this post was submitted on 29 Aug 2024
45 points (95.9% liked)

Personal Finance

3861 readers
1 users here now

Learn about budgeting, saving, getting out of debt, credit, investing, and retirement planning. Join our community, read the PF Wiki, and get on top of your finances!

Note: This community is not region centric, so if you are posting anything specific to a certain region, kindly specify that in the title (something like [USA], [EU], [AUS] etc.)

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
45
What has your experience been with a credit union? (lemm.ee)
submitted 4 months ago by [email protected] to c/[email protected]
42 comments fedilink hide all child comments
 

I like the idea of a less profit-driven business that is maybe more community-focused but I wonder if they have the same capability as a bank? Have you been able to do your banking needs at a credit union? Was the customer service decent?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 4 months ago* (last edited 4 months ago) (1 children)

I’m done with credit unions. They just create the illusion of a small org but then farm you out to big companies via outsourcing anyway.

  • Most credit unions have outsourced just about every aspect of their business. They are like shell companies all working as many different façades to the same giant corporations. CUs in-house expertise doesn’t go far beyond their branding and marketing. Your sensitive financial info gets shared around with a handful of giant corporations while giving the illusion that you have the privacy benefits of a small CU.
    • billpay outsourced to 1 or 2 different billpay services nationwide
    • monthly statement generation: outsourced to the same few corps
    • statement printing: outsourced, then they charge you for it
  • Credit unions spam the shit out of whatever email address you supply, thus enabling all entities handling the email to see where you bank each time the CU decides to spam you. Commercial banks are better on this in my experience. I think commercial banks have calculated that spam just angers people and drives them off, whereas credit unions are either not diligent enough to make that calculation or they are assuming their small org appearance will go a long way in obtaining forgiveness.
  • Most credit unions have put their website on Cloudflare in the past few years. Which means:
    • Consumers are generally forced to expose their account credentials to a privacy-abusing tech giant (while agreeing to be accountable for damage stemming from credential leakage)
    • Consumers are generally forced to expose to their credit union their approximate physical location every single time they connect to the website as a consequence of Cloudflare. Which means if they move outside of the CUs service area some CUs will notice that and even freeze/lock the account. They tend to admit directly in their privacy policy that they collect IP addresses specifically for geolocation tracking of their customers.
    • Consumers are generally forced to expose to their ISP where they bank as a consequence of Cloudflare. And considering Trump overturned an Obama policy that required ISPs to obtain consent for collecting and selling customer personal data, there is nothing to stop your ISP from selling info about where you bank to data brokers and debt collectors. Biden did not reverse Trump’s privacy sabotage.
    • Cloudflare can at any moment decide to block you for any reason arbitrarily, and suddenly your web access to your money is gone.
    • Consumers who are behind CGNAT outside of their control are often blocked by Cloudflare. If a snot-nose script kiddie in your CGNAT pool decides to scrape some websites, CF’s excessive protectionism might kick in and block the IP which could go to you next, and you lose access to your money because CF overreacted to a harmless snotnose kid.

Being free from Cloudflare sometimes means you can login over Tor and avoid most of the problems above. OTOH many commercial banks also block Tor increasingly more frequently lately (because they also want to track your physical whereabouts). There may be some Cloudflare-free CUs that still permit Tor logins though it’s becoming harder to find them.

Gratis paper statements are important more than you realise:

If you cannot find a bank or CU that gives you the privacy of Tor, the best feature to look for is gratis paper statements and paper checks so you can scrap the website and take back your privacy. It’s more common to find gratis paper statements from banks than CUs. As enshitification of the web proliferates and more FIs join Cloudflare, gratis paper statements is an important safety net so you can ditch their tech the moment it goes sour.

Regarding apps:

Credit unions do not write their own software. You have just a few closed-source Google Playstore banking app makers who all the credit unions outsource to. Whereas every commercial bank reinvents the wheel with their own implementation. For me it’s a shitshow no matter what. I am not going to enter Google Playstore and tell Google where I bank and let Google track exactly which software version I have which also reveals what vulns I inherit, to then run a closed-source app that snoops on me in countless unknown ways. Fuck all that.

[–] [email protected] 2 points 2 weeks ago (1 children)

I used to exclusively do all my banking on TAILS. Its good advice, but I've had to give it up :(

Do you know of any banks that dont wholesale block all known Tor Exit Nodes?

If I could find a bank that would run an Onion Service, they'd get all my monies.

[–] [email protected] 2 points 1 week ago (1 children)

I have no idea. I wrote a script that attempts to reach all banks and CUs over Tor and logs the results. But I never finished the project.

But I will not make myself part of the anti-tor problem by using tor-hostile services (not even over VPN because that still sends the wrong message to the bank). I do all my banking offline the old fashioned way.

[–] [email protected] 0 points 1 week ago* (last edited 1 week ago) (1 children)

Ive always wanted to see such a comparison :)

I wish you would publish your research. It would be extremely helpful for those of us searching for secure banks. It sucks that the only way to know if a bank is secure is to signup and then find out after.

Even if you use paper, another major vulnerability is that ACH and SEPA transfers are pull-based. I would really like to see some research that publishes which banks allow you to setup an "allow list" of accounts that are permitted to withdrawal from your account (in the US this is called Positive Pay), but I haven't found this. Its a rare security feature that is usually only available for business accounts.

[–] [email protected] 2 points 1 week ago (1 children)

I wish you would publish your research.

I never finished the code and my partial results would be uselessly stale by now. But I hope to one day resurrect the attempt.

It sucks that the only way to know if a bank is secure is to signup and then find out after.

If that were true a crawler would have the same problem.

You can manually check by going through the motions of a manual login at a bank website. Clicking forgot password usually ensures you connect to the host of the portal.

But note that even if you find a usable bank, you need to think of it as temporary. So the most important feature to look for is gratis paper statements and gratis paper checks, so when enshitification happens you can land on your feet and stay functional.

Even if you use paper, another major vulnerability is that ACH and SEPA transfers are pull-based.

In terms of SEPA pulls (“direct debits”) have a little known benefit: consumers can demand a no-questions-asked refund on demand up to 8 weeks following the settlement date, guaranteed by EU law. That’s even better than pushing a “credit transfer” because those are non-refundable the moment they execute. But indeed in the US AFAIK you’re screwed if you want to take an ACH back.

In any case, it would be useful to have a healthy project to separate tor-friendly banks from the shitty ones, which would require ongoing maintenance.

[–] [email protected] -1 points 1 week ago* (last edited 1 week ago) (1 children)

The US has a similar law, but in both places if you dont notice it for some number of months, you're fucked. Even if the bank didn't ask you to authorize the fraudulent withdrawal.

Personally I can't check all my accounts that often. I review them once per year, so I'd rather rely on technical security. Also paper isn't an option for me. I live in a country abroad that doesn't have a postal system.

Where did you get your list of banks (and their websites) to start with your research?

This would be a good project on GitHub. Something like Alec Muffett'ss real world onions. Its a github repo that queries websites Onion Services (over Tor) every day and tells their uptime.

https://github.com/alecmuffett/real-world-onion-sites

Someone could probably just fork that and replace the sites with a list of banking websites

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago) (2 children)

I live in a country abroad that doesn’t have a postal system.

These could help with that:

Where did you get your list of banks (and their websites) to start with your research?

US fed banks

US state-specific lists

(edit) well shit.. some of those links have gone to shit.. Cloudflare, anti-tor, etc. But you can perhaps dig up archives.

[–] [email protected] 1 points 1 week ago (1 children)

You may also want to checkout privacy post. They explicitly focus on security. They'll use proton to send you scans of your paper mail with e2ee.

https://privacypost.io/

They're pricy, though. I haven't used them or their alternates yet.

[–] [email protected] 2 points 1 week ago (1 children)

thanks! I did not know about that one.

Those mail services are a minefield in general. Most are compromised by Cloudflare. It’s crazy how companies handling inherently sensitive info like that are exposing their customers to Cloudflare.

[–] [email protected] 0 points 1 week ago* (last edited 1 week ago) (1 children)

What do you usually suggest as an alternative to CF?

I used to work for a bank and managed to convince management to use a local company for DDOS protection. That bypassed the NSL risk of a US company, but it still gave a third party mitm power.

Best I've seen is some in-house interstitial PoW page, like "Heray" -- a proprietary system used by hetzner. But I haven't found any FOSS solutions that are well documented and fairly trivial to deploy.

[–] [email protected] 1 points 1 week ago

I’ve never been on the other side of that problem. And it’s not my problem, so I never looked too deeply into it. I just know if a bank or CU is using Cloudflare I am not using it.

[–] [email protected] 0 points 1 week ago

Extremely useful. Thanks!