PrincipalityBS: Strong Customer Authentication for mobile phones

pafpcg
pafpcg Posts: 923 Forumite
Tenth Anniversary 500 Posts Name Dropper
edited 7 January 2021 at 1:38PM in Savings & investments
My partner and I have both received an email this morning from the PrincipalityBS about their plan to introduce further measures under "Strong Customer Authentication".  Here's the relevant text:
New security measures for shared mobile numbers

You’ll be aware that in the past year or so, all UK banks and building
societies have been carrying out extra security checks to help keep you
safe when managing your finances online.  It’s called Strong Customer
Authentication, or SCA for short.

In order to keep your accounts safe, from March onwards, the mobile phone
number you use to log into Your Account must be yours and not shared with
another Principality customer. If you use the same mobile number as
another customer, you won’t be able to log into Your Account.

If you think you share a mobile number with another Principality customer,
you’ll need to change your mobile number. ..........

If you don’t have another mobile number, don’t worry you can call us
to manage your Principality accounts. We would still encourage you to
remove the shared mobile from Your details, as if a shared mobile number
continues to be registered with us, neither customer will be able to
access Your Account.
Our problem is that we have only one mobile phone between us because that's all we need!  My partner is partially deaf and the arthritis in her fingers makes using a mobile phone impractical. (We're both of course well into our retirement years.) She's replying to her email that unless Principality can make other arrangements, she'll have to close all her accounts with them - certainly neither she nor I want to switch to a phone-based service with associated call charges!

Comments

  • someone
    someone Posts: 837 Forumite
    Part of the Furniture 500 Posts Name Dropper
    You may find page 39 and 40 of this document useful: UK Finance Industry Guidance on Strong Customer Authentication under PSD2

  • eskbanker
    eskbanker Posts: 36,384 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    edited 7 January 2021 at 2:12PM
    I'm not sure that the above is particularly relevant, as it relates specifically to concessions for chip & signature and session timeout rather than the broader issue of those who have issues with using mobile phones.

    However, in the FCA's document about their approach to SCA implementation, there is reference to:
    20.21 We encourage firms to consider the impact of strong customer authentication solutions on different groups of customers, in particular those with protected characteristics, as part of the design process. Additionally, it may be necessary for a PSP to provide different methods of authentication, to comply with their obligation to apply strong customer authentication in line with regulation 100 of the PSRs 2017. For example, not all payment service users will possess a mobile phone or smart phone and payments may be made in areas without mobile phone reception. PSPs must provide a viable means to strongly authenticate customers in these situations.
    so the regulator clearly expects SCA to be available to those either unable or unwilling to use mobile phones.

    Having said that, the vast majority of institutions who've implemented SCA have chosen to use phone-based authentication, although some do allow landlines and others support the principle of trusting devices such as individual computers.  The implementation dates kept slipping but SCA for accessing online banking should have been completed by last March, while its introduction for online purchasing had already been deferred to September 2021 by last April, so in all likelihood will push out further to the right as a result of the ongoing Covid crisis.

    It's obviously OP's partner's prerogative to take her savings elsewhere if she's unhappy with Principality's SCA approach but as above she'll need to be careful with her choice in order to avoid jumping from frying pan to fire.  Putting to one side the matter of principle, might a dual-SIM phone (i.e. supporting two numbers) be a pragmatic solution?
  • General_Grant
    General_Grant Posts: 5,228 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    pafpcg said:
    My partner and I have both received an email this morning from the PrincipalityBS about their plan to introduce further measures under "Strong Customer Authentication".  Here's the relevant text:
    New security measures for shared mobile numbers

    You’ll be aware that in the past year or so, all UK banks and building
    societies have been carrying out extra security checks to help keep you
    safe when managing your finances online.  It’s called Strong Customer
    Authentication, or SCA for short.

    In order to keep your accounts safe, from March onwards, the mobile phone
    number you use to log into Your Account must be yours and not shared with
    another Principality customer. If you use the same mobile number as
    another customer, you won’t be able to log into Your Account.

    If you think you share a mobile number with another Principality customer,
    you’ll need to change your mobile number. ..........

    If you don’t have another mobile number, don’t worry you can call us
    to manage your Principality accounts. We would still encourage you to
    remove the shared mobile from Your details, as if a shared mobile number
    continues to be registered with us, neither customer will be able to
    access Your Account.
    Our problem is that we have only one mobile phone between us because that's all we need!  My partner is partially deaf and the arthritis in her fingers makes using a mobile phone impractical. (We're both of course well into our retirement years.) She's replying to her email that unless Principality can make other arrangements, she'll have to close all her accounts with them - certainly neither she nor I want to switch to a phone-based service with associated call charges!
    I have only one working mobile phone.  I bought it less than 2 years ago and principally so that I could use the text message security feature for online banking.  It is a basic mobile phone (eg calls and texts only) which cost about £12 and I have yet to use the first lot of airtime which I purchased (£10 plus £5 boost from the phone company).  I need to spend something like just 2p per quarter to maintain this. 

    Though I fully understand that you do not otherwise need a second phone, I would recommend getting a second mobile - it may prove its worth later on if your current phone develops a fault.  You also wouldn't have to be concerned about calling the Principality 0330 numbers (though these "local tariff" numbers may be included in your "bundle" at certain operating times of day).
  • MaxiRobriguez
    MaxiRobriguez Posts: 1,783 Forumite
    Sixth Anniversary 1,000 Posts Name Dropper
    SCA here is just implementing two-factor authentication. Saying you need to log in with the number associated with the account is because they're going to use an automated program to either send a text message with a code in it that you'll need to enter on screen, or call you and ask you to type in the numbers that you get displayed on screen.

    Having 2 SIM cards for the same phone will work (just need to remember to swap it out before you do your online banking). Alternatively if you have a landline that could work as well, as many are geared up to read out text messages sent to them. 

    And finally, talk to your bank, who may be able to offer a different method of 2FA - something a bit more old school like a card reader.

  • polymaff
    polymaff Posts: 3,946 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 7 January 2021 at 5:00PM
    Does a dual SIM phone satisfy:
    " ‘strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data"

  • MaxiRobriguez
    MaxiRobriguez Posts: 1,783 Forumite
    Sixth Anniversary 1,000 Posts Name Dropper
    No, but Principality wouldn't be able to tell the device was shared.
  • bowlhead99
    bowlhead99 Posts: 12,295 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Post of the Month
    polymaff said:
    Does a dual SIM phone satisfy:
    " ‘strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data"


    A dual SIM phone shared between two users means that both have access to the incoming texts, so not something that 'only' the user possesses, because the phone itself is held by either of the two people from time to time. But the financial institution at the other end doesn't know that, so if the individuals are happy with the risk of their spouse being able to receive and use the verification text messages which were intended for the other person, it wouldn't seem to be a barrier to doing business with the financial institution through that method.

    Wouldn't help the OP, if one of them wasn't willing or able to use the phone to check texts on it and didn't want to have to ask their partner to do it for them.
  • mikb
    mikb Posts: 623 Forumite
    Part of the Furniture 500 Posts Name Dropper
    Alternatively if you have a landline that could work as well, as many are geared up to read out text messages sent to them.

    Correct -- I get SMS-to-speech calls on my BT landline. However, be aware that some companies are too smart for their own good, and will not accept a landline number, because it's not a mobile phone -- it will fail the automated check when submitting e.g. on their website.
  • polymaff
    polymaff Posts: 3,946 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    EU Directives - dontcha luv 'em. :)
  • happybagger
    happybagger Posts: 1,014 Forumite
    Eighth Anniversary 500 Posts Name Dropper Combo Breaker
    Plenty of building society online logins permit a voice call automated code to landlines; though I have a mobile I prefer to have them call the home phone as most of the time the mobile is in the car...
    So there is no reason PBS should have that as the ONLY method

    I had the principality message when I tried to log on yesterday just to get the interest amount for the spreadsheet, got the message "you haven't given us your mobile number" so left it be; can't really be bothered