While waiting for ten minutes on "hold" to make an appointment with my local branch of Scotiabank, I had time to read through the new "Digital Services Agreement". Most of the eighteen pages were unremarkable, but a couple of things stood out.
When you click "Accept", you are agreeing to not give your password to police if they ask!
You are responsible for maintaining the confidentiality and safekeeping of your Card, Card Number, Username, and Electronic Signature. ... These responsibilities include:
- not voluntarily disclosing your Electronic Signature to anyone else at any time, including any family member, friend, law enforcement agency, or financial institution employee;
You're also agreeing to not use "public" wifi:
(These responsibilities include:) using your own private wireless data connection, and avoiding use of public Wi-Fi services, when you are using the Digital Services;
This of course is from a bank that still refuses to allow Uppercase letters or Special characters in a password.
(Score: 0) by Anonymous Coward on Thursday September 29 2016, @04:05AM
If only all services carried this as a legal obligation.
Sorry, officer, I am legally required to not unlock my phone as you have demanded.
(Score: 4, Insightful) by frojack on Thursday September 29 2016, @04:20AM
The word voluntarily was used.
You make the cops get a warrant. Then it's no longer voluntary.
I think everyone needs to calm down. And maybe read the whole quote before getting all excited.
And maybe understand that upper case and special characters in a password mean diddly squat if your connection isn't secure because you logged into your bank from a coffee shop WiFi.
No, you are mistaken. I've always had this sig.
(Score: 5, Insightful) by pkrasimirov on Thursday September 29 2016, @07:38AM
What's wrong with coffee shop WiFi and SSL?
(Score: 2) by frojack on Thursday September 29 2016, @07:14PM
Ask the pimply faced kid lurking behind his laptop screen in the corner.
He probably already knows what level of SSL your bank is using and may have already tried a downgrade attack on your phone. (How sure are you that your phone isn't still using SSL 3?)
VPNs are actually WORSE [infosecurity-magazine.com] than most new browsers.
(Score: 2) by pkrasimirov on Thursday September 29 2016, @09:21PM
But that is 1) bank's fault at cyber security, 2) user's fault for using the bank and 3) unrelated to the coffee shop wifi. With compromised SSL I am at risk even at home.
(Score: 0) by Anonymous Coward on Thursday September 29 2016, @03:35PM
if you're logging into any site without tls you're a jackass.
(Score: 2) by bob_super on Thursday September 29 2016, @04:53PM
And yet banks keep pushing people to use phone apps to do all their banking... Who's the most irresponsible?
(Score: 2) by frojack on Thursday September 29 2016, @06:45PM
Phone apps can be quite secure. Most of them do use TLS/SSL. Very rarely do you hear of one that is being dragged through the mud in the press for not using secure communications.
And (contrary to popular opinion) the connection between joe user and the tower is a WHOLE LOT harder to hack than a wifi connection.
Further, even a Stingray does not break TLS/SSL as long as the app is using it. (Which is why it was such a big deal to remove all the downgrade attacks from all the SSL libraries).
(Score: 2) by bob_super on Thursday September 29 2016, @07:03PM
Sure, but it doesn't matter how good your connection is, when most phones can be completely owned, with little work, by someone using any hack published a few weeks prior, because patching is slow at best, and typically non-existent.
The other reason I really like my BB phone is that it gets security updates. Even then, I don't consider it a safe platform for banking.
(Score: 2) by frojack on Thursday September 29 2016, @07:26PM
The actual incidents of someone's phone getting "completely owned" are vanishingly rare, in spite of the horror stories you read in the press.
Install Warze on your phone from some gray-market app store in Singapore? Maybe. Real world? Your phone is far more likely to explode in your pocket than be owned by someone in a coffee shop.
(Score: 2) by bob_super on Thursday September 29 2016, @07:57PM
The wonderful thing about the internet is that "the coffee shop" doesn't matter. Your phone is vulnerable to script kiddies scanning random IPs against old known bugs pretty much as soon as it's on...
(Score: 2) by frojack on Thursday September 29 2016, @08:37PM
So is every other connected device to some degree. Realistically, the risk is tiny.
Funny thing is, other than early versions of windows directly to the internet, the script-kiddies are far from the most successful hackers in the world.
And as far as "vulnerable to kiddies the minute they are turned on", that just doesn't happen.
Have you actually tried to ping another phone on Cellular? Even if the owner looks up and tells you his IP and you have the same carrier connected to the same tower, you aren't going to ping it, let alone scan it.
You might be more at risk from the kiddies once you connect to wifi, but on cellular, not so much.