I stop using Apple devices. I've never heard of MFA apps. I'll need to look it up. If one is averse to Google, then what are good MFA app alternatives?

"Wrong does not cease to be wrong because the majority share in it." L.Tolstoy
"A government is just a body of people, usually, notably, ungoverned." Shepherd Book
|
| Member |
Personally, I use Authy.

-- I always prefer reality when I can figure out what it is. JALLEN 10/18/18 https://sigforum.com/eve/forum...610094844#7610094844
|
|

