
Why do banks use SMS over app for OTP?

Why do banks send OTP codes as a text message if the customer has the app installed? The app is obviously optional for traditional banks, say Lloyds, but once I install it surely my bank has that on record. So why doesn't the bank use this for the OTP and instead uses SMS, which we are frequently reminded is insecure and easily hacked? PayPal confirms they will be doing the same to meet SCA requirements; they want me to log into the app and confirm my phone number is correct so they can send me OTP using SMS. Why not generate the code inside the app?

Comments

  • masonic
    masonic Posts: 27,163 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    Because it is cheaper for them to invest in one system that covers the maximum number of their customers. SMS provides the best coverage, it certainly does not provide the best security.
  • Ballard
    Ballard Posts: 2,977 Forumite
    Tenth Anniversary 1,000 Posts Name Dropper Combo Breaker
    I broadly agree that using an app would be more secure and I would prefer that route but the customer would need a data plan or Wi-Fi to use the app whereas receiving a text message is always (afaik) free. Overseas use would potentially be an obstacle. 
  • masonic
    masonic Posts: 27,163 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    Ballard said:
    I broadly agree that using an app would be more secure and I would prefer that route but the customer would need a data plan or Wi-Fi to use the app whereas receiving a text message is always (afaik) free. Overseas use would potentially be an obstacle. 
    How would one log in without data or wi-fi access? Do you mean for those who have a computer or laptop with a wired internet connection and no wi-fi?
  • Ballard
    Ballard Posts: 2,977 Forumite
    Tenth Anniversary 1,000 Posts Name Dropper Combo Breaker
    masonic said:
    Ballard said:
    I broadly agree that using an app would be more secure and I would prefer that route but the customer would need a data plan or Wi-Fi to use the app whereas receiving a text message is always (afaik) free. Overseas use would potentially be an obstacle. 
    How would one log in without data or wi-fi access? Do you mean for those who have a computer or laptop with a wired internet connection and no wi-fi?
    Good question. I once had a text message from a bank to check whether it was me trying to withdraw cash from an ATM. I had to reply Yes or No to get the card unlocked. I was in South Korea at the time (2014) and didn’t have a data plan so wouldn’t have received anything via an app.
  • masonic
    masonic Posts: 27,163 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    Ballard said:
    masonic said:
    Ballard said:
    I broadly agree that using an app would be more secure and I would prefer that route but the customer would need a data plan or Wi-Fi to use the app whereas receiving a text message is always (afaik) free. Overseas use would potentially be an obstacle. 
    How would one log in without data or wi-fi access? Do you mean for those who have a computer or laptop with a wired internet connection and no wi-fi?
    Good question. I once had a text message from a bank to check whether it was me trying to withdraw cash from an ATM. I had to reply Yes or No to get the card unlocked. I was in South Korea at the time (2014) and didn’t have a data plan so wouldn’t have received anything via an app.
    Interesting, I've never heard of 2 factor authentication for an ATM transaction before! The SCA rules apply to logging in to online banking websites and apps, and authorising online transactions, so don't cover things like that or contactless payments etc.
  • Chino
    Chino Posts: 2,031 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    masonic said:
    The SCA rules apply to logging in to online banking websites and apps, and authorising online transactions, so don't cover things like that or contactless payments etc.
    They very much do apply to contactless payments - although there are specific exemptions for certain types of contactless payments.
  • binaryuniverse
    binaryuniverse Posts: 912 Forumite
    Part of the Furniture 500 Posts
    edited 6 August 2020 at 8:59AM
    Ballard said:
    I broadly agree that using an app would be more secure and I would prefer that route but the customer would need a data plan or Wi-Fi to use the app whereas receiving a text message is always (afaik) free. Overseas use would potentially be an obstacle. 

    You could use a third party 2FA code generator, such as Google's, without the need for data, and it doesn't need the bank to send anything. I'd much prefer that as an option to SMS, which is open to abuse.

    It can be a faff to set up, which your 'average' person may be less inclined to do. But it could be made an option for those that want it.
  • alanwsg
    alanwsg Posts: 801 Forumite
    Part of the Furniture 500 Posts Name Dropper
    edited 6 August 2020 at 9:34AM
    binaryuniverse said:
    You could use a third party 2FA code generator, such as Google's, without the need for data, and it doesn't need the bank to send anything. I'd much prefer that as an option to SMS, which is open to abuse.


    I use a code generator app (I prefer 'AndOTP' on Android) for several logins I have.
    The problem is, nearly all of them also offer SMS - either as an alternative or, more commonly, as a default (Amazon, I'm looking at you!)
    So they send you an SMS but give you the option of using the code generator if you want to; there's no way to say 'Don't ever send an SMS'.
  • born_again
    born_again Posts: 20,310 Forumite
    10,000 Posts Fifth Anniversary Name Dropper
    masonic said:
    Ballard said:
    masonic said:
    Ballard said:
    I broadly agree that using an app would be more secure and I would prefer that route but the customer would need a data plan or Wi-Fi to use the app whereas receiving a text message is always (afaik) free. Overseas use would potentially be an obstacle. 
    How would one log in without data or wi-fi access? Do you mean for those who have a computer or laptop with a wired internet connection and no wi-fi?
    Good question. I once had a text message from a bank to check whether it was me trying to withdraw cash from an ATM. I had to reply Yes or No to get the card unlocked. I was in South Korea at the time (2014) and didn’t have a data plan so wouldn’t have received anything via an app.
    Interesting, I've never heard of 2 factor authentication for an ATM transaction before! The SCA rules apply to logging in to online banking websites and apps, and authorising online transactions, so don't cover things like that or contactless payments etc.
    It won't have been 2FA; it will have been a simple security check given the poster was out of the UK.
    Life in the slow lane
  • masonic
    masonic Posts: 27,163 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    masonic said:
    Ballard said:
    masonic said:
    Ballard said:
    I broadly agree that using an app would be more secure and I would prefer that route but the customer would need a data plan or Wi-Fi to use the app whereas receiving a text message is always (afaik) free. Overseas use would potentially be an obstacle. 
    How would one log in without data or wi-fi access? Do you mean for those who have a computer or laptop with a wired internet connection and no wi-fi?
    Good question. I once had a text message from a bank to check whether it was me trying to withdraw cash from an ATM. I had to reply Yes or No to get the card unlocked. I was in South Korea at the time (2014) and didn’t have a data plan so wouldn’t have received anything via an app.
    Interesting, I've never heard of 2 factor authentication for an ATM transaction before! The SCA rules apply to logging in to online banking websites and apps, and authorising online transactions, so don't cover things like that or contactless payments etc.
    It won't have been 2FA; it will have been a simple security check given the poster was out of the UK.
    Ok, so perhaps not relevant to the SCA discussion.