
Strong Customer Authentication - **Now delayed** changes to online verification


Comments

  • 2gins
    2gins Posts: 1 Newbie
    I've just had a 'secure key' pushed to me by my bank, I don't understand the use of these new secure keys at all and this seems as good a place as any to ask: What's the point?


    I'm glad the banks are taking security and fraud seriously and I certainly don't want any undue risks taken with my money/banking but this just seems like a total farce. Currently if anyone wishes to access my online banking they need to know my username, an 8-character passcode and the answer to a security question, which seems pretty secure to me. I have other banks for other things and they are so secure I usually can't log on myself.



    Now with this secure key I have to either go into the app and generate an OTP or do the same via a device I will need to keep with me, logically in my wallet or (if I were a lady or that way inclined) in a handbag. So suppose I lose my handbag or get mugged, or have my phone stolen?


    A would-be thief would only have to crack the 4-digit PIN to get into my phone, then they just need the single password to generate the OTP for either app or pocket device.


    How is this any more secure than the current multi-factor authentication? It just looks like a load of hassle for no gain, this online stuff was supposed to make stuff easier but I'm seriously thinking about binning off internet banking and going back to the 1990s relying on ATMs and telephone banking.


    [/rant]


    TLDR, secure keys don't seem any more secure than two-factor authentication and it's all a lot of fuss for no gain.
  • eskbanker
    eskbanker Posts: 36,928 Forumite
    2gins wrote: »
    Currently if anyone wishes to access my online banking they need to know my username, an 8-character passcode and the answer to a security question, which seems pretty secure to me.

    [...]

    A would-be thief would only have to crack the 4-digit PIN to get into my phone, then they just need the single password to generate the OTP for either app or pocket device.

    How is this any more secure than the current multi-factor authentication? It just looks like a load of hassle for no gain, this online stuff was supposed to make stuff easier but I'm seriously thinking about binning off internet banking and going back to the 1990s relying on ATMs and telephone banking.

    [/rant]

    TLDR, secure keys don't seem any more secure than two-factor authentication and it's all a lot of fuss for no gain.
    Perhaps I'm misunderstanding what you're saying but "username, an 8-character passcode and the answer to a security question" isn't multi-factor authentication!

    Multi-factor authentication, in the context of this exercise, entails more than one of:
    (a) something known only by the payment service user ("knowledge");
    (b) something held only by the payment service user ("possession");
    (c) something inherent to the payment service user ("inherence");

    Your three elements are all within the first of these and therefore don't count as strong customer authentication, so this is why SCA involves possession of apps or codes or card readers, to be used in conjunction with knowledge of passwords, PINs, etc.
  • 18cc
    18cc Posts: 2,120 Forumite
    In some ways it may seem that having to enter a username, password and some bit of memorable information would be quite secure - and of course indeed it is, particularly if what you use is unguessable

    the problem is that if anyone gets hold of them (for example by putting a keylogger on your PC or other means) then they have complete access to a bank account

    that is why in addition to those you need to have something physical from now on - for example a secure key or a card reader code generator or something like that

    this means that even if someone does manage to intercept your logon details they still cannot get on unless they also get hold of your security device
  • Doc_N
    Doc_N Posts: 8,523 Forumite
    Keith18002 wrote: »
    Just had an email from Santander telling me in the future I will have to use OTP or their mobile app. I do all my online banking from home where I have poor internet and no mobile phone signal. Have tried to get an OTP by driving 2 miles up the road but it has timed out by the time I return. Registration for the app requires OTP, the same thing applies.

    "What's changing

    You already enter your security details to gain access to Online Banking, for example your Personal ID and Security Number, Registration Number or 5-digit PIN.

    The new regulation asks us to add an additional check to confirm it’s you. You can do this one of the following two ways:


    By having our personal mobile banking app. When you log on to Online Banking you’ll be referred to the mobile app, which will simply ask you to use your fingerprint, face or Security Number as the additional check that it’s you. You can then continue to use Online Banking as you normally do.


    By using One Time Passcode (OTP). If you don’t have a smart phone, we’ll send an OTP to your mobile phone as the additional check that it’s you.

    Whichever way you choose, we’re only using the mobile banking app or the OTP to help confirm it’s you. You can continue to use your personal Online Banking as normal once the check has been completed."



    I agree with you - this is going to make online banking with Santander even more of a pain in the neck than it is already.

    Banking via an app may be fine for occasional transactions, but if you're doing any serious reconciliation work with an account it's hopeless.

    I see apps as a backward step in many ways but we're being forced onto it by banks too lazy to find other ways of dealing with security.
  • 18cc
    18cc Posts: 2,120 Forumite
    You know sometimes some of these replies make me quite angry

    just pause for a moment and think what you are doing. you are accessing your bank account in a few seconds at any time of the day or night 365 days a year and have the ability to check balances, make payments, set up standing orders - whatever you want

    is it too much to ask that you go through a bit of enhanced security before you do that

    you would be the first to come on here whinging if some fraudster got access to your account and drained all the money
  • Doc_N
    Doc_N Posts: 8,523 Forumite
    18cc wrote: »
    You know sometimes some of these replies make me quite angry

    just pause for a moment and think what you are doing. you are accessing your bank account in a few seconds at any time of the day or night 365 days a year and have the ability to check balances, make payments, set up standing orders - whatever you want

    is it too much to ask that you go through a bit of enhanced security before you do that

    you would be the first to come on here whinging if some fraudster got access to your account and drained all the money

    I think you're forgetting a couple of points:

    1 There are various ways of achieving the required levels of security. Some banks are doing it without major inconvenience to the customers they need to stay in business. Some aren't - and they'll be the losers, at least in terms of a customer base.

    2 Unless you've been grossly negligent (quite a high bar) it's the bank that carries the responsibility for any money taken from your account - not you.
  • masonic
    masonic Posts: 26,839 Forumite
    Presumably this will create an opportunity for companies using open banking. I for one would like read-only access to my account information without the hassle of going through 2FA.
  • londoninvestor
    londoninvestor Posts: 1,351 Forumite
    eskbanker wrote: »
    Perhaps I'm misunderstanding what you're saying but "username, an 8-character passcode and the answer to a security question" isn't multi-factor authentication!

    This is quite true - but the banks do have themselves partly to blame if they get that kind of response.

    Much of the reason why some customers believe that "mother's maiden name", "memorable place", "first school you attended" etc makes them more secure, is that the banks themselves have spent years telling them that it does!
  • eskbanker
    eskbanker Posts: 36,928 Forumite
    Doc_N wrote: »
    Banking via an app may be fine for occasional transactions, but if you're doing any serious reconciliation work with an account it's hopeless.
    You seem to be missing the significance of some of the text you quoted:
    Doc_N wrote: »
    By having our personal mobile banking app. When you log on to Online Banking you’ll be referred to the mobile app, which will simply ask you to use your fingerprint, face or Security Number as the additional check that it’s you. You can then continue to use Online Banking as you normally do.
    In other words, there's no need to do any 'banking via an app', the app is used purely as a means of authentication and then once logged in you can use online banking as before (i.e. not on the app)....
  • Ergates
    Ergates Posts: 3,000 Forumite
    Doc_N wrote: »
    1 There are various ways of achieving the required levels of security. Some banks are doing it without major inconvenience to the customers they need to stay in business

    Such methods include?