Strong Customer Authentication - **Now delayed** changes to online verification

lightbulb2760

colsten wrote: »

What's wrong with people? Why all the opposition to keeping your data and your money safer?

Even if the banks did it all just to reduce their liabilities for fraudulent transactions, the advantages to account holders appear obvious to me: starting with not having the hassle of chasing missing money, not having to prove that the fraudster wasn't actually yourself or that you haven't been in cahoots with the fraudster, and ending with banks not needing to up their charges in an effort to recoup the money they need to reimburse for some fraudulent transactions.

Besides, smart phones are now so prevalent that those who really cannot deal with OTPs can simply use the app for their banking. But presumably that is unacceptable, too, as the main objective is just to moan.

I'm not opposed to keeping my data and money safer. What I do object to is the assumption that everyone who banks online has a phone - whether smartphone, mobile, or landline. There should be alternatives in place for those in this situation.

Nicholas

OP:

Just had an email from Yorkshire Bank detailing their changes to security from 14 September.

When does it change?
These changes will happen on 14th September 2019.

What's changing?
Soon, to access your account online you'll need to use either:


Our mobile banking app. Using your passcode or fingerprint ID, you'll be able to log in to the app and tap to verify payments.

A one-time passcode we send to your mobile or landline. You'll be asked to enter this to go through to your account and complete a transaction.

Your security token (if you have one). You'll use the 8-digit number displayed on the token to log in to internet banking and verify payments.

I can't find a link on their website yet, but this should be enough info for you to update your list.

colsten

Rich2808 wrote: »

I have no objection to the changes for making payments and setting up new payees - requiring readers or keys to simply view balances and transactions is another matter. People are less likely potentially to notice fraud quickly - if you make it harder to simply check balances and transactions.

It isn't exactly hard to use an app to check your balance. In fact, it takes me a few seconds now to do it, and I don't even have to go anywhere near my laptop to do it. A simple "Siri, open Santander", or "Siri, open Barclays" etc, and a look at my phone is all I need now to log in. Obviously, I need a smartphone for starters - but I have one of those anyway as there are dozens of reasons why I have one, despite being of near dinosaur age now (in fact, getting older is even more reason for me to have a smartphone as I only need to look after one gadget now, as opposed to a dumb phone, a calendar, a pen, a diary, a phone directory, a step counter, a radio, a wallet bulging with debit, credit and loyalty cards, a camera, an alarm, a stopwatch etc etc etc)

Rich2808 wrote: »

Long removed are we from the days people had one bank account - many now have several and use them for savings in effect. Making it harder to simply to monitor those accounts isn't good - easier to go overdrawn and not notice and more likely for fraud to be picked up later rather than sooner!

You don't need to tell me about people having several accounts. I used to have nearly 3 dozens current accounts, and a similar number of savings accounts. The only reason I have fewer accounts now is that drop of current account interest rates and a shrinking number of good regular savers. I appreciate it could be a little bit more difficult for those who refuse to use a smartphone but that is their choice, and my view is that they are making their lives unnecessarily difficult for themselves. I also appreciate that their view varies with mine, and that is fine, too. There alternatives for those who choose not to adopt modern technology.

colsten

Uxb1 wrote: »

Then there is the problem which seems to be unappreciated all over the web mostly by city dwellers that many places n the UK simply do not have mobile phone cover.

I am not a city dweller and my mobile reception is hit and miss at home. That's why I use WiFi calling at home (actually, my phone uses it automatically). Problem solved.

I appreciate you may not want to use WiFi calling for banking when away from home. I solve that issue by simply not doing any banking over WiFi when away from home, or only on networks that I trust (e.g. home of a family member who I know has a secure network).

lightbulb2760

colsten wrote: »

There are alternatives for those
who choose not to adopt modern technology.

That's the whole point of my post: there aren't any alternatives for those who choose not to use phones.

Ergates

lightbulb2760 wrote: »

These changes, along with the end of First Direct's Internet Banking Plus, will mean the end of being able to manage my banking online, as (by choice) I don't have a mobile phone or a landline. I don't fancy using a payphone, so the only option for me will be in branch banking, and with around 40 accounts spread over 15 institutions, that's going to be almost impossible.

You don't have a mobile *or* landline and you have 40 accounts spread over 15 institutions.

Are you deliberately going out of your way to make your life as complicated as possible?

lightbulb2760 wrote: »

I'm not opposed to keeping my data and money safer. What I do object to is the assumption that everyone who banks online has a phone - whether smartphone, mobile, or landline. There should be alternatives in place for those in this situation.

It's not an unreasonably assumption on their part though. How many people in the UK don't have *any* kind of phone *and* do their banking online?

If you don't want a phone, fine, but don't be surprised that when you intentionally put yourself into a tiny minority bracket that many organisations won't be willing to jump through hoops to suit your needs.

eskbanker

lightbulb2760 wrote: »

These changes, along with the end of First Direct's Internet Banking Plus, will mean the end of being able to manage my banking online, as (by choice) I don't have a mobile phone or a landline. I don't fancy using a payphone, so the only option for me will be in branch banking, and with around 40 accounts spread over 15 institutions, that's going to be almost impossible.

lightbulb2760 wrote: »

I'm not opposed to keeping my data and money safer. What I do object to is the assumption that everyone who banks online has a phone - whether smartphone, mobile, or landline. There should be alternatives in place for those in this situation.

lightbulb2760 wrote: »

That's the whole point of my post: there aren't any alternatives for those who choose not to use phones.

There are some banks offering alternatives, such as those listed at post #1 with physical secure key options, or even authentication via email (with its attendant security risks), but they're undoubtedly the exception rather than the rule and personally I don't see such mechanisms being retained in the long term.

How do you suggest banks should be able to contact customers in real time when needing to fulfil their new statutory obligations to verify your identity with a second factor of authentication?

eskbanker

Rich2808 wrote: »

Most people aren't setting up new payees or making payments daily - but this change will also apply if you simply want to login to review transactions, check balances or ensure you aren't going overdrawn online and via apps. Now with HSBC I will need my secure key to do the latter - indeed i noticed today they have already made the change so cannot login to internet banking without one (just made the change without notifying me when) with the app no doubt soon to follow.

Why can't banks still allow the viewing of latter online/via apps - and simply require secure keys/readers for payments? No issue with the changes in terms of new payees - seems over the top to require it as well simply to view and review transactions quickly (which could mean people actually discover identiy fraud and dodgy transactions more slowly if they don't want to carry card readers everywhere etc).

RBS and NatWest appear to be offering restricted access without 2FA, but section 100.1(a) of the Payment Services Regulations 2017 doesn't make any distinction regarding what the customer does once logged in, so gut feel would be that RBS/NatWest will be forced into line with the others, rather than the other way round.

http://www.legislation.gov.uk/uksi/2017/752/regulation/100/made:

Authentication

100.—(1) A payment service provider must apply strong customer authentication where a payment service user—

(a) accesses its payment account online, whether directly or through an account information service provider;
(b) initiates an electronic payment transaction; or
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Rich2808 wrote: »

This is an EU directive - I thought we were supposed to be leaving..........

Perhaps you hadn't noticed but we haven't left yet, but in any case, if you choose to subscribe to the school of thought that this is something imposed on us against our will by that big bad nasty bureaucratic EU, what evidence do you offer that the UK would have chosen a different path had it not long since committed to implementing PSD2 from well before the referendum? Do you believe it'll be repealed at some stage in the future and if so, why?

Rich2808

colsten wrote: »

It isn't exactly hard to use an app to check your balance. In fact, it takes me a few seconds now to do it, and I don't even have to go anywhere near my laptop to do it. A simple "Siri, open Santander", or "Siri, open Barclays" etc, and a look at my phone is all I need now to log in. Obviously, I need a smartphone for starters - but I have one of those anyway as there are dozens of reasons why I have one, despite being of near dinosaur age now (in fact, getting older is even more reason for me to have a smartphone as I only need to look after one gadget now, as opposed to a dumb phone, a calendar, a pen, a diary, a phone directory, a step counter, a radio, a wallet bulging with debit, credit and loyalty cards, a camera, an alarm, a stopwatch etc etc etc)

.

I agree - it isn't hard to review balances and transactions on most banking apps now.

But HSBC - and presumably M&S and First Direct as they have the same parent - are soon removing all access to their app even just to view transactions and balances unless you have a secure key with you. That is being made very clear every time I logon now - same for my relatives. Internet banking without a secure key has already gone for me - and them as well. You can ask for a digital secure key - but it only works on newer smartphone devices. And not everyone therefore can use the app - and internet banking is blocked without the physical secure key.

What happens when people go away on holiday for two weeks in the Uk or abroad - make sure you pack all your secure keys, readers, debit cards (for devices) and more for all your accounts? Really - just to check all is ok and the balances are as they should be? Some people have many such accounts - and hand luggage allowances aren't that big on most airlines!

Perhaps you don't fully appreciate the changes some banks are making - and the impact it will have for some people such as the elderly and housebound!

Payments and transfers - fine we need the security - but just to check balances and transactions to ensure you are in credit and haven't been robbed - its overkill!

colsten

Rich2808 wrote: »

What happens when people go away on holiday for two weeks in the Uk or abroad - make sure you pack all your secure keys, readers, debit cards (for devices) and more for all your accounts? Really - just to check all is ok and the balances are as they should be? Some people have many such accounts - and hand luggage allowances aren't that big on most airlines!

Are you actually serious - the hand luggage allowance would be affected by people taking their physical gadgets for online banking with them? :rotfl: And they are checking their accounts ever so often whilst they are on holidays? And they don't have a mobile on which they can be contacted whilst on holidays? And they can check their banks accounts but not their emails (which can be used by many banks for the 2FA)? You are really scraping the bottom of the barrel now.

Rich2808 wrote: »

Perhaps you don't fully appreciate the changes some banks are making - and the impact it will have for some people such as the elderly and housebound!

Elderly and/or housebound with no phone and no email but doing online banking. Yeah. How many such people could you find?

Rich2808 wrote: »

Payments and transfers - fine we need the security - but just to check balances and transactions to ensure you are in credit and haven't been robbed - its overkill!

Well, if you say so. You don't seem to read the stories of the people who had money gone missing from their accounts. Just in the last couple of days there's some bloke (Daryl) claiming he was scammed by somebody who could blag their way through setting up a large payment over the phone, in part because they could quote transactions and DD details from his account. It's also not only a matter of balance checking - it could be that an abusive partner is trying to snoop on your finances, for instance. 2FA would make this more difficult.

I would support the idea that banks should be allowed to offer customers a bypass of the 2FA, on condition that those customers agree that they assume sole liability for all monies leaving their account. Though I bet you wouldn't be happy with that, either.