Nope. I have computers all over my house and log in from any of them.
HighLonesome wrote: Thu Jan 09, 2025 4:51 pm Do you use a separate PC/Laptop/Tablet to do your online investing/banking etc? What do you use and why?
MUN
No separate device.
Many banks/institutions are using the mobile app for authentication. Bank of America and Chase both send push notifications to your phone when you call customer service to verify you.
And I do almost exactly the opposite of all of the above.
MedEngineer wrote: Thu Jan 09, 2025 8:14 pm 1) I practice good computing hygiene
2) I do NOT use a phone or any device on a mobile network.
3) I do not use social media apps on my phone.
4) I do NOT use a password manager; I keep an offline password file with encryption.
5) I keep my phone contacts limited to family & friends as much as possible.
6) Until recently I only used a wired connection to my router.
7) I've considered a dedicated cell phone/number just for Two-factor authentication messages, but I'm too cheap to pay for another phone.
Absolutely not; I use my laptop or phone or whatever on more or less any network that's available.
HighLonesome wrote: Thu Jan 09, 2025 4:51 pm Do you use a separate PC/Laptop/Tablet to do your online investing/banking etc? What do you use and why?
They send email and SMS.
MtnTravel wrote: Thu Jan 09, 2025 9:28 pm Many banks/institutions are using the mobile app for authentication. Bank of America and Chase both send push notifications to your phone when you call customer service to verify you.
And what about fraud alerts? Banks generally use the app to send you a notification and ask if X Transaction was yours.
It seems more of a hassle to not have apps on your phone.
Because the phone can be stolen, or you can be mugged and forced to log in to your accounts. By not having them on the device, that removes that possibility.
Cruise wrote: Thu Jan 09, 2025 11:06 pm For those who suggest not using phone for financial transactions, why is that?
Thank you?
While this isn't bad per se, it's not practically more secure. Theoretically, probably.
MedEngineer wrote: Thu Jan 09, 2025 8:14 pm No separate device.
1) I practice good computing hygiene
2) I do NOT use a phone or any device on a mobile network.
3) I do not use social media apps on my phone.
4) I do NOT use a password manager; I keep an offline password file with encryption.
5) I keep my phone contacts limited to family & friends as much as possible.
6) Until recently I only used a wired connection to my router.
7) I've considered a dedicated cell phone/number just for Two-factor authentication messages, but I'm too cheap to pay for another phone.
I'm not paranoid, just respectful of the abilities of bad actors. The old saying about raccoons and garbage cans helps a lot, if you make your trash cans harder to get into than your neighbors, then the critters go elsewhere where the pickings are easier.
So use a passcode. Now the thief has stolen a brick.
exodusNH wrote: Thu Jan 09, 2025 11:34 pm Because the phone can be stolen, or you can be mugged and forced to log in to your accounts. By not having them on the device, that removes that possibility.
Cruise wrote: Thu Jan 09, 2025 11:06 pm For those who suggest not using phone for financial transactions, why is that?
Thank you?
I also worry about phone vulnerabilities. All the carriers run software on your device with root access. A vulnerability there could allow an exploit.
I slightly fibbed when I say I don't have an app on my phone. I do have my hub bank's app so that I can do mobile deposits. But I don't store my username and password and so have to be home to get the credentials. I don't use that app for any other banking functions.
I agree with all of this.
BH13 wrote: Thu Jan 09, 2025 9:38 pm And I do almost exactly the opposite of all of the above.
MedEngineer wrote: Thu Jan 09, 2025 8:14 pm 1) I practice good computing hygiene
2) I do NOT use a phone or any device on a mobile network.
3) I do not use social media apps on my phone.
4) I do NOT use a password manager; I keep an offline password file with encryption.
5) I keep my phone contacts limited to family & friends as much as possible.
6) Until recently I only used a wired connection to my router.
7) I've considered a dedicated cell phone/number just for Two-factor authentication messages, but I'm too cheap to pay for another phone.
- I do use my phone / computer / iPad on any wifi network, even public ones!
- I do use many social network apps on my phone
- I do use a password manager on my phone - even Cloud sync'd & with MFA tokens
- I have all kinds of phone contacts from any interaction, again Cloud sync'd. Tho pruned regularly
- I've been using Wifi since it was released.
As a (retired) Network Security engineer, I can only advise to keep your device OS / Apps / Router up to date. There is very little need for security theater fearing bad actors. Definitely using MFA wherever possible preferring Passkeys, tokens, and App based 2-factor over any SMS 2-factor.
In fact, make sure your mobile account has a SIM lock on it to avoid SIM hijacking.
+1
jebmke wrote: Thu Jan 09, 2025 4:54 pm I do not. Personally, I don't think it is necessary if one otherwise has good computing hygiene.
Google Voice. No charge.
MedEngineer wrote: Thu Jan 09, 2025 8:14 pm 7) I've considered a dedicated cell phone/number just for Two-factor authentication messages, but I'm too cheap to pay for another phone.
I buy cheap phones (low-end locked prepaid) and use them past the end of support for the operating system. I also don't install updates consistently on a phone.
Cruise wrote: Thu Jan 09, 2025 11:06 pm For those who suggest not using phone for financial transactions, why is that?
Thank you?
This is a bad idea even without financial apps on a phone.
MrNarwhal wrote: Fri Jan 10, 2025 7:17 am ...
I buy cheap phones (low-end locked prepaid) and use them past the end of support for the operating system. I also don't install updates consistently on a phone.
Why?
PersonalFinanceJam wrote: Fri Jan 10, 2025 7:36 am This is a bad idea even without financial apps on a phone.
MrNarwhal wrote: Fri Jan 10, 2025 7:17 am ...
I buy cheap phones (low-end locked prepaid) and use them past the end of support for the operating system. I also don't install updates consistently on a phone.
If a criminal forces me to log into my bank app, what could they do? If they make me link their account via ACH or send a wire to them, I can almost guarantee Chase is going to decline the transaction until I jump through a bunch of hoops (which they do even when it's my own account I'm trying to link).
exodusNH wrote: Thu Jan 09, 2025 11:34 pm Because the phone can be stolen, or you can be mugged and forced to log in to your accounts. By not having them on the device, that removes that possibility.
I also worry about phone vulnerabilities. All the carriers run software on your device with root access. A vulnerability there could allow an exploit.
I slightly fibbed when I say I don't have an app on my phone. I do have my hub bank's app so that I can do mobile deposits. But I don't store my username and password and so have to be home to get the credentials. I don't use that app for any other banking functions.
Every financial account I have can be accessed via a browser if the app isn't installed on my phone.
exodusNH wrote: Thu Jan 09, 2025 11:34 pm
Cruise wrote: Thu Jan 09, 2025 11:06 pm For those who suggest not using phone for financial transactions, why is that?
Thank you?
Because the phone can be stolen, or you can be mugged and forced to log in to your accounts. By not having them on the device, that removes that possibility.
I also worry about phone vulnerabilities. All the carriers run software on your device with root access. A vulnerability there could allow an exploit.
I slightly fibbed when I say I don't have an app on my phone. I do have my hub bank's app so that I can do mobile deposits. But I don't store my username and password and so have to be home to get the credentials. I don't use that app for any other banking functions.
A smart phone is basically just a small computer so it can still be hacked to run malware to do things like exfiltrate your contact list for additional malware targeting. Compromised phones are also increasingly being seen in use as part of botnets for cyber attacks. Honestly, unlocked used smart phones are pretty cheap from places like Swappa and Back Market and would still have support life left in them. I just don't see an excuse for using an always on connected computer past its OS support time. Or, you could get a dumb phone.
MrNarwhal wrote: Fri Jan 10, 2025 7:49 am Why?
PersonalFinanceJam wrote: Fri Jan 10, 2025 7:36 am
This is a bad idea even without financial apps on a phone.
Phone is generally powered off / rebooted daily, has background data disabled (to the extent possible on stock Android OS), and generally only used to access known apps and websites.
PersonalFinanceJam wrote: Fri Jan 10, 2025 8:34 am A smart phone is basically just a small computer so it can still be hacked to run malware to do things like exfiltrate your contact list for additional malware targeting. Compromised phones are also increasingly being seen in use as part of botnets for cyber attacks. Honestly, unlocked used smart phones are pretty cheap from places like Swappa and Back Market and would still have support life left in them. I just don't see an excuse for using an always on connected computer past its OS support time. Or, you could get a dumb phone.
Many sites will refuse to send SMS to Google Voice numbers. Even more problematic is that it might work when you first sign up, but will break in the future because they switched their SMS gateway providers.
feh wrote: Fri Jan 10, 2025 6:59 am Google Voice. No charge.
MedEngineer wrote: Thu Jan 09, 2025 8:14 pm 7) I've considered a dedicated cell phone/number just for Two-factor authentication messages, but I'm too cheap to pay for another phone.
Yeah, and that's what I do.
michaeljc70 wrote: Fri Jan 10, 2025 8:10 am Every financial account I have can be accessed via a browser if the app isn't installed on my phone.
exodusNH wrote: Thu Jan 09, 2025 11:34 pm
Because the phone can be stolen, or you can be mugged and forced to log in to your accounts. By not having them on the device, that removes that possibility.
I also worry about phone vulnerabilities. All the carriers run software on your device with root access. A vulnerability there could allow an exploit.
I slightly fibbed when I say I don't have an app on my phone. I do have my hub bank's app so that I can do mobile deposits. But I don't store my username and password and so have to be home to get the credentials. I don't use that app for any other banking functions.
Makes even less sense to me now. Primary machine runs an OS which tries to be secure by default and prioritizes security over most other things and phone is old out of date but you try to mitigate that. Seems like you could use the money saved by using a free operating system to update your phone a tick faster, but to each their own.
MrNarwhal wrote: Fri Jan 10, 2025 8:49 am ...
Phone is generally powered off / rebooted daily, has background data disabled (to the extent possible on stock Android OS), and generally only used to access known apps and websites.
My previous post was exaggerated a bit but the point is that I view a smartphone as a convenience device for mostly non-critical (or secondary) use so I put minimal effort and expense into it. My personal laptop used for directly accessing important accounts is upgraded to the latest OS (OpenBSD) version.
Because there are often security vulnerabilities that can be triggered by seemingly innocuous activities, like simply receiving a text message with an image. (Technically an MMS.) Or a vulnerability when displaying an image that's been intentionally corrupted in a particular way. (Exploiting a bug in the image processing code.)
MrNarwhal wrote: Fri Jan 10, 2025 7:49 am Why?
PersonalFinanceJam wrote: Fri Jan 10, 2025 7:36 am
This is a bad idea even without financial apps on a phone.
They all send Texts to your cell phone. You don't need their apps on your phone to get the texts. I don't have any banking apps on my phone. I get texts from all 4 of the banks I bank with based on the notifications level I accepted/set when I access their website via my home PC.
MtnTravel wrote: Thu Jan 09, 2025 9:28 pm Many banks/institutions are using the mobile app for authentication. Bank of America and Chase both send push notifications to your phone when you call customer service to verify you.
And what about fraud alerts? Banks generally use the app to send you a notification and ask if X Transaction was yours.
It seems more of a hassle to not have apps on your phone.
Not a network security engineer, but I needed to pass software security reviews, audits and certifications in my employed life. I do exactly what BH13 does.
BH13 wrote: Thu Jan 09, 2025 9:38 pm And I do almost exactly the opposite of all of the above.
- I do use my phone / computer / iPad on any wifi network, even public ones!
- I do use many social network apps on my phone
- I do use a password manager on my phone - even Cloud sync'd & with MFA tokens
- I have all kinds of phone contacts from any interaction, again Cloud sync'd. Tho pruned regularly
- I've been using Wifi since it was released.
As a (retired) Network Security engineer, I can only advise to keep your device OS / Apps / Router up to date. There is very little need for security theater fearing bad actors. Definitely using MFA wherever possible preferring Passkeys, tokens, and App based 2-factor over any SMS 2-factor.
In fact, make sure your mobile account has a SIM lock on it to avoid SIM hijacking.
The “mugger” theory is a red herring
michaeljc70 wrote: Fri Jan 10, 2025 8:10 am Every financial account I have can be accessed via a browser if the app isn't installed on my phone.
exodusNH wrote: Thu Jan 09, 2025 11:34 pm
Because the phone can be stolen, or you can be mugged and forced to log in to your accounts. By not having them on the device, that removes that possibility.
I also worry about phone vulnerabilities. All the carriers run software on your device with root access. A vulnerability there could allow an exploit.
I slightly fibbed when I say I don't have an app on my phone. I do have my hub bank's app so that I can do mobile deposits. But I don't store my username and password and so have to be home to get the credentials. I don't use that app for any other banking functions.
This is still security theater even in the face of AI. AI has nothing to do with the threats faced by the average person: credential stuffing and phishing. We already know how to protect against both threats with password managers and 2FA.
xb7 wrote: Fri Jan 10, 2025 10:34 am I don't currently but think that I might move to do so. I envision a relatively cheap windows laptop that I turn on once a week or (much less frequently) to do actual transactions. The biggest time sink there would likely be making sure that windows and my security software were up-to-date each time I turned it on.
I understand the points of those who say that sufficient security 'hygiene' is all that's needed. For the most part I agree --- for right now. My concern is that increasingly good AI will make it a lot easier for fairly unsophisticated criminals to cast better nets to rob us, particularly with so very many data breaches at differing companies such that it seems likely that much or all of my classic 'ID theft' information is already out there somewhere.
It strikes me then that an inexpensive laptop that I tuck (hide??) away somewhere in my house might be worth having going forward.
I would have the only copy of my authenticator credentials on this machine, no phone or tablet or other PC access to my primary brokerage. And as others have suggested, no email done on this machine, no web surfing, game playing, social media, whatever, just the minimum number of apps installed to allow access to my brokerage account and only use the PC for that purpose only.
And per above, the first thing I would do every time I turned on this PC would be to check for windows updates and updates to my security software.
Clark Howard is a podcast host, not a security expert.
AllMostThere wrote: Thu Jan 09, 2025 6:17 pm I "sandbox" a Chromebook as my dedicated financial computer and been doing this since November 2020. I purchased from Best Buy during Black Friday for only $79. It's a Lenovo - Chromebook 3 11.6" HD Laptop - Celeron N4020 - 4GB Memory - 64GB eMMC. Very peppy little computer that I keep next to my TV relaxing chair and I use it daily. I think it's a great idea that I got from Clark Howard. Key is to never, ever, not ever use for Surfing the web, Online shopping, E-mail access, Visiting Facebook, Twitter/X or any other social media platform. This is where the trouble starts. I have often thought about using a dedicated email for my financial accounts but have yet to implement that option.
Clark Howard has a great write up about the using a Financial Computer.
https://clark.com/personal-finance-cred ... rk-howard/
Scammers now take advantage of this to send phishing texts/calls which look like your bank. App based notifications don't suffer from this.
LittleMaggieMae wrote: Fri Jan 10, 2025 10:03 am ...
They all send Texts to your cell phone. You don't need their apps on your phone to get the texts. I don't have any banking apps on my phone. I get texts from all 4 of the banks I bank with based on the notifications level I accepted/set when I access their website via my home PC.
Years ago, I got a fraud alert txt AND a phone call to my cell phone from a CC. I have also gotten a txt when there's been an issue with the card I was trying to use to make a purchase - basically asking me to confirm that it was really me making the purchase by entering a code or something - it was a long time ago and only happened once. I don't have the banks or the credit cards app on my phone.
Not a security engineer either, but I was a telecom engineer and now a Medical device engineer and still employed doing risk management so I lean towards the least exposure necessary. I don't disagree with mrb09 & BH13, I'm sure they are fine if they take precautions. There are new attack strategies happening all of the time, I've seen a demonstration how to get past 2FA by cloning a cell number, yes it's a pretty advanced attack but it is possible if the target is worth the effort. Also to be honest, I hate using the tiny screen on a phone for anything, so security is another justification to not use my phone.
mrb09 wrote: Fri Jan 10, 2025 10:19 am Not a network security engineer, but I needed to pass software security reviews, audits and certifications in my employed life. I do exactly what BH13 does.
The people using a 1% SWR.
Absolutely agree with the mobile passcode lockdown, and also agree there are a number of other things unrelated to separate devices: strong unique passwords, 2FA for email to guard against password reset attempts, shutting off message preview for locked phone screens. And a protocol for changing passwords if a device is lost (including a stolen desktop), since a registered device may bypass 2FA. And of course keeping up on security updates.
MedEngineer wrote: Fri Jan 10, 2025 3:51 pm Not a security engineer either, but I was a telecom engineer and now a Medical device engineer and still employed doing risk management so I lean towards the least exposure necessary. I don't disagree with mrb09 & BH13, I'm sure they are fine if they take precautions. There are new attack strategies happening all of the time, I've seen a demonstration how to get past 2FA by cloning a cell number, yes it's a pretty advanced attack but it is possible if the target is worth the effort. Also to be honest, I hate using the tiny screen on a phone for anything, so security is another justification to not use my phone.
mrb09 wrote: Fri Jan 10, 2025 10:19 am Not a network security engineer, but I needed to pass software security reviews, audits and certifications in my employed life. I do exactly what BH13 does.