rans6andrew

My bank has provided me with a smartphone app to perform some account security stuff. Basically the app generates a transaction code which is then keyed into another computer/device being used to access my account website. The generated number is only valid for 30 seconds.

My query is just how closely are the time stamps on the app, which presumably could be using the phone network or be via a wireless internet link, and the web page, which is almost certain to be via an internet connection, tied to synchronisation?

The reason I ask is that I happened to be viewing a live view webcam on two devices earlier today. The on screen clock shown in the banner at the top of the viewers was showing a time difference of 24 seconds. The two devices were both getting their connection to the internet through the same wireless router. 24 seconds seems to be a lot of difference in signal delay for something which is about 200 miles from me, as the crow flies.

Given this time difference possibility, will I be in trouble with access to my bank account security if I try to log in from a very slow/poor internet (like we get in our holiday accommodation).

I can't use my phone to provide a personal hotspot for the netbook to access my account and, at the same time run the app for the security code so the two are bound to be using different connection paths/delays.

Kilty2

I suspect the time difference you are seeing is due to the fact that your two devices have different mechanisms for displaying the video. “Live” video requires a certain amount of buffering (from a few, to tens of seconds) to allow for stutter free playback.

Internet traffic arrives in “bursts of data” and your “connection speed” is the average amount of data received over a finite period of time. For video to appear smooth the video player will try to estimate your average connection speed and decide upon an arbitrary period of time to receive data before actually starting the playback, thus having some “pre-recorded” video to display if there is a slight lull in the data bursts for new video.

In your case there are two possible variables, the devices have different video playing mechanisms with different buffering strategies, and/or the internet connection speed of your phone is different to your wired connection.

If you want to check that both devices can see the current “internet” time open a browser on both and visit GMT: Greenwich Mean Time - World Time / Time in every Time Zone

yellowtriumph

I only post to give some background info. My wife has an on-line bank account. Whenever she is online and wishes to transfer money to somewhere else - at some point in the transaction she has a to click a button on her PC and almost instantly her mobile phone 'dings' as it receives a text with a secure code from the internet bank that she then has to input to the PC in order to proceed.

There is virtually no delay between her clicking the button on the PC and the text being received. I don't know if there is a time limit for the code to be entered into the PC, but if there is it has never been an issue. Hope this helps in some way.

andytug

Should be able to use the phone as a hotspot and run apps at the same time, only limiting factor is the 4G/3G bandwidth available. I've used mine as a hotspot for 3 Ipad minis at once and used Facebook etc at the same time with no issues (well other than the phone getting very warm and the battery draining like a sink....).

Not sure re the time difference but webcam times shown often seem behind real time, may be some buffering going on?

rans6andrew

Ta andytug, it would appear that it does perform portable hotspot and other phone apps at the same time! I don't know what went wrong last time I tried it but it is working now, finger trouble I suspect, my finger wasn't accessing my brain.

andytug

Good stuff - the one thing you can't do (I think) is run hotspot and WiFi at the same time, although thinking about it why would you want to, unless you wanted to keep the password of the WiFi secret from the people connected to your hotspot or something.

peekay4

Generally speaking if a new code is generated every 30 seconds, then at a minimum the system can tolerate clock synchronization errors of up to 2*30 seconds (< 1 minute).

If that secure code text is via SMS then it can't be considered secure and hopefully her bank will implement a more robust solution soon.

Geordie_Expat

I really do not understand why it is mandatory to have a mobile phone to do online banking ! I have done all my banking online for a good while now and don't even have a mobile phone.


Strikes me as odd as Barclays demanding you use a Russian AV (Kaspersky).

yellowtriumph

The mobile is registered to her on-line account, you can only get into the account (session) by securely logging in on-line using the keypad thingy that generates a 4 digit code and by also answering 2 questions that she alone knows the answer to. This is all done on her laptop - not her mobile phone.

I can't quite see what the weakness is? I am genuinely interested to know.

jimjim1

The mobile phone network is not secure. Probably secure enough for personal banking for most people though.

As I recall the GSM crypto is now easily crackable by anyone at all serious, or maybe Law Enforcement just have the keys?

Regarding the time thing. There is a widely used method for getting quite good time from the internet. NTP (Network time Protocol) takes account of network delays. (About 70ms London to New York round trip). If you are on DSL add several tens of ms to that. The thing is that not everybody bothers to use it. If it is turned on then vastly sub-second time synchronisation is possible. My understanding is that NTP is very clever about reducing the effects of network delays given a long enough synchronisation period. I though don't understand how it works.

For an internet clock go to timeanddate.com. Its clock will though I suppose lag the true time by the internet delay that you suffer.

If you want to play with NTP, one issue may be that the Windows NTP client was rubbish. It may be fixed now. Consider getting a different client.

reynoldsno1

Me the same and I don't need no stinkin' app. The code is a one-off, arrives within seconds, and as I'm waiting for it, it normally gets entered within a few seconds. Acceptable risk vs convenience as far as I'm concerned.

Loose rivets

Yes, and right now I'm telling Barclays it's utterly illogical to put trust in a company that can be used as part of a war strategy.

Loose rivets

Compares with your device, though I've not used it on my phone - since one should be able to rely on a phone that has GPS!

Time.is - exact time, any time zone

yellowtriumph

Yes, I suspect this is the point that may be confusing to some here. Referencing my own post: My wife is logging onto her banking site using a PC/laptop - not a phone app, she has to go through several layers of security before gaining access to her own account including answering two security questions that she alone knows the answer to and then entering a 4 digit security code generated by a hand held device (actually in her hand and activated itself using another 4 digit code known only to my wife). So that's actually 4 levels of security before she even gains access to her on-lime account.

If she then wants to transfer some money around, a text is sent to her registered mobile which is obviously in her other hand.

I don't see the security issue here? The code sent to the phone doesn't even have to be secure or encrypted - it is useless to anyone else.