Online banking using two-step authentication
As someone mentioned earlier, biometric ID verification for online transactions must be the way to go for all banks.
It's hard to do biometrics when the verifier (the party who is taking the biometric to verify the prover's identity) can't supervise both the hardware and the actual taking of the biometric. It's not impossible, but most of the solutions involve trusted, tamper-resistant hardware, and even then it's quite tricky. Remember: although you might not be willing to use a piece of equipment with wires hanging out of it plugged into another computer, the villains don't have those qualms, so tamper-evidence isn't enough.
It also requires the verifier to hold good quality copies of the fingerprint (iris scans, whatever), not just the crude hash that is used for school dinner payment systems, and that opens up a whole other can of problems.
Yes, you can outsource your security, and rely on the security infrastructure within an iPhone being enough: you can get the user to present their fingerprint to their iPhone, and the phone then attests the match to the bank. Technically I can see how that might work, but legally it's going to be scary, as if it goes wrong, who's to blame?
I suspect what banks will do is roughly what Lloyds have done: allow you to complete two-step authentication using your phone, and encourage you to lock your phone with your fingerprint. Then the second factor is actually "something you have" (your phone) but it sort-of looks like "something you are" (the fingerprint you used to unlock the phone).
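An added example, not part of the post above: a minimal model of the phone-attests-to-bank flow it describes, showing that the bank can check possession of the enrolled device key but cannot check that a fingerprint match actually took place. Assumptions: all class and function names are constructed for illustration, a shared-key HMAC stands in for the device's signature, and hash equality stands in for real biometric matching.

```python
import hashlib
import hmac
import os

def _tag(key, nonce, payment):
    return hmac.new(key, nonce + payment, hashlib.sha256).digest()

class Phone:
    """Constructed handset: holds the enrolled key and a local fingerprint template."""
    def __init__(self, key, enrolled_print, enforce_match=True):
        self._key = key
        self._template = hashlib.sha256(enrolled_print).digest()  # stays on the phone
        self._enforce_match = enforce_match  # False: hardware the bank cannot supervise
    def approve(self, nonce, payment, presented_print):
        presented = hashlib.sha256(presented_print).digest()  # stand-in for fuzzy matching
        if self._enforce_match and not hmac.compare_digest(presented, self._template):
            return None  # local match failed, nothing is sent to the bank
        return _tag(self._key, nonce, payment)

class Bank:
    """Constructed verifier: sees only the tag, never the fingerprint."""
    def __init__(self):
        self._keys, self._pending = {}, {}
    def enrol(self, customer):
        self._keys[customer] = os.urandom(32)
        return self._keys[customer]
    def challenge(self, customer, payment):
        self._pending[customer] = (os.urandom(16), payment)  # fresh nonce per payment
        return self._pending[customer][0]
    def verify(self, customer, tag):
        nonce, payment = self._pending.pop(customer, (None, None))  # one use only
        if nonce is None or tag is None:
            return False
        return hmac.compare_digest(_tag(self._keys[customer], nonce, payment), tag)

def run_scenarios():
    bank, pay, results = Bank(), b"GBP 50.00 to payee 1", {}
    key = bank.enrol("alice")
    phone, bypass = Phone(key, b"finger-A"), Phone(key, b"finger-A", enforce_match=False)
    cases = [("owner", phone, b"finger-A"), ("wrong finger", phone, b"finger-B"),
             ("match skipped", bypass, b"finger-B")]
    for name, device, finger in cases:
        nonce = bank.challenge("alice", pay)
        results[name] = bank.verify("alice", device.approve(nonce, pay, finger))
    stale = phone.approve(nonce, pay, b"finger-A")  # tag over the last, already-used nonce
    bank.challenge("alice", pay)
    results["replayed tag"] = bank.verify("alice", stale)
    return results
```

The "match skipped" case verifies exactly like the owner's, which is why the factor the bank really gets is "something you have".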
You will find you have accepted T&Cs online with a virtual signature and a signature capture form posted or will be captured in the future as part of upgrade to systems.
As CNP is used predominantly in branches most of the time which supersedes signature, if this fails you will be asked for signature and ID if it is not present to capture.
I know, but while we are on the subject of security I have opened TSB and Clydesdale online, NONE sent a signature form, I'm sure my recent Halifax didn't either, I don't use branches either, very rarely branch...none have seen ID nor signatures. I passed a credit check, but anybody could apply online and use C&P in branch as me, it's quite strange online security can be strict but not account opening.
What happened to fraud and money laundering checks?
This was standardised allegedly...
RBS I know open online but ask you to pop in to branch and show photo ID.
Tesco and M&S wanted a signature, Tesco even for my Internet Saver, before my current account.
It is all a bit inconsistent in a day and age where fraud, scamming and laundering is prevalent.
Even in branch at TSB on my first visit years after account opening and doing C&P I was asked what benefit I was paid as a security check but never asked for a signature specimen - quite amateur security really for an industry that beefed up severely years ago.
In my time as retail management over twenty years ago, security was higher, I even had staff use a business signature not the same as their personal (and held both on file) as to protect themselves, signing off banking collections from Securicor their signature was leaving control of their possession.
Not complaining - made opening accounts easier, just observations of poor security... in an age where IS exist, it's quite shockingly poor standard that's all, and that's 1 EU country, I hope the mainland EU do better than us here :eek:
Natwest use the card reader system also
No need to provide ID if banks can verify you using electronic verification,
This could be why you haven't needed to provide ID or you have been a customer before and ID has been captured previously.
This doesn't mean you haven't had a signature on your applications as you accept the T&Cs and agree to a credit search on your applications and therefore this is consequently a virtual signature if you agree by ticking the box and clicking apply.
When you visited TSB you used CNP so no need for additional ID if you were just getting a statement print out as I have said before no need to provide a signature if you have CNP and it's accepted for transactions, signature is required for large withdrawal amounts and high value transfers.
If and when you get to this stage you will need to provide a signature specimen and ID, from what I read you are attempting a mortgage next year so I would expect this will be captured before any large payments are needed if using a branch to transfer or complete a mortgage application.
In relation to your business management it wouldn't have mattered which signature as Securicor don't have record of signatures just branch signed off I have just put initials they don't care as long as it's signed, and there is CCTV to prove who signed anyway, but my point stands that both signatures were on file (your admission) so it's checked to one of those if needed, my point about signature capture will happen in the future in addition to CNP.
If you don't visit branches and use CNP it won't matter about a signature but for reassurance it's not just CNP that is checked when a withdrawal or transaction is made, a visual age check is performed along with gender and security questions asked if CNP has failed and no signature captured or indeed the card has not got CNP facility enabled, as you are aware you have been asked security questions in a branch as additional security on transactions so yes someone could go into a branch with your card, PIN number but they would also have to intercept your post as online applications would have gone to your registered address which was automatically verified as part of the application. If it's used fraudulently then the bank refunds you, but it would more likely be someone you know like a sibling or partner that has opened an account in your name.
I would hope you had to sign at least for the mortgage and show ID in branch, one rogue lawyer and it can easily become highly dodgy... again for instance to assume an IS supporter is only of lower classes is well as they say poppycock.
Given shared accommodation (HB changes) and thus mail will have been pushed back to a time where the average man could not buy via a mortgage.
When I came back to the UK years ago the ID rules were strict, one from this list, two from this list. Account opening via electronic means seems to have dropped considerable security checks at a time in society when checks need to be upping them.
I mean checking photo ID within a month of opening by electronic means is not out the reach of most of society nor financial institutions, but it doesn't happen.
So UK society as a whole wants easier online security with minimal opening security with refunds of fraud, and people wonder how radical persons of interest flow under the radar around EU - they probably all have 'electronic' UK bank accounts funding them.
Of EU and other places abroad, I have found UK account opening and online security to be minimal in comparison.
Everything is the same, but can't make a payment to a new payee and changes to the existing ones. I think there are other restrictions.
The problem with systems that permit you to make payments to existing recipients without strong authentication is that it permits "you" (ie, someone logged on as you) to make payments to international money transfer services. I can't remember the exact examples, but take MSE favourite Transferwise (see here). If you have previously set up Transferwise as a recipient, you will be able to make further transfers to it, but beyond that one recipient, a whole world (literally) of possible end-recipients exists. Or it might just be recipients in the same currency; either way, it's not as simple as "I'm safe, I'm only paying people I trust".
I am careful to prune my list of recipients, to remove people I am unlikely to need again, or to need again for a while. If I used Transferwise or similar, I would delete them as soon as I had used them.
This discussion has been closed.