<usv523.f50.1@ID-201911.user.individual.net>

Path: ...!news.mixmin.net!news.swapon.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: Frank Slootweg <this@ddress.is.invalid>
Newsgroups: comp.mobile.android
Subject: Re: Codes sent by text message
Date: 14 Mar 2024 14:28:19 GMT
Organization: NOYB
Lines: 80
Message-ID: <usv523.f50.1@ID-201911.user.individual.net>
References: <ush35k$2791b$1@dont-email.me>   <uskdq1$30533$1@dont-email.me> <ehs1ckx25o.ln2@Telcontar.valinor> <uslrfo$3d85i$1@dont-email.me> <slrnuuufkq.2dnu.trepidation@vps.jonz.net> <uso5sl$3t2g9$1@dont-email.me> <usogor$2qg7$1@dont-email.me> <uspj7v$9u60$1@dont-email.me> <dh16ckxstg.ln2@Telcontar.valinor> <1xkfdi6umcwrp.dlg@v.nguard.lh> <uiu6ckxaub.ln2@Telcontar.valinor> <1p9miiflsgdlw$.dlg@v.nguard.lh> <ussvrc.12v0.1@ID-201911.user.individual.net> <hl3nh0scthys.dlg@v.nguard.lh>
X-Trace: individual.net puZxyb18EisBu/CzWIanYwoAZmm1G7yQcS9CQd7NTLTbLRIXRK
X-Orig-Path: not-for-mail
Cancel-Lock: sha1:0Hyvj4ubkER5JvQCBSqcfeUY3mQ= sha256:WcJpDO0Uc/I6ZATUetTeqzfvlD2WlZYbOoCzbmoUAPA=
User-Agent: tin/1.6.2-20030910 ("Pabbay") (UNIX) (CYGWIN_NT-10.0-WOW/2.8.0(0.309/5/3) (i686)) Hamster/2.0.2.2
Bytes: 4912

VanguardLH <V@nguard.lh> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
> 
> > VanguardLH <V@nguard.lh> wrote:
> > [...]
> > 
> >> I resist putting a bank app on my smartphone.  Anyone that has physical
> >> access could get into my account using the .  My bank's app says "Secure
> >> your account with a 4-digit passcode or biometric on supported devices."
> >> Sure wish the PIN were longer, like at least 8 digits, and more like a
> >> password where I can use alphanumeric characters, capitalization, and
> >> non-alphanumeric characters.  Or to use both a PIN *and* biometrics
> >> (fingerprint sensor).
> > 
> >   I don't use a bank app on my smartphone either. No need, on-line
> > banking on my laptop works just fine (with the bank's hardware TOTP
> > device).
> 
> My bank does not offer a hardware-based TOTP device, like a Yubi key.
> Mine is a community bank (no fees of any kind).  They're a bit behind on
> technology.
> 
> >   *If* you use a bank app, of course you don't only have to protect the
> > bank app with PIN/password/biometrics, but first of all have to protect
> > the whole phone with PIN/password/biometrics. So your scenario of
> > "Anyone that has physical access could get into my [bank] account" is a
> > non-existing one, because physical access does not mean they can get
> > 'in' your phone.
> > 
> >   Of course there is the theoretical scenario of someone getting hold of
> > your phone while it is still unlocked - for example they grab it from
> > your hands and run away -, but even in that scenario, any sensitive apps
> > - such as your bank app - are still protected by their own PIN/password/
> > biometrics.
> 
> Unfortunately my old LG V20 (c.2016) doesn't have an app lock feature.

  The app locking isn't a feature of the phone, but a - required -
feature of the app. In another response you've indicated that your bank's
app indeed does that.

  So (privacy/security) sensitive apps have a lock feature *in* the app.

[...]

> Considering theft can incur violence, I could get knocked out, forced at
> gun/knife point or by multiple assailants, dead, or the phone swiped
> while I'm using it, and someone can still press my finger to the
> fingerprint sensor.  A finger on a sensor is handy to unlock the phone,
> but doesn't require the user is voluntarily using it.  Although I have
> the fingerprint sensor configured to unlock the phone, it sometimes
> still asks for my PIN to regain access probably to account for possible
> theft of the phone, but the revert from fingerprint unlock to PIN unlock
> is infrequent.

  It's more likely that the thief/assailant just takes the phone and
runs, instead of forcing you through *all* the steps needed to get some
money/information out of you, but indeed nothing is impossible and this
has very little to do with smartphone security/privacy.
  
> Never had to hand your phone to someone else to use it?

  No, not without me supervising its use. And again, they might be able
to perform some actions, but they can't get into any sensitive apps.

[Irrelevant reverse scenario deleted.]

> I've not yet been in the situation where I'm assaulted for my phone, but
> then security isn't about what has happened but what might happen.  It's
> like anti-virus software: if you've been infected then too late, it's to
> prevent infection later.

  See above. You lose your *phone*, so you buy a new one and start over.

> >   OTOH, if your name is 'Newyana2', *anything* goes! :-)
> 
> Isn't Newyana2 a later nym that Mayayana started using about Sep 2023?

  Yes, but not everybody knows that, so I'm referring to him by his
new/current nym.