Woeful Security On Financial Phone Apps Is Getting People Murdered

Longtime Slashdot reader theodp writes: Monday brought chilling news reports of the all-count trial convictions of three individuals for a conspiracy to rob and drug people outside of LGBTQ+ nightclubs in Manhattan's Hell's Kitchen neighborhood, which led to the deaths of two of their victims. The defendants were found guilty on all 24 counts, which included murder, robbery, burglary, and conspiracy. "As proven at trial," explained the Manhattan District Attorney's Office in a press release, "the defendants lurked outside of nightclubs to exploit intoxicated individuals. They would give them drugs, laced with fentanyl, to incapacitate their victims so they could take the victims' phones and drain their online financial accounts [including unauthorized charges and transfers using Cash App, Apple Cash, Apple Pay]." District Attorney Alvin L. Bragg, Jr. added, "My Office will continue to take every measure possible to protect New Yorkers from this type of criminal conduct. That includes ensuring accountability for those who commit this harm, while also working with financial companies to enhance security measures on their phone apps."

In 2024, D.A. Bragg called on financial companies to better protect consumers from fraud, including: adding a second and separate password for accessing the app on a smartphone as a default security option; imposing lower default limits on the monetary amount of total daily transfers; requiring wait times of up to a day and secondary verification for large monetary transactions; better monitoring of accounts for unusual transfer activities; and asking for confirmation when suspicious transactions occur. "No longer is the smartphone itself the most lucrative target for scammers and robbers -- it's the financial apps contained within," said Bragg as he released letters (PDF) sent to the companies that own Venmo, Zelle, and Cash App. "Thousands or even tens of thousands can be drained from financial accounts in a matter of seconds with just a few taps. Without additional protections, customers' financial and physical safety is being put at risk. I hope these companies accept our request to discuss commonsense solutions to deter scammers and protect New Yorkers' hard-earned money."

"Our cellphones aren't safe," warned the EFF's Cooper Quintin in a 2018 New York Times op-ed. "So why aren't we fixing them?" Any thoughts on what can and should be done with software, hardware, and procedures to stop "bank jackings"?

Simple.

[msauve]

>Any thoughts on what can and should be done with software, hardware, and procedures to stop "bank jackings"?

Sure. Don't carry around financial apps which can transfer thousands of dollars. Leave that to the PC at home.

Re:

[hsthompson69]

Or...just spitballing here...maybe we shouldn't hanging out with stupid people in stupid places at stupid times?

Creating a whole system based on the high risk of going to a club, getting wasted, then taking drugs from a random stranger as you go home, seems like demanding that celibate people use condoms when masturbating because people having unprotected sex might get STDs.

If anything, add a "I'm going out drinking late at night and taking drugs from strangers" button on financial apps, to freeze them from

Re:

[jenningsthecat]

If anything, add a "I'm going out drinking late at night and taking drugs from strangers" button on financial apps, to freeze them from working for 48 hours.

Now THAT seems like a really good idea! If I used my phone to pay for stuff and to access my accounts, I would activate that feature in a heartbeat - and I don't even do high-risk stuff like that mentioned in TFA.

Re:

[Sique]

Perfect! Victim blaming at its finest!

• First, in a sane society, being harmless and stupid should not come with the risk of death.
• Second, the perpetrators are the criminals here.
• Third, the crime is facilitated by apps that make it attractive to drug and rob the victims of their phones.
• Fourth, it should be made clear by the providers of the app that installing the app is akin to carrying your whole net worth in cash with you all the time.

Re:

[kaatochacha]

Being harmless and stupid, historically, has ALWAYS come with a risk of death.

Re:

[NotEmmanuelGoldstein]

... the PC at home.

In one respect you are correct: Security means putting it under lock and key. Now that phones have stopped providing that service, users should not have such applets on their phone.

The phone OS makers recognize they've dumbed-down security: Now, the high-end models offer secure storage that can hold applets and data, not merely photos and voice recordings. For 10 years, third-party applets on Google Play have provided the same security. Once again, the user failed to learn good habits.

You are also

Yep

[abulafia]

That's what I do. Banking and other sensitive apps live on an old phone that doesn't leave the house.

I can count the number of times I've needed to do an unexpected cash transfer when I'm not near home on a veteran meatpacker's hand. Even if it weren't a risk, it simply isn't a capability I need.

The phone that leaves the house also gets its own email address, which isn't used for anything important, and I set an MDM profile to ensure Icloud doesn't start exfiltrating things randomly and a few other thin

Re:

[Tony Isaac]

This problem does not affect banking apps, *all* of which require you to log in to use them. It's just these personal payment apps that have lax security.

Google Wallet has the same problem, you can't set it to require a PIN or password to authorize a payment. If your phone is unlocked, you can pay for things, no more questions asked. Nope, not doing that!

Re:

[havana9]

Nowadays you could install a banking app on your smartphone, or getting SMS to have information on suspicious use of your credit cards or to authorize payments. In one case you have to trust an app, in the other case you can be targeted wit a SIM swap attack.

Re:

[MachineShedFred]

If the attacker drugged you, took your phone, and used your finger / face to unlock it, what the fuck good is SMS MFA when the code comes to the phone they're using to steal all your shit? Why would they bother with a SIM swap when they can just read the fucking notification?

Re:

[znrt]

that's a good advice in general but won't help in this case. how would the attackers know? they might have beaten you to pulp already before even reaching for that phone, just because you look like carrying a juicy phone and being an easy target.

the defendants lurked outside of nightclubs to exploit intoxicated individuals

just don't hang around risky places in such a sorry state. learn to do drugs.

Re:

[Kisai]

There's two solutions that come to mind.

1. Require two simultaneous inputs any time an unfamiliar store is used. Eg Apple Pay at a new merchant over $50 requires you to insert the chip + PIN card first. The last 50 dollars is run through Apple Pay and the rest on the chip card. Merchants won't like this because it results in paying two sets of fees.
2. For P2P (Cashapp/Venmo/PayPal/Zelle/Wise/Xe etc) require establishing trust by
a) physically meeting and exchanging long tokens by NFC (not QR) which confirms

Re:

[PleaseThink]

Those solutions completely break the reason to use those payment features in the first place.

1. The point of using something like Apple Pay is so you don't have to carry around a wallet. Now you'd be unable to pay for anything in a new area or if you go window shopping on a whim. Stores aren't going to go for that. People who care about fashion aren't going to go for that.

2. Tons of uses of those apps are to pay for random eCommerce services from amateur sellers. Your solution completely breaks their

Re:

[thegarbz]

Sure. Don't carry around financial apps which can transfer thousands of dollars. Leave that to the PC at home.

That's called throwing the baby out with the bathwater. Why not try saying the word "password", or "2FA" or "transaction limit" instead.

I went to buy a car the other day but when the shop keeper wouldn't give it to me. Apparently he didn't want to come to my house and didn't understand when I told him I don't carry my wallet so I can't get robbed.

Re:

[Bert64]

This is a case of robbery and murder...
You will probably be carrying some form of ID which contains your home address, and likely to also be carrying the keys for accessing your home address. After murdering you, the criminals are free to take these things and visit your home address, enter using the key and take anything they find.

As an aside, having stripped your body of identifying material it will take the police longer to identify your corpse and discover your home address, so by the time they turn up

Re:

[drinkypoo]

Sure. Don't carry around financial apps which can transfer thousands of dollars. Leave that to the PC at home.

If I want to load checks into my bank account, then I need the phone app. I would have to reinstall it every time I wanted to deposit a check. I cannot do it through the PC at home.

Re:

[mjwx]

>Any thoughts on what can and should be done with software, hardware, and procedures to stop "bank jackings"?

Sure. Don't carry around financial apps which can transfer thousands of dollars. Leave that to the PC at home.

That is way too sensible, the next thing you'll be asking is for /. to write sensible headlines.

People aren't being murdered due to their financial apps, they're being killed as a side effect of robbery for their phones.

However the preventative measure is the same, secure your shit. Ultimately if it was too hard to get money via someone's phone thieves would stop. It's the same with the "endemic" phone snatching reported in London... If you don't want your phone snatched why are you walking around wit

Re:

[kaatochacha]

That, however, doesn't stop someone from attacking you believing you have the ability on your particular phone. It may even anger them to the point where they kill you just because you don't have them.

Re:Simple.

[ls671]

To me, the better solution is to treat financial apps differently from other apps. For example, have a "special folder" on the phone, and any app within that folder is subject to special rules.

If you don't want to use computers, about a dedicated phone just for banking? I have a cheap Intel celeron dedicated laptop just for banking and it's only turned on for banking then turned off again after doing updates when required. It's the only device I use for banking.

I know this breaks the picture of the magical technology dream that allows you to do everything and that most people will find it unpractical and inconvenient but anyway, I am just sharing what I do myself to feel safer.

Re:

[jenningsthecat]

I know this breaks the picture of the magical technology dream that allows you to do everything and that most people will find it unpractical and inconvenient...

Well, the best we can do is to educate people that there's really no such thing as magic. "Unpractical and inconvenient" is preferable to naive belief in a Phone Fairy which miraculously protects your accounts while simultaneously allowing virtually unfettered access to them anywhere and anytime.

Re:

[Shadow of Eternity]

Second, a password for the folder that, if entered, does something to prevent access. For example, delete the contents of the folder, locks access until a second password is entered later, locks access for some long period of time, like a week or month, and so forth.

So what you're saying is you want to turn phone robberies into kidnappings where you get tortured if you enter the duress password?

Re:

[Bert64]

Extra passwords add a lot of inconvenience, especially for quick payment apps - although you could have exceptions for small transactions.

But the fact is if you're willing to go to the extent of drugging and murdering someone to get access to their accounts, the extra step of beating them with a 5$ wrench until they hand over the password is not much of a stretch.

After all, what use is having money if you're dead? The threat of murder would be enough to convince most people to hand everything over.

Re:

[TractorBarry]

And your solution is beaten in about 2 minutes with a pipe wrench. "Unlock it". "No". "OWW... ok... ok...". No amount of encryption or passwords will protect a phone.

Phones are by their nature portable, and very easily lost or stolen. My phone has a small list of contacts, all using nicknames, and is used for voice calls and a few texts. I'm old fashioned so a lot of numbers are simply kept in my head (I come from the generation that has memory skills). If it's lost or stolen a thief will get to use u

Re:

[Tyr07]

The phones are locked. They're drugged and assaulted into giving them the password to the phone. Even if you put in a separate password, the result of not giving them the password is the same as not giving them the pin to your phone.

They will beat or kill you. If you lock the financial app, give them a password that delete the apps, they'll behave the same way as if you didn't give them the password.

That's why they do time locked safes, so that the criminal knows no matter how much pressure they apply to th

Re:

[MachineShedFred]

It's the height of naiveté to think that a criminal won't just beat another password out of you if they're already in the jackpot for armed robbery, assault by pointing a deadly weapon, and / or murder.

These people literally drugged their victims in order to be able to beat biometrics. Why in the hell do you think a password would offer any additional protection whatsoever if the victim is already in that situation?

Try thinking, please.

Re:

[GuB-42]

Except it is not about trans people in particular. It is just that robbers found that these bar patrons, who may or may not be trans or gay would make good victims.

I don't know about Hell's Kitchen in particular but sometimes, straight people sometimes go there too, gays tend to be good at partying, and many straight people with an open mind recognize this. Unfortunately, it also means lots of drugs and people wasted, making these places particularly attractive to these criminals.

Re:Trans hate instead you shold have more

[Powercntrl]

The OP is just a troll with rsilvergun living rent free in his head. Admittedly, this copypasta probably did begin as a variation of something rsilvergun wrote at some point. Lately he's been blaming Trump's victory on culture war issues, which pretty much flies in the face of the actual exit poll data (primary issues were inflation, the economy, and border security).

Sure, I'll admit that Trump's victory certainly has emboldened some of the people who already were bigots to begin with. That's what Hillary's infamous "basket of deplorables" remark was actually about, when taken in context. But the majority of the American public is not suddenly jumping on board the hate and discrimination train just because Trump is president again. I should know, I'm a gay guy living in the middle of MAGA ground zero: Florida. If people truly were becoming more homophobic, I'd have experienced it firsthand.

Re:Trans hate instead you shold have more

[Powercntrl]

Oh, it can get bad for us LGBTQ+ folks with Republicans in charge. I'm not denying that. The issue though is that being collectively okay with throwing us under the bus and being actively bigoted/homophobic are two different things. Americans are just an individualistic bunch, and we all are guilty of it to some degree.

Re: Trans hate instead you shold have more

[Slashythenkilly]

When you feel like making an intelligent comment on the content of the story, feel free to jump in hero.

Re:

[msauve]

Surely if you go upstairs and ask your mom, she'll let you use her's.

Make banks responsible

[alexgieg]

Make banks responsible for financial transactions done on their apps by victims of criminals. If the person can prove they were robbed, kidnapped, mugged, intoxicated, or whatever, the bank is obliged to cover the stolen funds so the victim loses nothing.

Once such a law goes into effect, you'll see banks RUSHING to make their apps as secure as possible. Let them figure out the details, as I'm sure they'll be way more creative than whatever criminals can think of.

Re:

[msauve]

>Make banks responsible for financial transactions done on their apps by victims of criminals.

Which is the same as saying "make all the other customers share the responsibility", so those in relatively crime free communities subsidize those in high crime ones.

Re:

[alexgieg]

Which is the same as saying "make all the other customers share the responsibility"

AKA insurance, one of the neatest features of civilization.

Re:

[alexgieg]

Or maybe they could stop going to clubs late at night (...)

Blaming the victim: the conservative go-to solution to every social ill.

Re:

[alexgieg]

They hate America for our power and wealth.

In my country the hate is generally due to the US toppling a democratically elected president to install dictators, then forcing the government to stop us from using 80% of our railways so US car manufacturer companies could sell more cars here, then forcing the government to forcibly trash formerly profitable public companies causing them to go bankrupt and be sold to American corporations, then forcing the government to further remove support for industry causing most of them to go bankrupt so we'd purcha

Re:

[alexgieg]

Saying people should be responsible and accountable for their actions is flame bait -1.

Except when it's saying banks shouldn't be responsible for providing extremely insecure methods of money transfer and offloading that insecurity into unsuspecting bank users. Then it's fine, and an enlightened view of business relations.

Also, demanding perfect morality from most of humanity, as then things will work fine. Because that always works, see e.g. the Soviet Union, and Libertarian NAP fantasies etc. (horseshoe theory and all that).

Re:

[Tony Isaac]

These aren't bank apps. Bank apps require you to log in to use them. These are non-bank payment apps, like Apple Pay and Cash App. Big difference.

Re:

[alexgieg]

In my country all bank apps work that way. There's no remarkable difference other than that bank apps have more things within them, such as investments. Also, most debit and credit cards here are contactless, so the user experience differs little between touching your phone to the POS machine, versus touching your card to it, versus shooting a photo of the QR code shown in its display.

Re:

[geekmux]

Banks? Rushing to protect you?

Might I remind you that in our era of complex passphrases and biometric multifactor authentication so commonplace that children use it, our illustrious banking institutions STILL only ever ask you to use a four-digit numeric PIN.

To secure the one resource worth the most in this world.

Hell of a way to say they give a shit.

Re:

[alexgieg]

our illustrious banking institutions STILL only ever ask you to use a four-digit numeric PIN

Well, in my country the PIN may be anything from 4 to 8 digits, it varies with each bank. But besides that several banks allow you to set a virtual limit distinct from your real one, so if you use that feature then anyone stealing their card while watching you type the PIN won't be able to purchase much.

And apps themselves use either a simple password and simple digital biometrics to access the app in reading-only mode; a second, more complex password for doing transactions; active IDing the phone to make s

Re:

[mjwx]

Make banks responsible for financial transactions done on their apps by victims of criminals. If the person can prove they were robbed, kidnapped, mugged, intoxicated, or whatever, the bank is obliged to cover the stolen funds so the victim loses nothing.

Once such a law goes into effect, you'll see banks RUSHING to make their apps as secure as possible. Let them figure out the details, as I'm sure they'll be way more creative than whatever criminals can think of.

I admire your optimism.

Banks will make their apps as secure as they are legally obliged to and no further... Especially as more security will discourage people from using said apps which means they'll switch to alternatives, the worst of which is cash as banks cant skim 2-5% off the top of cash transactions.

You're right that a lot of the solutions will be creative, finding the best way to comply with the letter of the law whilst trying to ignore the purpose of the law. Malicious compliance refined to

Re:

[alexgieg]

Banks will make their apps as secure as they are legally obliged to and no further

As profitable as they can make it, which takes into account several factors, one of which are legal obligations.

When safety becomes profitable, they become safe. Legal obligations are a great part of making safety profitable for them.

Re:

[strikethree]

Make banks responsible for financial transactions done on their apps by victims of criminals.

That is an impossible barrier to entry. Did you think this through at all or is it just a knee-jerk reaction?

How the FUCK is a bank supposed to determine whether or not someone is holding a gun to your head and requiring you to send money? They can't even do that at an ATM with video cameras.

I... I just can't... WTF bro?

Re:

[alexgieg]

That is an impossible barrier to entry.

I always find it funny when Americans say that something that's common all around the world is "impossible".

An exceptional country, the USA. :-)

Re:

[Jason Earl]

This not only encourages risky behavior, but it guarantees that the price of that risky behavior gets paid for by everyone else.

Yes, it is very convenient to be able to do all of your banking from your phone, but it is essentially the equivalent of carrying around all of your cash in a backpack. Most people have their phone unlock easily with their face or their fingerprint. If this became the accepted norm then everyone with a bank account would soon find that banking was far more expensive.

Not only

Re:

[alexgieg]

If the banks are going to be responsible for losses from phone apps then it will become very inconvenient to bank on your phone, because they will want to severely limit their exposure.

I described in other answers how it works in my country. It's a little bit more inconvenient, but not that much, and still pretty convenient all around.

I'm more inclined towards more safety at the expense of convenience myself, so I own two phones, a cheap one for banking I keep offline at home, and another I carry with me with no banking app. What I have of banking in this one is only an accounting app to know how much I have in my accounts and cards, but that's it.

Re:Make banks responsible

[alexgieg]

Making party A accountable for the actions of Party B is an absolutely horrible idea.

Nah, what I described works quite fine in my country. Such insurance is legally imposed upon banks, so their apps are extraordinarily secure compared to the crap US banks distribute to their customers. And if customers here want extra protection over the legally imposed, banks sell insurance for as low as $1.49/month with, for example, 72 hours to report robbery, rather than the legally required 24 hours.

For the record, my country has much higher crime rates than the US. And banks are HUGELY profitable despite all the "horribleness" of the idea.

Re:

[misnohmer]

The additional insurance is on top of the fact the bank has to cover all the customer loses, so if customer writes their password on the phone case, leaves the phone on a bus, then someone steals $10,000 from their account, the bank covers the $10K and insurance gives them additional $10,000 (or more, if they bought more of that insurance)? Or are banks only responsible for the fist $1,000 or some other amount, and the rest you have to buy insurance for yourself. That $1.49/month example you provided, how m

Re:

[alexgieg]

if customer writes their password on the phone case, leaves the phone on a bus, then someone steals $10,000 from their account, the bank covers the $10K (...)?

No, that isn't covered. A criterion is that there must be proof the person was victim of violence and forced to unlock their account, via a formal police report with accompanying evidence. If there's no evidence that'd be acceptable as such in a court, you're out of luck.

To help mitigate that banks provide plenty anti-fraud measures. For example, my bank app allows me to set a "virtual limit" on my non-contact credit card that is distinct from my real limit, so I keep that limit low, and only increase it wh

Re:

[mjwx]

Making party A accountable for the actions of Party B is an absolutely horrible idea.

Nah, what I described works quite fine in my country. Such insurance is legally imposed upon banks, so their apps are extraordinarily secure compared to the crap US banks distribute to their customers. And if customers here want extra protection over the legally imposed, banks sell insurance for as low as $1.49/month with, for example, 72 hours to report robbery, rather than the legally required 24 hours.

For the record, my country has much higher crime rates than the US. And banks are HUGELY profitable despite all the "horribleness" of the idea.

Which country out of curiosity.

Here in the UK banks are liable for fraud via electronic transfer... All the security measures have done is put in an extra screen when transferring cash that says "I confirm this is not a scam" as it's not legally binding. At the very best (worst) they'll stop the transaction until you contact the bank, which is a PITA when you're trying to buy a used car on a Saturday afternoon.

For a long time, banks have written off the cost of fraud as the cost of doing business, why

Re:

[alexgieg]

Which country out of curiosity.

Brazil. Our banking industry is considered one of the most advanced in the world, way ahead of most European ones, which in turn are way ahead of the US one. I've described some of that in other replies within this thread.

Notice that banking is arguably the only industry in which we lead. In everything else we're worse than most everyone else, no two ways about that.

Re:

[alexgieg]

Heh, weak trolling. :-)

Re:

[thegarbz]

It's a horrible idea which is standard and works to make banking better in literally every other country OECD country than the USA.

It may be horrible, and I'm glad we have you to feel sorry for us, but we're doing just fine thanks. You can direct your concerns somewhere else.

Re:

[MachineShedFred]

That's a horrible response. I'm sorry that you couldn't be bothered to enumerate why it's horrible when the person that offered it says that it's working for them.

Be better.

Re:

[alexgieg]

We do. They're almost completely forbidden here. Our one handgun factory sells mostly to other countries, not internally.

What in the actual fuck?

[Powercntrl]

"Woeful security" on apps is not getting people killed. People are getting killed because that area clearly has a crime problem that isn't being properly addressed. Even the best security can be defeated by the $5 wrench attack [xkcd.com].

When you think about it, most locks for houses are pretty insecure too. The majority of them can be easily opened with a bump key. Course, here in Florida you can legally be shot for doing that (and even us liberals have guns here), so that's the real deterrent.

Re: What in the actual fuck?

[commodore73]

"Give me access or I break your fingers" is also a pretty good password cracker. I cannot possibly see how the apps or banks are responsible for street crime here. Why not just blame money itself, hence the fed.

Re:

[havana9]

I have a plain old Mastercard credit card, with magnetic strip, chip and pin and wireless options, and embossed numbers.
Getting mugged at gunpoint near an ATM it's possible and happened in some crime infested areas, or pickpocketers swapping credit cards at ATM while secretly filming the PIN.

Re:

[thegarbz]

"Woeful security" on apps is not getting people killed. People are getting killed because that area clearly has a crime problem that isn't being properly addressed. Even the best security can be defeated by the $5 wrench attack [xkcd.com].

Except the $5 wrench isn't the goal. The goal is to rob people through drugging and weak security. The risk of that crime is fundamentally different for the people committing it than kidnapping someone and wrenching them to hand over their passwords. By the way the best wrench in the world can't beat a transaction limit.

Your comment is the same as those used in gun control debates - the idea that there is a perfect alternative in every way, and that one less gun means just one more stabbing, or one more bea

Re:

[jbmartin6]

The wrench attack isn't that useful if the transaction can be reversed the next day and any attempted use of the stolen funds leads law enforcement right to your door. There was a stupid Batman movie where some villain forced Bruce Wayne to put his finger on a scanner and transferred all his stuff away. They even shut off power to Wayne Manor while he was driving home.. Stupid. Those transactions would be repudiated before the villain got out the door.

Re:What in the actual fuck?

[mjwx]

"Woeful security" on apps is not getting people killed. People are getting killed because that area clearly has a crime problem that isn't being properly addressed. Even the best security can be defeated by the $5 wrench attack [xkcd.com].

When you think about it, most locks for houses are pretty insecure too. The majority of them can be easily opened with a bump key. Course, here in Florida you can legally be shot for doing that (and even us liberals have guns here), so that's the real deterrent.

Yes and no.

The headline is woeful, but this is Slashdot and if you've not figured that out you must be new here.

People are being killed due to robberies, but the cause of those robberies is that it's easy and profitable for the thieves to get access to loads of money via poorly secured apps. The apps are designed to be poorly secured to encourage their use. If you had to have any kind of security interaction to use them, a lot of people will use the apps less and go back to ordinary card and cash transactions as they're less faffing about. This means the companies behind the apps will lose money.

So long as the cost of fraud is less than the money they'd lose by securing their apps, nothing will change.

Point in short, criminals have found an easy scam... the best way to stop this is prevention (which is far better than cure), making it harder to move cash around from Apple Pay and other apps... Banks and Apple will fight this for the reasons mentioned above.

Security is inconvienient

[FeelGood314]

If it is inconvienient people will by pass it. People want higher transaction limits. Good security requires the project manager to actually think intelligently about the problem for 5 minutes. ( Collectively all the project managers in the world have never had 5 minutes of intelligent thought). NIST has only just changed their rules to explicitly dissallow password rules like a Capital, small, number, symbol and rotate your password every X days. They finally also dissallowed SMS as a 2FA. Every app wants you to have an account and password. Guess what, most apps aren't important enough for me to create a unique password for, so most people use the same password for everything. (and putting some spin on the app or website as a prefix for you password doesn't add much entropy to your password).

If I make a more secure app people will use my competitors. My app could even be easier to use but if it doesn't follow the user flow they are used to they won't use it.

I would recomend banking from home but my bank has a $2000 transfer limit on the web app and a $15000 limit on the phone app. My rent is $2500, guess which I have to use.

People are dumb. Regulations will likely make it worse as people will all use similar work arounds to make their lives easier.

Re:

[PleaseThink]

putting some spin on the app or website as a prefix for you password doesn't add much entropy to your password

It's not supposed to. It's to keep one password leak from compromising all your accounts. Those are nearly always automated attacks so using an algorithm to generate your passwords based off the site/service you're accessing is fine.

On iphone? If feeling uneasy tap power 5x

[TigerPlish]

On iphone, if you half-suspect you're 1) about to be arrested or 2) about to be mugged, tap the side button 5 times, or nail and hold the power and volume together.

Do that,, and the phone won't open unless passcode is given.

Do people actually walk around with their guard completelydown?!

(yes, yes they do. No situational awareness at all.)

Re:

[Powercntrl]

Tried the five button presses just to see what would happen. It activated my accessibility shortcut (I use it for dimming the screen below the normal minimum brightness level) and then brought up my wallet. Must be a feature they added to a later version of iOS.

Good thing I don't regularly get arrested or mugged.

The first step is not blaming the apps

[Slashythenkilly]

The apps are working as intended and can be encrypted, password protected, or simply not put on whatever device you are going to the bar with. If your defense is "the perpetrator sold me drugs" well thats on you too. Everyone is acting like this is some big mystery to solve when all along its as simple as dont carry wads of cash.

Re:

[kiviQr]

They are not. FaceID, finger print - that works with drugged person. Banking app should require additional pin for transactions. They should also allow for distress pin that would pretend that action was done.

Re:

[Todd Knarr]

"Real bank apps" do in fact have options to allow transfers, payments, etc. without additional authentication. They're there because, as bad an idea as they are, users have demanded ways to avoid having to enter credentials (even biometrics) every time they want to pay someone. Those of us who understand security have been saying over and over that this is a bad idea because if you can do something without needing to authenticate first then anyone who has your phone can do it too. And users still enable tho

Re: The first step is not blaming the apps

[Slashythenkilly]

Nope, robbery is form of theft using force, fear, or coersion to commit the crime.

Re:

[SuiteSisterMary]

I'm confused. Are you arguing that people *should* take steps to see their own safety (password their bank apps so as not to get taken advantage of/not wear sexually suggestive clothing so as not to get taken advantage of) or are you arguing that people *should not* take steps to see to their own safety (I shouldn't need a password, or clothes; criminals shouldn't crime.)

Re:

[Tony Isaac]

Both.

People should take steps to protect themselves, but even if they don't, that doesn't make the criminal less of a criminal.

Re:

[SuiteSisterMary]

That is, in fact, the correct answer.

Re: The first step is not blaming the apps

[Slashythenkilly]

"People should take steps to protect themselves" That was my point and you said no no no, thats like blaming a woman for being raped. Better make up your mind their bub....or is it just ok if you think its your idea?

Re: The first step is not blaming the apps

[Slashythenkilly]

"Your argument is like saying that if a woman wears a bikini to a bar, it's her own fault if she gets raped. Well maybe it's not so smart, but rape is still a crime committed by the rapist." 1.) You are comparing apples and oranges as there is a huge difference between rape and robbery. Nobody said a criminal isnt a criminal. What I am saying is if someone is dumb enough to leave to leave themselves wide open, there is no amount of security that is going to help. 2.) If you lock your doors when you leave

Wait! What?

[PPH]

They would give them drugs, laced with fentanyl, to incapacitate their victims

People just accept drugs from strangers? This sort of blows the whole claim that the pro-drug people have to leave distribution channels alone. Because that is what gets addicts killed. Taking unknown mixtures of who knows what from people that they have no trust relationship with.

So much for listening to junkies.

Re:

[ThumpBzztZoom]

People just accept drugs from strangers?

How do you think illegal trades work? Yelp reviews? Dealers so common everyone knows several, as the turnover rate is high? And even if you knew the dealer, you do not know all of the mid-level dealers just in the US that cut and distributed the drugs before the street-level dealer, never mind who actually made it. There are not many ways to tell what a powder or pill even is before ingesting it in some way. A lot of unaccountable strangers are in the chain, so adding one more at the end does not represent

Nope

[skogs]

Adding an extra password, pin number, etc will not have any effect on this. Thumbprint....whatever.

The bad men got people high in order to do the modern, and significantly longer, version of snatch and grab mugging. If you make it harder to log in to each app...all you're really going to do is force these twats to be rougher with their victims while they molest them to get the pin/face/eyeball/thumb/finger/number/password/pattern/textauthenticator. The person getting victimized is still sitting there. T

Thousands? Maybe

[viperidaenz]

Tens of thousands? That should be triggering an alert at the bank, requiring the customer to call them to authorise the transfers.
At least that's how my bank works. They have daily transfer limits.

Re:

[Bert64]

Requiring calls for anything is a HUGE pain when you're travelling and get hit with $5/minute roaming charges for voice calls plus 1hr+ wait times.

There's no need for any of this

[hyades1]

I've never felt a need to create any link whatsoever between my cell phone and my financial resources. Over the years, I've watched banks where I have accounts pushing to change the rules in ways that would make customers responsible for any losses that may occur from their accounts, no matter how they happen. So far, they've had only limited success, but they just don't stop trying. I have little doubt they'll get what they're after sooner or later.

Given the inevitable outcome, I have decided I have no compelling need to change my current arrangement. If I want to bank, I'll do it in person or on-line, from a PC far more secure than my cell phone could ever be.

Re:

[ledow]

I bank via an app-only bank, have done for years. It took me forever to actually find a bank in my country that had any decent online offering (I can remember leaving one bank because they tried to tell me that a Java applet in an HTTP site that showed a padlock in the Java applet window was "secure", when all the other banks were just using SSL/TLS).

But then I live in a country with consumer law too.

You are missing that there are certain things that online doesn't do that an app does.

I stand in a queue.

Re:

[Bert64]

There used to be branches of 7 different banks in the small town where i live, now there's only one.

And yes the insistence on doing things "in branch" was a HUGE headache for me 20 years ago. I only got 1 hour break for lunch, and it would take 15 mins to drive from my workplace to the closest bank. Because lunchtime was the only time most people could go there was always a long queue, including many elderly who could have gone at any time of the day but for some reason chose lunchtime anyway, plus half the

Re:

[thegarbz]

I'm glad I live in a place where what you describe is not legally an option for the bank.

If I want to bank, I'll do it in person or on-line

For how long? As you said the banks make the rules. While we have strong consumer protection laws where I live one of the laws we are missing are bank service laws. Sure you can do banking in person but you have to make an appointment first and they charge you a $5 fee.

Re:

[hyades1]

Are you insane? Where do you live that banks make you book an appointment, then charge you a service fee for it? I walked into my local branch last week to take out a sum of money for a cash transaction. It took me five minutes. There was no fee.

As for how long on-line banking will be available, one of the banks where I do business has been involved in on-line banking since around 1995. It has more than 20 million customers world-wide. That's not including a couple of hundred thousand businesses using

Fingerprints

[ledow]

Which is why I have never advised people to use fingerprints for security - it can be used when you're unconscious and without your consent.

I mean, good luck getting a passcode out of me, even drugged... I'm not sure I know what many of them are, I just know the finger-pattern. And it's hard to type that in when I'm perfectly fine, let alone incapacitated.

Fingerprints are NOT security, they are NOT your password. We need to make financial apps realise this and stop allowing their use, much like we need p

Bragg should maybe put crims in prison

[ahodgson]

Where they belong

Re:

[Targon]

Crime isn't "rampant". New York City has more people living in it that many states, so you have population density, but you also have a population that doesn't need to drive to go from their homes to where they go for entertainment, because it is in walking distance of public transportation, or even just walking distance in general. Anywhere you go, you will find that the clubs are a good place for criminals to find victims, but when you have a lot of people living in one city, you will hear about more

Re:

[MachineShedFred]

So prosecuting and convicting murderers is "failure to do anything about rampant crime" all of a sudden.

Thanks for self-identifying as an easily bilked rube who watches way too much right-wing agitprop.

Re:

[Powercntrl]

This is what they mean by that expression "there are lies, damned lies, and statistics". Other places may have more crime, but they don't have criminals going all Jeffrey Dahmer to commit robbery.

If you don't have a lot of crime but the crime you do have is seriously messed up, you still have a problem.

Re:

[ceoyoyo]

Ah yes, that expression made up by people who are annoyed when reality harshes their narrative.

Are you comparing a couple guys who drugged people to steal their money and accidentally ODed a couple to a guy who ate his victims?

Re:

[Powercntrl]

Are you comparing a couple guys who drugged people to steal their money and accidentally ODed a couple to a guy who ate his victims?

Other than the motive being one of profit rather than psychopathic behavior, the crimes otherwise had a lot of similarities. I'd even go as far to suggest that recent renewed interest in Dahmer's crimes (gee, thanks Netflix) might've provided some inspiration to the Hell's Kitchen criminals.

Re:

[ceoyoyo]

Other places may have more crime, but they don't have criminals going all Jeffrey Dahmer to commit robbery.

Ah, so you're claiming that New York is the only place where criminals sell people drugs and rob them? Colour me skeptical.

Re:

[Targon]

Look at Texas if you want to see examples of people doing that sort of thing. It's not limited to the cities, you hear about a lot of nasty stuff happening all over, but the remote areas of "The South" where people live way out in the middle of nowhere will be the source of some of the nastiest stuff, but you don't hear about it because the locations are very remote.

Re:

[toxonix]

Did someone get eaten or have their parts stuffed in a fridge here, or what? I guess there are similarities with the drugs and young party boys.

Re:

[Shadow of Eternity]

You're committing Chesa Boudin Fraud. Just because you refuse to count them doesn't mean the crimes stop existing.

Re:

[HiThere]

This doesn't sound like a hate crime, but rather "picking the low hanging fruit". Look for the most vulnerable, and rate which is the most profitable to attack.

Re:

[HiThere]

They were looking for people coming out of nightclubs and drunk enough to take drugs from strangers. Being armed wouldn't have helped.

Re:

[Shadow of Eternity]

So you're saying getting drunk and then taking unknown drugs from complete strangers in high crime areas is so inherently tied to being gay that criminals targeting those people is a hate crime against gays?

Wow that's pretty bigoted of you.

Re:

[ledow]

In the nicest possible way, no technical measure can account for a human making a very bad decision.

Which is why draining a retirement account shouldn't be just behind a technical measure but require a lot of very explicit authorisation. Not wanting her to have the financial apps is basically identical to just not wanting her to have a card or access to the account because you don't trust her. Whether that's justified or not, it's not something that anyone else can do anything about, and it's not related

Re:

[drinkypoo]

What will that help when the victim has been murdered, and therefore cannot report that their phone was used without their permission? The bank isn't going to be notified of their death.