Abbey One Time Passcode - OTP

pb3

ryan121 wrote: »

It's an important step in improving security. It's so easy for someone to get your pin and password these days that this should be seen as a good thing.

Oh really? Do tell! I've been using Abbey's online system for several years ever since its inception and have yet to have my details stolen. I daresay that the vast majority of these compromises are due mainly to numpties clicking on links in phishing emails, and not taking basic security precautions - Up to date AV, malware, spyware protection, shredding statements etc.

ryan121 wrote: »

You mention the landline option but that is not the better option. What if you're not at home and want to do online banking. The whole point of using a mobile is that you're always likely to have it with you wherever you are.

Oh I see - these new measures are for my convenience! :rolleyes:

Well as it happens.... the landline option is perfect for me as I only ever use online banking from my own trusted computers at home. I have absolutely no problem with those who wish to use the service away from home providing a mobile number if they wish.

Santander's insistence on harvesting customers mobile phone details is mystifiying. The landline option is no less secure and providing this as an alternative would satisfy everyone.

pb3

Sorry for resurrecting this thread once again. This time around my post is not actually a whinge

One solution which I'm planning to adopt comes in the form of a mobile broadband usb modem. This of course has a SIM card and associated mobile phone number. Crucially the number can receive SMS messages but not voice calls.

The SMS messages can be viewed using the supplied software on the computer to which the dongle is connected.

So in my case I can give this number to Abbey/Santander and use their E-banking and the new OTP system (when eventually I'm compelled to) on my Netbook.

Crucially - as I already have a PAYG mobile broadband dongle there is no additional expense to me. I appreciate that this is not a workable solution for everyone - for instance those without a mobile signal in their area. Also if you don't already have mobile broadband you will have to shell out for this service so you may as well consider getting a PAYG mobile phone!

If you do have PAYG mobile broadband, then the Vodafone offering is better as though the top-ups cost more per GB, they are not time-limited. I'm not sure whether you can continue to receive text message if your credit runs out - will need to check.

My opposition to Abbey/Santander's new system still remains despite this workaround in my case.

avantra

Rafter wrote: »

Don't work for Abbey but think this system sounds a lot simpler than having a different calculator type unit from every bank you are with.

Can't see why they can't use your home number if you don't have a mobile and text the number to that for you? You won't be able to make transfers away from home, but at least they would be secure.

You have a choice, either you get a rubbish rate of interest and more charges to cover the fraud costs when people don't install anti virus software, respond to phishing e-mails or dont' shred their statements or you get a better rate of interest but have the slight inconvenience of two factor authentication when you want to make a transfer to a new recipient.

R.

Nail, head etc'

The system is a more clever implementation of the calculator thingy, however this hopeless banking institution (aka Santander) should have the facility to send the a text to voice mail as BT do sometime.

n'af said

joncrel

I'm afraid one time passcodes via a mobile phone do not suit me very well either. I don't use a mobile phone a great deal, and so I often don't have mine charged. I also travel abroad quite often, using a company mobile, I don't want to drag my own phone and its charger along as well, and I'll doubtless be charged for receiving the sms message (and it looks like a new otp for each operation too).

The otp solution has some merits, although often laptop and phone are carried together (and stolen together), so it isn't as good as it sounds. It could offer some protect against some types of wireless snooping attacks when using open wifi networks, but the additional security is quite limited, and probably better provided by using vpn. SMS is itself not totally secure, so its quite likely that this security measure will be subverted quite quickly if banks start to depend on it. Like all forms of security, there is a trade off between convenience and security.

So if Abbey forces its customers to use otp via sms then I will move to another bank, because I do want to use online banking, but I don't want to be required to carrying a mobile phone round all the time. I have emailed abbey already and told them this. I suggest any customers who feel the same way do it too.

...of course Abbey could offer a free vpn service to its customers, that might be useful for all sorts of other things too.

benr_2

I have just opened a Santander ISA, and was asked to set up OTP when I logged in the first time. It was supposed to send a text but - as a dark cynical part of me expected - it did not work. I tried twice more, and several hours later I have not received any texts. I am getting texts from other people, so there is no problem with my service.

Most likely if the system isn't working now, then it won't be working when I need it to. I will be closing my account straight away, as this is too annoying a hurdle to transfer all my savings in.

More fundamentally, it does not sound very secure in the first place. A card reader requires you to have access to the reader AND the card. People tend to look after their card more carefully than a mobile, which is often left on desks and easily stolen from a pocket. That said, it sounds easy to change the number registered for OTP once you're logged in, so it seems pretty much useless (security theatre only).

pb3

I notice SantanDURR have not yet had the cajones to push the big red button to make the use of OTP compulsory.

Despite my previous post about a workaround through a laptop and mobile broadband dongle, I haven't registered as a matter of principle. I don't see why I should jump through their imposed hoops to get at MY money:mad:

So far I've had to visit my local branch to setup a new payment on my account. Very incovenient though I guess that it does keep the tellers in a job.

Visiting a branch every time I want to setup a new payment is really not an option for me long term,even if SantanDURR cap further expansion of OTP.

On a slightly off-topic note a friend of mine asked me for my mobile number the other day. I replied that I did not have one.

He was incredulous "Are you kidding? :eek: What about emergencies? ...yada yada yada.. I always have mine with me - it is essential - not having one is crazy!"

To which I replied "So how did you survive 20 years back when they were no mobile phones?"

My friend went away shaking his head and muttering under his breath in reflection

anamenottaken

benr wrote: »

I have just opened a Santander ISA, and was asked to set up OTP when I logged in the first time. It was supposed to send a text but - as a dark cynical part of me expected - it did not work. I tried twice more, and several hours later I have not received any texts. I am getting texts from other people, so there is no problem with my service.

Most likely if the system isn't working now, then it won't be working when I need it to. I will be closing my account straight away, as this is too annoying a hurdle to transfer all my savings in.

More fundamentally, it does not sound very secure in the first place. A card reader requires you to have access to the reader AND the card. People tend to look after their card more carefully than a mobile, which is often left on desks and easily stolen from a pocket. That said, it sounds easy to change the number registered for OTP once you're logged in, so it seems pretty much useless (security theatre only).

If you have actually subscribed (paid money into the account) already, then remember that you can't open another one this year (while it lasts) and will have lost any tax advantage you had in having that ISA.

You could, however, try to find one which allows transfers in and open (without paying any money in) and get the process in motion to move your Santander one over (however long that takes). I think that would work.

cottager

pb3 wrote: »

I notice SantanDURR have not yet had the cajones to push the big red button to make the use of OTP compulsory.

This wasn't my experience soon after the OTP was introduced. It looked as if it wasn't compulsory but when the registration screen flashed up, to be allowed to continue I could find no way of NOT registering a mobile number, so couldn't get through to see my accounts. It allowed me past the very first time, but not after that. There was no message/prompt to say this was because I hadn't registered, but it just wouldn't go any further without it.

Like you I don't have or need a mobile either, so OTP is useless for me unless text messages can be received verbally on a landline (which others seem to manage well enough). We'd become dissatisfied with Abbey and would probably have left anyway, but this decided it for us and we closed all our savings accounts about 3 months ago. OH does have a mobile but, again like you, objected to this method. Took the best part of 2 months for Abbey to close down a couple of the accounts which needed to be done postally; the others we closed in-branch... at the time the branch staff had never even heard of OTP, even when we explained what it was.

benr_2

anamenottaken wrote: »

If you have actually subscribed (paid money into the account) already, then remember that you can't open another one this year (while it lasts) and will have lost any tax advantage you had in having that ISA.

You could, however, try to find one which allows transfers in and open (without paying any money in) and get the process in motion to move your Santander one over (however long that takes). I think that would work.

Thanks anamenottaken, I have not transferred any money in yet.

I have my finger on the button to open an ISA with my current bank (Natwest) instead. Long story why I didn't do that in the first place. I want to do this right away so I can use this year's allowance.

My only concern is I'm supposed to declare I have not opened another ISA this year, but the Santander (Satan-DURR - nice one pb3) one is still alive and kicking (despite empty). I can't remember the exact wording on the NW declaration page (applications are closed after 9:45pm, strange).

Maybe I'll just open the NW one and fire off a letter to Santander at the same time to close that one, which I'm not going to use anyway. But this means I'll have opened 2 ISAs in one year. I feel like a hardened criminal. :cool2:

benr_2

cottager wrote: »

This wasn't my experience soon after the OTP was introduced. It looked as if it wasn't compulsory but when the registration screen flashed up, to be allowed to continue I could find no way of NOT registering a mobile number, so couldn't get through to see my accounts. It allowed me past the very first time, but not after that. There was no message/prompt to say this was because I hadn't registered, but it just wouldn't go any further without it.

I've logged in a few times today, in my futile attempts to get OTP working. I tried again just now. This is the process I've observed.

- Login

- I get a screen asking me to set up OTP, filled with red text. Copied directly: "OTP is mandatory to complete a number of online transactions including payments, transfers and changes to your personal details." Then there are two links: one in red saying "register now", and another which is greyed out (almost invisible) saying "register later".

- If I choose "register later" (I have to, since I do not receive any texts), then some text appears saying "Please be aware that if you do not register for OTP your eBanking access will be placed on a view only status in the future and you will not be able to transact on your accounts online".

- Once at my home page I can view my balance but that's about it. There are links to change my personal details but I'm not sure if I want to test those.

(Disclaimer: I've not transferred any money in yet, so maybe the account isn't fully active)