Santander - onerous security checks

Frequentlyhere

Just a random suggestion but I'm wondering whether Santander might be more trigger-happy with the fraud checks when going via the internet vs the app?

That certainly seems the case for me with Halifax, which seemed to hate me setting up almost any new payees, but via the phone app now seems intensely relaxed with it.

Bridlington1

Frequentlyhere said:

Just a random suggestion but I'm wondering whether Santander might be more trigger-happy with the fraud checks when going via the internet vs the app?

That certainly seems the case for me with Halifax, which seemed to hate me setting up almost any new payees, but via the phone app now seems intensely relaxed with it.

I suppose with the app it's an extra layer of security as you can only access it from your phone, whereas internet banking can be accessed from any device anywhere around the world. Moreover most people have some sort of pin or something they need to get through to log into your phone adding an additional layer of security.

Band7

Frequentlyhere said:

Just a random suggestion but I'm wondering whether Santander might be more trigger-happy with the fraud checks when going via the internet vs the app?

That certainly seems the case for me with Halifax, which seemed to hate me setting up almost any new payees, but via the phone app now seems intensely relaxed with it.

There is less chance that a 3rd party hacks your app, and app users could possibly be considered to be more security conscious, rightly or wrongly.

But app users are not immune to fraud checks, at any bank. I only use apps for my payments. Where you use Open Banking to pull money out of a bank, this can only be done via app banking, and is much less likely to fraud because setting up an Open Banking payment facility can't be done by any old Tom, !!!!!! or Harry. Yet Santander's crude fraud checks don't appear to make any allowance for the added security that comes with Open Banking.

k_man

Band7 said:

Frequentlyhere said:

Just a random suggestion but I'm wondering whether Santander might be more trigger-happy with the fraud checks when going via the internet vs the app?

That certainly seems the case for me with Halifax, which seemed to hate me setting up almost any new payees, but via the phone app now seems intensely relaxed with it.

There is less chance that a 3rd party hacks your app, and app users could possibly be considered to be more security conscious, rightly or wrongly.

But app users are not immune to fraud checks, at any bank. I only use apps for my payments. Where you use Open Banking to pull money out of a bank, this can only be done via app banking, and is much less likely to fraud because setting up an Open Banking payment facility can't be done by any old Tom, !!!!!! or Harry. Yet Santander's crude fraud checks don't appear to make any allowance for the added security that comes with Open Banking.

Isn't an Open Banking payment actually a push, from the banking app, but with with the payee details automatically entered via Open Banking?

The underlying process is still faster payments, and the payment can be made by anyone with access to the banking app.
Is it really any different for fraudster to force/ask a user (or do on a malware controlled device)

To send money to account/sort code owned by the fraudster.
To send money via an open banking link from the fraudsters account app

In both cases a fraudster controlled recipient account is required.
Most frauds (especially the ones blocked/targeted like this) are not someone else trying to send money, but someone else trying to get the user to send money.

maisie_cat

Every time I see a newspaper article where somebody has willingly transferred money then claimed it back successfully I know that means more checks for everybody else.
Santander does appear quite often and having asked the questions still gets lambasted when the customer goes to the papers with the sad face.
I couldn't make an 89p purchase the other day via paypal because I rarely use it and could not remember the security answers I created decades ago. As annoying as I found it, it was my fault and I simply closed the paypal account.

Band7

k_man said:

Band7 said:

Frequentlyhere said:

Just a random suggestion but I'm wondering whether Santander might be more trigger-happy with the fraud checks when going via the internet vs the app?

That certainly seems the case for me with Halifax, which seemed to hate me setting up almost any new payees, but via the phone app now seems intensely relaxed with it.

There is less chance that a 3rd party hacks your app, and app users could possibly be considered to be more security conscious, rightly or wrongly.

But app users are not immune to fraud checks, at any bank. I only use apps for my payments. Where you use Open Banking to pull money out of a bank, this can only be done via app banking, and is much less likely to fraud because setting up an Open Banking payment facility can't be done by any old Tom, !!!!!! or Harry. Yet Santander's crude fraud checks don't appear to make any allowance for the added security that comes with Open Banking.

Isn't an Open Banking payment actually a push, from the banking app, but with with the payee details automatically entered via Open Banking?

The underlying process is still faster payments, and the payment can be made by anyone with access to the banking app.
Is it really any different for fraudster to force/ask a user (or do on a malware controlled device)

To send money to account/sort code owned by the fraudster.
To send money via an open banking link from the fraudsters account app

In both cases a fraudster controlled recipient account is required.
Most frauds (especially the ones blocked/targeted like this) are not someone else trying to send money, but someone else trying to get the user to send money.

I consider an Open Banking payment a pull, from the target app. E.g. Tandem or CHIP connect you to your current account app and pull money from the current account. Sure, it uses Faster Payment technology under the covers to "hand over" the money but it works without the account owner needing to know a sort code and account number for the target account.

In order to offer Open Banking Payments, you need to be a PISP, or use the services of a PISP. Just alone getting the necessary PISP registration will likely be beyond the capabilities of even the most sophisticated fraudster. A PISP won't just offer, or be allowed to offer anyone who asks access to their service. Nothing is ever impossible but your typical fraudster won't bother with Open Banking payments.

k_man

Band7 said:

k_man said:

Band7 said:

Frequentlyhere said:

Just a random suggestion but I'm wondering whether Santander might be more trigger-happy with the fraud checks when going via the internet vs the app?

That certainly seems the case for me with Halifax, which seemed to hate me setting up almost any new payees, but via the phone app now seems intensely relaxed with it.

There is less chance that a 3rd party hacks your app, and app users could possibly be considered to be more security conscious, rightly or wrongly.

But app users are not immune to fraud checks, at any bank. I only use apps for my payments. Where you use Open Banking to pull money out of a bank, this can only be done via app banking, and is much less likely to fraud because setting up an Open Banking payment facility can't be done by any old Tom, !!!!!! or Harry. Yet Santander's crude fraud checks don't appear to make any allowance for the added security that comes with Open Banking.

Isn't an Open Banking payment actually a push, from the banking app, but with with the payee details automatically entered via Open Banking?

The underlying process is still faster payments, and the payment can be made by anyone with access to the banking app.
Is it really any different for fraudster to force/ask a user (or do on a malware controlled device)

To send money to account/sort code owned by the fraudster.
To send money via an open banking link from the fraudsters account app

In both cases a fraudster controlled recipient account is required.
Most frauds (especially the ones blocked/targeted like this) are not someone else trying to send money, but someone else trying to get the user to send money.

I consider an Open Banking payment a pull, from the target app. E.g. Tandem or CHIP connect you to your current account app and pull money from the current account. Sure, it uses Faster Payment technology under the covers to "hand over" the money but it works without the account owner needing to know a sort code and account number for the target account.

In order to offer Open Banking Payments, you need to be a PISP, or use the services of a PISP. Just alone getting the necessary PISP registration will likely be beyond the capabilities of even the most sophisticated fraudster. A PISP won't just offer, or be allowed to offer anyone who asks access to their service. Nothing is ever impossible but your typical fraudster won't bother with Open Banking payments.

I was more thinking that the fraudster just uses an Open Banking connection from their bank.
E.g. coerce/ask target to install app for bank X, and then ask user to pull (in your terms) money in.
They use Open Banking from their bank, no need to setup their own

In APP fraud, money doesn't go/via to fraudulent banks, but fraudulent accounts at legitimate banks.
Legitimate banks that have gone through the Open Banking process.

Band7

k_man said:

Band7 said:

k_man said:

Band7 said:

Frequentlyhere said:

Just a random suggestion but I'm wondering whether Santander might be more trigger-happy with the fraud checks when going via the internet vs the app?

That certainly seems the case for me with Halifax, which seemed to hate me setting up almost any new payees, but via the phone app now seems intensely relaxed with it.

There is less chance that a 3rd party hacks your app, and app users could possibly be considered to be more security conscious, rightly or wrongly.

But app users are not immune to fraud checks, at any bank. I only use apps for my payments. Where you use Open Banking to pull money out of a bank, this can only be done via app banking, and is much less likely to fraud because setting up an Open Banking payment facility can't be done by any old Tom, !!!!!! or Harry. Yet Santander's crude fraud checks don't appear to make any allowance for the added security that comes with Open Banking.

Isn't an Open Banking payment actually a push, from the banking app, but with with the payee details automatically entered via Open Banking?

The underlying process is still faster payments, and the payment can be made by anyone with access to the banking app.
Is it really any different for fraudster to force/ask a user (or do on a malware controlled device)

To send money to account/sort code owned by the fraudster.
To send money via an open banking link from the fraudsters account app

In both cases a fraudster controlled recipient account is required.
Most frauds (especially the ones blocked/targeted like this) are not someone else trying to send money, but someone else trying to get the user to send money.

I consider an Open Banking payment a pull, from the target app. E.g. Tandem or CHIP connect you to your current account app and pull money from the current account. Sure, it uses Faster Payment technology under the covers to "hand over" the money but it works without the account owner needing to know a sort code and account number for the target account.

In order to offer Open Banking Payments, you need to be a PISP, or use the services of a PISP. Just alone getting the necessary PISP registration will likely be beyond the capabilities of even the most sophisticated fraudster. A PISP won't just offer, or be allowed to offer anyone who asks access to their service. Nothing is ever impossible but your typical fraudster won't bother with Open Banking payments.

I was more thinking that the fraudster just uses an Open Banking connection from their bank.
E.g. coerce/ask target to install app for bank X, and then ask user to pull (in your terms) money in.
They use Open Banking from their bank, no need to setup their own

Not sure if you mean the fraudster would ask a potential victim to log into an app with the fraudster's credentials? If so, it would take an immensely gullible person to fall for such a scam. Not impossible, but significantly less likely to happen. The first hurdle would be to get the app working with the fraudster's credentials on a device that's not the fraudster's. Even if taken, the next hurdle would be to register the current account of the potential victim against the fraudster's app. All this assuming the gullible person can throughout all this still be entertained with whatever story the fraudster has cooked up. I maintain, this is all significantly less less likely than the traditional APP scams.

k_man

Band7 said:

k_man said:

Band7 said:

k_man said:

Band7 said:

Frequentlyhere said:

Just a random suggestion but I'm wondering whether Santander might be more trigger-happy with the fraud checks when going via the internet vs the app?

That certainly seems the case for me with Halifax, which seemed to hate me setting up almost any new payees, but via the phone app now seems intensely relaxed with it.

There is less chance that a 3rd party hacks your app, and app users could possibly be considered to be more security conscious, rightly or wrongly.

But app users are not immune to fraud checks, at any bank. I only use apps for my payments. Where you use Open Banking to pull money out of a bank, this can only be done via app banking, and is much less likely to fraud because setting up an Open Banking payment facility can't be done by any old Tom, !!!!!! or Harry. Yet Santander's crude fraud checks don't appear to make any allowance for the added security that comes with Open Banking.

Isn't an Open Banking payment actually a push, from the banking app, but with with the payee details automatically entered via Open Banking?

The underlying process is still faster payments, and the payment can be made by anyone with access to the banking app.
Is it really any different for fraudster to force/ask a user (or do on a malware controlled device)

To send money to account/sort code owned by the fraudster.
To send money via an open banking link from the fraudsters account app

In both cases a fraudster controlled recipient account is required.
Most frauds (especially the ones blocked/targeted like this) are not someone else trying to send money, but someone else trying to get the user to send money.

I consider an Open Banking payment a pull, from the target app. E.g. Tandem or CHIP connect you to your current account app and pull money from the current account. Sure, it uses Faster Payment technology under the covers to "hand over" the money but it works without the account owner needing to know a sort code and account number for the target account.

In order to offer Open Banking Payments, you need to be a PISP, or use the services of a PISP. Just alone getting the necessary PISP registration will likely be beyond the capabilities of even the most sophisticated fraudster. A PISP won't just offer, or be allowed to offer anyone who asks access to their service. Nothing is ever impossible but your typical fraudster won't bother with Open Banking payments.

I was more thinking that the fraudster just uses an Open Banking connection from their bank.
E.g. coerce/ask target to install app for bank X, and then ask user to pull (in your terms) money in.
They use Open Banking from their bank, no need to setup their own

Not sure if you mean the fraudster would ask a potential victim to log into an app with the fraudster's credentials? If so, it would take an immensely gullible person to fall for such a scam. Not impossible, but significantly less likely to happen. The first hurdle would be to get the app working with the fraudster's credentials on a device that's not the fraudster's. Even if taken, the next hurdle would be to register the current account of the potential victim against the fraudster's app. All this assuming the gullible person can throughout all this still be entertained with whatever story the fraudster has cooked up. I maintain, this is all significantly less less likely than the traditional APP scams.

Many of the recent APP scam involve coercion to install remote control software, to help the victim take the necessary actions.

Currently his often involves use of a mule account (often with one of the newer banks that allow these accounts to be created quickly) that the victim is asked to transfer money to, sometimes using a login to the mule account (to make it seem more legit).

If using open banking is known to avoid bank detection, this model just changes slightly.

My point is not that Open Banking is not more secure, just that it shouldn't be expected to not trigger fraud checks.

Similar to the claims that the payment passed CoP, or is to my own name, so should not be blocked. Many APP frauds pass CoP, and are often even in the victim's name.

There is no single/simple way (e.g. use Open Banking, CoP etc) to prevent legitimate payments being blocked, but each help in their own way.

That said there is no excuse for impolite behaviour from bank staff, albeit I suspect they are as unhappy with having to ask all these questions from customers who are usually already unhappy!

k_man

Forgot to add (before we need to move on):

It is also possible for an Open Banking pull (or initiated push) payment to be from just a web link/url or QR code, using something like the Natwest PayMe/PayIt system (there are probably others).

So currently, the benefits of Open Banking payments seems to be convenience, and avoiding mistyping, rather than security specifically