First Direct wants email keyed in for extra protection

[Deleted User]

I'm curious as to know how the present system of using OTP codes is being amended to now include having to type in one's email address.  No problem with that.  However I am left scratching my head re the following info on the FD site

"Why do I need to enter my email address as well as my one-time passcode?

We use a third party, Callsign, who help us protect your payments from fraud by recording how you enter your email address (including key strokes). This data is collected from your browser and stored by Callsign for 3 months. We use this biometric data with other information like your location and how you use your device to help us check it’s you making the card payment and not someone else."

It is the bit in bold that I cannot fathom.  BTW I use a PC to logon (+ a physical secure key) rather than a mobile (because I am a luddite and don't possess a smart one just a cruddy old embarrasing phone with no smart capability).  What if you are using a VPN to logon?  Thoughts?

[Deleted User]

A VPN wouldn't change your keystrokes, so the same system applies.

Zanderman

Have a read of this thread:

https://forums.moneysavingexpert.com/discussion/6326381/tsb-the-unique-way-you-type

[Deleted User]

Deleted_User said:

A VPN wouldn't change your keystrokes, so the same system applies.

But it would change your location wouldn't it?

[Deleted User]

Zanderman said:

Have a read of this thread:

https://forums.moneysavingexpert.com/discussion/6326381/tsb-the-unique-way-you-type

Thanks for that link.  Seems like absolute rubbish to me.  My typing is not great and the older I get the more inclined I am to hit the wrong key so have to go back and delete an erroneous keystroke etc

Migster

[Deleted User] said:

Thanks for that link.  Seems like absolute rubbish to me.  My typing is not great and the older I get the more inclined I am to hit the wrong key so have to go back and delete an erroneous keystroke etc

But that's the whole point. If you often make a mistake and (for example) take around 10 seconds to type your email, the system will be suspicious if suddenly it gets a mistake-free email typed in 5 seconds, as this could indicate that it's not you doing the typing. 

cx6

I have my browser set to 'clear cookies on exit' so unless they have found another way to store you keystroke patterns this will not work with me

PRAISETHESUN

cx6 said:

I have my browser set to 'clear cookies on exit' so unless they have found another way to store you keystroke patterns this will not work with me

Odds are they'll gather the data and store it on their end as a part of your online profile somehow - it wouldn't make sense to use this kinda of thing as a security tool if all it takes to defeat it is to clear your cookies!

cx6

Yes I think you are right. Weird system though.

Wonder what happens if you try and log on and they say the keystroke pattern doesn't match?!

[Deleted User]

They won't say that.  They'll go through further verification.

PRAISETHESUN

cx6 said:

Yes I think you are right. Weird system though.

Wonder what happens if you try and log on and they say the keystroke pattern doesn't match?!

I would imagine that it'll be one of many factors they use to determine if it is you logging in - it might just prompt for extra security (eg. a OTP even if you've already authorised the device in the past) or at worst just lock you out. I doubt they'll ever really explain how it works because that will then give fraudsters the knowledge to be able to try and circumvent the system.