Virgin Money Current Account 2FA by text code or app approval
Comments
RG2015 said:
400ixl said SMS was best avoided.
I didn't understand and asked how I could avoid it.
Now you are saying it makes no difference.
Is there any wonder that I am confused by the madness surrounding me?

A more appropriate term would be 'disabled' in favour of a more secure 2FA option, but if a system specifically enables 2FA via SMS as an alternative when you won't or can't access the app, there is nothing you can do. You personally avoiding the use of SMS does not disable the option for a third party attempting to gain access to your account.
1 -
RG2015 said:
400ixl said SMS was best avoided.
I didn't understand and asked how I could avoid it.
Now you are saying it makes no difference.
Is there any wonder that I am confused by the madness surrounding me?

Virgin Money have created the weakness by adding the SMS option.
You not using it when you log in yourself doesn't prevent a criminal from using it if they are trying to log in.
All you gain is the ability to say "that isn't the way I normally log in", after the event.
The advice to avoid SMS as an option should be directed to Virgin Money, rather than Virgin Money customers.
2 -
But it's not just Virgin Money, other banks use SMS for 2FA.
Presumably they are not aware of this weakness, which is somewhat disturbing.
1 -
RG2015 said:
But it's not just Virgin Money, other banks use SMS for 2FA.
Presumably they are not aware of this weakness, which is somewhat disturbing.

Indeed.
I suspect most banks and building societies are aware of the issues (there was some debate on the issue when PSD2 was new), but they possibly see the risk as more theoretical than practical.
Or perhaps it would be closer to the truth that they may see the risk of loss from refunding some people who get hacked as cheaper than the cost of implementing some alternative system, or the loss of customers if they switched to App-only authentication.
0 -
Elon Musk's decision to remove SMS 2FA from free Twitter was still roundly criticised because even the weakest form of 2FA is better than none at all.
What the UK banking industry could do well to implement is customer choice, not on whether to have 2FA enabled (because that decision has already been made), but which methods to use and also not use (without compromising security). Obviously, the diverse needs of every single customer must be considered and many won't bother to choose, so a set of defaults are already implemented based on the contact details provided. In addition, there should be further options for customers to increase their security beyond regulatory standards, if they so desire.
I'm also flabbergasted there aren't stronger countermeasures available from mobile network operators against SIM swapping, where bad actors can bypass you completely and simply socially engineer their way past some hapless overworked agent. I understand there was a push for consumer rights towards simplifying the process of leaving your network for another, but that seemingly opened the floodgates to abuse with no user-configured mitigative measures in place for customers to protect themselves.
0 -
https://ee.co.uk/help/help-new/getting-started-and-upgrading/activate-a-new-sim/what-is-a-sim-pin
This may be of use for those concerned about SIM swapping - steps may be different with different network providers.

If you want me to definitely see your reply, please tag me @forumuser7 Thank you.
N.B. (Amended from Forum Rules): You must investigate, and check several times, before you make any decisions or take any action based on any information you glean from any of my content, as nothing I post is advice, rather it is personal opinion and is solely for discussion purposes. I research before my posts, and I never intend to share anything that is misleading, misinforming, or out of date, but don't rely on everything you read. Some of the information changes quickly, is my own opinion or may be incorrect. Verify anything you read before acting on it to protect yourself because you are responsible for any action you consequently make... DYOR, YMMV etc.
0 -
RG2015 said:
But it's not just Virgin Money, other banks use SMS for 2FA.
Presumably they are not aware of this weakness, which is somewhat disturbing.

Banks are 100% aware, but as above, it is a risk/reward consideration.
Many users prefer convenience over security (e.g. don't use strong unique passwords, a password manager 😉), so banks are in a difficult position.
Imagine the uproar on here if banks that did offer SMS removed it and forced users to use an app!
Virgin may have even introduced SMS because of negative customer feedback.
But even though choosing app rather than SMS 2FA does stop criminals potentially taking advantage of the weaknesses, if hardly anyone uses SMS, then banks are more likely to remove it (and this will happen eventually).
But as above, it would be better for security if SMS could be disabled as an option.
Just to reiterate though, SMS 2FA/OTP is still much much better than no 2FA.
0 -
k_man said:
But even though choosing app rather than SMS 2FA does stop criminals potentially taking advantage of the weaknesses, if hardly anyone uses SMS, then banks are more likely to remove it (and this will happen eventually).
But as above, it would be better for security if SMS could be disabled as an option.

Unfortunately that is potentially misleading to people who don't fully understand the issues involved.

Individual customers not using SMS 2FA does not change the risk of a criminal or other unauthorised person accessing their account. Nobody should go away from this thread thinking that avoiding using SMS authentication improves the security of their personal accounts - that would be a false sense of security.

The effect you are describing - mass abandonment of SMS 2FA - might lead to banks withdrawing it as an option, but unless the banks provide a free/cheap alternative to buying a £100+ smart phone/device (and periodically buying a replacement when the current one is no longer suitable) then there will be a strong consumer lobby fighting against its withdrawal. The argument is similar to the one made about the removal of cheques (and to some extent cash) as transaction options - the idea that "few people use it so we can get rid of it" only works if there are reasonable alternative options which don't penalise people who are vulnerable or disadvantaged. Given SMS 2FA exists in the regulatory framework, it will take a lot more than individuals' choices before it is entirely removed as an option.

People writing a letter/email/secure message to their bank, or writing to their MP, would be a more effective strategy than just personally avoiding using SMS 2FA.
2 -
SMS aren't very secure and someone could pull it out of the air. It would require a rather targeted attack, so you're probably safe.
I use SMS when it's more convenient for me.
0

