
Strong Customer Authentication (SCA) gone mad - we need standardisation


Comments

  • born_again
    born_again Posts: 20,327 Forumite
    10,000 Posts Fifth Anniversary Name Dropper
    mar7t1n said:
    Strong Customer Authentication or 2 Factor Authentication is a wonderful thing to keep digital systems secure. And means the banks can now trust the instruction with a high degree of confidence which means they tend to do it rather than block you moving your own money and insist you call them. I know for sure even if someone finds my password, they still cannot access my account or use my card. But we need some industry standardisation on how it's achieved for everyone's sanity. Every bank now insists I download and install their bespoke authenticator app and set it up. For my main bank that's fine I want the app, but for accounts I'll set up now and leave for 1 year or more it's just OTT. The simplest systems are just send me an SMS or call me with a code whenever I log in. Google Authenticator is an alternative which stores all your 2FA codes in one place. Soon I'll need an app for every system I use - it could be hundreds.

    The need for bank specific apps is a barrier to anyone born last century to setting this up, and means people feel forced into keeping their money with fewer financial institutions to avoid the authenticator app faff.

    Mr Lewis we need a campaign to standardise and simplify or at least insist the banks provide multiple ways of doing it so that you can choose the one which suits you best. It's simply good customer service. But the banks that provide that unfortunately don't pay very good interest rates.
    What bespoke authenticator app?
    Santander do not, Halifax do not to name but 2 I use..

    It's all done through their banking app. Which is NOT a bespoke authenticator app.

    I hate this "barrier to anyone born last century" Vast majority of the country fall into that bracket. 

    God knows how a forum like this works... 😂
    Life in the slow lane
  • uk1
    uk1 Posts: 1,862 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 27 May 2022 at 8:08PM
    I attempted a large online transfer from Santander. It rejected it straightaway because I had exceeded something or other but I then received an automated phone call asking for confirmation that it was me that had attempted the transaction. It first asked for proof that I was me and the pieces of identity the bot asked for were my year of birth and then my month of birth. I would have thought that any scammer worth his weight would do a basic births search. Even a free search at Companies House can take a few moments and be quite useful for many people.
  • nyermen
    nyermen Posts: 1,138 Forumite
    Tenth Anniversary 1,000 Posts Name Dropper
    Be even more careful when travelling abroad too. I booked a hotel in Paris (HSBC - Mastercard), but whatever method used to transfer the details to the hotel means I couldn't do the SCA. When they then put a pre-auth through, the SCA blocked every attempt by the hotel. I think the hotel were doing it wrong (maybe saying it's an online payment rather than telephone payment, or something like that), but it didn't help that the hotel nearly cancelled my booking as a result.
    Peter

    Debt free - finally finished paying off £20k + Interest.
  • username
    username Posts: 740 Forumite
    Part of the Furniture 500 Posts
    In app authentication is vastly more secure than text message code. 
    I'd prefer all banks did it through their app.
    How can in-app authentication be vastly more secure than SMS?

    Understood that with the right technology you can intercept SMS (either OTA or on the phone itself if it is hacked) and there is a risk of sim-swap fraud (due to the lack of security at mobile networks/bent staff).

    However, in reality what is the likelihood of such things happening given the technical hurdles? Also, surely phone companies should have more barriers in place to make it harder to swap a subscriber's sim card, or there should be some delay/warning message sent to the existing sim that it is being swapped out.

    My gripe with the SCA regulations is that some card providers have rather stupid systems.

    I can understand the SCA coming into play if what you are doing is out of the ordinary compared to your normal spend pattern and going "whoa there let's see if it is really you spending £150 at ultimate widgets".

    But if a payment is made each and every week to the same place online, it should have the capability to "learn" and not request an OTP each and every time.
  • uk1
    uk1 Posts: 1,862 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    The technology certainly exists because on my Amex card the first time you use a new site you can include it in a “trusted merchant” list and so further approvals aren’t required.
  • username
    username Posts: 740 Forumite
    Part of the Furniture 500 Posts
    Yes I have seen this on my Amex, it is quite a handy feature. They seem to be fairly ahead of the curve technology wise in general, however, the acceptance isn't always there which is a shame.
  • uk1
    uk1 Posts: 1,862 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 28 May 2022 at 2:22PM
    I offloaded nearly 2m BA miles a couple of years back at the start of the pandemic and exchanged them all for some pretty decent champers and now I’ve offloaded all my traffic from Amex to Chase as I don’t see any point in being tied to Amex for any flights I may or may not take in the future. I really like the idea of cash rather than miles … but I do wish I needn’t open the app for each order.
  • mar7t1n
    mar7t1n Posts: 115 Forumite
    Part of the Furniture 10 Posts Name Dropper Combo Breaker
    For all those saying, but I just use the bank's app to authenticate. This is exactly my gripe. That you now have to download that bank's specific app. It may be more useful than just an authenticator but many aren't and that's pretty much all they do. The 2FA codes on Microsoft Authenticator and Google Authenticator and devices you get sent in the post apply a standard algorithm. The service you want to connect to sends a unique code to your device and then the code shown is based on that code and the time. Both sides know what the code is so can determine the same number. Whether you actually read it off and type it in or it's sent digitally it's all pretty much the same thing. Unlike a traditional password you cannot just tell someone what it is and they walk away and use it some time later. The "code" held on your device is a long code kept secure by your operating system. My gripe however remains every bank or building society now wants to do it differently, they all insist you download their app. Once you've got more than a couple of accounts it's a right pain.
  • sassy_one
    sassy_one Posts: 2,688 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 29 May 2022 at 7:19PM
    mar7t1n said:
    For all those saying, but I just use the bank's app to authenticate. This is exactly my gripe. That you now have to download that bank's specific app. It may be more useful than just an authenticator but many aren't and that's pretty much all they do. The 2FA codes on Microsoft Authenticator and Google Authenticator and devices you get sent in the post apply a standard algorithm. The service you want to connect to sends a unique code to your device and then the code shown is based on that code and the time. Both sides know what the code is so can determine the same number. Whether you actually read it off and type it in or it's sent digitally it's all pretty much the same thing. Unlike a traditional password you cannot just tell someone what it is and they walk away and use it some time later. The "code" held on your device is a long code kept secure by your operating system. My gripe however remains every bank or building society now wants to do it differently, they all insist you download their app. Once you've got more than a couple of accounts it's a right pain.
    I disagree with you; having a few apps doesn’t cause any pain whatsoever.

    Simple enough to use and most people these days have mobile phones and even if they don’t you can get a physical secure key which again isn’t too much bother.

    I entirely fail to see the point you are trying to make.
  • Daliah
    Daliah Posts: 3,792 Forumite
    1,000 Posts First Anniversary Photogenic Name Dropper
    mar7t1n said:
    For all those saying, but I just use the bank's app to authenticate. This is exactly my gripe. That you now have to download that bank's specific app. It may be more useful than just an authenticator but many aren't and that's pretty much all they do. The 2FA codes on Microsoft Authenticator and Google Authenticator and devices you get sent in the post apply a standard algorithm. The service you want to connect to sends a unique code to your device and then the code shown is based on that code and the time. Both sides know what the code is so can determine the same number. Whether you actually read it off and type it in or it's sent digitally it's all pretty much the same thing. Unlike a traditional password you cannot just tell someone what it is and they walk away and use it some time later. The "code" held on your device is a long code kept secure by your operating system. My gripe however remains every bank or building society now wants to do it differently, they all insist you download their app. Once you've got more than a couple of accounts it's a right pain.
    Not sure but I think you might assume that people use online banking rather than the banking apps? I much prefer the apps as just about everything is much easier and faster to do in the apps than in online banking. I also much prefer that authentication is integral to my respective banking apps, making most of the authentication transparent. On the rare occasions I am using online banking, I am very happy to refer to the bank's app for authentication. So far, I have 48 banking apps on my iPhone (with backup on iPad for most) and I consider them anything but a pain. Some providers are, of course, app only. Sadly, one or two of the financial institutions I use still don't have an app, but as soon as they do, I will add those as well.

    If I was using online banking instead of the apps, I would feel uneasy if all banks used the same authenticator as it would be a single point of failure for all my banks. I also have used the standard Google / Post Office / Digidentity / Barclays authenticators where I was / am forced to use them (e.g. for HMRC) and I find none of them particularly user friendly, or reliable, for that matter. 