Hello, and welcome. Today, this is going to be a little bit of a rant, probably a two-part video, because I'm about to talk about something that hasn't quite happened yet, but has been driving me crazy the last couple days. And it's about fake security and how fake security makes things less secure, right?

So for example, Android devices. There's a root account on this, just like all operating systems. But to access it, unlike a Linux desktop system, for me to access the root shell after typing a password, well, on an Android device, they disable it, but you can enable it. And once it's enabled, anybody can access it because there's no password to enter. So essentially, they're just making it less secure, because there's no way to prove I am who I am when I pick up my phone and try to get root access.

Well, my bank is doing something similar. So actually, it's a credit union, Suncoast Credit Union. And I've been with them for almost exactly 20 years now. And I've been very, very happy with them. And I'm on their website daily because I got to check account balances, transfer money, make payments, and this and that. So I log into the bank account on the website multiple times a day.

And the only time I have ever needed to use their mobile app is if I want to deposit a check with remote, because there's no way to deposit a check on their website. I always wish there would be. It would be a simple thing to implement. You scan or take a picture with webcam, upload it. It scans it. Same as you would do on your mobile device. But unfortunately, the website did not have that feature. But they've been boasting for months now that they're going to have a new website. They're going to redo it with new features. And although I knew it probably wouldn't happen, I was crossing my fingers that it would add the feature where I could deposit checks on the website.
Because right now I actually just have an extra Android device that I keep in my desk drawer that I use just for that mobile app, because I am not going to install their proprietary crap on my mobile device. So I have an extra device just for that. And I use it so rarely that every time I turn it on, I've got to update their program because it's not the newest version that I got to log in. And it's kind of a pain in the butt, but it's easier than driving to the bank on the occasions I get a check.

Well, the other day when I was logging into the Suncoast website, there was a pop-up informing me that soon they will be requiring you to have the mobile app to log into the website. How stupid is that? So now you want to do some banking online on your desktop. You need to have their app installed on a mobile device.

And I don't care what a company tells you, whether they're going to tell you it's more secure or better feature or whatever, is if a company is trying to force you to install their app when there's absolutely no need for it, they're doing it just to get control of your device. They're going to have more information. To some degree, they are now on your device. And a piece of software on the device is the same as someone using your device. You wouldn't just hand your phone to a stranger and let them start doing stuff. At least most people wouldn't. Well, any time you install an application on a phone or a computer, that's what you're doing, is this program can do whatever it wants. I don't care about app-specific permissions. It's going to have access to your device. And in no way is this making it more secure.

First of all, what about people who don't have smartphones? I know some people who still carry flip phones. I can think of at least two that I know. How would they access the website? What about people who maybe don't use iPhone or Android? Because there are other options out there. They won't have access to the website now.
And what about people like me, who, even though I do, I don't like having proprietary stuff on my phone. And there are some Android systems that don't have access to the Google Play Store. And the only way to get their mobile app is through the Google Play Store or an iPhone through the Apple Store. And just we're in a day and age where I get the concept of an app store making things convenient. But you used to be able to just go to a company's website to download an application if you want one of their applications. But they don't do that anymore. Why don't you have the APK up on your site? It's not a security thing, right? Because people can fake stuff in the Apple Store and the Android Store easier than they can fake your website, because I know where your website is, where if I go searching for an app and there's a similar app with a similar icon, I might download that instead.

I also don't see how this makes things more secure. So again, this hasn't been implemented yet. So I don't know exactly how it's gonna work. But basically it's two-factor, which I'm not against two-factor, because right now when I log into my bank account they send me an email and I have to get the verification code and type that in. And this is great with me. A lot of people would say that's not the best way to do it. Well, you know what? I don't have email clients on my desktop, on my laptop, on my phone. I have an email server and when I wanna check my email I SSH in and I run mutt. So it's not going to all these devices.

If I have their mobile device on my phone and someone gets a hold of my phone, now it sounds like they're just gonna be able to approve the login, right? Or before I needed my username, which the bank also, your username is your account number, which I've always thought was kind of weird because you write checks and your account number's on your checks. So having your username as your account number is ridiculous.
It's not like other sites where you're communicating with people and they're seeing your username. This is something that that would be an extra step, right? If you don't know my username, I need to get my username, my password. And then you also have to have access to my email account to get that verification code. And when one of those emails would go to my web server, I would have a trigger set to notify me on my phone so that I know when someone's trying to log in. Even though I'm not getting a text or the verification code to my phone, I get a notification, which is great.

Well, now they want me to install their app, which I'm not gonna do on my device. Now I have this extra Android device, right? Just for their mobile app. Well, I don't carry it around with me. I keep it in the desk here. Again, I barely ever use it. So now if I'm not at home, if I'm at work and I need to log into my bank account, I won't be able to, right? 'Cause I'm not installing that app on my phone.

So what are my options? Well, I can run Android in a virtual machine on my desktop, but that's always clunky and slow and it's gonna take up gigs of space. And if I use a version of Android that doesn't have Google Play services, now I've gotta get their APK from some third party site. How is that more secure? So again, I don't know exactly how this is gonna work.

And another thing is like if I install their app on my phone they're telling me, so I message them once or twice asking them for more details on this. And they tell me it's like having an extra lock on your front door. Well, that would be stupid, wouldn't it? Right? 'Cause if someone's going to take the time to pick one lock they can pick the other lock, but in reality they're just gonna kick in the door, where now the notification's going to my phone, which I'm not gonna have on me.
So if someone's trying to get into my account I won't even know, where at least before I got notifications on my phone, then I had to log into my server, get my email and copy and paste it over, which wasn't that big of a deal because on my desktop here I'm usually logged into my web server, my email server, and I can copy stuff over really easily.

Well, how do they verify me? So if I install the mobile app on my device, how do they verify it's me? Right? 'Cause we're using the mobile app to verify when I go to log in to the website, how do they verify me? Do they use my username and password? Well, if my username and password is good enough to verify me in the app, why is it not good enough to verify it on the website? It just doesn't make any sense.

So again, I don't know exactly how this is all gonna work, and the only thing I can think of, and this is usually what happens when you have fake security that makes the user jump through hoops. It doesn't protect you any better from the attackers. It just makes life more difficult for the user.

I need to figure out a way to do this. I'm not gonna carry around two phones. I'm not gonna install their app on my phone. I've been very happy with this credit union. I don't want to switch to somebody else. It's been 20 years. This is the first real issue I've had. So the only thing I can think is like maybe, maybe I can have this phone in my desk here, keep it plugged in all the time using electricity and maybe set up some sort of script that detects when that app gets a notification, because I don't know exactly how it's gonna get the notification, and then just automatically click yeah, approve. I mean, how else will I log into this website when I'm not at home where this mobile device is?

And some people would be like, oh just install the mobile app. I'm not going to. And this has been a concern of mine because there's so many mobile apps out there that are completely pointless.
Everything they do can be done in a web browser, which is gonna be more secure because you're not installing stuff on your device that can have access to stuff. And I've always worried that things like this will happen where companies will go to where you need the app, you can't just do it through the website. Even though the app, I can almost guarantee you that at least 99% of it, if not all of it, is just doing HTTP requests. So it's doing everything through a web server anyway, just with their app layered on top. And when it comes to security, the more layers you have, the more likely you are to have a vulnerability. So this is just above and beyond stupid and gonna cause more issues.

And they're saying it's more secure, right? So the only thing is making it more secure. It's not making it more secure because again, I already had two factor going to my email server, which only I had access to through SSH, and I use security keys on that. So people would need my key, my password, they need to access my server. Any time someone logs in my server, I automatically get a text about it. Then they have to go into my email, find it, and then they also need to know my username and password. They're just basically getting rid of all that.

And it's just gonna be what it sounds like is that you're, I don't know if they're gonna send a code to your phone that you type in on the website or if it's gonna be one of those, just click okay. Right? And if it's just clicking okay is never okay for security. And if it's sending the passcode, why is that any better than sending it to an email where I can check it? And now if someone tries to log in my account, if they have my username and password, they won't have access because I get that email, which I also get notification on my phone.
So right away I'm gonna know someone's trying to access my account, where if they're requiring the app and I don't have the app with me, someone could be trying to gain access to my account and I'll have no clue about it. So this again is just fake security. It's not making anything more secure. People who don't know any better are just gonna click yes or okay to it. And I'm just so frustrated about this.

So I'll do another update when this actually is implemented and see if there's any workaround to this. But again, what if you don't have an Android or an iPhone device? How are you gonna access your bank account? And I log into this account daily. It's just so frustrating.

If you are like me and you are a member of Suncoast, send them a complaint, because the only way stuff like this is gonna get fixed is if people complain. Just complain that you don't have access to the app on your devices. How are you gonna log into the website? If they get enough complaints, maybe they'll change their minds. I'm not counting on it, but really the only way to fight stuff like this is by banding together and doing the right thing. So it's up to you. Send Suncoast Credit Union messages complaining about this upcoming change.

Thanks for watching. Please visit filmsbychrist.com. That's Chris the K. There's a link in the description. And as always, I hope that you have a great day.