Sunday, January 19, 2025

Financial Paranoia 5 - Things we don't need for online banking

There are several "privacy tools" that are often recommended but that are neither necessary nor suitable for online banking.

About TOR

The purpose of TOR is to make it difficult for your ISP or the government to tell what sites you are visiting.  With normal HTTPS web sites, the contents of your session are encrypted, but the URLs are easily visible in your internet traffic.  TOR also makes it very difficult for the web sites you access to determine your IP address, and thus your identity or location.

This makes sense in scenarios where you want to anonymously access blocked or illegal web sites without logging in.  This is why TOR is often used by journalists and activists in countries with governments that have strict punishments and very restrictive ideas on what people should be able to access or post.  This is also why TOR is often used by criminals looking to buy illegal drugs, access illegal pornography, sell stolen credit card numbers, etc.  

For accessing online banking, we generally aren't trying to hide the fact that we are accessing, say, Mitsubishi bank.  In general, it's fine if the government or your ISP knows that you are accessing online banking.  Likewise, since you are going to log into your bank account anyway, the bank will know who you are.

Since TOR could be used by bad actors who have hacked your account to log into your bank, many banks will actively block connections from TOR exit nodes.

Using TOR to access web sites is also usually quite a bit slower than accessing sites directly.  

So, TOR is not recommended for accessing your financial accounts.

About VPNs

The idea behind consumer VPNs is to encrypt all of the data transported, including URLs and any other data that might normally be unencrypted - but this encryption only lasts until it reaches the VPN exit point.  Another possible advantage is that by choosing an exit node in another country, you can make it appear that you are accessing a site from a country other than the one you are actually in.

This may provide an extra layer of security if you are accessing your banking accounts from somewhere like a cafe WiFi hotspot, but in general it shouldn't be necessary since banking sites use HTTPS encryption anyway, and it isn't usually a problem if the URLs you are visiting are known by 3rd parties.

Further, banks may block foreign IP addresses and known VPN servers for similar reasons to TOR.

The end result is that accessing your accounts via a VPN may be slightly slower than accessing them directly, and some banks may block you.

About Tails

The purpose of systems like Tails is to make sure no evidence at all remains on your PC of which sites you have accessed.  This means no cookies, no browser history, cache, etc.  

This may be useful for journalists operating in adversarial environments, spies, and those visiting sites only used for illegal activities, because if law enforcement confiscates and analyzes your PC, they will find no evidence of your activities.

Again, since we generally don't need to hide the fact that we were accessing banking web sites (and they will have access logs anyway), Tails and other zero evidence systems are of limited usefulness in banking. 

There is a limited advantage to using Tails in that if a running Tails instance is hacked, it will be reset back to a non-hacked state when it is rebooted since the system itself is read-only.  This advantage can be emulated by running a VM on your normal OS, and reverting back to a post-install snapshot after every run.  

Summary

Running a locked down and hardened system is recommended for banking to reduce the chance of successful attacks; however, running systems designed to hide or erase your online activity is not typically necessary or useful.

System hardening is a separate and complex topic, but there are a few simple things you can do:

1. Don't use an Administrative account for daily use - It's too easy to get tricked into approving something you didn't mean to do.  

2. Use a separate Windows / OS X / Linux login for banking related tasks - The OS has separate accounts for keeping data separate.  While the protection isn't perfect, it's better than nothing.  

3. Make sure your system is up to date - Security flaws are found and fixed all the time.  

4. Enable any firewall software - Prevent connections to your computer from random machines on the internet.  

5. Uninstall unused software and turn off unused services - Software & services can often have vulnerabilities.  For example, turn off remote desktop and file sharing if you don't use them.  


Tuesday, January 14, 2025

Financial Paranoia 4 - The Bare Minimum - Password Manager & Separate Usernames

In the last installment, we discussed using a separate email account, email aliases, and a separate smart phone for online banking and credit cards.

All of this compartmentalization will go to waste, however, if you use the same username and password for your banking sites/apps as you use for things like Reddit and Facebook.  

Using a separate password for each site requires either an ironclad memory, a big paper notebook, or a password manager.

The Password Manager

For low priority non-financial sites, I recommend using something like ProtonPass or BitWarden to manage your accounts and passwords.  These work across smart phones and PCs, sync your passwords, and are easy to use.

For banking related stuff, however, I recommend using an offline password manager such as KeePass.   This is simply because it can't be hacked if it's not in the cloud.  You can keep this data on a USB flash drive, and attach that to your computer or phone only when you need it.  

A word of warning about USB flash drives, though.  You should make a backup to a secondary drive at least once every month or so, and you should keep it in a safe place where you won't lose it.  If you lose this drive or it breaks, you could very well lose access to all of your accounts.  

For most financial related sites, you will need some sort of username, which will typically be one of the following:

  1. An account number
  2. An email address
  3. A separate username

When an account number is used, you will typically not have any choice in the matter, but at least the account number will be unique.

When an email address is used, you can make it unique by using an alias. 

When a separate username is required, this will sometimes be created for you, and sometimes you can choose it yourself (or change it later).  

Since you are using a password manager anyway, I would recommend that you create a separate un-guessable username for each site when you have the opportunity.  

Either way, you for sure want to use a separate hard to guess password for each site.  Most password database tools have a feature that can generate the passwords for you.  Sadly, some sites will only accept relatively short passwords or not allow special symbols.  Use the longest password possible, as you will normally only have to copy & paste to input it.  

You might want to use easy to remember and enter passwords like "Happy-toaster-Fossil-345$" instead of "DdfhjfREgGcED32T42%#!k1$" in case you have to enter them manually on a phone keyboard or something, but even then it is usually only a one time thing.

Once you have completed the above...

Congratulations!
You have now virtually eliminated the risk that anyone can log into any of your accounts via a password list from data breaches they purchased online.  In fact, in most cases they won't even be able to figure out your username, much less your password.

Financial Paranoia 3 - The Bare Minimum - Separate smart phones & emails

In the last two installments, we discussed Social Engineering and Phishing, as well as the danger of password re-use.

With regard to social engineering, the best antidote is probably increased vigilance; however, I am here to propose some real world solutions to the more technical attacks.

We'll start with the most minimal changes you can make without much inconvenience or cost, and we'll move on to more sophisticated options in future installments.

First, since enhanced security is almost always a trade-off, let's discuss why you might be willing to endure the inconvenience in exchange for more security.  

Value Proposition

If, like many people, you don't have much money in your bank account, you might think that there isn't much to protect - but imagine that you only have $500 in your bank account, and scammers steal it.  You lose your time and effort to reset your accounts, etc., and also the only $500 you had in the world.  Worse yet, if they managed to steal your credit card information, then they may have stolen money you haven't even earned yet by spending on your credit cards.  Sure, perhaps you can get that money back after everything is sorted out, but this can be a long and time consuming process and you may have to pay in the meantime.

On the other hand, if you have a lot of money in the bank, then there is more for the criminals to steal.  This means you have more to protect.  Likewise, your credit cards likely have higher limits as well.  

Step 1: Separate Banking Phone & Accounts

If you are like most people, you probably use a smart phone for some of your online banking, and possibly a computer as well.

The first "trick" is to get a second phone, one dedicated to banking.  Many people already have an old phone laying around from their last upgrade, or could get one relatively easily.  

It would be ideal if you got a separate SIM card with a separate number for your banking phone, however we'll cover that in a future installment.  For now, we'll assume you're going to go with WiFi.  

The first thing to do is a factory reset on your old phone, then update the operating system to the newest version.

If it's an android phone and you need to log in using a Google account, create a new one specifically for banking.  Likewise, if it's an iPhone, perhaps you need to register a new Apple account.  

When creating this email address, ideally use a random looking address that has nothing to do with your real name or normal email address.  For example, if your real name is "Akiko Wada", then don't use AkikoWada56, use ChochoHima12.  The idea is that you will only use this email for banking, so you'll never use it to post to social media and the like, and nobody (except your banks and credit cards) should ever know what it is.

Make sure you use a different password than your normal account.  Also, don't use your existing account as a backup account allowed to reset your normal account.  You don't want someone who compromises your normal account to be able to use that to reset your banking account.  

Make the password for your banking account sufficiently long, and set it to require an OTP when you log in if that's an option.  You can put the OTP (Authenticator) app on your normal phone for now if you like.  

There are probably apps on the phone that you don't need that will be installed by default - particularly on carrier branded Android phones.  Uninstall or disable as many of these as you can.  

Next, verify the login and password for each of your banking apps, and then uninstall them from your normal phone unless you will need them while you are out and about.  Ideally you should have a separate spending money account that isn't connected to your payroll, but more on that in a future installment.  

Install these banking apps on your Banking phone and log in.  Since we'll be using your normal phone number for now, keep your normal phone handy to receive any SMS confirmations.  

I would also highly recommend that you use ProtonMail for banking purposes, a free account is fine for now.  If you already have a Protonmail account, then sign up for a new one just for banking.  

Next, you'll want to log into each of your online banking and other finance related accounts (Credit cards, brokerages, etc), and change your email address to the new banking specific one you just created.  Before you do that, though, let me sell you on another idea.  

If you don't mind too much, it's best to create a separate account for each and every bank, credit card, etc., that you use.  You don't actually have to create separate accounts, though, as you can use so-called +Aliases.  This will work with either Gmail or Protonmail, but with ProtonMail, there is the added advantage that you can send from these addresses as well.  

How does this work?  You simply register mail addresses with each company as follows:

If your real email is xxx@yyy.zzz, you use xxx+ccc@yyy.zzz, where ccc is the company.

  • beavis123@protonmail.com (Real/Main Address)
  • beavis123+mitsubishi0114@protonmail.com
  • beavis123+smbc1102@protonmail.com
  • beavis123+mizuho1204@protonmail.com

etc.  Here I also added a number at the end to make it harder to guess.

The advantage of these types of aliases is that they are widely supported, and free.  You also don't have to create them beforehand, you can just make them up on the fly and use them.

The main disadvantage is that someone can tell your real address simply by looking at them and removing everything between the + and @ symbols.  You also can't easily block mails to such an alias.

So why bother?  

a. You avoid giving out your "real" address, and potentially avoid spam.

b. You can use it as a check later on to see if emails are legitimate.

c. You can use it to create forwarding rules, etc. in the future.

Whether you use the aliases or not, update each bank account to use the banking email (either normal or alias).

If you log into your banking email on a PC, do it in a private window, and don't let your PC remember your username or password.  Log out once you are done.  

Once everything above is complete, I would recommend you switch any banking related OTP settings to use an authenticator app on your banking phone, then the separation between your work and financial online identities will be almost complete.  

If you are in the US, then I would consider setting up a Google Voice number for your banking phone, if not, then we will cover setting up a separate number for banking in a future installment.  

Congratulations:

Once this step is done you will have the following enhanced security:

1. If your normal phone is hacked, it won't give anyone access to your financial accounts since there are no banking apps on it.

2. Your banking phone is much less likely to be hacked since it doesn't have any non-financial apps.

3. Accessing your normal email via PC or phone won't give anyone any information about your finances or any way to break into your accounts.

4. If you see an email on your normal account from a bank, you will immediately know it's a phishing attempt (since all your banks will only email your banking email).

5. You are much less likely to receive phishing emails to your banking email address since you only use it for banking.

6. If your normal phone is lost or stolen you don't need to worry about banking apps being lost, and you will still have access to your critical banking apps.  (Leave your banking phone at home and turned off when you don't need it).  

7. If you used aliases, then you can easily tell when an account and the sender don't match.  For example, if you used beavis123+mitsubishi0114@protonmail.com with Mitsubishi, then all emails from them should arrive at that address only.  When you receive an email from them, you can check the "to" line to make sure it's correct.  (This is where using a number at the end makes it harder for anyone to guess the correct address.)

8. If your mail account is compromised, they won't be able to use it to figure out where you bank, which credit cards you have, etc.  (You did remember to delete all old mails from those places, right?)  

9. As an added bonus, you won't need to set up all your banking apps and authentication again next time you upgrade or change your main phone.

10. Since you don't need to keep your banking phone with you most of the time, you can keep it at home in a safe place so there will be much less risk of it being lost or stolen.  
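The "check the To line" habit from point 7 (and the base-address weakness noted earlier) can be automated over your banking mailbox. This is an added example, not code from the post: the alias tags are the ones used above, direct.bk.mufg.jp is the only real domain the series names, and the other sender domains and sample messages are constructed placeholders.

```python
"""Classify incoming mail by whether it arrived at the +alias that was
registered with the claimed sender. Added example; registry and messages
are constructed for illustration."""
import re

# One entry per company: the +tag you gave them and the domain(s) their
# genuine mail comes from. Only bk.mufg.jp is a real domain from the post;
# the .example domains are placeholders.
ALIAS_REGISTRY = {
    "mitsubishi0114": {"bk.mufg.jp"},
    "smbc1102": {"smbc.example"},
    "mizuho1204": {"mizuho.example"},
}

ADDR_RE = re.compile(r"^([^+@]+)(?:\+([^@]*))?@([^@]+)$")


def split_alias(address: str):
    """Return (local_part, tag, domain); tag is '' when there is no +alias.

    Stripping the tag is also exactly how a third party recovers your real
    address, which is the weakness of +aliases the post points out.
    """
    m = ADDR_RE.match(address.strip().lower())
    if not m:
        raise ValueError(f"not an email address: {address!r}")
    local, tag, domain = m.groups()
    return local, tag or "", domain


def base_address(address: str) -> str:
    local, _tag, domain = split_alias(address)
    return f"{local}@{domain}"


def sender_domain(from_header: str) -> str:
    """Domain part of a From header such as 'MUFG Direct <info@bk.mufg.jp>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header.strip())
    return m.group(1).lower() if m else ""


def classify(to_header: str, from_header: str, registry=ALIAS_REGISTRY) -> str:
    """Verdict for one message:
      ok                 sender matches the company the +tag was given to
      main-address       a registered bank wrote to the base address, which no
                         bank was ever given (phishing or a leaked address)
      unknown-tag        arrived at a +tag you never registered (a guess)
      tag-mismatch       arrived at bank A's tag but claims to be from bank B
      unexpected-sender  arrived at a bank's tag from an unregistered domain
      not-a-bank         unrelated sender to the base address; nothing to check
    """
    _local, tag, _domain = split_alias(to_header)
    sender = sender_domain(from_header)
    # Registered companies whose sending domain matches (subdomains allowed).
    claimed = {t for t, doms in registry.items()
               if any(sender == d or sender.endswith("." + d) for d in doms)}
    if not tag:
        return "main-address" if claimed else "not-a-bank"
    if tag not in registry:
        return "unknown-tag"
    if tag in claimed:
        return "ok"
    return "tag-mismatch" if claimed else "unexpected-sender"


# Constructed sample (To, From) pairs covering each verdict.
SAMPLE_MESSAGES = [
    ("beavis123+mitsubishi0114@protonmail.com", "MUFG Direct <info@direct.bk.mufg.jp>"),
    ("beavis123@protonmail.com", "MUFG Direct <info@direct.bk.mufg.jp>"),
    ("beavis123+mitsubishi@protonmail.com", "MUFG Direct <info@direct.bk.mufg.jp>"),
    ("beavis123+smbc1102@protonmail.com", "MUFG Direct <info@direct.bk.mufg.jp>"),
    ("beavis123+mizuho1204@protonmail.com", "Mizuho <security@mizuho-login.example>"),
]


def triage(messages=SAMPLE_MESSAGES):
    return [classify(to, frm) for to, frm in messages]


if __name__ == "__main__":
    for (to, frm), verdict in zip(SAMPLE_MESSAGES, triage()):
        print(f"{verdict:17} {to:45} {frm}")
```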

Monday, January 13, 2025

Financial Paranoia 2 - Phishing, Account Takeover, Password Re-use, and Typo URLs

In the last installment, we discussed social engineering scams that were more about misleading trusting people than any technical measures.  This time we will touch on more technical methods of stealing your money.


1. Phishing

Although the term is plain silly, the activity is anything but.  There are many variations, but typically this is when someone tries to convince you to log into a fake bank web site, etc., through a link in an email.

It's not always banks, though: email accounts, shopping sites, and delivery services are common targets.

I get these all the time for Yamato express and other delivery services and Office 365 and occasionally for Gmail.  

The message will usually say something like: Your account will be closed due to non-payment (so log in and update your payment information), your account needs to be re-verified for security reasons (so log in and answer some security questions), etc.

If you click on the link in the email or SMS, it may take you to a page that looks deceptively like the real web site, where you will enter your login information.  They can collect this information, and use it to log in as you to the real site.  The real site may ask them security questions when it sees you logging in from a new computer, but if they have already collected those from you, then it's not a problem.  

Worse yet, things like smart phones and one time password confirmations don't always help if they are attempting to log in with your information in real time.  For example, you enter your username and password into the fake site, and it asks you for your OTP.  Unsuspecting, you enter your OTP, and if they use it immediately, they can now log into the real site with your username, password, and OTP.  

The goals of the attacker can be anything from getting control of your email to use it for spam, buying stuff for themselves (especially gift certificates) from Amazon, redirecting your packages, all the way up to getting control of your bank account.

Not only might they steal your money, but they might use your account to accept money they scammed from other people in an attempt to hide their identity.

There are various mitigations, including never clicking links in emails for any kind of shopping or banking site, checking the link URLs carefully, checking the sender name carefully, installing anti-phishing software, etc. - but even the most careful person can get tricked occasionally.

All it takes is one wrong click.  

I have some additional suggestions, but we'll go over those in a future entry.  

2. Password Re-use

We've all heard the advice to use different passwords for different accounts and services - but why?  

The main reason is that if the password for one of your accounts is leaked via a data breach or phishing, then the attacker can try that password with your other accounts.  

For example, let's say you have an account with Rakuten Shopping, and their customer database is breached.  This information is collected into lists, and bought and sold by crackers on the dark web, and whoever buys these lists will often try to use the same password with high value services such as online shopping and banking accounts.  

If the attacker has your username "BabyMonkey2024" and your password "Password123" for Rakuten, they can not only log into your Rakuten account, but they can try the same username/email and password with Amazon, Mitsubishi, SMBC, Citibank, and wherever else they can think of.  They will also have scripts to automate this, so they can try hundreds of sites for thousands of users, and focus on the ones where they happened to be able to log in easily.  

Obviously using different passwords for each site is the best defence here, but of course remembering passwords for every site is perhaps not realistic.  There are two ways around this:

a. Use a password hashing tool.  These tools will use a shared static password and the site URL to come up with a hash that you use as your password.  The advantage here is that you only need to remember one password, the calculated password for each site will be different, and there is nothing to "store".  The disadvantages are that in real life, many sites have password restrictions that may not be compatible with the generated password, and many sites require you to change your password periodically.

b. Use a password database.  There are cloud tools such as ProtonPass, BitWarden, DashLane, etc., and primarily offline tools such as KeePassXC.  

Theoretically the online tools are secure since any reputable service would encrypt your password database with your password (which they don't know).  This means that even if they are hacked, the attackers would only get a useless encrypted database.  

In reality, if your database password is weak, then it can be cracked.  Even if it is strong, there may be some unknown weakness that could be exploited later.  For these reasons, I tend to be untrusting of public cloud based password management services for personal use.  

Offline tools such as KeePass are safer in that respect, but can be less convenient to use if you have multiple devices, and require you to manage and backup your password database.  You can keep an offline backup of your password database using USB drives, etc., or you can keep a cloud backup using services such as DropBox, OneDrive, iCloud, etc. - but be aware that using cloud services to keep backups of your password databases re-introduces some of the risk associated with cloud password management services mentioned above.  

As far as the password generation itself goes, many tools have a built-in feature to generate hard to guess complex passwords.  These passwords can also be hard to enter manually, though, so you might consider using something like www.correcthorsebatterystaple.net to generate a more human readable password.
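Option a. above (a master secret plus the site name hashed into a per-site password) is easy to see in code, together with both drawbacks the post names: site charset and length rules, and forced periodic changes. This is an added illustration, not the algorithm of any particular tool; the PBKDF2 parameters, the alphabets and the counter idea are my choices.

```python
"""Deterministic per-site password derivation (the 'password hashing tool'
idea). Added example; not taken from any real tool."""
import hashlib
from urllib.parse import urlsplit

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = UPPER.lower()
DIGITS = "0123456789"
SYMBOLS = "!#$%&*+-=?@^_"
FULL = UPPER + LOWER + DIGITS + SYMBOLS   # default alphabet
ALNUM = UPPER + LOWER + DIGITS            # for sites that reject symbols


def site_key(url_or_host: str) -> str:
    """Normalise user input so that 'https://Direct.bk.mufg.jp/login' and
    'direct.bk.mufg.jp' derive the same password."""
    if "//" not in url_or_host:
        url_or_host = "//" + url_or_host
    host = urlsplit(url_or_host).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError(f"no hostname in {url_or_host!r}")
    return host.rstrip(".")


def derive_password(master: str, site: str, *, length: int = 20,
                    alphabet: str = FULL, counter: int = 0) -> str:
    """Stretch the master secret with PBKDF2-HMAC-SHA256, salted with the
    hostname and a counter, then map the result onto the site's alphabet.

    length/alphabet model a site's password policy; counter models the
    'change your password every 90 days' problem: to rotate, bump the
    counter, and then you have to remember the counter for that site, which
    is the state the scheme was supposed to avoid.
    """
    if length < 8 or len(alphabet) < 2:
        raise ValueError("length too short or alphabet too small")
    salt = f"{site_key(site)}|{counter}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              200_000, dklen=64)
    # Treat the 512-bit output as one integer and write it in base
    # len(alphabet); with 512 bits the bias in the first `length` digits
    # is negligible for any realistic alphabet.
    n = int.from_bytes(raw, "big")
    base = len(alphabet)
    out = []
    for _ in range(length):
        n, idx = divmod(n, base)
        out.append(alphabet[idx])
    return "".join(out)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed demo secret
    print(derive_password(master, "https://direct.bk.mufg.jp/login"))
    # Same site, stricter policy (12 chars, no symbols): a different password,
    # so the policy must be remembered per site as well.
    print(derive_password(master, "direct.bk.mufg.jp", length=12, alphabet=ALNUM))
    # Forced rotation: bump the counter.
    print(derive_password(master, "direct.bk.mufg.jp", counter=1))
```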

3. Account Takeover

This is when someone takes over your email account, via Phishing or password re-use, and then they use the email account to either send emails to your contacts to scam them, reset & verify your shopping and banking accounts, or (usually) send spam.  

You'll know this has happened if you start receiving lots of bounce messages from addresses you never sent email to, or if you suddenly get locked out of your account because the attacker changes the password.  

Also, if an attacker gets access to your email account, they can see which other services you are signed up for and know where to attack next.  For example, if you have emails from Mitsubishi bank or Amazon, they will know you have accounts there, and possibly your username or account number.  

It's best to use MFA mechanisms and use different passwords for each account in order to prevent this from happening, but that won't stop all phishing attacks.  

4. Typo URLs & Evil SEO

These go hand in hand with phishing, but are a bit narrower in scope.  People who type a URL directly into the browser might mistype it.  For example, Mitsubishi's online banking URL is https://direct.bk.mufg.jp, but one might mistakenly enter one of the following:

  • https://direct.bk.mufj.co.jp
  • https://direct.bk.mufg.com
  • https://direct.bk.mufg.net
  • https://direct.bk.mufj.jp
  • https://direct.hk.mufj.jp

An attacker can register these and other likely mistyped URLs, and since they will own the domain, they can set up sites that mimic the look and feel of the real web site.  

The victim enters the URL, the site is displayed, and they enter their login information.  At that point, an error might be displayed after their login information is logged, or in some cases they might even be redirected to the real site so they never know the difference.

Depending on the domain and other factors, it may be possible for the attacker to obtain a valid SSL certificate (since they do own the URL) so the Key icon in the browser will even show up.

There are anti-phishing plugins and browsers that blacklist these types of sites, but the best defense is to keep the known good URL somewhere (like a password database) where you can copy & paste it when needed, or at least store it as a bookmark in your browser.

Another tactic, which relies on user laziness and the blurring of the lines between the search box and the URL box in many browsers, is that a scammer will set up a fake banking site mimicking a real bank, perhaps using a similar URL (either a typo URL or a URL that uses obscure Unicode characters to make it look identical to the real domain name while actually being different), and use systems like AdWords to make sure it appears high in the ranking.

This means that if a user doesn't type in a URL manually or use a bookmark, but simply types "Mitsubishi Direct" and then clicks on a displayed URL, they may be taken to the evil site.  Of course search engines like Yahoo and Google will try to detect this and delete such entries, but there is no guarantee.

The best defence is to never search for an important URL.  Where money is involved, you should know the URL for sure and enter it directly.  Again this can be through a browser bookmark or by copy & pasting it from a password database.  There should be no reason you ever need to ask Yahoo or Google where your bank's official web site is.
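The "compare against the known good URL" defence from this section, applied to both the typo URLs listed above and the Unicode lookalike domains, as an added example that is not part of the original post. The known-good list contains the one banking hostname the post gives; the edit-distance and shared-label thresholds and the sample lookalike hostnames are my own constructions.

```python
"""Warn before visiting a hostname that is close to, but not, a known-good
banking hostname. Added example; thresholds and samples are constructed."""
from urllib.parse import urlsplit

# The one real banking hostname named in the post. In practice this is the
# list of bookmarks / password-database URLs you actually bank with.
KNOWN_GOOD = {"direct.bk.mufg.jp"}


def hostname(url: str) -> str:
    if "//" not in url:
        url = "//" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.rstrip(".")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; 'mufj.jp' vs 'mufg.jp' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_destination(url: str, known_good=KNOWN_GOOD) -> str:
    """Verdict for a URL the user is about to open:
      ok             exactly a known-good hostname
      lookalike-idn  non-ASCII or punycode ('xn--') labels; Unicode lookalike
      typo-suspect   within 3 edits of a known-good host, or shares two or
                     more DNS labels with one (direct.bk.mufj.co.jp)
      unknown        not a banking hostname we know; treat as untrusted
    """
    host = hostname(url)
    if host in known_good:
        return "ok"
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "lookalike-idn"
    for good in known_good:
        shared = len(set(labels) & set(good.split(".")))
        if levenshtein(host, good) <= 3 or shared >= 2:
            return "typo-suspect"
    return "unknown"


# Constructed sample inputs: the post's typo list, a Cyrillic 'е' lookalike,
# a punycode label, and an unrelated site.
SAMPLE_URLS = [
    "https://direct.bk.mufg.jp/login",
    "https://direct.bk.mufj.co.jp",
    "https://direct.bk.mufg.com",
    "https://direct.bk.mufg.net",
    "https://direct.bk.mufj.jp",
    "https://direct.hk.mufj.jp",
    "https://dirеct.bk.mufg.jp/",          # 'е' is U+0435, not ASCII 'e'
    "https://xn--direct-lookalike.example/",
    "https://www.example.com/",
]


def triage(urls=SAMPLE_URLS):
    return [check_destination(u) for u in urls]


if __name__ == "__main__":
    for u, v in zip(SAMPLE_URLS, triage()):
        print(f"{v:14} {u}")
```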

Financial Paranoia 1 - Social Engineering Scams

This series is about online banking and operational security.  As such it is relevant to not just Japan, but online banking (including smartphone banking) in general.  In fact, there is little specific to Japan, but the bank names, etc. we use here for example will be Japanese - everything here could just as easily apply to Korea, the UK, or the US.

We will discuss the common problems and solutions, ranging from the simple easily implemented solutions and best practices all the way to the super paranoid.

First, let's discuss the common problems, as understanding the threat model is key:

1. Offline & Social Media Social Engineering - These are when someone attempts to convince you to "invest" or outright send them money.

I'll give three examples:

a. The "Ore Ore" scam.  This one is popular in Japan and many other countries.  The scammer will call random phone numbers from a burner phone and claim to be a relative in trouble.  The conversation will usually go something like this:

Victim: Hello?

Scammer: Hi, it's me!

Victim: Takeshi, is that you?

Scammer: Yes, I'm in trouble.  Listen, I don't have much time to talk, but it's an emergency, I need you to send me money.

Victim: Okay, I can send some money to your account.

Scammer: I can't access my account right now, but can you send the money to my friend's account? I'll send you the information.

Victim: Okay, I see.

Scammer: (Sends account information)

Victim: (sends money)

In this case, the scammer usually knows nothing about the victim, but just calls lots of people randomly in the hopes that someone who isn't very vigilant will assume their child, grandchild, etc. is calling, and will send the money without thinking too much due to a sense of urgency.

The scammer will likely be using a stolen account they have access to, and withdraw the money in cash as soon as it is sent.  By the time the victim realizes what's happened, it will be too late.  Even if they report the crime, the police are left with a burner phone number and two victims: the one who sent the money, and the one whose account was used.

Sadly, this type of crime most often affects elderly people, who seem less likely to stop and think before blindly sending money to a loved one in need.  

As cold as it may sound, the best way to stop this type of crime is simply to verify the story before sending any money to anyone.  Don't say "Is this Takeshi?", but ask "Who is this?"  If they won't tell you, or say something like "It's me!", then it's almost for sure a scam.  

You can hang up and call them on their normal number to verify the story - even if they claim they lost their phone or whatever.  It's very unlikely that anything would be that urgent that it can't wait a few hours while you check.  

b. The account takeover / POSA Gift Card Scam

In this case, someone you know will contact you by chat (e.g. LINE), SMS, email, etc., claiming to need a favor.  They may ask you to send cash, or more often, gift cards.  Of course they will often offer to pay you back in cash the next time they see you.  Gift cards are preferable because they can be exchanged for cash without needing a bank account - so there is less evidence.

This usually means that someone's phone has been stolen, or their email account has been taken over.  The best solution to this is to ask them to call you so you can discuss it.  If it's someone you know, you probably know what their voice sounds like, and can quickly determine if it's someone else.  You could also ask why they need the gift card, why they can't buy it themselves, etc.

This actually happened to me, with a wealthy friend suddenly asking that I buy them Amazon gift cards at 7-11 via Line.  When I asked them to call me to discuss it, they started in with "Don't you trust me?", etc.  That friend had two phones, so I called the other one and asked them about it.  They said "Oh, I lost my phone in Thailand".  I told them they should contact Line to have the account disabled, and quickly warn their other friends not to send any money to the scammer.  

I also had a similar experience where another friend sent me a message from their Gmail account explaining how they were traveling and in trouble, and wanted me to send them money via Western Union.  I contacted them via Skype and of course it turned out to be a scam.  They were not traveling at all and were in fact at work at the time.

c. The new friend / investment scam - Someone you don't know will contact you via some chat app, often saying they were referred to you by someone with a common name.  They will try to talk to you, and over the course of weeks will try to befriend you, or perhaps make you believe they are a romantic partner. 

At some point, the discussion will inevitably turn to money, and they will often try to "help" you by letting you know about an amazing investment opportunity.  This will often be crypto related.  

This happened to someone I know, and they were asked to invest a small amount in some crypto site.  The amazing opportunity was that they would earn 1% per month just by having money in this account.  So they invested a small amount, for example $100, and saw after a few months that they were indeed getting 1% interest per month.  That's over 12% per year compounded, so it seems like a great deal, and they invested a lot more.  The new "friend" discouraged them from taking their winnings, suggesting they should invest more and more.  Eventually when they did try to withdraw the money, it never arrived, and the new friend blocked them.  Of course the site was fake, and the money was long gone.

The sage advice "Don't talk to strangers" applies here, but more to the point, most chat programs can be set to simply not allow contact from unknown accounts.  This may mean requiring that you have their phone number in your address book, making your ID non-searchable, etc.  This is the best option - but even if you allow strangers to contact you, you should never take investment advice from them or send them money.  A stranger you've been chatting with for 6 months is still a stranger if you've never met them in person.  

Sadly this person lost about $30k to their online girlfriend.  

Summary:

All of the above are social engineering scams that rely on technology, but the solutions are mainly not technological in nature: verifying identity, not trusting strangers, not allowing yourself to be rushed, and thinking deliberately before you act.  

Also, a 12% risk-free investment simply doesn't exist.  In Japan, if a company needs to raise capital, it can go to the bank and get a loan for less than 5%, so there is absolutely no reason it would pay individual investors 12%.  The best stable returns you can get are from a stock market index, at around 7% - and that is risky in the short term.  If someone is willing to pay you 12%, it must be riskier than that.  You should always think about the transaction from the other party's point of view to see if it makes sense.  

2024年7月2日火曜日

Net Bank Update: JRE Bank&Sumishin SBI NEOBANK

The term "Net bank" has always seemed silly to me, as internet banks still have employees and presumably offices, and "normal banks" still have internet banking these days - so it's a relatively pointless line in the sand.  Money is mostly virtual anyway.  

That said, many so-called Net Banks don't have any branches that customers can visit.  Even Sony Bank closed their branch office due to Covid.  Since Mega-Banks have to pay rent for lots of huge offices, they tend to charge higher interest rates for loans, pay [even] lower interest rates for deposits, and charge more fees.

To stop from bleeding customers, some of the Mega-banks have started their own net banks.  For example, Mitsubishi launched Jibun Bank in a joint venture with au.  

Some people, especially the older generations, feel "safety" and "trust" with the famous mega-banks like Mizuho and Mitsubishi - but given that all accounts are insured with the government, there is no real safety advantage to having an account with one of these banks over a small regional bank or net bank.    

A more recent development is that some banks are offering their banking infrastructure and certifications for rent to other clients, in much the same way that major mobile phone carriers offer their infrastructure for resale to other carriers.  

There were already a lot of companies participating in this, but most did not offer any special advantage, except if you bought a lot of stuff at a certain store.  For example, much as there is a Bic Camera credit card, there is a "Takashimaya Bank", which is just Sumishin SBI Neobank re-branded as Takashimaya Bank.  Takashimaya is just a department store, so they don't actually have approval from regulators to create an actual bank, nor do they have the infrastructure, etc. - but they can contract Sumishin SBI to offer a branded banking service, and presumably all parties involved benefit.  (Note that the English word "Bank" has no legal meaning in Japan, so they can call themselves a "Bank" all they want, and it's just fashion).  

Department stores aren't interesting to me - but you know what is?  Japan Rail.  Why?  Well, everyone takes the train.  View Card is one of the best credit cards in Japan because the points you earn are JRE points, which can be used to charge Mobile Suica - rendering them effectively the same as cash.  No limited catalogs full of stuff you don't want that is super overpriced, no discounts on services you'll never use - none of that - just points you can spend as money anywhere.  

But what if you want to use a debit card instead of credit card?  Well Japan Rail East thought it was time to come up with a solution to this, and thus "JRE Bank" was born.  

It's a service offered by Rakuten bank, but it's separate enough that you can sidestep the usual "one account per person" restriction and set up an account with JRE bank even if you already have a Rakuten account.  

The main advantage over a normal Rakuten account is that you can earn JRE points by using your debit card, and depending on various conditions, such as setting your payroll to be deposited in your JRE Bank account, setting your View Card to deduct from there, etc., you can earn enormous discounts on train tickets.  

So, it's good for anyone who might want to take the train... which is basically everyone.   This has taken the Japanese internet by storm, but.. yeah okay so you get points and cheap train tickets.  This is great, but not even the best part to me.

See, I've had a longstanding problem:

1. I shop (and drink) at some places that only take cash.

2. I don't want to carry a lot of cash.  I want to set spending limits.

3. Because of the above, I need to go to the ATM often.

4. Most mega-banks offer free ATM service, but their ATMs have very limited operating hours, or are not so many in number.  (For example, SMBC Prestia ATMs operate nearly 24/7 and are always free to use, but they only have 14 ATMs in Tokyo).  Mitsubishi has more ATMs, and some of them are open late, but they charge 110 JPY after 9pm!

5. Most internet banks let you use Conbini ATMs for free (since they don't have their own ATMs), but only a few times per month.  After that, you have to pay.  

I like Rakuten, because it is the only bank I know of that lets you set a daily limit of less than 10,000 JPY on withdrawals, and it also lets you set times and locations where withdrawals can/can't be made.  

As an example, I can set the following:

a. Only up to 8000 JPY per day.

b. Only between 9am and 2am.

c. Only in Tokyo or Kanagawa.

This is a pretty good system for stopping fraud or misuse, and it also helps with threats and with self-control.  
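As an added example (not code from the original post or from any bank), here is a small policy check modelling the three restrictions above: a daily cap, a permitted time window that wraps past midnight, and an allowed-prefecture list. The class, field names and the sample withdrawals are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class WithdrawalPolicy:
    """Constructed policy mirroring the settings described above."""
    daily_limit_jpy: int = 8000
    window_start: time = time(9, 0)   # 09:00
    window_end: time = time(2, 0)     # 02:00 next day, so the window wraps midnight
    allowed_prefectures: frozenset = frozenset({"Tokyo", "Kanagawa"})
    # running totals per calendar day, keyed by ISO date string
    spent_today: dict = field(default_factory=dict)

    def in_window(self, when):
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        # window crosses midnight: allowed after start OR before end
        return t >= self.window_start or t < self.window_end

    def check(self, amount, when, prefecture):
        """Return (allowed, reason) without mutating the daily totals."""
        if prefecture not in self.allowed_prefectures:
            return False, "location not allowed"
        if not self.in_window(when):
            return False, "outside permitted hours"
        used = self.spent_today.get(when.date().isoformat(), 0)
        if used + amount > self.daily_limit_jpy:
            return False, "daily limit exceeded"
        return True, "ok"

    def withdraw(self, amount, when, prefecture):
        """Apply the check and, if allowed, record the amount for that calendar day."""
        ok, reason = self.check(amount, when, prefecture)
        if ok:
            key = when.date().isoformat()
            self.spent_today[key] = self.spent_today.get(key, 0) + amount
        return ok, reason


def demo():
    """Constructed sequence of withdrawals; returns the allow/deny decisions."""
    p = WithdrawalPolicy()
    attempts = [
        (5000, datetime(2024, 7, 2, 12, 30), "Tokyo"),     # ok, 5000 used today
        (4000, datetime(2024, 7, 2, 18, 0), "Tokyo"),      # denied: 9000 > 8000
        (3000, datetime(2024, 7, 2, 23, 45), "Kanagawa"),  # ok, exactly 8000 used
        (1000, datetime(2024, 7, 3, 1, 30), "Tokyo"),      # ok: new day, 01:30 is inside the wrapped window
        (1000, datetime(2024, 7, 3, 3, 0), "Tokyo"),       # denied: 03:00 is outside the window
        (1000, datetime(2024, 7, 3, 10, 0), "Osaka"),      # denied: prefecture not allowed
    ]
    return [p.withdraw(*a)[0] for a in attempts]
```

Note that the daily bucket is the calendar day, so a withdrawal at 01:30 counts toward the new day even though it falls in the previous evening's window.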

But... if you are limiting yourself to less than 10,000 JPY then you will need to use the ATM more often.  This is exactly what I want - but I don't want to pay all the fees!  

If only there was a bank that let you set up such limits, but also had ubiquitous ATMs in many locations that were free to use for long hours.  

Enter JRE Bank.  Since it's based on Rakuten Bank's systems, JRE Bank allows the same sort of fine-tuned security settings.  It also has a key difference from normal Rakuten Bank accounts - unlimited use of View Altte ATMs.  Given that basically every JR station has a View Altte ATM, you can use the ATM for free most places you go shopping.  Sure, if you live near a subway station, there may not be a JR station nearby, but you will probably pass one on the way to work or shopping.  If not, you can also use Conbini ATMs for free a few times a month.  (Up to 7 times if you keep a massive amount of money with them).  

JR stations are also typically open long hours, usually closing after midnight and opening by 5am.  What's more, the ATMs are sometimes located on the outside of the station - in which case you can use them even when the station is closed.  

In case there is no View Altte ATM and you use a Conbini ATM, it will cost 220 JPY if you don't have any free withdrawals left for the month, regardless of the time of day.  Not the cheapest or the most expensive.  

----

The other strong contender for ATM use is Sumishin SBI Neobank.  Just by setting up an account and linking it with your mobile phone, you can use the ATM for free 5 times per month.  

The first thing to know about Sumishin SBI is that, being basically a net bank, they don't really have their own ATMs.  Having said that, you can use Conbini ATMs, Japan Post ATMs, and also View Altte ATMs.  Impressively, even when you don't have any free withdrawals left, they only charge you 110 JPY for using a Conbini or View Altte ATM - regardless of the time of day.  

Like Rakuten and JRE Bank, they also have a rank system where you can earn more free withdrawals based on various conditions, but the difference is that their terms are very generous.  

At the lowest rank, you only get one free withdrawal, but all you have to do is log in with your smartphone to reach rank 2, which will give you 5 free withdrawals per month.  

Reaching rank 3 is still not too difficult, and will give you 10 free withdrawals per month.  I suspect this would be enough for most people.  

Rank 4 is a bit more difficult to reach for free, but you get 20 free withdrawals per month!  That means you could visit the ATM basically every weekday to withdraw your lunch money and still not pay any fees.  

Note: This was recently changed from unlimited to 20 times per month, so you know there were some people using the ATM three times per day or something.  

The easiest way to reach rank 4 without keeping a huge amount of money in your account is simply to pay for it by signing up for the Platinum Debit Card (Mastercard).  The cost is something like 11,000 JPY (although the first year is free with some conditions).  

20 free withdrawals per month x 12 months = 240 free withdrawals.

11,000 / 240 = ~46 JPY per withdrawal.  

I am guessing that they are literally just charging what they are paying to the ATM providers.

Of course, since it's a platinum card, it comes with other dubious benefits like airport lounge access, vacation & mobile device insurance, etc.  The most important benefit (besides the increase in free ATM withdrawals) is that you earn points at a rate of 1%, and those points can be converted to cash back.  Granted, you would have to spend 110,000 on the card in a year to make the cash back actually cover the annual fee for the card.  

Still, if you want to use the ATM often, and are not near a JR station, then Sumishin SBI is a solid option.


2023年5月24日水曜日

Deposit Type Credit Cards in Japan

The major international credit card brands (JCB, American Express, Visa, and Mastercard) are available in numerous types in Japan:

  • Traditional post paid credit cards
  • Prepaid cards that must be charged before using
  • Debit cards that link to an existing bank account
  • Deposit based (Secured) credit cards

Traditional post paid credit cards can help you build a credit history, but... in general they require a credit history.  One way to get such a card is to have credit history from other loans, etc., or to start with a store card before moving to a card with Visa, etc.  Some companies will take a risk by offering you a card with a small limit, and then slowly increasing it over time as you show an ability and willingness to pay on time every month.  

This is so because the card companies are taking a risk by loaning you the money you use for purchases every month.  If you are a foreigner, especially one with no credit history, banks may be reluctant to take such a risk.  Likewise, even some Japanese people will be deemed a credit risk, especially those with a history of missing payments, those in debt reorganization or bankruptcy, or those who already have a high level of debt compared with their level of income.  

Prepaid cards and debit cards are a solution to this issue, but they don't help you to build credit since there is no loan taking place.  

This is where deposit based cards come in.  

With a deposit based card, you must send a deposit to the card company once your application has been approved.  This deposit then becomes your credit limit, which the company can use to pay off your bill in the worst case.  Because of this, the credit card company is taking on very little risk and will approve applications from most people.  The major exceptions would be if you have been flagged for malicious activity, money laundering, or outright fraud.  

However, the deposit will normally not be used unless you don't pay your monthly bill.  Typically the monthly bill will be automatically deducted from your bank account, so as long as there are funds in your account, the money you spend each month will be deducted in the following month or so, and your credit limit will be replenished.  Only in the case that a direct debit fails (for example, if you close your bank account or there are insufficient funds) would the credit card company actually use your deposit.  

This is in contrast to prepaid cards, where you deposit money and then spend that money directly.  With a deposit style card, you pay the deposit, and then when you use the card that is a separate loan balance, as with a normal credit card.  After the monthly billing period is over, the company will calculate your balance due and send an invoice or initiate a direct debit for that amount - without touching your deposit.  

Once the payment has been received, your credit limit will be restored, and you can make more purchases up to the limit again.  So, although you have given them a deposit, the spending does constitute a loan, and so using this style of card does build a credit history.  

Some things to note:
1. Yearly card member fees are typically higher than the fees for a "normal" credit card
2. The yearly fees typically increase with higher deposit amounts/credit limits
3. Some cards do allow you to apply for an "ETC Card", which can be used to pay tolls automatically on the highway.
4. Some cards offer special services such as travel insurance, etc., in the same way that many normal credit cards do.  
5. If you ever decide to cancel your account, then you will receive your deposit back, minus any unpaid balance due.  
