First Direct confirmed customers without Mobile (coverage) now can't use cards online

telemarks

After many secure messages to and fro from First Direct they have today confirmed to me that if you do not have a mobile and coverage to receive a One Time Password (OTP) via text message (SMS) you may not be able to use First Direct Debit and Credit cards online.

First_Direct_message wrote:

If you do not have a mobile phone, you may not be able to complete online purchases going forward. The OTP system has now been implemented.

For customers like us with no mobile signal at home (and unreliable Wifi calling that can delay SMS up to a day), this makes First Direct unworkable. For others it means you can't use cards on WiFi, when in a place without mobile signal.
First Direct do currently offer a option of OTP via email. I have request this, but First Direct have not applied it for us.

First_Direct_message wrote:

we might be able to send the OTP to the email address listed on your customer profile for a short period of time. However, as email is not going to be available in the long term, we haven't promoted this as an alternative.

Needless to say I'm not happy about this, and will be taking my complaint on to the Financial Ombudsman Service as I have got nowhere with First Direct (despite been a customer of 20+ years).


However during the correspondence I have discovered that the mobile number First Direct are using, is not one a customer can easily review. It is not for instance the mobile number used in "Text message banking" in First Direct Online banking.
In fact the mobile number First Direct use for OTP is stored on their "central systems" that only they can update. It is held in a "cardholders customer profile" for each "individual cardholder." In the case of joint account I believe there are several "individual cardholders".
In my case the mobile number stored in my customer profile was 9 years out of date.
The learning for me here is I should have been telling First Direct whenever any personal details change. Doesn't sound too bad until you realise what they expect you to tell them.:eek:

First_Direct_message wrote:

In line with our Terms and Conditions it is your responsibility to let us know when any of your personal details change. We will then amend them on our central system.
Things that are likely to change are your address details, telephone numbers, employer's details, salary etc. If you need to change any of this information you can call, write to us or send a Secure Message.

So I'd suggest all First Direct customers check ASAP, what mobile number First Direct have centrally stored on your Customer Profile.

As for salary etc, I'll leave it up to you if you tell them that ...

colin79666

I don’t understand why they can’t do a otp in the app like they do for logging into the website or authorising a new payee. SMS isn’t all that secure.

telemarks

colin79666 wrote: »

I don’t understand why they can’t do a otp in the app like they do for logging into the website or authorising a new payee. SMS isn’t all that secure.

Totally agree, SMS is so last millennium.

The reply from First Direct on using the App. was:

First_direct_message wrote:

We are hoping to provide a way of receiving the OTP via our App, but this is still in development and we may not be able to do so.

sausage_time

Does seem a bit of a backward step. I'm amazed how complex FD make security with their web/app/phone - SecureKey, password, memorable answer, memorable address, memorable date, PIN, .....!



I guess not being able to use your card on-line at all improves security for them considerably.



Suggest you move bank, or get an additional card from someone that can support your situation.

Herbalus

I would suggest that nobody uses a debit card online anyway. Credit cards offer more protection.

I know you said it applies to credit cards also, but it’s easier to just get another brand of credit card if you don’t want to change banks.

Worth noting that a number of providers are switching to otp verification as a replacement for verified by visa or MasterCard secure, so check before you apply.

TrickyDicky101

I think the person who owned my house before me was a fully paid up member of the tin foil hat brigade - I get no mobile signal inside the house and could swear the last owner lined all the walls with lead. Step outside and the mobile signal is a full 5 bars...

I would find this very inconvenient assuming FD apply it to me (and I have seen the various warning messages that this is coming). I only use a debit car occasionally online but I wouldn't want to have to jump through hoops (or, quite literally, windows) to get the OTP.

I agree that FD is awful in terms of their security. I used to like NatWest much better for their internet banking. No idea what they're like now though. Maybe time for a change - that £125 from FD to switch is a very distant memory now

telemarks

TrickyDicky101 wrote: »

I would find this very inconvenient assuming FD apply it to me (and I have seen the various warning messages that this is coming). I only use a debit car occasionally online but I wouldn't want to have to jump through hoops (or, quite literally, windows) to get the OTP.

I'm in the same boat as you.


I'd seen the warnings from First Direct, and complained at the time of the warnings. At that time in summer FD said with was developing alternates to SMS, via email or App. but didn't have these ready yet or a long term plan for them. FD said they would warn me before introducing OTP via SMS.


Fast forward to a month ago (with not a whisper from FD) when I tried to use my Credit Card online for the first time in a while, and lo and behold up popped a box replacing the Verified by Visa saying they were about to send me a Password via SMS, and offering no options.


Since then I been trying to get a straight answer from FD to questions on how SMS passwords work for joint accounts. Its got to the point when now all they do is repeat the same information back to my questions, even though the replies they are repeating are directly contradictory.:mad:

As others have said its time to move my main bank (I also have secondary switching accounts obviously). All banks will have to introduce OTP passwords within the year, but I believe the way they do it is up to the Bank.


Therefore I'll keep an eye on the market, and choose my future main bank that offers a solution to online payments that works without Mobile signal.


In the meantime I'll just use Paypal and my backup Halifax account online. Its a shame as I've had 20 years of Great service from First Direct, but it appears they have shot themselves in the foot here.

Mr.Saver

There has been a lots of news about the security issue behind SMS based authentication / password reset / etc., why do they use this 90s tech?

From what I can tell, the best option in terms of security is a card reader. It requires the physical present of the card and the knowledge of the PIN, and can ask for the payment amount and partial account number to generate the OTP. Pretty hard (if not impossible) to cheat.

Butch_Dingle

telemarks wrote: »

unreliable Wifi calling that can delay SMS up to a day

Wifi calling - when used with a compatible handset & network - works flawlessly providing you have a decent wifi signal indoors. On both of my iphones (1 with BT Mobile, other with EE), texts over wifi calling are delivered almost instantaneously, so clearly there's an issue on your side. Now I'm not saying you splash out £1000 on the latest & greatest smartphone just to get wifi calling working, however a second hand/refurbished iphone 6 (unlocked) will cost you around £150 - I would have thought this investment would be worth it to get a working signal indoors.

Butch_Dingle

colin79666 wrote: »

SMS isn’t all that secure.

What makes you say that? On my phone when a SMS arrives, i just get a notification - the actual content can only be read once I unlock the phone. I imagine you can do the same on most smartphones.

Butch_Dingle

TrickyDicky101 wrote: »

. I used to like NatWest much better for their internet banking.

What, you like to faff around with physical card readers when setting up new payees? One of the great things about Firstdirect (and HSBC) is that you can choose to have a 'digital' secure key on your smartphone app which negates the need to have a physical authentication device. Considering nearly every man & his dog have a smartphone these days, this means vast majority of FD customers can simply do without a physical device - if they choose to do so.