NS&I website - going round in circles trying to log in

digger61

I have tried many times to log into my NS & I account but cannot get past the bit where they send you an authentication code as it appears that my mobile number is incorrect but I cannot get into my account to change it. I did use prize checker which was OK.

Albermarle

It's another open-source browser, that I have used before, and as I use Linux, it's installed from my distro's repository, so should be of relatively lower risk; I also thought it preferable to altering my preferred settings on my regular browser, but, each to their own.

The problem is that most people would not even understand what you are talking about. It should not be made so difficult.

SJMALBA

Albermarle said:

It's another open-source browser, that I have used before, and as I use Linux, it's installed from my distro's repository, so should be of relatively lower risk; I also thought it preferable to altering my preferred settings on my regular browser, but, each to their own.

The problem is that most people would not even understand what you are talking about. It should not be made so difficult.

I wasn't defending NS&I, merely recounting my own actions, and the thought process that led to them.

In fact, a couple pages back I said:

SJMALBA said:

It's ridiculous that NS&I's attempt at upgrading their security seemingly relies upon the individual reducing their own, existing security?! 🤦🏻‍

Section62

poppy10_2 said:

Sisyphean_Task said:

SJMALBA said:

Instead of messing about with my regular FF, I installed Chromium (with the intention of using it only for NS&I), set it up as securely as I dared, but accepting cookies, no deletion of cookies, no incognito, and... success! 2FA set up, logged in, bonds cashed out. How long that continues with future logins remains to be seen, but for now, phew!

Call me old fashioned but I'm not prepared to abandon a browser I've used for years for several financial websites, just because NS&I have broken their website. I would only risk that if I was only going to log in one final time and remove all my money, then bin the new browser.

Having so many customers download new browsers seems a security risk for them to me. What if they download a browser that some crook has managed to add something to, that makes it unsecure? NS&I are at fault, it's not me because my browser used to work there and still works everywhere else.

You should always use a separate browser for banking than you use for your day to day browsing. It's a basic security measure. If you don't want to abandon firefox you can download a standalone version of it from portableapps.com and use that to do your online banking and your regular firefox for browsing your day to day dodgy sites

How would the typical user know whether downloading a browser from that site was safe?  Also, how does it handle browser updates and security fixes?  Is the typical user meant to download and install a new version each time there is an update, or pass control of that to a third party?

Also, it appears the site only provides downloads for use with Windows, which means Liunx users would have to use Wine (or similar) as well.

Yes, answers to these questions can be found with some research, but going to a third-party to get a portable  app with their platform, to then run with a Linux compatibility layer, doesn't seem to be the best way of improving security, and I hope that wasn't what NS&I had in mind when designing their latest changes.

poppy10_2

Section62 said:

poppy10_2 said:

Sisyphean_Task said:

SJMALBA said:

Instead of messing about with my regular FF, I installed Chromium (with the intention of using it only for NS&I), set it up as securely as I dared, but accepting cookies, no deletion of cookies, no incognito, and... success! 2FA set up, logged in, bonds cashed out. How long that continues with future logins remains to be seen, but for now, phew!

Call me old fashioned but I'm not prepared to abandon a browser I've used for years for several financial websites, just because NS&I have broken their website. I would only risk that if I was only going to log in one final time and remove all my money, then bin the new browser.

Having so many customers download new browsers seems a security risk for them to me. What if they download a browser that some crook has managed to add something to, that makes it unsecure? NS&I are at fault, it's not me because my browser used to work there and still works everywhere else.

You should always use a separate browser for banking than you use for your day to day browsing. It's a basic security measure. If you don't want to abandon firefox you can download a standalone version of it from portableapps.com and use that to do your online banking and your regular firefox for browsing your day to day dodgy sites

How would the typical user know whether downloading a browser from that site was safe?  Also, how does it handle browser updates and security fixes?  Is the typical user meant to download and install a new version each time there is an update, or pass control of that to a third party?

Also, it appears the site only provides downloads for use with Windows, which means Liunx users would have to use Wine (or similar) as well.

Yes, answers to these questions can be found with some research, but going to a third-party to get a portable  app with their platform, to then run with a Linux compatibility layer, doesn't seem to be the best way of improving security, and I hope that wasn't what NS&I had in mind when designing their latest changes.

The "typical user" doesn't use linux/WINE. Windows has 80+% market share.

Portableapps can automatically keep apps up to date.

Ciprico

I havent read all the posts above but I found if the browser pre enters you name and maybe password it can fail.

I was told this by nsi. 

So you have to overwrite with same. 

It seems all their security is tied to your phone number (ie call back) so if your number changes you have to write to them to reset.... 

Swipe

Ciprico said:

I havent read all the posts above but I found if the browser pre enters you name and maybe password it can fail.

I was told this by nsi. 

So you have to overwrite with same. 

It seems all their security is tied to your phone number (ie call back) so if your number changes you have to write to them to reset.... 

It's better to use a password manager and not store bank passwords in your browser

Thumbs_Up

I haven’t read the above posts so I don’t know if this has been mentioned. Yes, I too had issues logging on with a message “You already reached you trust device limits 7 devices” This was meaningless to me because I only use the pc to log on. It turns out that I have a good habit of manually clearing out all the history, and all data by the end of the day on my pc settings. So because of this NS&I saw my pc as a new device on their system. NB, never had this problem for any other banking systems.

charybdis26

For years I've routinely used CCleaner  to flush out crud and unwanted cookies from my browser(s) and that's likely what led to my being looked out for 'reaching the allowed number of trusted devices' a week or so ago.

Since my NS&I account was reset, I've had CCleaner set to permanently retain NS&I-associated cookies whenever I clear out browsing data.

I can now access my account without getting locked out, but it's no longer 2 Factor authentication. After entering my acct number, surname and password, I go through the devices authorised stage and then straightaway gain access to my accounts without a one-time pass code being sent to my registered phone!

It's almost unbelievable how poorly and inadequately tested their "improved security" measures are. Even after some weeks since  2FA introduction, there's no mention on their website that if cookies are cleared, each successful login cranks up the number of trusted devices counter and freezes further access. Just crazy and unprofessional.

Alfrescodave

digger61 said:

I have tried many times to log into my NS & I account but cannot get past the bit where they send you an authentication code as it appears that my mobile number is incorrect but I cannot get into my account to change it. I did use prize checker which was OK.

Hi, I'm having a similar problem where I never receive the One Time Passcode on my designated phone number. Did you manage to fix the problem without having to ring their number and wait forever?