Mobile phones and one time passwords

OPENSPACES

We are a retired couple in our 70s and we have one current mobile phone between us which happens to be registered in my wife's name. We have banked with Santander for 30 years and I have three accounts with them and a joint account . I have for years used my wife's old mobile number for OTPs and this has worked perfectly OK. However this phone has eventually died a death and I sought to update our details and register the new phone. However in order to do this on line part of the process involves sending a OTP to the old number which was of course not possible. I therefore had to ring them up and explain the situation. However they refused to do this as I happened to say it was my wife's phone and they explained that it had to be registered in my name. When I asked but how do you check they said we cant but you've told us and that's enough. So I then asked you have two systems i.e. registering it on line which has no checks re phone ownership and works on sending a OTP and another (via them which does have a check) i.e. by asking if its my phone which only requires a yes answer but no other possible check. That's correct they said, two ways of changing your number and different processes. All requests to seek supervisory authority to make an exception were refused. Is this the sort of thing that should be referred to the FCA?

Neil_Jones

When a phone dies the number doesn't die with it.

You could have just got a replacement SIM-free phone (or one locked to a suitable network) and put your old SIM into there and there's your number in full working order. You wouldn't even had had to speak to Santander, they don't know what phone you're using its all about the number.

agrinnall

As Neil says, or simply put the old SIM card into current phone (assuming it's the same size) until the OTP has been received to allow you to confirm the change of number, then revert to the current SIM.

OPENSPACES

My wife is two steps ahead of you guys and we have succeeded in changing matters. My original issue was about the fact that when doing it manually they say they ask the question "is it your phone" and wont do it if it isn't whereas when doing it on line the only test is that you input the OTP. The tests should be consistent. When I asked where does it say in your terms and conditions that the phone used must be registered to you they refused to answer. Their answer was unwavering ie you cannot register a mobile for OTP unless it is owned by you despite the fact that they cant check that fact ! I understand there needs to be security but this is a "sorry but them is the rules" scenario and not about customer service

Carrot007

OPENSPACES wrote: »

My wife is two steps ahead of you guys and we have succeeded in changing matters. My original issue was about the fact that when doing it manually they say they ask the question "is it your phone" and wont do it if it isn't whereas when doing it on line the only test is that you input the OTP. The tests should be consistent. When I asked where does it say in your terms and conditions that the phone used must be registered to you they refused to answer. Their answer was unwavering ie you cannot register a mobile for OTP unless it is owned by you despite the fact that they cant check that fact ! I understand there needs to be security but this is a "sorry but them is the rules" scenario and not about customer service

Yes they messed up, but so did you!


I cannot even see why the question of who owns the phone came up!


However if it did and it is your account the only sane answer is it is yours!


The right answer in the odd situation you created was for them to say go into branch with ID or wait for a code to be sent though the post for a manual reset.


Anyway at least you now know a phone number has nothing to do with a specific phone. All is good.

Takmon

OPENSPACES wrote: »

My wife is two steps ahead of you guys and we have succeeded in changing matters. My original issue was about the fact that when doing it manually they say they ask the question "is it your phone" and wont do it if it isn't whereas when doing it on line the only test is that you input the OTP. The tests should be consistent. When I asked where does it say in your terms and conditions that the phone used must be registered to you they refused to answer. Their answer was unwavering ie you cannot register a mobile for OTP unless it is owned by you despite the fact that they cant check that fact ! I understand there needs to be security but this is a "sorry but them is the rules" scenario and not about customer service

It's pretty obvious that if you are being sent a OTP which allows you to transfer money from an account only in your name the phone needs to belong to you!.

If you tell them that someone else owns the phone that your OTP are sent to then it would irresponsible for them allow that to continue because it is a security issue.
If they allowed you to continue using someone eases phone they could be liable for any money lost due to this.

Surely you must understand this?

brianposter

Takmon wrote: »

It's pretty obvious that if you are being sent a OTP which allows you to transfer money from an account only in your name the phone needs to belong to you!.

If you tell them that someone else owns the phone that your OTP are sent to then it would irresponsible for them allow that to continue because it is a security issue.
If they allowed you to continue using someone eases phone they could be liable for any money lost due to this.

Surely you must understand this?

Actually it doesnt make much sense. My mobile phone no longer has coverage when I am at home, so I use my OHs phone when necessary. It would be pointless giving my own mobile number to the bank.

18cc

Get your wife to sell you the phone for 1p the phone then becomes yours

However because in your marriage vows you promised 'with all my goods I thee endow' then it would also become hers so either of you could use it for the OTP

Takmon

brianposter wrote: »

Actually it doesnt make much sense. My mobile phone no longer has coverage when I am at home, so I use my OHs phone when necessary. It would be pointless giving my own mobile number to the bank.

That doesn't really change anything i said it is still a security issue to have OTP'S sent to a phone that doesn't belong to you and you aren't in control of.

Have you looked into getting a femtocell or wi-fi calling on your mobile, all the major networks offer this so you may be able to get signal.

But it doesn't really make sense why you would have a mobile phone that couldn't get signal when at home where you probably spend a lot of your time.

OPENSPACES

There can always be an argument as to what phone users should use. The issue here is that if you change numbers on line you can use any number and the banks will not and do not challenge you. If however you do matters over the phone then they do challenge you. Both systems should be the same. Having said that as the banks cannot verify ownership what difference does it make? The requirement is that the account holder is able to receive a text message containing the OTP i.e. the phone should be in his possession and not necessarily owned by him. That's how I see it

Takmon

OPENSPACES wrote: »

There can always be an argument as to what phone users should use. The issue here is that if you change numbers on line you can use any number and the banks will not and do not challenge you. If however you do matters over the phone then they do challenge you. Both systems should be the same. Having said that as the banks cannot verify ownership what difference does it make?

The difference is that if you ring up and tell them that it isn't your phone then they would be irresponsible to let you continue because it is a security risk.

Just like if you rang them up and you make a comment about being forced to change this number by someone else they shouldn't let you continue even thought it doesn't ask online if your being forced.

If you give them information that makes them doubt the security then they should be stopping you from continuing.

OPENSPACES wrote: »

The requirement is that the account holder is able to receive a text message containing the OTP i.e. the phone should be in his possession and not necessarily owned by him. That's how I see it

That's the wrong way to look at it. The phone is used as a two factor authentication device so it should be a device you share with no one else. If the phone is owned by someone else they can take the phone away and then a third party could have access to the code and use it to take money from your account.