Thanks for your reply. To be honest, I have no idea if the bank employs rate limiting, but would hope they do. I can see what you’re saying about the time scales and rate limiting.
I can’t find any evidence of 2FA. You start the app, enter your password and you’re in. No SMS, no security key and no secret question. You then have full access to view/pay etc.
I did a bit of Facebook messaging with them and they told me they do use 2FA, but couldn’t explain what it was. The only thing I can think is they take a fingerprint of my phone and compare that.
They told me they check that it’s ‘really me’ which sounds reassuring, but I have no idea how they could do that without knowing me personally and a video call. For example, if my wife had my password and logged in with my phone, would they know it wasn’t me? I don’t think so.
You can access the banking system online, through a web browser, and that does use 2FA with the app. You start the login process online and it asks you to generate a code using the app. You log in to the app with your password and choose the option to generate a code, which looks quite like a TOTP code. I’m happy with that process.
But I can’t see any way that 2FA is employed for the app. There’s no user name, and no 2FA.
Yes I agree with the risks you have laid out. A small risk I have considered is that the bank is hacked, passwords decrypted and they appear for sale on the dark web. Then my mobile is stolen and the thief gets hold of the cracked database and they are in. Probably unlikely, but there it is, all fixed by a nice long uncrackable password.
Yes I was thinking of changing banks, but do quite like them. Their online system works well and generally the customer support is good, but I may change anyway.
Yes I agree with what you are saying about the crypto keys the bank uses. Presumably they wouldn’t be dumb enough to use MD5! Anyway, I don’t know and will never know as I’m sure they wouldn’t disclose.
I’m tempted to delete the app and just use the system with a web browser as this seems much better, with a user name up to 80 characters and a password of, I think, 30 characters, but as they use the app for 2FA, you have to use it. Another option is a physical security key. I asked about this, but it takes 10 days to post it and you can’t use your account in any digital way in that period; you have to use telephone banking, which I don’t fancy much.
Sorry to bang on, hope I haven’t sent anyone to sleep lol!