Virgin Money Current Account 2FA by text code or app approval
Comments
Sorry, yes I missed out the not from the statement (as implied by the But....).
Section62 said:
k_man said:
But even though choosing app rather than SMS 2FA does stop criminals potentially taking advantage of the weaknesses, if hardly anyone uses SMS, then banks are more likely to remove it (and this will happen eventually).
But as above, it would be better for security if SMS could be disabled as an option.
Unfortunately that is potentially misleading to people who don't fully understand the issues involved.
Individual customers not using SMS 2FA does not change the risk of a criminal or other unauthorised person accessing their account. Nobody should go away from this thread thinking that avoiding using SMS authentication improves the security of their personal accounts - that would be a false sense of security.
The effect you are describing - mass abandonment of SMS 2FA - might lead to banks withdrawing it as an option, but unless the banks provide a free/cheap alternative to buying a £100+ smart phone/device (and periodically buying a replacement when the current one is no longer suitable) then there will be a strong consumer lobby fighting against its withdrawal. The argument is similar to the one made about the removal of cheques (and to some extent cash) as transaction options - the idea that "few people use it so we can get rid of it" only works if there are reasonable alternative options which don't penalise people who are vulnerable or disadvantaged. Given SMS 2FA exists in the regulatory framework, it will take a lot more than individuals' choices before it is entirely removed as an option.
People writing a letter/email/secure message to their bank, or writing to their MP, would be a more effective strategy than just personally avoiding using SMS 2FA.
Corrected.
And I agree, abandonment of SMS by users won't force its removal, which is why I stated more likely.
However if everyone continues to choose it, while other more secure options are available to most, then it is less likely to be removed.
It is also more likely to become optional, or at least disabled by default, but stay an option, if fewer users use it.
0 -
Do the comments here mean that it is always safer to use the app rather than the internet for banking?
0 -
RG2015 said:
Do the comments here mean that it is always safer to use the app rather than the internet for banking?
Some would unhesitatingly say "yes". Others would point to the word "always" making it impossible to say one way or another (i.e. it depends on individual circumstances).
Thinking about it a bit more, I wonder whether the SMS option has been added as a step in the process of VM/CYBG phasing out their security token. I think there was an option to make FP authorisations (up to £500 per transaction & £1000/day) using SMS, with larger payments needing 2FA with the App or security token. This is what the VM site currently says, I'm not sure that has been changed.
But the £500/£1000 limits (for SMS) are very low in comparison to other banks and building societies, so I wonder whether VM/CYBG might be starting to embrace SMS as being OK (if not ideal)? The old CYBG security token doesn't really fit with the VM image... so if anything got dropped I think it more likely it would be this method. (Edit: which would be a disbenefit for those living in areas with poor mobile reception and not wanting to use the App)
1 -
As above.
Section62 said:
RG2015 said:
Do the comments here mean that it is always safer to use the app rather than the internet for banking?
Some would unhesitatingly say "yes". Others would point to the word "always" making it impossible to say one way or another (i.e. it depends on individual circumstances).
Thinking about it a bit more, I wonder whether the SMS option has been added as a step in the process of VM/CYBG phasing out their security token. I think there was an option to make FP authorisations (up to £500 per transaction & £1000/day) using SMS, with larger payments needing 2FA with the App or security token. This is what the VM site currently says, I'm not sure that has been changed.
But the £500/£1000 limits (for SMS) are very low in comparison to other banks and building societies, so I wonder whether VM/CYBG might be starting to embrace SMS as being OK (if not ideal)? The old CYBG security token doesn't really fit with the VM image... so if anything got dropped I think it more likely it would be this method. (Edit: which would be a disbenefit for those living in areas with poor mobile reception and not wanting to use the App)
Not always, but probably usually, assuming the mobile device has a strong screen lock/passcode and is still getting security updates (and these are being installed).
A few reasons:
The app developers only have to maintain 2 versions of the app (Apple and Android) and can force users to always be on the latest.
Websites have to support all the different browser versions across different operating systems.
This makes the vulnerability surface area much bigger.
Browsers also allow use of plug-ins and extensions (which could also potentially be installed maliciously), further increasing the possible vectors of compromise.
Most users on computers/PCs run as a local administrator, and often have weak, or no local user password requirement.
PCs (and mobile devices) are not always kept up to date by users, or used long past their use by date, but websites continue to function, even in browsers with known vulnerabilities.
1 -
They've always had SMS 2FA as an option when you didn't have the mobile app installed.
SMS can be useful for landlines or if your mobile isn't suitable for their app.
0 -
Yes, but previously it was not available for those that didn't have the app installed anywhere.
Deleted_User said:
They've always had SMS 2FA as an option when you didn't have the mobile app installed.
Now it is an option to choose either SMS or the app for the second factor authorisation.
0
