The amount of security checks are becoming ridiculous.

DullGreyGuy

flaneurs_lobster said:

DullGreyGuy said:

flaneurs_lobster said:

eskbanker said:

AstonSmith said:

The second half (phone call etc) seems a bit weird. Surely the company doesn't have liability since the SCA process was followed (CVV, 2nd factor auth)?

SCA is there to protect the bank's interests, and/or arguably the customer's, but not the merchant's, so the latter may have their own fraud prevention measures to suit their own risk assessment.

But the "merchant" emailed @[Deleted User] asking them to call, I'd be wanting the "merchant" to prove who they are rather than vice versa. 

Why when you are the one calling them? Easy enough to get the company's telephone number from their website if you dont trust the one in the email and the OP clearly trusts the company enough to give them £400 of their hard earned money on the promise of goods/services in return after.

I take your point but many people would just call the number quoted in the email. It's a common enough phishing scam to pretend to be an email from your bank quoting a number to ring or a link to click.

Lets say you do just call the number in the email and we take your approach... what are you going to ask the "random person on the phone" to tell you that will get you comfortable that they really do work for John Lewis or Elite Singles or whatever random company it is?

For one, plenty of companies outsource and so Betty "from Sky" could well be sitting in a BT Syncordia call centre and will be Betty from The TrainLine on her next call. Even if it's an insourced operation asking questions like "who is your CEO?" is likely to get a shrug from most genuine call centre employees let alone outsourced. And yes have had customers ask that type of Q back in my call centre days (plus the more racist ones saying the girl I was sitting next to certainly wasn't in Leeds but somewhere in Bombay and he knew they were trained to be able to describe Leeds city centre, its schools etc)

born_again

[Deleted User] said:

tacpot12 said:

You need more layers than you might imagine. The criminals are resouceful, persistent and merciless. 

Yes but it remains the case that many websites to do not need authentication to be completed. So the criminals will just use those sites. Secondly they are removing the ease which made electronic payments benefit over cash. 

Most fraud is committed to well known sites selling high value goods. 

[Deleted User]

born_again said:

[Deleted User] said:

tacpot12 said:

You need more layers than you might imagine. The criminals are resouceful, persistent and merciless. 

Yes but it remains the case that many websites to do not need authentication to be completed. So the criminals will just use those sites. Secondly they are removing the ease which made electronic payments benefit over cash. 

Most fraud is committed to well known sites selling high value goods. 

I was fraud twice a while back, these security systems did nothing to prevent it . The bank just have the money back. 

grumbler

                       

jamesmorgan

I broadly agree with the OP that security systems seem to have gone to excess.  I appreciate the good intent, but it does make it more and more difficult to do simple things - esp if you are in area with patchy mobile signal.  I bank with Natwest.  Every time I want to logon to my account on my PC, it insists on sending a OTP to me phone.  To access the OTP, I need to logon to the Natwest app on the phone.  Assuming the mobile signal is good enough to enable me to do this, once I have logged on the Natwest app on the phone I might  as well do what I intended to do on the PC.  I have complained to Natwest, but they just say they have no choice with how 2FA is implemented.

I am about to go abroad in an area with no mobile signal.  I can almost guarantee that if I try to use my cards for purchases, I will be blocked unless I respond to a text that I can't receive!  I have tried to notify the card companies I am going abroad, but their systems no longer enable them to store this type of information.  It is a constant maze of trying to work out how their security systems will stop you doing what you want.

Mr.Generous

DullGreyGuy said:

MattMattMattUK said:

DullGreyGuy said:

SVts said:

Transferring money from one bank to another seems to come with many possible fraud warnings before you eventually get to transfer. 

When paying my HMRC bills I could say "yes" to at least half of the red flag warning points they raise.

I find it particularly odd when you've selected something like HMRC from their list of pre-setup account details that they show the same warnings

I find this odd as well, I mean one would have to be the dumbest kind of stupid to pay one's personal (or business) tax bill with a stolen credit card or illegally accessed bank account.

No, the warnings for a FasterPay transfer are all about if you can trust the recipient is who they say, not paying under duress etc... so not about you doing the naughty but the recipient... hence HMRC can tick boxes 

To be fair I always feel like I've been scammed after paying HMRC

dealyboy

Hi @jamesmorgan ...

jamesmorgan said:

I broadly agree with the OP that security systems seem to have gone to excess.  I appreciate the good intent, but it does make it more and more difficult to do simple things - esp if you are in area with patchy mobile signal.  I bank with Natwest.  Every time I want to logon to my account on my PC, it insists on sending a OTP to me phone.  To access the OTP, I need to logon to the Natwest app on the phone.  Assuming the mobile signal is good enough to enable me to do this, once I have logged on the Natwest app on the phone I might  as well do what I intended to do on the PC.  I have complained to Natwest, but they just say they have no choice with how 2FA is implemented.

I am about to go abroad in an area with no mobile signal.  I can almost guarantee that if I try to use my cards for purchases, I will be blocked unless I respond to a text that I can't receive!  I have tried to notify the card companies I am going abroad, but their systems no longer enable them to store this type of information.  It is a constant maze of trying to work out how their security systems will stop you doing what you want.

... I'm puzzled by your comments highlighted.

Logging on for online banking for me requires:
. customer no.
. 3 digits from my pin
. 3 characters from my password

... also why would you need to logon to the app to receive a text?

flaneurs_lobster

dealyboy said:

Hi @jamesmorgan ...

jamesmorgan said:

I broadly agree with the OP that security systems seem to have gone to excess.  I appreciate the good intent, but it does make it more and more difficult to do simple things - esp if you are in area with patchy mobile signal.  I bank with Natwest.  Every time I want to logon to my account on my PC, it insists on sending a OTP to me phone.  To access the OTP, I need to logon to the Natwest app on the phone.  Assuming the mobile signal is good enough to enable me to do this, once I have logged on the Natwest app on the phone I might  as well do what I intended to do on the PC.  I have complained to Natwest, but they just say they have no choice with how 2FA is implemented.

I am about to go abroad in an area with no mobile signal.  I can almost guarantee that if I try to use my cards for purchases, I will be blocked unless I respond to a text that I can't receive!  I have tried to notify the card companies I am going abroad, but their systems no longer enable them to store this type of information.  It is a constant maze of trying to work out how their security systems will stop you doing what you want.

... I'm puzzled by your comments highlighted.

Logging on for online banking for me requires:
. customer no.
. 3 digits from my pin
. 3 characters from my password

... also why would you need to logon to the app to receive a text?

I'm also puzzled by anyone complaining that their bank make it hard to get at their money.

If all this convenience is too hard then just revert to printed statements in the post once a month and writing cheques.

Seriously, if the phone signal is too poor then just revert to accessing the bank online only, the verification can all be done with a card reader, no need for the app.  

jamesmorgan

dealyboy said:

Hi @jamesmorgan ...

jamesmorgan said:

I broadly agree with the OP that security systems seem to have gone to excess.  I appreciate the good intent, but it does make it more and more difficult to do simple things - esp if you are in area with patchy mobile signal.  I bank with Natwest.  Every time I want to logon to my account on my PC, it insists on sending a OTP to me phone.  To access the OTP, I need to logon to the Natwest app on the phone.  Assuming the mobile signal is good enough to enable me to do this, once I have logged on the Natwest app on the phone I might  as well do what I intended to do on the PC.  I have complained to Natwest, but they just say they have no choice with how 2FA is implemented.

I am about to go abroad in an area with no mobile signal.  I can almost guarantee that if I try to use my cards for purchases, I will be blocked unless I respond to a text that I can't receive!  I have tried to notify the card companies I am going abroad, but their systems no longer enable them to store this type of information.  It is a constant maze of trying to work out how their security systems will stop you doing what you want.

... I'm puzzled by your comments highlighted.

Logging on for online banking for me requires:
. customer no.
. 3 digits from my pin
. 3 characters from my password

... also why would you need to logon to the app to receive a text?

Because Natwest implement 2FA so once you have given all of the above you need to provide a 6 digit code sent as a text to your phone.  Not all providers fully implement 2FA so many don't require this yet, however, it is the direction of travel.  It is fairly clear that most banks want to move fairly quickly to biometrics as the only method of security and do away with cards/pins etc.  It is a sensible move, but does require all the population to have access to a fairly new smart phone in order to access financial services.

MEM62

[Deleted User] said:

How many layers of security do you need?

You need sufficient so that your next post does not start "I was defrauded and my bank's security measures were not good enough"