
Virgin Money Current Account 2FA by text code or app approval

I have just logged in to my Virgin Money current account online, and was given the option of SMS or App approval for the two factor authorisation.

I believe that the SMS code is a new option, and very welcome in my opinion.

Comments

  • 400ixl
    400ixl Posts: 4,482 Forumite
    1,000 Posts Third Anniversary Name Dropper
    SMS is insecure and best avoided. It can also be exploited by SIM transfer activities as well.

    Use an app for 2 factor authentication if an option.
  • RG2015
    RG2015 Posts: 6,173 Forumite
    Tenth Anniversary 1,000 Posts Name Dropper Photogenic
    400ixl said:
    SMS is insecure and best avoided. It can also be exploited by SIM transfer activities as well.

    Use an app for 2 factor authentication if an option.
    It is listed as an option on the Virgin Money log in screen.

    How would I go about avoiding it?
  • 400ixl
    400ixl Posts: 4,482 Forumite
    1,000 Posts Third Anniversary Name Dropper
    Use the app approval option not the SMS option.
  • RG2015
    RG2015 Posts: 6,173 Forumite
    Tenth Anniversary 1,000 Posts Name Dropper Photogenic
    400ixl said:
    Use the app approval option not the SMS option.
    Forgive my ignorance, but what is the risk in using an SMS code as the second factor authorisation when logging in on my laptop?

     
  • 400ixl
    400ixl Posts: 4,482 Forumite
    1,000 Posts Third Anniversary Name Dropper
    It is a clear text system. It can show on the lock screen so you don't need to have unlocked the phone to see it.

    Criminals can also get your number transferred to another sim card and therefore hijack the messages.

    It's just less secure than using the app method. Better than nothing but always use the most secure method.
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    400ixl said:
    It is a clear text system. It can show on the lock screen so you don't need to have unlocked the phone to see it.

    Criminals can also get your number transferred to another sim card and therefore hijack the messages.

    It's just less secure than using the app method. Better than nothing but always use the most secure method.
    Also as a general benefit of app vs SMS based 2FA, the app based authentication is protected by the passcode to log in to the mobile device, and a possible passcode on the app.
    So even if the mobile is stolen/left unattended accessing the authentication is much harder.
    With SMS, even if the device isn't showing SMS codes on the lockscreen, the SIM can just be removed, and inserted into an unlocked mobile.
  • RG2015
    RG2015 Posts: 6,173 Forumite
    Tenth Anniversary 1,000 Posts Name Dropper Photogenic
    Thanks, and I do understand. It's just that as I am sitting in my house no one is looking at my phone other than me.

    And surely the chances of a criminal hijacking my messages at the precise moment I am logging in to Virgin Money are infinitesimal. I am genuinely wanting to understand the risks but at the moment it is sounding paranoid to me.

    I am a very careful, risk averse person but what I am hearing is that my security measures are woefully poor.
    • Using SMS for 2FA
    • Using a password protected Excel file for my sensitive data
    • Not using a password manager
    • Not using complex passwords
    • Storing passwords on Google Chrome
    I just don't see how this leaves me open to attacks. Who exactly is going to be doing this?

    I am not being gratuitously argumentative, but have genuinely never heard of anyone who takes reasonable care falling foul of a data security attack.    

     
  • 400ixl
    400ixl Posts: 4,482 Forumite
    1,000 Posts Third Anniversary Name Dropper
    I can name over a dozen people I know who have fallen foul one way or another who all believed they were taking reasonable precautions. That's just in my circle of known people.

    Using SMS is not a wrong answer, but they are offering a better option with the app 2FA, so take the better option which has next to no extra effort.

    Using Chrome for a password manager over an Excel spreadsheet will be better, but a password manager is better.
    Using complex passwords is better than non complex, especially if you are cutting and pasting from a spreadsheet or using some sort of password management.

    All of these additional things do not make things more complex, but do make it more secure. That is the point. Follow best practice where available, not just do the minimum.

    It's like saying I have a door lock and an alarm available to secure my house, but I only lock the door. It's secure, but not as secure with minimal extra effort.
  • RG2015
    RG2015 Posts: 6,173 Forumite
    Tenth Anniversary 1,000 Posts Name Dropper Photogenic
    Thanks again 400ixl and also k_man

    Your advice is very much appreciated.
  • Section62
    Section62 Posts: 10,501 Forumite
    10,000 Posts Fourth Anniversary Name Dropper
    RG2015 said:
    400ixl said:
    SMS is insecure and best avoided. It can also be exploited by SIM transfer activities as well.

    Use an app for 2 factor authentication if an option.
    It is listed as an option on the Virgin Money log in screen.

    How would I go about avoiding it?
    Unless there is a way of disabling the SMS facility you won't gain much by avoiding using it, especially if you normally log in using the same device and always at home.

    You avoiding using the SMS option doesn't prevent a criminal using it if they get access to all your other log in details.

    The best you could achieve by avoiding using the SMS option would be arguing with the bank/Ombudsman that you never use the SMS option and therefore they should believe you that a fraudulent login/transaction wasn't done by you. (whether that is a convincing argument or not is open to discussion)

    But if you always log in at home on the same device then that would make just as convincing an argument (or not) if someone with fraudulent intent logs in elsewhere.

    The concerns expressed about the security of the SMS system are valid, but unless there is a way you can disable it, there is little to be gained by not using it yourself.