Online banking using two-step authentication
Comments
-
securityguy wrote: »The problem for banks would be writing terms and conditions to cover different customers having different security procedures. Would people who opted for two-factor be held to higher standards (ie, harder to get money refunded)? Hmm, that doesn't sound like an incentive. Would people who opted for two-factor be held to lower standards (ie, easier to get refunds, ie, harder for those using one-factor to get refunds?) That's going to cause a riot, because the people who would whine about being told to use two-factor will whine all the more about being effectively punished for not doing so.
So a few banks have made two-factor compulsory, but have had substantial customer resistance to it. It's not helped by the fact that they've mostly done it via card readers, with the fundamental security property being proof of ownership of a debit card and associated PIN, which means that people are stuck with a card reader rather than (say) a Smartphone App or a Vasco tag. There's also not been much evidence, at least not published evidence, that those banks have lower levels of fraud, or at least, low enough to pay for the project costs and the customer grief. It's all a bit of a shambles.
My gut feel is that in fact most "password theft" online fraud is actually caused by people giving their credentials to their partners and children, and therefore two-factor doesn't really alter the risk equation. After all, look at all the people who know their spouses' PINs, and talk not only about doing online banking for their partner but about doing the shopping by taking their partner's card. Look at all the people who apparently know their partner's and children's PINs for phones, too. If the main threat actors in contested payments are other residents of the same house (I don't know, I'm guessing) then why would two-factor improve matters?
Thanks for some interesting thoughts on this issue. I hadn't thought about the double standards that the banks would have to consider if there were two different ways of accessing one's account. I wonder how the Nationwide (website) gets round this since the 2nd stage of logging in can either be done using a card and reader or just memorable data - it's the customer's choice (and so presumably therefore only has the lower security level of the 2nd option). Perhaps they currently provide both options with the hope of one day removing the second?
As regards your theory that "password theft" online fraud is mainly caused by people giving their credentials to their partners and children (and friends?), is there any evidence to support this theory? Surely, if this were the case, the authorities wouldn't be putting so much effort into trying to make the internet more secure from hackers and online fraudsters etc.?
Victor_Delta wrote: »I wonder how the Nationwide (website) gets round this since the 2nd stage of logging in can either be done using a card and reader or just memorable data - it's the customer's choice (and so presumably therefore only has the lower security level of the 2nd option). Perhaps they currently provide both options with the hope of one day removing the second?
Nationwide acts differently if you log in with memorable data vs card reader.
-
Victor_Delta wrote: »As regards your theory that "password theft" online fraud is mainly caused by people giving their credentials to their partners and children (and friends?), is there any evidence to support this theory? Surely, if this were the case, the authorities wouldn't be putting so much effort into trying to make the internet more secure from hackers and online fraudsters etc.?
Most computer fraud is insider: businesses are defrauded by their staff, or by outsiders working in conjunction with insiders. It would be surprising were domestic fraud to be substantially different.
It's not my research area, but when I've looked at it the banks have been very reluctant to give numbers. However, the main areas of bank fraud today are, I hear, various courier-type fraud (phone calls telling you your cards are being misused and to give them to a courier, plus social-engineering to get the PIN) and two-factor doesn't address that.
Evidence that banking fraud using technical attacks on PCs is happening at scale is pretty thin on the ground.
securityguy wrote: »The usual bad faith objection, made from people who have mobile phones, is "what about people who don't have mobile phones?"
They pay BT Openreach indirectly for service... I pay no line rental for ZILTCH included on a mobile account, if people want to use a landline or pay for it as your choice then banks will end up doing the same (excluding minorities with health issues and pensioners)
Two of my bank accounts opened online don't even have my signature, I have never been asked or signed anything in branch.
SO... now England it's the Scots' turn to say don't leave the UK, stay in Europe with us in the UK, don't let the Tories fool you like they did us with empty lies... You will be leaving the UK as well as Europe
Mattygroves2 wrote: »I have no problem with the card readers but areas with bad mobile signal do exist. You would be stuffed in a fair part of Wales if you had to rely on texts.
It was an example, email - nearly every home has PC/broadband and wifi nearby
Many places in the UK do not have reliable mobile signals, or any mobile signals at all. People living in those places can't use a bank like Santander who insist on texting a confirmation code to a mobile. And no, Santander do not offer SMS texts to landlines.
LBG and TSB are a lot smarter in that respect, as they allow you to receive your confirmation codes on a landline or a mobile.
As someone mentioned earlier, biometric ID verification for online transactions must be the way to go for all banks.
Mattygroves2 wrote: »I have no problem with the card readers but areas with bad mobile signal do exist. You would be stuffed in a fair part of Wales if you had to rely on texts.
-
Halifax and Lloyds can call to a landline to complete it.
-
They pay BT Openreach indirectly for service... I pay no line rental for ZILTCH included on a mobile account, if people want to use a landline or pay for it as your choice then banks will end up doing the same (excluding minorities with health issues and pensioners)
Two of my bank accounts opened online don't even have my signature, I have never been asked or signed anything in branch.
You will find you have accepted T&Cs online with a virtual signature and a signature capture form posted or will be captured in the future as part of upgrade to systems.
As CNP is used predominantly in branches most of the time which supersedes signature, if this fails you will be asked for signature and ID if it is not present to capture.
I am happy with the way most banks seem to do it. One factor (two step) to log on. Text/App/Authenticator second factor to setup a new payee.
A decent balance of convenience and security IMO.
This discussion has been closed.