I like the idea of a less profit-driven business that is maybe more community-focused but I wonder if they have the same capability as a bank? Have you been able to do your banking needs at a credit union? Was the customer service decent?

  • activistPnk@slrpnk.net
    4 months ago

    I’m done with credit unions. They just create the illusion of a small org but then farm you out to big companies via outsourcing anyway.

    • Most credit unions have outsourced just about every aspect of their business. They are like shell companies all working as many different façades to the same giant corporations. CUs' in-house expertise doesn’t go far beyond their branding and marketing. Your sensitive financial info gets shared around with a handful of giant corporations while giving the illusion that you have the privacy benefits of a small CU.
      • billpay outsourced to 1 or 2 different billpay services nationwide
      • monthly statement generation: outsourced to the same few corps
      • statement printing: outsourced, then they charge you for it
    • Credit unions spam the shit out of whatever email address you supply, thus enabling all entities handling the email to see where you bank each time the CU decides to spam you. Commercial banks are better on this in my experience. I think commercial banks have calculated that spam just angers people and drives them off, whereas credit unions are either not diligent enough to make that calculation or they are assuming their small org appearance will go a long way in obtaining forgiveness.
    • Most credit unions have put their website on Cloudflare in the past few years. Which means:
      • Consumers are generally forced to expose their account credentials to a privacy-abusing tech giant (while agreeing to be accountable for damage stemming from credential leakage)
      • Consumers are generally forced to expose to their credit union their approximate physical location every single time they connect to the website as a consequence of Cloudflare. Which means if they move outside of the CU’s service area some CUs will notice that and even freeze/lock the account. They tend to admit directly in their privacy policy that they collect IP addresses specifically for geolocation tracking of their customers.
      • Consumers are generally forced to expose to their ISP where they bank as a consequence of Cloudflare. And considering Trump overturned an Obama policy that required ISPs to obtain consent for collecting and selling customer personal data, there is nothing to stop your ISP from selling info about where you bank to data brokers and debt collectors. Biden did not reverse Trump’s privacy sabotage.
      • Cloudflare can at any moment decide to block you for any reason arbitrarily, and suddenly your web access to your money is gone.
      • Consumers who are behind CGNAT outside of their control are often blocked by Cloudflare. If a snot-nose script kiddie in your CGNAT pool decides to scrape some websites, CF’s excessive protectionism might kick in and block the IP which could go to you next, and you lose access to your money because CF overreacted to a harmless snotnose kid.

    Being free from Cloudflare sometimes means you can log in over Tor and avoid most of the problems above. OTOH many commercial banks also block Tor increasingly more frequently lately (because they also want to track your physical whereabouts). There may be some Cloudflare-free CUs that still permit Tor logins though it’s becoming harder to find them.

    Gratis paper statements are important more than you realise:

    If you cannot find a bank or CU that gives you the privacy of Tor, the best feature to look for is gratis paper statements and paper checks so you can scrap the website and take back your privacy. It’s more common to find gratis paper statements from banks than CUs. As enshittification of the web proliferates and more FIs join Cloudflare, gratis paper statements are an important safety net so you can ditch their tech the moment it goes sour.

    Regarding apps:

    Credit unions do not write their own software. You have just a few closed-source Google Playstore banking app makers who all the credit unions outsource to. Whereas every commercial bank reinvents the wheel with their own implementation. For me it’s a shitshow no matter what. I am not going to enter Google Playstore and tell Google where I bank and let Google track exactly which software version I have which also reveals what vulns I inherit, to then run a closed-source app that snoops on me in countless unknown ways. Fuck all that.

    • jagged_circle@feddit.nl
      5 days ago

      I used to exclusively do all my banking on TAILS. It’s good advice, but I’ve had to give it up :(

      Do you know of any banks that don’t wholesale block all known Tor Exit Nodes?

      If I could find a bank that would run an Onion Service, they’d get all my monies.

      • activistPnk@slrpnk.net
        1 day ago

        I have no idea. I wrote a script that attempts to reach all banks and CUs over Tor and logs the results. But I never finished the project.

        But I will not make myself part of the anti-tor problem by using tor-hostile services (not even over VPN because that still sends the wrong message to the bank). I do all my banking offline the old-fashioned way.

        • jagged_circle@feddit.nl
          1 day ago

          I’ve always wanted to see such a comparison :)

          I wish you would publish your research. It would be extremely helpful for those of us searching for secure banks. It sucks that the only way to know if a bank is secure is to sign up and then find out after.

          Even if you use paper, another major vulnerability is that ACH and SEPA transfers are pull-based. I would really like to see some research that publishes which banks allow you to set up an “allow list” of accounts that are permitted to withdraw from your account (in the US this is called Positive Pay), but I haven’t found this. It’s a rare security feature that is usually only available for business accounts.

          • activistPnk@slrpnk.net
            1 day ago

            > I wish you would publish your research.

            I never finished the code and my partial results would be uselessly stale by now. But I hope to one day resurrect the attempt.

            > It sucks that the only way to know if a bank is secure is to sign up and then find out after.

            If that were true a crawler would have the same problem.

            You can manually check by going through the motions of a manual login at a bank website. Clicking forgot password usually ensures you connect to the host of the portal.

            But note that even if you find a usable bank, you need to think of it as temporary. So the most important feature to look for is gratis paper statements and gratis paper checks, so when enshittification happens you can land on your feet and stay functional.

            > Even if you use paper, another major vulnerability is that ACH and SEPA transfers are pull-based.

            In terms of SEPA, pulls (“direct debits”) have a little-known benefit: consumers can demand a no-questions-asked refund on demand up to 8 weeks following the settlement date, guaranteed by EU law. That’s even better than pushing a “credit transfer” because those are non-refundable the moment they execute. But indeed in the US AFAIK you’re screwed if you want to take an ACH back.

            In any case, it would be useful to have a healthy project to separate tor-friendly banks from the shitty ones, which would require ongoing maintenance.
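
One way to record the outcome of the check discussed in this thread (requesting a bank's login-portal host over Tor and noting what comes back), as an added example that is not the poster's unfinished script or any project's code. The `Probe` type, the verdict names and the `.example` hosts are hypothetical and the sample responses are constructed; it assumes Cloudflare's `Server: cloudflare`, `CF-RAY` and `cf-mitigated: challenge` response headers, and treating HTTP 403/429 as a block is an assumption of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Probe:
    """One recorded response from a login-portal host, fetched over Tor."""
    host: str
    status: Optional[int]                 # None: connection refused or timed out
    headers: dict = field(default_factory=dict)

def _norm(headers: dict) -> dict:
    # Header names are case-insensitive; normalise before comparing.
    return {k.lower(): str(v).lower() for k, v in headers.items()}

def behind_cloudflare(p: Probe) -> bool:
    h = _norm(p.headers)
    return h.get("server") == "cloudflare" or "cf-ray" in h

def verdict(p: Probe) -> str:
    h = _norm(p.headers)
    if p.status is None:
        return "unreachable"              # dropped before any HTTP response
    if h.get("cf-mitigated") == "challenge":
        return "challenged"               # interstitial instead of the portal
    if p.status in (403, 429):            # assumption: these mean "blocked"
        return "blocked"
    if 200 <= p.status < 400:
        return "reachable"
    return "error"

def summarize(probes):
    """Map host -> (behind Cloudflare?, verdict) for a batch of probes."""
    return {p.host: (behind_cloudflare(p), verdict(p)) for p in probes}

# Constructed sample responses; none of these hosts are real institutions.
SAMPLES = [
    Probe("portal.bank-a.example", 200, {"Server": "nginx"}),
    Probe("login.cu-b.example", 403, {"Server": "cloudflare",
          "CF-RAY": "constructed-id", "cf-mitigated": "challenge"}),
    Probe("online.bank-c.example", 403, {"server": "cloudflare"}),
    Probe("secure.cu-d.example", None),
]

if __name__ == "__main__":
    for host, (cf, v) in summarize(SAMPLES).items():
        print(f"{host}\tcloudflare={'yes' if cf else 'no'}\t{v}")
```

Because results go stale, as noted above, each logged line would also need a timestamp and a periodic re-run to stay useful.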