Which is worse: SMS notification leak or email notification leak?

So I opened a bank account required to deposit paychecks. The problem is that if I do a withdrawal by ATM or over the counter with a teller, I get two notifications that specify the amount of money I have withdrawn: by email and by SMS.

Both of these message protocols are not encrypted and therefore readable and likely collected by surveillance agencies. Which one is the worse one to have? This is assuming one notification can actually be disabled.

For SMS: The telco companies can see what is being sent around, and since these are automated by computers, we can speculate that local intelligence agencies may be able to access them. Nefariously, foreign surveillance agencies may be able to access them through hacks and maybe leaks from the computers they go through.

For email: Each hop to a server, as can be checked via a traceroute command, can be a potential avenue for data collection of my finances. These can be checked directly from the domain of the email that gets sent, counting how many hops it takes before it reaches the email server.

Also, the notifications are for direct cash withdrawals. Do we know if a fraudulent transaction can even be reversed, given that it ultimately involves cash? So these notifications do not actually serve a purpose at all.

So if I had the option to disable these notifications, should I disable email notification or SMS notification? Should I even bother or remove it all?

1 Like

I’d just disable all notifications and move on if possible. You know how much you’re taking out, and there’s always a record of the transaction within the bank itself. Assume we can’t disable all notifications. Between email and SMS, I would choose email. Think about the risks.

The bank will already retain a record of your withdrawals via its records. There is nothing private about a withdrawal, and this is a good thing. I would like to know when money is taken out of my account. Let’s not pretend that email or SMS protocols are secure. Both were never designed with privacy in mind. If one must be sent, we can analyze the travel routes.

The bad news is that sending either email or SMS messages is often the most insecure part of the transaction, unless your bank uses RSA encrypted email. I don’t think there’s a best option between how the content is sent. I do think we can choose which one’s better based on where it lands. Email will win this battle nearly every time, so long as your email is stored with a secure provider like Tuta or Proton. I’d choose to have the notifications sent to a secure email inbox if possible.

By the time someone’s withdrawing cash, you have much bigger problems. Most banks have daily withdrawal limits. I’d inquire with the bank in question to confirm what this limit is. You may be able to lower the daily limit if you believe you won’t need more than the maximum withdrawal amount per day. I would assume the purpose is to make sure you are alerted as soon as possible if a fraudulent withdrawal occurs.

To reiterate, I’d disable all notifications if possible. I know how much money I am withdrawing and can check my account regularly to monitor transactions. If I find someone has withdrawn money from my account via an ATM I have never used, I would call the bank and lock the account immediately. Someone will have gotten my physical card, assuming I understand the process correctly. Otherwise, I’d send the notifications to a secured Tuta or Protonmail address.

2 Likes

If you live in a place where your bank knows your name, email, and phone number, and is above board enough to send you SMS notifications, then I would bet that information and your transaction history are already available to the government anyway. IMO this sounds like being far too concerned about something that is not your actual problem.

Since SMS is unencrypted, individual people at the telco company would potentially have access to that information in plaintext, plus anyone that asks with a lawful order.

Email is inherently not secure, as the other user has said, but you can’t do anything about the insecure part, which is that a bank is sending an email from their servers to anywhere else, even if you use E2EE services like Proton/Tuta. That’s where you’re still exposed.

Not that it matters, no one is tracking bank account usage by emails because it’s imprecise. It’s probably easier for anyone you’re worried about to just ask the bank what you do, rather than ask a telco for a proxy measure that might not be the complete picture because you can just turn off notifications.

If you’re in another country than the bank (let’s say bank is in Switzerland and you’re in Sudan), then if you turn off SMS and only use email, then only Swiss authorities would (potentially) see the email. This is the only way I could see valid concern - if you’re in the same country as the bank, then the government very likely has access to your accounts 24/7 if they like.

Does the bank have an app with notifications? Run a VPN and use the app if it’s E2EE, which it might be. Email using an E2EE service is next best. Don’t use SMS.

1 Like

> Both of these message protocols are not encrypted and therefore readable

Are you certain the email lacks encryption? While not E2EE, wouldn’t you still benefit from TLS that would protect the content of the message for any intermediaries routing the email? I disable SMS with my bank and opt for email where possible.

While I know we would prefer end-to-end encryption - it was my understanding email is often encrypted from prying eyes on the wire during transport. I don’t think the same can be said for SMS.
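The transport-encryption question raised in the last reply, and the "count the hops" idea from the original post, can both be checked from the notification email itself rather than with traceroute: every SMTP server that relays a message prepends a `Received:` header, and its `with` clause records whether that hop was received over STARTTLS (`ESMTPS`, `ESMTPSA`) or in cleartext (`ESMTP`, `SMTP`). The script below is an added example written for this thread, not code from any poster or from a bank; the message it parses is constructed, with invented hostnames and IPs, and is laid out so that the bank-to-mailbox-provider hop is cleartext while the provider's internal hop is TLS.

```python
"""Walk the Received: headers of a saved notification email and report, hop by
hop, whether the receiving server says it got the message over TLS.

Servers prepend Received: headers, so the first one in the file is the most
recent hop; the list is reversed to read in bank-to-mailbox order.
"""
import email
import re

# Constructed sample message (not a real bank email). Hostnames and addresses
# are invented; the two Received: headers are written so that the external
# hop uses plain ESMTP and the internal hop uses ESMTPS (STARTTLS).
SAMPLE_EML = (
    "Received: from mx.example-mailbox.test (mx.example-mailbox.test [203.0.113.10])\n"
    "\tby imap.example-mailbox.test with ESMTPS id abc123\n"
    "\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);\n"
    "\tMon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from relay.example-bank.test (relay.example-bank.test [198.51.100.5])\n"
    "\tby mx.example-mailbox.test with ESMTP id xyz789;\n"
    "\tMon, 1 Jan 2024 10:00:01 +0000\n"
    "From: notifications@example-bank.test\n"
    "To: customer@example-mailbox.test\n"
    "Subject: Withdrawal notification\n"
    "\n"
    "A withdrawal of 200.00 was made at an ATM.\n"
)

_FROM = re.compile(r"\bfrom\s+(\S+)")
_BY = re.compile(r"\bby\s+(\S+)")
_WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def protocol_uses_tls(protocol):
    """True for the 'with' keywords that denote a TLS-protected SMTP session
    (ESMTPS, ESMTPSA, UTF8SMTPS, ...). A trailing 'A' only marks an
    authenticated session and is ignored for this purpose."""
    p = protocol.upper()
    if p.endswith("A"):
        p = p[:-1]
    return p.endswith("S")


def parse_hops(raw_message):
    """Return one dict per Received: header, oldest hop first."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    hops = []
    for value in reversed(headers):
        text = " ".join(value.split())  # unfold continuation lines
        m_from = _FROM.search(text)
        m_by = _BY.search(text)
        m_with = _WITH.search(text)
        protocol = m_with.group(1) if m_with else "unknown"
        hops.append({
            "from": m_from.group(1) if m_from else "unknown",
            "by": m_by.group(1) if m_by else "unknown",
            "protocol": protocol,
            "tls": protocol_uses_tls(protocol),
        })
    return hops


def cleartext_hops(raw_message):
    """List the 'from -> by' pairs whose receiving server reports no TLS."""
    return [f"{h['from']} -> {h['by']}"
            for h in parse_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for i, hop in enumerate(parse_hops(SAMPLE_EML), 1):
        state = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']} via {hop['protocol']} ({state})")
    print("cleartext hops:", cleartext_hops(SAMPLE_EML))
```

Save a real notification from your mailbox as raw source (most clients offer "show original" or "download .eml") and pass it to `parse_hops`. Two caveats: each `with` keyword is self-reported by the server that wrote that header, so it only tells you that STARTTLS was negotiated on that hop, not that the sender's certificate was verified; and hops inside the bank's own network may add no header at all, so the first visible hop is usually the bank's outbound relay handing off to your provider's MX, which is exactly the leg an earlier reply points out you cannot control. `traceroute` from your own machine shows the IP route from you to a host, not the chain of mail servers the message passed through, so the headers are the better source for the hop count the original post wanted.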