by donkeyd 898 days ago
> I also almost never use apps like dedicated banking apps or social media apps; instead, using Safari.

Nearly every bank I know of recommends using apps over their website, since in general they're safer than using their websites. But I'm in The Netherlands and I don't know whether banking apps in different countries have the same security standards.


That is probably true because phones are less susceptible to keyloggers or evil browser extensions, but "security standards" have approximately nothing to do with it beyond "using HTTPS".

The security model for US banks is that it's illegal to do crimes to people's bank accounts. It doesn't involve "super secure apps"; bank account numbers and credit card numbers are super insecure, and there is little reason you should care about this insofar as you're not liable for leaking them.

The difference is that with an app, the server can ensure it's running on a safe non-compromised/jailbroken device using remote attestation (Play Integrity, App Attest).

With a web browser, there's no way of doing that by design as the user has full control over their user agent, so you need to trust the end user is following good security practices and hasn't allowed their user agent to become compromised.

However, in the EU, banks are legally liable for financial loss caused by unauthorised transfers, so they are increasingly not willing to trust that the user hasn't just loaded their browser up with malicious extensions and malware.

This might be true for credit cards but for the vast majority of people, even completely irrespective of income, getting your checking account number leaked to a nefarious party can absolutely cause you a hell of a lot of trouble.

Credit cards will give you the benefit of the doubt with a credit while they investigate. Banks (and credit unions) are going to be VERY hesitant to give you a 5-figure advance into a new checking account while they investigate how your account got drained when it initially looks like you did it. Even the most pro-customer policies practicable won't help when now all your automatic payments start failing. It's certainly a recipe for ruining your week, and you'll likely spend the next month or two dealing with the fallout, and that's assuming you don't face crippling financial penalties because of it, which the majority of Americans would.

> as you're not liable for leaking them.

But it's fun when you get your checking account drained, and it takes weeks to get it back.

I've seen that happen to a couple of folks.

That's also why I don't like to link my account to sites like PayPal and Venmo.

I solve that, by not doing banking with my phone.

Social media and store loyalty apps are basically just PID harvesters.

In fact, I have a couple of solitaire games that are constantly nagging me to join leaderboards and take community challenges.

All my financial transactions are done with my Mac, which sits behind a fairly robust home network.

I know, for certain, that banking apps are the #1 first target, for hackers.

Where I live, having the app for 2FA is mandatory for online banking unless you can convince them to give you a hardware TAN generator. So transferring money is actually much less convenient in the browser, because everything I do has to be confirmed with my PIN in the app, so I might as well just do it in the app directly and only log in on one device instead of two.

Of course this is actually "phone factor authentication" and not two-factor authentication, but I kinda need a bank account.

Ugh. Sorry to hear that. I use 1Password for TFA, and I haven't had to use an app.

When I first run an app, and it asks for access to camera, microphone, photos, calendar, contacts, and location, I tend to immediately plonk it; regardless of its purpose.

I have a PMB, and the store has an app that uses the phone to unlock the door, after hours.

There is a keypad, but that hasn't actually worked, in months, and the store has ignored my reports.

I just go there, during business hours, even though it's inconvenient.

I just recently started a job that uses 1Password, which I've used personally for years, but they also recommend the 2FA built into 1Password. It's incredibly convenient, and I "know" it's as secure or more secure than using my phone, but man, I just haven't been able to get over that mental hurdle of putting all my auth eggs in that 1Password basket.

With a touch login on the phone and (say) Google Authenticator, IMHO it's considerably less inconvenient to log in to something online with the desktop than what Chase does to me. The phone is sitting right there anyway, and 6 digits to type in by hand is not that big a deal. I do it all the time.

Basically the phone is the 2FA generator.

Does "the app" mean the site's app?

I mean the bank's phone app. It is locked to one specific device and is the only possible method of authentication. I either need to use the app itself, or confirm every login and transaction in the app when using a browser.

My bank has a similarly unhelpful approach, but at least the SMS code expires, and my phone never sees my bank password at all.

> I solve that, by not doing banking with my phone.

Even though some scum corps like Chase make it a PITA to manage my account from a desktop through Firefox, that's the only way I'm going to interact with them.

"Download the app!"

Hard no!

In fact, these are the only apps I think that appear regularly on my phone, but only when I'm traveling: Airbnb, Uber/Lyft, and whatever airline I'm currently flying on next. I think if I'm crossing borders I've installed whatever gov spyware makes TSA/Global Entry easier. They're already groping me hard, why not.

LA Fitness gets to stay because it's dumb and silent. I don't see anything else not security related. On mobile I talk to the outside world with K-9, Firefox, Signal, WhatsApp, SMS. I'm happy.

I don't use Chase in the US, but I had issues with Firefox and some financial websites.

My fix was to create an entirely new profile, with no customization, no cookie restrictions, no add-ons, and use it only for financial sites.

I then exit my current FF, and switch to it, and back again.

All my issues vanished after doing that.

You could also create a different user in Linux, and isolate that way.

Hope it helps.

> I then exit my current FF, and switch to it, and back again.

FWIW, you can also run multiple profiles simultaneously. They are independent processes, sharing no resources or permissions.

This is my model for difficult sites. If I'm really concerned, I use FF network config to allow access only to the domains I think are proper.

Although in the case of banking, I prefer to use the official mobile apps. Some are actually pretty good. Others are awful. But I trust the iOS app sandbox and I trust my banks.

I also block traffic at the network level, so if the bank app attempted something egregious (e.g. tracking via the basket of Internet deplorables), it would fail.
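The two comments above (a dedicated, add-on-free Firefox profile for financial sites, run as its own process, with network access restricted to an allow-list of domains) can be scripted. The following is an added example written for this page, not code posted by either commenter. It assumes that the "FF network config" the second commenter mentions is the common dead-proxy technique (point every protocol at an unreachable proxy on 127.0.0.1:1 and exempt only the allowed hosts via `network.proxy.no_proxies_on`); `bank.example` and the profile directory name are placeholders. Firefox reads `user.js` from the profile directory on every start and applies its prefs over `prefs.js`, so the restrictions survive anything changed through the UI.

```shell
#!/bin/sh
# Added example (not from the thread): create an isolated Firefox profile
# for banking with a domain allow-list enforced through proxy settings.
# Assumption: the commenter's "network config" is the dead-proxy trick
# modelled below; hostnames and directory names are placeholders.
set -eu

# make_banking_profile DIR HOST [HOST...]
# Writes DIR/user.js and prints its path. Every HOST is exempted from the
# (unreachable) proxy, so only those hosts are reachable from the profile.
make_banking_profile() {
    dir="$1"; shift
    mkdir -p "$dir"
    # network.proxy.no_proxies_on takes a comma-separated list; a leading
    # dot (".bank.example") matches subdomains.
    allow="$(printf '%s,' "$@")"
    allow="${allow%,}"
    cat > "$dir/user.js" <<EOF
// Manual proxy pointing at a port nothing listens on: any request not
// exempted below fails at connect time instead of reaching the network.
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 1);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 1);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.no_proxies_on", "$allow");
// Refuse plain-HTTP connections in this profile.
user_pref("dom.security.https_only_mode", true);
// Keep bank credentials out of the profile's on-disk password store.
user_pref("signon.rememberSignons", false);
EOF
    echo "$dir/user.js"
}

# profile_allows DIR HOST: returns 0 if HOST appears in the allow-list
# written by make_banking_profile, 1 otherwise. Handy as a sanity check
# before launching the profile.
profile_allows() {
    grep -q "network.proxy.no_proxies_on" "$1/user.js" || return 1
    grep "network.proxy.no_proxies_on" "$1/user.js" | grep -qF -- "$2"
}

# Usage (run once to create, then launch alongside the everyday profile;
# --no-remote stops it from attaching to an already running Firefox):
#   make_banking_profile "$HOME/.ff-banking" bank.example .bank.example
#   firefox --no-remote --profile "$HOME/.ff-banking" &
```

Because the proxy exemptions are matched by hostname, anything the bank's pages load from a third-party domain (analytics, font or script CDNs) fails unless it is added to the list; run the profile once with the browser's network console open to find the handful of domains the site genuinely needs before relying on it.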

I use Chase on my phone and desktop (Brave, not FF) and have noticed zero issues doing anything on the desktop.