Online Savings Security

whambamvandamme
whambamvandamme Posts: 1 Newbie
edited 29 January 2019 at 7:48PM in Savings & investments
Hi,


I have recently tested a number of online savings accounts and I thought it would be interesting to share the experience regarding the security. MSE recommends a number of offers based on the highest payers but some of them have shameful security.



For example - Marcus, Goldman Sachs - uses two factor authentication, payment only to and from linked account. Very solid platform. Time and datestamp from last login. I have had automated emails regarding information and it works very slick, also the call handlers know the product and the platform very well.



Post Office - No time and datestamp from last login. You cannot create a password, only a 6 digit code. From this 6 digit code, they only let you input 3 of the digits, so a 1 in 1000 chance of someone cracking as opposed to a 16 digit password made up of upper, lower case letters, numbers, symbols etc.



The main page you are presented with then gives you the option right at the top, in your face, to change your nominated account, they then process this change and transfer within 1 day. Who thought of this ???? They send you an automated email to tell you this change though but if you did not catch this within the timeframe then tough. When I called in to query security I was not even identified as a Post Office user.



This has not taken me long to test 8 platforms, they all can be ranked etc - due to this I am thinking about moving to fixed savings or something else but some of them are really bad, I expect users can make up their own mind but the example I have shown above shows how bad some can be.

Comments

  • DrSyn
    DrSyn Posts: 904 Forumite
    Part of the Furniture 500 Posts
    So what are the names of the other 6 you tested & what do you consider wrong with those?

    Where is the ranking you mention in the post?

    Why have you not already supplied this info?
  • pafpcg
    pafpcg Posts: 948 Forumite
    Part of the Furniture 500 Posts Name Dropper
    whambamvandamme wrote: »
    I have recently tested a number of online savings accounts and I thought it would be interesting to share the experience regarding the security. MSE recommends a number of offers based on the highest payers but some of them have shameful security.

    For example - Marcus, Goldman Sachs - uses two factor authentication, payment only to and from linked account. Very solid platform. Time and datestamp from last login. I had had automated emails regarding information and it works very slick, also the call handlers know the product and the platform very well.

    I'm not sure what to make of your "testing". What two factor authentication? I've made several withdrawals from my Marcus account during the last few months - all I've been asked to provide is my username (email address) and my password.
    Post Office - No time and datestamp from last login. You cannot create a password, only a 6 digit code. From this 6 digit code, they only let you input 3 of the digits, so a 1 in 1000 chance of someone cracking as opposed to a 16 digit password made up of upper, lower case letters, numbers, symbols etc.

    I'll agree that the Post Office (Bank of Ireland) system leaves a lot to be desired but you'll find it a lot harder to get money out of the Post Office Savings accounts than you might think! To start with, to login you have to supply your customer number (seven numeric digits) so that's a value known only to you and the Post Office, then your birthdate before supplying three of the six digits in your passcode number. To make a withdrawal, it can only go to either the associated external account or to another of your Post Office Savings accounts (from where it could be sent to that account's external account) and each transfer requires three digits from your passcode (and it's unlikely that you'll be asked for the same three digits asked at login!) Then there's the problem of how an intruder would be able to send funds to an external account under his control ....

    I, too, would be interested in the results of the rest of your testing.
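The "three digits from your six-digit passcode" login that whambamvandamme and pafpcg describe, written out as an added example. This is not the Post Office / Bank of Ireland code: the page says nothing about how they store or check the passcode. The per-position salted hashes, the lockout threshold and the customer-number format are assumptions made for the example; it also shows the 1-in-1000 odds of one blind guess and what a leaked copy of such a table is worth.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

PASSCODE_LEN = 6    # the 6-digit code the customer is given
DIGITS_ASKED = 3    # positions requested per challenge
MAX_FAILURES = 3    # lockout threshold (assumption for this example)


class PartialPasscodeStore:
    """Server side of a 'give us digits 2, 4 and 6 of your passcode' login."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}

    @staticmethod
    def _hash_digit(salt: bytes, position: int, digit: str) -> bytes:
        # One hash per position so any subset of positions can be checked alone
        # (storage format is an assumption; the real scheme is not on the page).
        return hashlib.sha256(salt + bytes([position]) + digit.encode()).digest()

    def enrol(self, customer_number: str, passcode: str) -> None:
        if len(passcode) != PASSCODE_LEN or not passcode.isdigit():
            raise ValueError("passcode must be exactly six digits")
        salt = secrets.token_bytes(16)
        self.records[customer_number] = {
            "salt": salt,
            "digits": [self._hash_digit(salt, i, d) for i, d in enumerate(passcode)],
            "failures": 0,
            "pending": None,
        }

    def challenge(self, customer_number: str) -> List[int]:
        """Choose which positions are asked for this login (different each time)."""
        rng = secrets.SystemRandom()
        positions = sorted(rng.sample(range(PASSCODE_LEN), DIGITS_ASKED))
        self.records[customer_number]["pending"] = positions
        return positions

    def verify(self, customer_number: str, answers: Dict[int, str]) -> bool:
        rec = self.records[customer_number]
        positions, rec["pending"] = rec["pending"], None   # a challenge is single-use
        if rec["failures"] >= MAX_FAILURES or positions is None:
            return False
        if set(answers) != set(positions):
            rec["failures"] += 1
            return False
        ok = True
        for pos in positions:   # check every position; no early exit on a wrong digit
            ok &= hmac.compare_digest(rec["digits"][pos],
                                      self._hash_digit(rec["salt"], pos, answers[pos]))
        rec["failures"] = 0 if ok else rec["failures"] + 1
        return ok


def guess_probability(digits_asked: int = DIGITS_ASKED) -> float:
    """Chance that one blind guess at the requested digits is right (1 in 1000 for 3)."""
    return 1 / 10 ** digits_asked


def recover_from_leak(store: PartialPasscodeStore, customer_number: str) -> str:
    """What a stolen copy of the table is worth: ten guesses per position recovers the code."""
    rec = store.records[customer_number]
    recovered = ""
    for pos, expected in enumerate(rec["digits"]):
        for d in "0123456789":
            if store._hash_digit(rec["salt"], pos, d) == expected:
                recovered += d
                break
    return recovered
```

Whatever storage format a real system uses, checking three digits in isolation means the passcode cannot be kept as one slow hash of the whole string: each digit has to be verifiable on its own, so a copy of the table falls to ten guesses per position (sixty hashes here). The attempt counter, the customer number and the date of birth are there to slow down online guessing; they do nothing for an offline attack on leaked data.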
  • badger09
    badger09 Posts: 11,811 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    pafpcg wrote: »
    .............

    I'll agree that the Post Office (Bank of Ireland) system leaves a lot to be desired but you'll find it a lot harder to get money out of the Post Office Savings accounts than you might think! To start with, to login you have to supply your customer number (seven numeric digits) so that's a value known only to you and the Post Office, then your birthdate before supplying three of the six digits in your passcode number. To make a withdrawal, it can only go to either the associated external account or to another of your Post Office Savings accounts (from where it could be sent to that account's external account) and each transfer requires three digits from your passcode (and it's unlikely that you'll be asked for the same three digits asked at login!) Then there's the problem of how an intruder would be able to send funds to an external account under his control ....
    ................

    You forgot to mention the ongoing consistent 'error/we have a problem, please try later messages';)
  • Alexland
    Alexland Posts: 10,561 Forumite
    Eighth Anniversary 10,000 Posts Photogenic Name Dropper
    badger09 wrote: »
    You forgot to mention the ongoing consistent 'error/we have a problem, please try later messages';)

    It took me about a month and a formal complaint to get money out of my AA branded Bank of Ireland savings account. Never again.
  • greenglide
    greenglide Posts: 3,301 Forumite
    Part of the Furniture Combo Breaker Hung up my suit!
    pafpcg wrote: »
    What two factor authentication? I've made several withdrawals from my Marcus account during the last few months - all I've been asked to provide is my username (email address) and my password.
    My understanding is that it recognises the device you are logging in from by using a cookie. If it doesn't recognise the device it requires additional data (text or email).
  • pafpcg
    pafpcg Posts: 948 Forumite
    Part of the Furniture 500 Posts Name Dropper
    greenglide wrote: »
    My understanding is that it recognises the device you are logging in from by using a cookie. If it doesn't recognise the device it requires additional data (text or email).
    That's why I asked! Can interrogation of a stored cookie be regarded as two factor authentication?
  • greenglide
    greenglide Posts: 3,301 Forumite
    Part of the Furniture Combo Breaker Hung up my suit!
    It is "something you have" (the PC with a cookie on it) and something you know (the username and password).


    Quite a number of companies use this although it isn't always obvious.


    Whether it is "enough" is a matter of opinion. Most companies don't use two factor and the move to card readers seems to have died.
  • bowlhead99
    bowlhead99 Posts: 12,295 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Post of the Month
    pafpcg wrote: »
    That's why I asked! Can interrogation of a stored cookie be regarded as two factor authentication?

    Ignoring technicalities of cookies vs soft tokens, the 'two factor' security is basically verifying you with both something you know, and something you have.

    In Marcus's case you are only being asked to give your user ID and password (things you know) but they are only letting you access your account because they've silently checked you've got the token they issued to you (things you have).

    The fact that your device has the token is a decent 'factor' to show that it's you. If it was me... I wouldn't have your token or know any of your details. If it was your friend, who did know your ID because he saw you wrote it down, and he guessed your password because you use it for everything... he can't log in to Marcus via his phone while traveling back to his house because his phone doesn't have your token. Your family member doesn't have the token either. Presumably you have some sort of password to get into the device that has the token.

    There have been some grumbles on some of the Marcus threads that it's a pain to need soft token authentication because if I use my home PC to register but want to administer the account from my tablet or work PC, that other device didn't have the token. From security point of view, that's good.

    It means that (for example) if I was away from my desk at work and hadn't locked my screen, and someone who somehow knew my Marcus ID and password sneaked onto my work PC with the aim of logging into my account and moving my funds with a trail that only leads back to myself... actually they could be thwarted, as my work PC doesn't have the important token/cookie.

    So, "something you have" and "something you know" are two decent factors which reduce risk compared to single factor. The 'something you have' could be software-based instead of physical hardware, while still serving a purpose.
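The device-token flow that greenglide and bowlhead99 describe, written out as an added example. It is not Marcus's code: the page says nothing about how their token is issued or checked. The PBKDF2 password hash, the cookie layout `(device_id, token)`, the six-digit out-of-band code and the in-memory outbox standing in for SMS or email delivery are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Cookie = Tuple[str, str]   # (device_id, token) kept on the customer's device


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    devices: Dict[str, bytes] = field(default_factory=dict)  # device_id -> sha256(token)
    pending_otp: Optional[str] = None


class Bank:
    """Password ('something you know') plus a per-device token ('something you have')."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []   # stands in for SMS/email delivery

    @staticmethod
    def _hash_pw(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(salt, self._hash_pw(salt, password))

    def login(self, email: str, password: str,
              cookie: Optional[Cookie]) -> Tuple[str, Optional[Cookie]]:
        """'ok' from a known device, 'otp_required' from an unknown one, 'denied' on bad credentials."""
        acct = self.accounts.get(email)
        if acct is None:
            self._hash_pw(b"\0" * 16, password)   # same cost as a real check
            return ("denied", None)
        if not hmac.compare_digest(acct.pw_hash, self._hash_pw(acct.salt, password)):
            return ("denied", None)
        if cookie is not None:
            device_id, token = cookie
            stored = acct.devices.get(device_id)
            presented = hashlib.sha256(token.encode()).digest()
            if stored is not None and hmac.compare_digest(stored, presented):
                return ("ok", cookie)       # both factors present: silent login
        # Right password but unknown device: fall back to an out-of-band code.
        acct.pending_otp = f"{secrets.randbelow(10**6):06d}"
        self.outbox.append((email, acct.pending_otp))
        return ("otp_required", None)

    def confirm_otp(self, email: str, otp: str) -> Optional[Cookie]:
        """Second factor for a new device; on success that device gets its own token."""
        acct = self.accounts[email]
        expected, acct.pending_otp = acct.pending_otp, None   # one attempt per code
        if expected is None or not hmac.compare_digest(expected, otp):
            return None
        device_id, token = secrets.token_hex(8), secrets.token_urlsafe(32)
        acct.devices[device_id] = hashlib.sha256(token.encode()).digest()
        return (device_id, token)
```

The token is only as strong as the device holding it: malware, an unlocked laptop or a copy of the cookie file carries both factors to wherever the attacker likes, and nothing here binds the token to the machine beyond its presence in the browser. It stops the "friend who knows your password" case in the post above; it does not stop a phishing page that relays the password and then the one-time code.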
  • pafpcg
    pafpcg Posts: 948 Forumite
    Part of the Furniture 500 Posts Name Dropper
    greenglide wrote: »
    It is "something you have" (the PC with a cookie on it) and something you know (the username and password).
    Quite a number of companies use this although it isn't always obvious.
    Whether it is "enough" is a matter of opinion. Most companies don't use two factor and the move to card readers seems to have died.
    Santander use the same cookies technique but I'm not aware that they have claimed it's 2FA. With my curiosity piqued, I went looking for the recent Which? investigation into "How safe is online banking?" covering twelve online banks. The article castigates Santander and six other banking groups for not yet implementing 2FA, so the authors must have a narrower definition of two factor authentication. https://www.which.co.uk/money/banking/banking-security-and-new-ways-to-pay/online-banking-security/how-safe-is-online-banking-ayvfj7p8cctc
  • greenglide
    greenglide Posts: 3,301 Forumite
    Part of the Furniture Combo Breaker Hung up my suit!
    Santander provide the customer with a picture and text which you have previously chosen so you know that you are logged into the correct site.


    I have never come across anything else.
This discussion has been closed.