First Direct withdrawing 'limited access' online banking

JuicyJesus

18cc wrote: »

Personally I think this is an excellent idea get rid of memorable information completely I want my account to be totally and utterly secure if only Nationwide would do the same

If Nationwide did the same, I'd switch.

It'd annoy me to no end. I like being able to log in to my account and check things without a card reader/secure key.

eskbanker

JuicyJesus wrote: »

If Nationwide did the same, I'd switch.

It'd annoy me to no end. I like being able to log in to my account and check things without a card reader/secure key.

It's not a case of if institutions are tightening security, it's how and when - at https://www.nationwide.co.uk/support/support-articles/security/strong-customer-authentication they're saying that you'll have a choice of authenticating with one of: app, SMS OTP or card reader....

[Deleted User]

eskbanker wrote: »

It's not a case of if institutions are tightening security, it's how and when - at https://www.nationwide.co.uk/support/support-articles/security/strong-customer-authentication they're saying that you'll have a choice of authenticating with one of: app, SMS OTP or card reader....

For basic online banking (equivalnt to FD 'limited banking') they are saying "In addition to changing the authentication options, we’ll also ask you to enter your date of birth alongside your customer number when you log into the Internet Bank – this extra step is there every time you log in." That's okay. There's no need for the card reader - apparently. It does seem, as you suggested earlier, that there are no hard and fast rules here. Each bank is doing its own thing. Some, such as FD's arrangement, are more onerous than others. I guess if the likes of FD are deluged with complaints and start losing customers they might drag themselves into the 21st century, but I wouldn't bank on it.

[Deleted User]

johnsmith1890 wrote: »

For basic online banking (equivalnt to FD 'limited banking') they are saying "In addition to changing the authentication options, we’ll also ask you to enter your date of birth alongside your customer number when you log into the Internet Bank – this extra step is there every time you log in." That's okay. There's no need for the card reader - apparently. It does seem, as you suggested earlier, that there are no hard and fast rules here. Each bank is doing its own thing. Some, such as FD's arrangement, are more onerous than others. I guess if the likes of FD are deluged with complaints and start losing customers they might drag themselves into the 21st century, but I wouldn't bank on it.

Oh no! Buried on a seaprate page, in addition to DoB you will also have to have a card reader, just to log on. So that's me done with them as well! Looks like BOS is going to become my 'main' account.

Edit: - it's uunclear from what they say whether or not a OTP via email will be an option. You'd think they could be more precise on this.

[Deleted User]

What on earth are you going to do when BoS are forced into following suit and offering the same options for login?

You'll need to find a new bank that comes with free tin-foil hats as a welcome gift!

eskbanker

johnsmith1890 wrote: »

For basic online banking (equivalnt to FD 'limited banking') they are saying "In addition to changing the authentication options, we’ll also ask you to enter your date of birth alongside your customer number when you log into the Internet Bank – this extra step is there every time you log in." That's okay. There's no need for the card reader - apparently.

johnsmith1890 wrote: »

Oh no! Buried on a seaprate page, in addition to DoB you will also have to have a card reader, just to log on. So that's me done with them as well! Looks like BOS is going to become my 'main' account.

Edit: - it's uunclear from what they say whether or not a OTP via email will be an option. You'd think they could be more precise on this.

As per my last post, I interpreted their statement (that you quoted) to mean that in order to access any online banking it'll be necessary to use one of the three authentication options shown on that page, i.e. app, SMS OTP or card reader, as well as the DoB check. Where are you seeing the reference to a requirement for the card reader to log on?

eskbanker

!!! wrote: »

What on earth are you going to do when BoS are forced into following suit and offering the same options for login?

You'll need to find a new bank that comes with free tin-foil hats as a welcome gift!

Bank of Scotland appear to be planning to offer the trusted device mechanism as one of the two factors (the other being password, etc), according to https://www.bankofscotland.co.uk/aboutonline/changes-to-internet-banking.html, so it's not clear to me that this will need to be changed if they contend that this is compliant with the new regulations, presumably after taking advice rather than simply taking a punt, unless this is challenged perhaps?

In other words, the fact that at least some other banks have taken a different approach from BoS doesn't necessarily signify that the latter is invalid or wrong....

[Deleted User]

eskbanker wrote: »

As per my last post, I interpreted their statement (that you quoted) to mean that in order to access any online banking it'll be necessary to use one of the three authentication options shown on that page, i.e. app, SMS OTP or card reader, as well as the DoB check. Where are you seeing the reference to a requirement for the card reader to log on?

Yes, the DoB thing is mentioned first, then you can click on each of the three options for further details. However, the 'text' option mentions email, but doesn't clarify if this is an option to receive the code, as per the Marcus arrangement. The card reader option mentions use of the device for online shopping "as currently used for Internet banking" or words to that effect. In this case it doesn't state that the limited banking option is being withdrawn - though maybe that's implied. The pages are a bit ambiguous. One thing to remember is that Nationwide login is already cumbersome, even without the card reader, in that you need to enter a difficult-to-remember customer number amongst other things. The card reader device is circa 18th century! Looking at the various options the banks are now introducing, I would say BOS is the easiest. There's effectively no change, except when logging on using a non-trusted device. Marcus is okay - you can have your email open, ready for the code. But FD, and possibly Nationwide, are making things more difficult. As a result, they may pay a price.


As for online shopping; I'm betting Amazon will not drop their OneClick ordering, so one has to wonder how obligatory these new protocols really are.

eskbanker

johnsmith1890 wrote: »

As for online shopping; I'm betting Amazon will not drop their OneClick ordering, so one has to wonder how obligatory these new protocols really are.

As I understand it they're obligatory for financial institutions but as Amazon are just a merchant then I wouldn't see them as being bound by them. That's not to say that their card security is adequate but ultimately they, like anyone else handling card data, has to abide by the PCI-DSS standards....

Ashen

Just to highlight that HSBC themselves are also doing this, as well as just their First Direct division. I had an email from them telling me that I hadn't used my Secure Key for ages and needed to use it to stop it being deactivated - and that it would be mandatory to use it at some point later this year.

I would much prefer to have limited access without the key (for those arguing that's insecure, I'd say using a device that has previously been authenticated via Secure Key should still be secure enough for limited access), and full service when I have access to my Secure Key.