this post was submitted on 29 Aug 2024
45 points (95.9% liked)

Personal Finance


I like the idea of a less profit-driven business that is maybe more community-focused but I wonder if they have the same capability as a bank? Have you been able to do your banking needs at a credit union? Was the customer service decent?

[–] [email protected] 2 points 2 weeks ago (1 children)

I used to exclusively do all my banking on TAILS. It's good advice, but I've had to give it up :(

Do you know of any banks that don't wholesale block all known Tor Exit Nodes?

If I could find a bank that would run an Onion Service, they'd get all my monies.

[–] [email protected] 2 points 1 week ago (1 children)

I have no idea. I wrote a script that attempts to reach all banks and CUs over Tor and logs the results. But I never finished the project.

But I will not make myself part of the anti-tor problem by using tor-hostile services (not even over VPN because that still sends the wrong message to the bank). I do all my banking offline the old fashioned way.

[–] [email protected] 0 points 1 week ago* (last edited 1 week ago) (1 children)

I've always wanted to see such a comparison :)

I wish you would publish your research. It would be extremely helpful for those of us searching for secure banks. It sucks that the only way to know if a bank is secure is to sign up and then find out after.

Even if you use paper, another major vulnerability is that ACH and SEPA transfers are pull-based. I would really like to see some research that publishes which banks allow you to set up an "allow list" of accounts that are permitted to withdraw from your account (in the US this is called Positive Pay), but I haven't found this. It's a rare security feature that is usually only available for business accounts.

[–] [email protected] 2 points 1 week ago (1 children)

I wish you would publish your research.

I never finished the code and my partial results would be uselessly stale by now. But I hope to one day resurrect the attempt.

It sucks that the only way to know if a bank is secure is to signup and then find out after.

If that were true a crawler would have the same problem.

You can manually check by going through the motions of a manual login at a bank website. Clicking forgot password usually ensures you connect to the host of the portal.

But note that even if you find a usable bank, you need to think of it as temporary. So the most important feature to look for is gratis paper statements and gratis paper checks, so when enshitification happens you can land on your feet and stay functional.

Even if you use paper, another major vulnerability is that ACH and SEPA transfers are pull-based.

SEPA pulls (“direct debits”) have a little-known benefit: consumers can demand a no-questions-asked refund on demand up to 8 weeks following the settlement date, guaranteed by EU law. That’s even better than pushing a “credit transfer” because those are non-refundable the moment they execute. But indeed in the US AFAIK you’re screwed if you want to take an ACH back.

In any case, it would be useful to have a healthy project to separate tor-friendly banks from the shitty ones, which would require ongoing maintenance.

[–] [email protected] -1 points 1 week ago* (last edited 1 week ago) (1 children)

The US has a similar law, but in both places if you don't notice it for some number of months, you're fucked. Even if the bank didn't ask you to authorize the fraudulent withdrawal.

Personally I can't check all my accounts that often. I review them once per year, so I'd rather rely on technical security. Also paper isn't an option for me. I live in a country abroad that doesn't have a postal system.

Where did you get your list of banks (and their websites) to start with your research?

This would be a good project on GitHub. Something like Alec Muffett's real world onions. It's a GitHub repo that queries websites' Onion Services (over Tor) every day and tells their uptime.

https://github.com/alecmuffett/real-world-onion-sites

Someone could probably just fork that and replace the sites with a list of banking websites.
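The two ideas in this thread, a script that tries to reach every bank and CU over Tor and logs the result, and a forked uptime checker pointed at bank login portals, amount to the same small probe. The following is an added example, not the commenter's unfinished script and not code from real-world-onion-sites. It assumes a local tor daemon with its SOCKS5 listener on 127.0.0.1:9050 and a hand-maintained list of portal URLs; the URLs in BANKS are constructed placeholders on the reserved .invalid TLD. It uses only the standard library: a minimal SOCKS5 CONNECT by hostname (so no DNS lookup leaves the machine), TLS, one HTTP/1.1 GET, and then a verdict that separates plain reachability from a 403 block and from Cloudflare fronting, which the thread treats as its own category.

```python
#!/usr/bin/env python3
"""Probe which bank / credit-union login portals are reachable over Tor.

Added example; assumes tor's SOCKS5 port on 127.0.0.1:9050 and a constructed
placeholder list of portal URLs. Standard library only.
"""
import socket
import ssl
import struct
import time
from datetime import datetime, timezone
from urllib.parse import urlparse

TOR_SOCKS = ("127.0.0.1", 9050)  # assumption: tor's default SocksPort

# Constructed placeholders. List the login / "forgot password" host rather than
# the marketing site: the two are often served by different providers.
BANKS = [
    "https://bank-example.invalid/login",
    "https://cu-example.invalid/forgot-password",
]


def socks5_connect(host, port, timeout=40):
    """TCP stream to host:port through Tor. The hostname is handed to Tor
    unresolved (ATYP 0x03) so the resolver is never consulted locally."""
    s = socket.create_connection(TOR_SOCKS, timeout=timeout)
    s.sendall(b"\x05\x01\x00")                      # SOCKS5, one method: no auth
    ver, method = s.recv(2)
    if ver != 5 or method != 0:
        raise OSError("SOCKS5 greeting rejected")
    name = host.encode("idna")
    s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port))
    rep = s.recv(4)
    if len(rep) < 4 or rep[1] != 0:                 # REP 0x00 = succeeded
        raise OSError(f"SOCKS5 CONNECT failed (reply {rep[1:2].hex() or '??'})")
    atyp = rep[3]
    addr_len = 4 if atyp == 1 else 16 if atyp == 4 else s.recv(1)[0]
    s.recv(addr_len + 2)                            # discard BND.ADDR + BND.PORT
    return s


def parse_response(raw):
    """Split a raw HTTP/1.1 reply into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return status, headers, body


def http_get(url, timeout=40):
    """One GET over Tor; the response is read to EOF (Connection: close)."""
    u = urlparse(url)
    host, port = u.hostname, u.port or 443
    tls = ssl.create_default_context().wrap_socket(
        socks5_connect(host, port, timeout), server_hostname=host)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    tls.sendall((f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                 "User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n").encode())
    chunks = []
    while True:
        d = tls.recv(65536)
        if not d:
            break
        chunks.append(d)
    tls.close()
    return parse_response(b"".join(chunks))


def classify(status, headers):
    """Bucket one response. A Cloudflare-fronted host is flagged even on 200,
    because the challenge decision varies by exit node and from day to day."""
    cf = "cf-ray" in headers or headers.get("server", "").lower() == "cloudflare"
    if cf and status in (403, 503):
        return "cloudflare-challenge"
    if cf:
        return "cloudflare-fronted"
    if status == 403:
        return "blocked"
    if 200 <= status < 300:
        return "reachable"
    if 300 <= status < 400:
        return "redirect:" + headers.get("location", "?")
    return f"http-{status}"


def probe(url):
    """Fetch one portal and return a log record; any failure becomes a verdict."""
    t0 = time.monotonic()
    try:
        status, headers, _ = http_get(url)
        verdict = classify(status, headers)
    except (OSError, ValueError, IndexError) as e:   # ssl/socket errors are OSError
        verdict = f"unreachable:{type(e).__name__}"
    return {"ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "url": url, "verdict": verdict, "secs": round(time.monotonic() - t0, 1)}


def log_line(rec):
    """One TSV line per probe; append daily to build an uptime history."""
    return "\t".join(str(rec[k]) for k in ("ts", "url", "verdict", "secs"))


if __name__ == "__main__":
    with open("tor-bank-probe.tsv", "a") as out:
        for bank in BANKS:
            line = log_line(probe(bank))
            print(line)
            out.write(line + "\n")
```

Run it once a day from cron (or the GitHub Actions schedule real-world-onion-sites uses) and the TSV becomes the per-bank history the thread asks for. A single run is a weak signal: a "cloudflare-challenge" result depends on which exit node the circuit used, so several probes over different circuits (restart tor, or send NEWNYM over its control port) before calling a bank Tor-hostile is the check a practitioner would want.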

[–] [email protected] 2 points 1 week ago* (last edited 1 week ago) (2 children)

I live in a country abroad that doesn’t have a postal system.

These could help with that:

Where did you get your list of banks (and their websites) to start with your research?

US fed banks

US state-specific lists

(edit) well shit.. some of those links have gone to shit.. Cloudflare, anti-tor, etc. But you can perhaps dig up archives.

[–] [email protected] 1 points 1 week ago (1 children)

You may also want to check out Privacy Post. They explicitly focus on security. They'll use Proton to send you scans of your paper mail with e2ee.

https://privacypost.io/

They're pricy, though. I haven't used them or their alternates yet.

[–] [email protected] 2 points 1 week ago (1 children)

thanks! I did not know about that one.

Those mail services are a minefield in general. Most are compromised by Cloudflare. It’s crazy how companies handling inherently sensitive info like that are exposing their customers to Cloudflare.

[–] [email protected] 0 points 1 week ago* (last edited 1 week ago) (1 children)

What do you usually suggest as an alternative to CF?

I used to work for a bank and managed to convince management to use a local company for DDoS protection. That bypassed the NSL risk of a US company, but it still gave a third party MITM power.

Best I've seen is some in-house interstitial PoW page, like "Heray" -- a proprietary system used by Hetzner. But I haven't found any FOSS solutions that are well documented and fairly trivial to deploy.

[–] [email protected] 1 points 1 week ago

I’ve never been on the other side of that problem. And it’s not my problem, so I never looked too deeply into it. I just know if a bank or CU is using Cloudflare I am not using it.

[–] [email protected] 0 points 1 week ago

Extremely useful. Thanks!