Strong Customer Authentication - **Now delayed** changes to online verification

colsten

eskbanker wrote: »

Perhaps you hadn't noticed but we haven't left yet, but in any case, if you choose to subscribe to the school of thought that this is something imposed on us against our will by that big bad nasty bureaucratic EU, what evidence do you offer that the UK would have chosen a different path had it not long since committed to implementing PSD2 from well before the referendum? Do you believe it'll be repealed at some stage in the future and if so, why?

I think banks will have a big interest in keeping 2FA, for the simple reason that it helps to further reduce their liabilities in case of alleged fraud. For example, a fraudulent payment to an existing payee can be made by anyone who has access to the account, and the bank might find it difficult to proof that it wasn't the account holder who made the payment. 2FA significantly reduces the likelihood that anyone but the account holder could make such a payment, thereby reducing the risk for the bank of having to investigate and potentially having to refund .

I am beginning to wonder whether some of the [few] people who so strongly oppose 2FA are upset that fraud will now become more difficult.

masonic

Rich2808 wrote: »

What happens when people go away on holiday for two weeks in the Uk or abroad - make sure you pack all your secure keys, readers, debit cards (for devices) and more for all your accounts? Really - just to check all is ok and the balances are as they should be? Some people have many such accounts - and hand luggage allowances aren't that big on most airlines!

Enjoy your holiday and leave the admin tasks such as checking your balances until you get back. Two weeks is not an excessively long period to go between logging in to all your accounts to check all is ok and the balances are as they should be.

eskbanker

colsten wrote: »

I think banks will have a big interest in keeping 2FA, for the simple reason that it helps to further reduce their liabilities in case of alleged fraud. For example, a fraudulent payment to an existing payee can be made by anyone who has access to the account, and the bank might find it difficult to proof that it wasn't the account holder who made the payment. 2FA significantly reduces the likelihood that anyone but the account holder could make such a payment, thereby reducing the risk for the bank of having to investigate and potentially having to refund .

I am beginning to wonder whether some of the [few] people who so strongly oppose 2FA are upset that fraud will now become more difficult.

I'm sure you're right that 2FA is expected to reduce fraud and therefore that ultimately this should reduce the banks' exposure, but this will only further antagonise those who choose to see the whole thing as an industry stitch-up designed primarily to inconvenience customers!

As above, my perspective is that it's futile to rail against this and demand explanations or concessions - the law is what it is and moaning about it isn't going to change it, unless there are seriously concerted efforts to lobby parliament, etc (and even then it's not as if there's a particularly strong case to reverse this initiative, given the deliberate positioning taken along the security versus convenience spectrum).

I believe that there will eventually be convergence on preferred technical solutions though, given the range of approaches adopted thus far, and the questions raised by the EBA about how some are unlikely to be compliant with the technical standards. Whether or not this activity will ultimately permit access to online facilities without a phone is unclear though....

colsten

eskbanker wrote: »

I'm sure you're right that 2FA is expected to reduce fraud and therefore that ultimately this should reduce the banks' exposure, but this will only further antagonise those who choose to see the whole thing as an industry stitch-up designed primarily to inconvenience customers!

I agree with you entirely. It also seems futile to explain that in the end it is us customers who pay for the refunds banks have to make for some of the fraudulent transactions, and that therefore it is in our own, direct, interest if further fraud-reducing matters get implemented.

spot1034

In my case, and I'm sure there are many others in a similar situation, it isn't that I object to any additional security checks that are deemed necessary, but that the execution of these involves me using a device that I do not possess - i.e. a mobile phone.

It is like me using my bank branch quite happily for many years and arriving on foot or by bus, and suddenly the bank tells me that they will only allow me in if I arrive in a car.

DragonQ

This really !!!!es me off. No consideration for people who cannot use their mobile phones at work. I don't want to carry around a dozen chip and pin readers and debit cards just to access my accounts. The current system of requiring stronger authentication to send money to a new payee is surely sufficient!

eskbanker

spot1034 wrote: »

In my case, and I'm sure there are many others in a similar situation, it isn't that I object to any additional security checks that are deemed necessary, but that the execution of these involves me using a device that I do not possess - i.e. a mobile phone.

It is like me using my bank branch quite happily for many years and arriving on foot or by bus, and suddenly the bank tells me that they will only allow me in if I arrive in a car.

DragonQ wrote: »

This really !!!!es me off. No consideration for people who cannot use their mobile phones at work. I don't want to carry around a dozen chip and pin readers and debit cards just to access my accounts. The current system of requiring stronger authentication to send money to a new payee is surely sufficient!

There are potentially two issues being conflated here!

My fundamental point is that the legislation is what it is, it was initiated many years ago, went through endless consultations and so on, and is finally about to be enacted, although there is every likelihood that the implementation date will be delayed. As with any other legislation, people can moan about it but that doesn't really achieve anything - it's much the same as asserting that it's daft that UK motorways are restricted to 70mph but that this was set when braking systems were pitiful compared to modern equivalents, and that it should be 80mph or more. All justifiable statements but saying them doesn't actually make any difference (and there is a counter argument involving safety in any case).

On the other hand, it's clear from the list in post #1 that banks are adopting different approaches to implementation, some of which are less convenient than others. Here there is something that can be done, i.e. if you don't like what your bank is doing then move to one that meets your requirements. You may resent having to do so, but it's a practical step to accommodate what's happening, and one that's likely to be far more productive than sounding off about it on here or to your bank.

I'll probably be accused of trying to defend the initiative here but that's not really what I'm saying - my purpose in starting this thread was to collate a reasonably comprehensive reference of what's happening, rather than looking to debate why it's happening, but it's just human nature that the latter comes into play I suppose!

candlebreeze

Thank you for posting this. I found it very useful

Nicholas

spot1034 wrote: »

In my case, and I'm sure there are many others in a similar situation, it isn't that I object to any additional security checks that are deemed necessary, but that the execution of these involves me using a device that I do not possess - i.e. a mobile phone.

It is like me using my bank branch quite happily for many years and arriving on foot or by bus, and suddenly the bank tells me that they will only allow me in if I arrive in a car.

There are still a few banks that don't insist on a landline or mobile phone. Indeed Nationwide and Nat West will let you use a card reader, HSBC group and Yorkshire Bank one of their security tokens.

I think the banks recognise that most people do have a smart phone these days for other things so they are utilising it for banking security.

I guess the answer is to change to one of the banks that don't insist on having a mobile (or landline) and do your banking there.:) Or don't bother with online banking at all - after all, we never had it 25 years ago. I do mean this in the nicest possible way.:) There are still choices, albeit limited choices.

lightbulb2760

spot1034 wrote: »

In my case, and I'm sure there are many others in a similar situation, it isn't that I object to any additional security checks that are deemed necessary, but that the execution of these involves me using a device that I do not possess - i.e. a mobile phone.

It is like me using my bank branch quite happily for many years and arriving on foot or by bus, and suddenly the bank tells me that they will only allow me in if I arrive in a car.

I've been researching ways around not having a mobile phone, and have come up with a Plan B.


As far as I understand it, mobile broadband USB dongles come with a sim card, so they can receive text messages, including the verification codes. As far as I can see the only provider selling dongles is O2, for £49.99. It comes with 12GB of data, which will last for up to a year. I assume that if I were to give the sim card phone number to the bank as my mobile number, and don't tell them it's a dongle, this could be a reasonable workaround...