Financial Apps on cell phone - risks/benefits?

Hmm, a couple thoughts. My FA will not do any transactions made either online or through email without speaking to DW or me.
For those with complex passcodes on your phones how often do you have to enter these?
My android phone is not locked but I seldom am places where I'm concerned about losing it.
 
In wallet if you highlight a card, go to upper right and hit the circle with 3 dots, go to card details and select Express Transit Card, this allows you to turn off Face ID and just wave for transactions.
Only for transit (like subway/bus turnstiles)
 
Paranoia strikes deep, I guess.

In order to get into my phone a thief would need my fingerprint or my PIN. That's just to get into my phone. After a certain number of failed attempts at guessing the PIN the phone would lock up.

I have the Fidelity app on my phone. In order to get into my Fidelity account a hacker would need to have my fingerprint, or my username and password, or the master password to my 1Password password manager. And in order to get into my 1Password manager the hacker would need my fingerprint to unlock it just to get a chance at guessing the password.

If the hacker were to call Fidelity and try to get access to my account(s) they would need my social security number and my voiceprint.

OTOH, I don't have banking apps on my phone because I find it easier to do online banking on my PC. However, I would not worry too much about security on a mobile banking app.
 
If you’re referring to me, not paranoid, just asked what the forum thinks about financial apps on phones. I’ll put you down as not concerned 😂
 
In wallet if you highlight a card, go to upper right and hit the circle with 3 dots, go to card details and select Express Transit Card, this allows you to turn off Face ID and just wave for transactions.
Again, I don’t know as much as criminals know, but criminals seem to evolve at least as fast as security does.
Nope, I can't see that at all.
 
So my son’s iPhone was pickpocketed last week. Within one hour the criminal was in the phone and had attempted to change the Gmail password, which was subsequently locked for security. That meant that my son couldn’t use Find My iPhone from his iPad to lock, wipe or freeze his cellphone. The criminals made 5 attempts to move money and also went into Apple Wallet and tried to use the credit card. The only reason they didn’t get anything was due to the apps knowing that the phone wasn’t in a typical location. Granted, my son had an easy phone lock password, but it was still scary how much phishing they were able to do. They also had access to his contact list. They texted and FaceTimed everyone in our family pretending to be him. They innocently asked for the ATT PIN to our cellphone account. Luckily I contacted each family member and told them not to communicate with the stolen phone. I had already called ATT and frozen the account, but with an iPhone you can message with WiFi regardless of data plan status. That’s a brief synopsis.
Thanks for sharing. I have everything available on my phone as I appreciate and take advantage of the convenience. I'll have to give this more thought to assess my own risk areas. Would render 2 factor authentication about meaningless.

After years of international travel, I am very careful about where I carry my passport, wallet, phone on my person to minimize pickpocket risk.

The criminals actually tried to FaceTime? That would be an interesting interaction.
 
I put the Fido App on my phone but removed it. Not so much a security concern as it used the fingerprint login, more so the fact I was looking at the portfolio way too often.
 
Paranoia strikes deep, I guess.

In order to get into my phone a thief would need my fingerprint or my PIN. That's just to get into my phone. After a certain number of failed attempts at guessing the PIN the phone would lock up.

I have the Fidelity app on my phone. In order to get into my Fidelity account a hacker would need to have my fingerprint, or my username and password, or the master password to my 1Password password manager. And in order to get into my 1Password manager the hacker would need my fingerprint to unlock it just to get a chance at guessing the password.

If the hacker were to call Fidelity and try to get access to my account(s) they would need my social security number and my voiceprint.

OTOH, I don't have banking apps on my phone because I find it easier to do online banking on my PC. However, I would not worry too much about security on a mobile banking app.
Fingerprint. Come on Q we’ve seen those movies with what they do to get that!
 
I have our bank's app on my phone, that is the only financial one.
I have the 6 digit passcode on my iPhone and 2FA on all financial accounts.
Hopefully, that is enough. I rarely have my phone out in public, unless I am answering a text or something.
 
If you’re referring to me, not paranoid, just asked what the forum thinks about financial apps on phones. I’ll put you down as not concerned 😂

No, I didn't mean you. There are a group of people on here that are a bit skittish about having their financial information on devices.
 
Fingerprint. Come on Q we’ve seen those movies with what they do to get that!

LOL, yes we have. However, if it got to that situation, I would open my phone for them since they would not be "casual" thieves. I also believe if large transfers were initiated at Fidelity, they would attempt to contact me, whereupon I would use our secret safe word and the transfer would be stopped.
 
I do not understand why I would ever need to access my financial accounts through an app on my phone, especially when away from home. I am not checking my portfolio, buying/selling, moving sums of money between my accounts, etc. I am doing much more fun things :).

It's fine to have a virtual "wallet", but at worst for that you are only exposing CCs and not your bank accounts. I am fine with the risk with CCs due to the protection. Not so with bank and investment accounts.
 
Thinking more about this, and the OP's original question, and the risk of an attack that involves financial institutions, I'm thinking there should be more concern for having an email client on the device.

Say the bad guy pickpockets the device that has a weak or no device-wide password, so an email client is sitting there. They see your email history and know you have an account at BrokerageAreUs. They hit the web site at brokerageareus.com, click "forgot password". They complete the email loop and now they try to log in on the web site. Ah, but you're smart, and set up two factor authentication. Bzzzt! The web site sends the code via SMS, which the bad guy immediately gets, and completes the two-factor authentication! They're then authenticated to your financial site. Even though you had no financial app on the phone, you're screwed! And this is a smart hacker, and went with a VPN with a server in the US, so the non-US mitigation at brokerageareus was thwarted. Now you need to hope that there will be additional security beyond email when they set up a payer or a wire transfer. And you're guaranteed to have a snarl to untangle.

The conclusion I'm reaching is that for all the hand-wringing about financial apps on mobile devices, the email client is the elephant in the room. One mitigation would be to remove the email password from the email client, but that would mean typing your email password every time you wanted to refresh your email, which is a pain. Or maybe the email client could be configured to use the biometrics. That would be the best mitigation to the email client risk.

For those with complex passcodes on your phones how often do you have to enter these?
Because I've got biometrics active, I type the long passcode every third day. That includes the times when my hands are wet and/or dirty, because the fingerprint sensor doesn't work well under those conditions, plus the case where it's been "too long" and the system is wanting me to re-type it so I know it by heart.
 
I do use the Fidelity app on my phone once in a while to deposit a check, but download and then delete the app every time.
 
I’m not aware of any app that uses my phone’s passcode?

If I can’t use FaceID, then I have to login using my account name and password.

So when FaceID fails a certain number of times, the fall back is the passcode.

A passcode or password is also required if the device is in any of the following states:

  • The device has just been turned on or restarted.
  • The user has logged out of their Mac account (or hasn’t yet logged in).
  • The user hasn’t unlocked their device for more than 48 hours.
  • The user hasn’t used their passcode or password to unlock their device for 156 hours (six and a half days), and the user hasn’t used a biometric to unlock their device in 4 hours.
  • The device has received a remote lock command.
  • The user exited power off/Emergency SOS by pressing and holding either volume button and the Sleep/Wake button simultaneously for 2 seconds and then pressing Cancel.
  • There were five unsuccessful biometric match attempts (though for usability, the device might offer entering a passcode or password instead of using biometrics after a smaller number of failures).

The other thing, I use iCloud keychain so that it populates my login and password on all my Apple devices. If it fails to authenticate by fingerprint or FaceID, it will prompt you for the passcode and then fill in the passwords for you.

Good for usability but not so good for security.

It's a setting you can change in the Security section of Settings.
 
One thing to consider, Apple wallet has no passcode once in the phone. If there are any cards, accounts, tickets etc then they are able to see those and try to initiate transactions.

I appreciate all the comments. I have 2FA, long, unique passwords and ID's as well as voice recognition for my accounts.
It is still very disconcerting when you can see a stolen device on your family Life360 being charged and moving around a city and having 6 financial transactions attempted. No way to turn off the WiFi on the stolen phone and no way to know what they can see or access.

I have my Apple wallet open now on my iPhone and I can't see any card details, just the last 4 digits of each card.

Apple Wallet stores virtual versions of your credit cards. The last 4 digits are the PAN or a virtual number tied to the device. It's not the last 4 digits of your actual credit card.

They can't use that number independently of the device.
 
Yeah access to your email is a big deal. Many institutions will also send 2FA codes to your email, so your email is one of the keys to your kingdom.

Also they advise rebooting your phone once a week, so that any possible malware can't persist.

That's when a long passcode (or password, using both letters, numbers) is kind of a hassle.

Temptation is to use same passcodes or passwords more than once, like to unlock the phone and to get into 1 Password.

I've thought about changing from 6 digits to an alphanumeric passcode, haven't done it yet.

BTW, I once lost an iPhone in Amsterdam, it never appeared on Find your iPhone because whoever had it shut off communications. But I did send a message with my email offering reward.

So I got emails from some Eastern European domain and a fake iCloud website where I was prompted to enter my iCloud password, which would unlock the activation lock.
 
I keep my financial apps on the phone. If traveling, I like to check every other day the transactions to ensure there is no suspicious activity. I rarely use my computer anymore to do transactions, usually I use my tablet.
 
I do not understand why I would ever need to access my financial accounts through an app on my phone, especially when away from home. I am not checking my portfolio, buying/selling, moving sums of money between my accounts, etc. I am doing much more fun things :).

It's fine to have a virtual "wallet", but at worst for that you are only exposing CCs and not your bank accounts. I am fine with the risk with CCs due to the protection. Not so with bank and investment accounts.

I keep my financial apps on the phone. If traveling, I like to check every other day the transactions to ensure there is no suspicious activity. I rarely use my computer anymore to do transactions, usually I use my tablet.

I don't generally check when traveling but once in a while I log into apps, much faster than using a desktop browser.

For instance, Fidelity, I will use the app because I can get in quickly. In fact when I log in at the website, it prompts you to go open the app to verify that I'm trying to log in.

Vanguard does this as well.

Or when I am traveling, I will check my Schwab app to see the withdrawal I just made at a foreign ATM.

Once a month, I track my assets and after I let Quicken update, I will log into some of the apps just to compare the balances because sometimes Quicken fails to download all the transactions or updates to accounts.
 
Apple Wallet stores virtual versions of your credit cards. The last 4 digits are the PAN or a virtual number tied to the device. It's not the last 4 digits of your actual credit card.

They can't use that number independently of the device.
I have my Apple wallet open now and it shows the 3 images of my registered cards each with “…” followed by 4 digits and those 4 digits which exactly match the last 4 digits on each of my cards.
 
So when FaceID fails a certain number of times, the fall back is the passcode.



The other thing, I use iCloud keychain so that it populates my login and password on all my Apple devices. If it fails to authenticate by fingerprint or FaceID, it will prompt you for the passcode and then fill in the passwords for you.

Good for usability but not so good for security.

It's a setting you can change in the Security section of Settings.

I use 1Password. If FaceID fails, then I need to enter the master password.

You bring up a good point using iCloud keychain. I was thinking of moving from 1Password to iCloud keychain once iOS 18 is released with a password app. But if it lets you use the passcode if FaceID doesn’t work, I may stick with 1Password.

Maybe the setting you mentioned will be good enough? I’ll need to take a look.

It goes to my earlier point though, make sure you understand your security on all devices.
 
I have my Apple wallet open now and it shows the 3 images of my registered cards each with “…” followed by 4 digits and those 4 digits which exactly match the last 4 digits on each of my cards.
You're right in the Wallet app, it shows the actual last 4 digits of the card.

But when you use it in Apple Pay, it's transmitting the PAN. When it prints the receipt of the Apple Pay transaction, you will see that the last 4 digits printed are from the PAN or also the Device Account Number, not the actual last 4 digits of your card.
 
I have all my financial entities on my smartphone.
My credit union checking account.
My 403(b) provider (TIAA)
My primary investment provider (Vanguard)
My two credit card companies.

I access them wherever I am.
I move money to pay off my CC balance twice a month wherever I am.

I move excess retirement income from checking to my taxable account wherever I am.

I set up limit orders to buy more ETF shares blah, blah, blah.

Are we seeing a trend here?
 