
MSE News: Bank customers promised access to all their accounts via one app


  • Paul_Herring Posts: 7,481 Forumite
    colsten wrote: »
    Biometric security - fingerprint, voice, face recognition

    All of which are totally unsuited to be "security" if they're being used to replace passwords. User IDs, maybe, but not passwords.

    Back to the original point of banks spending money on technology, I'd rather they be spending it on sorting out their current ancient back-ends to prevent recurrences of the Natwest and RBS fiascos when they had their DOSs.
    Conjugating the verb 'to be':
    -o I am humble -o You are attention seeking -o She is Nadine Dorries
  • colsten Posts: 17,597 Forumite
    All of which are totally unsuited to be "security" if they're being used to replace passwords. User IDs, maybe, but not passwords.
    I am already using fingerprint access on a couple of mobile banking apps, and I am not the only one.
  • Ballard Posts: 2,863 Forumite
    Doshwaster wrote: »
    I'd like to see moving accounts made easier but I'm not sure what can be done. If sort codes were portable then you would need a central authority which tracked them and identified which bank they belonged to.

    I can't see sort codes being portable any time soon. The first thing that came to mind is cheques which are routed to the account issuing bank via the sort code. I can't think of a practical way of doing it without the sort code.

    The second thing would be the Iban which includes not only the sort code but the first four characters of the BIC and a check digit using both of these parts.
    I hate verisimilitude.
  • Paul_Herring Posts: 7,481 Forumite
    colsten wrote: »
    I am already using fingerprint access on a couple of mobile banking apps,

    So how do you change that password access when someone finds out what the current password is? What do you do when it comes to the 10th time you have to do it, move onto your toes?
    and I am not the only one.

    I know it's new technology, and all nice and shiny, but it's not how they should be used.

    Passwords should be:
    1) Changeable. If the database gets hacked, your password is out there.
    2) Known only to you (but see 5) and the system you're authenticating against. Someone should not be able to casually observe your password.
    3) Anonymous. They should not be a single factor traceable to you
    4) Different on every system you use it on. If one system gets hacked (see 1) you don't want to have to change your password everywhere else (see LinkedIn)
    5) Conceivably transferable to/shared with someone else (you need to allow someone else access, you die and your next of kin can get access.)
    6) Until deliberately changed (see 1), immutable.

    How many of those does a fingerprint satisfy?

    To reiterate, I have no objections to the use of biometrics in general, just not for the sole purpose of authentication as in a replacement for passwords.
    Conjugating the verb 'to be':
    -o I am humble -o You are attention seeking -o She is Nadine Dorries
  • colsten Posts: 17,597 Forumite
    Perhaps you should be offering your consultancy to First Direct, HSBC, Atom Bank and others, who obviously got it totally wrong when they decided to implement biometric logins.
  • Anthorn Posts: 4,362 Forumite
    edited 10 August 2016 at 5:08AM
    jamesd wrote: »
    No surprise to see banks persisting with the current account switching service approach that customers have comprehensively rejected. Maybe eventually we'll get a more useful approach instead, like easier moving of direct debits, standing orders and payments between accounts at the direction of consumers.

    The problem is not the switching service but the banks which operate it and the sometimes extreme delays in opening accounts. In my own personal experience after being with National Girobank / Girobank plc / Alliance & Leicester / Santander for donkey's years I set the ball rolling with a switch to smile. That switch completed but all my direct debits duplicated so I had two instances of every direct debit. Exactly the same happened with TSB. Lloyds Bank sorted out everything except the PIN number to go with the debit card. By the time I received the PIN I had already moved to Natwest. By far the worst was Tesco Bank which took nearly 4 weeks to get a simple savings account up and running. That caused me to shelve my plans to open a Tesco Bank current account.

    If Natwest can get a current account up and running in 3 working days and John Lewis Financial Services can do everything next working day all banks should be able to do it.

    The fact is that the framework of switches is in place but the banks fail in exactly the same way that they failed with the original basic bank accounts. This new initiative to have all accounts accessed by a single app will similarly fail. What the initiative shows is a government which is out of touch not only with the banks but also bank customers!

    I for one will definitely not be giving all my banking details to one, single organisation and if I have to do that I'll keep my money under my mattress.
  • masonic Posts: 23,695 Forumite
    edited 10 August 2016 at 6:27AM
    So how do you change that password access when someone finds out what the current password is? What do you do when it comes to the 10th time you have to do it, move onto your toes?
    Your password does not need to be your fingerprint or iris. Your password can still be a password of sorts. The biometric system is used to unlock a password vault that is stored locally and possibly backed up in a pre-encrypted form. It would be quite wrong for websites to use raw biometric information as an ersatz password, and I have no idea if any are doing that.

    Ideally, your "password" would be a public/private keypair and would not be known to any website you use it with to log in. All they will see/store is an identity token derived from your public key and authentication will involve cryptographic signing of a nonce with your private key (which is stored on a device and protected biometrically).
  • Paul_Herring Posts: 7,481 Forumite
    colsten wrote: »
    Perhaps you should be offering your consultancy to First Direct, HSBC, Atom Bank and others, who obviously got it totally wrong when they decided to implement biometric logins.

    Why? They're going to pay just as much attention to it (and the various articles that repeat the exact same points) as some of their customers they're pushing this stuff onto who seem to accept their assertions that it's perfectly secure, when it's nothing of the kind.
    masonic wrote: »
    Your password does not need to be your fingerprint or iris.

    Yet.
    Your password can still be a password of sorts.

    At the moment.
    The biometric system is used to unlock a password vault that is stored locally and possibly backed up in a pre-encrypted form. It would be quite wrong for websites to use raw bio-metric information as an ersatz password, and I have no idea if any are doing that.

    You credit the banks with far too much intelligence in this area.

    These are the institutions that fall over because of outdated systems (Natwest, RBS), that foist unacceptable products onto their customers (PPI, interest rate swaps), that force liability back onto customers when they lose their money (chip-PIN).

    This will be another scandal in the making when they turn around and say to people defrauded through this that "no-one could forge your fingerprint on your device - you're liable for any transactions made using it."
    Ideally, your "password" would be a public/private keypair and would not be known to any website you use it with to log in.

    Well the public bit would ;) I use that sort of authentication all the time at work.

    And while I'd welcome such innovation, I won't be holding my breath for any of the banks to implement this sort of security.
    private key (which is stored on a device and protected biometrically).

    No - we're going round in circles with that last bit. If you can't change it, it's not a password - it's a user id.
    Conjugating the verb 'to be':
    -o I am humble -o You are attention seeking -o She is Nadine Dorries
  • jamesd Posts: 26,103 Forumite
    edited 10 August 2016 at 7:03AM
    masonic wrote: »
    Ideally, your "password" would be a public/private keypair and would not be known to any website you use it with to log in. All they will see/store is an identity token derived from your public key and authentication will involve cryptographic signing of a nonce with your private key (which is stored on a device and protected biometrically).
    Unfortunately what would happen is that a hacked system that compromises the private key will then be used for fraud and the bank will insist that you must have authorised the transaction because the private key had to have been used. If the key itself isn't compromised a man-in-browser attack may be sufficient because the key itself isn't implicitly linked to any specific transaction properties that would prevent it from being reused for a different transaction. Though a derived token might be. Which may not help because the algorithm to go from site provided information through private key to generate a token is presumably known and hence forged tokens are possible from a compromised key.

    First Direct at least has form in this area, introducing a key card to use for logging in that could then be used to assert that all transactions in the session must have been authorised by you in spite of the known existence and use of man in browser attacks. The result was a system that transferred fraud risk from bank to customer. After some fuss and a year of delay they adjusted the system to also provide transaction-specific authorisation.
  • masonic Posts: 23,695 Forumite
    edited 10 August 2016 at 8:05AM
    Yet.
    At the moment.
    You assert. I don't believe this will be permitted, although Brexit is a concern here - the EU was much better about championing our privacy rights than any UK Government.
    You credit the banks with far too much intelligence in this area.
    No, I don't. Banks don't have a very good track record in this area. They certainly shouldn't be the architects of such systems.
    This will be another scandal in the making when they turn around and say to people defrauded through this that "no-one could forge your fingerprint on your device - you're liable for any transactions made using it."
    The bank should not be party to the unlocking of the keypair. The bank could claim, "the person making the transaction provided the correct response to our challenge, therefore you have been negligent with your device", but that is no worse than what exists currently and the bank should be providing an extra level of security for transactions to new payees.
    And while I'd welcome such innovation, I won't be holding my breath for any of the banks to implement this sort of security.
    I agree, but I am pointing out that such systems are available.
    No - we're going round in circles with that last bit. If you can't change it, it's not a password - it's a user id.
    If you need the device and your biometric and you can revoke or wipe the keys stored on the device, then you can change it.
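An added example, written for this page and not code from any poster or from any bank's app, of the scheme masonic sketches above (device-held keypair, bank stores only a token derived from the public key, device signs a bank-issued nonce) extended with the two points raised afterwards: jamesd's observation that a signature must be bound to the transaction's properties or a man-in-browser can reuse it for a different payment, and masonic's point that revoking the key on a lost device is how you "change the password". Everything here is assumed for illustration: the Ed25519 keys, the `nonce|len|payee|amount` message layout, the `payee-A` sample transaction, and the in-memory key and nonce tables standing in for the bank's backend. The biometric is modelled only as what unlocks the private key on the phone; it never goes to the bank.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Transaction carries the properties a signature must be bound to, so a
// signature for one payment cannot be reused for a different one.
type Transaction struct {
	Payee  string
	Amount int64 // pence
}

// Device models the customer's phone (assumption: a model, not any real app).
// The private key is generated here and never leaves; the fingerprint or PIN
// only unlocks it locally and is never transmitted.
type Device struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, Pub: pub}, nil
}

// Authorise signs the bank's nonce together with the transaction details.
func (d *Device) Authorise(nonce string, tx Transaction) []byte {
	return ed25519.Sign(d.priv, SigningMessage(nonce, tx))
}

// SigningMessage is the canonical byte string both sides agree on. The payee
// length is encoded so field boundaries are unambiguous.
func SigningMessage(nonce string, tx Transaction) []byte {
	return []byte(fmt.Sprintf("%s|%d|%s|%d", nonce, len(tx.Payee), tx.Payee, tx.Amount))
}

// KeyID is the identity token the bank stores: a hash of the public key.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Bank holds public keys only; a breach of this table gives an attacker
// nothing that can produce a signature.
type Bank struct {
	keys    map[string]ed25519.PublicKey
	revoked map[string]bool
	nonces  map[string]bool // issued and not yet consumed
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}, nonces: map[string]bool{}}
}

func (b *Bank) Enrol(pub ed25519.PublicKey) string {
	id := KeyID(pub)
	b.keys[id] = pub
	return id
}

// Revoke is the "change your password" step: the lost phone's key stops
// working and the customer enrols a fresh device.
func (b *Bank) Revoke(id string) { b.revoked[id] = true }

// Challenge issues a fresh, single-use nonce. crypto/rand.Read fills the
// buffer with CSPRNG output.
func (b *Bank) Challenge() string {
	var buf [16]byte
	if _, err := rand.Read(buf[:]); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(buf[:])
	b.nonces[n] = true
	return n
}

// Verify accepts a payment only if the key is enrolled and not revoked, the
// nonce was issued by us and is still unused, and the signature covers exactly
// this nonce and these transaction details.
func (b *Bank) Verify(id, nonce string, tx Transaction, sig []byte) error {
	pub, ok := b.keys[id]
	if !ok {
		return errors.New("unknown key")
	}
	if b.revoked[id] {
		return errors.New("key revoked")
	}
	if !b.nonces[nonce] {
		return errors.New("nonce not issued or already used")
	}
	if !ed25519.Verify(pub, SigningMessage(nonce, tx), sig) {
		return errors.New("signature does not match this transaction")
	}
	delete(b.nonces, nonce) // consume only after a valid signature
	return nil
}

func main() {
	bank := NewBank()
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	id := bank.Enrol(dev.Pub)
	tx := Transaction{Payee: "payee-A", Amount: 5000} // constructed sample payment

	nonce := bank.Challenge()
	sig := dev.Authorise(nonce, tx)
	fmt.Println("genuine payment:", bank.Verify(id, nonce, tx, sig))
	fmt.Println("replayed:       ", bank.Verify(id, nonce, tx, sig))

	// Man-in-browser: the customer signed payee-A, malware submits a mule account.
	nonce = bank.Challenge()
	sig = dev.Authorise(nonce, tx)
	fmt.Println("payee swapped:  ", bank.Verify(id, nonce, Transaction{Payee: "mule", Amount: 5000}, sig))

	// Phone lost: revoke the old key; even the genuine device can no longer use it.
	bank.Revoke(id)
	nonce = bank.Challenge()
	fmt.Println("after revoke:   ", bank.Verify(id, nonce, tx, dev.Authorise(nonce, tx)))
}
```

Two design points worth noticing against the thread: the bank never learns the private key or the biometric, so a breach of its key table does not let anyone sign, and because the amount and payee are inside the signed message the "you must have authorised it" argument only holds for the exact payment the customer saw on their own device, not for whatever a compromised browser submitted.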
This discussion has been closed.