The amount of security checks are becoming ridiculous.

jamesmorgan

MEM62 said:

[Deleted User] said:

How many layers of security do you need?

You need sufficient so that your next post does not start "I was defrauded and my bank's security measures were not good enough"  

I think it is a bit more nuanced than that - your banks need sufficient so that when you are defrauded they can say they put in reasonable measures to prevent it so they are not liable.

flaneurs_lobster

jamesmorgan said:

MEM62 said:

[Deleted User] said:

How many layers of security do you need?

You need sufficient so that your next post does not start "I was defrauded and my bank's security measures were not good enough"  

I think it is a bit more nuanced than that - your banks need sufficient so that when you are defrauded they can say they put in reasonable measures to prevent it so they are not liable.

And then the next post will start "I was defrauded and my bank won't refund my money".

AmityNeon

jamesmorgan said:

dealyboy said:

Logging on for online banking for me requires:

. customer no.
. 3 digits from my pin
. 3 characters from my password

... also why would you need to logon to the app to receive a text?

Because Natwest implement 2FA so once you have given all of the above you need to provide a 6 digit code sent as a text to your phone. Not all providers fully implement 2FA so many don't require this yet, however, it is the direction of travel. It is fairly clear that most banks want to move fairly quickly to biometrics as the only method of security and do away with cards/pins etc. It is a sensible move, but does require all the population to have access to a fairly new smart phone in order to access financial services.

@dealyboy was talking about NatWest. 2FA via SMS OTP is required when logging in from an untrusted session (e.g. cleared cookies, different browser, new device).

jamesmorgan

AmityNeon said:

jamesmorgan said:

dealyboy said:

Logging on for online banking for me requires:

. customer no.
. 3 digits from my pin
. 3 characters from my password

... also why would you need to logon to the app to receive a text?

Because Natwest implement 2FA so once you have given all of the above you need to provide a 6 digit code sent as a text to your phone. Not all providers fully implement 2FA so many don't require this yet, however, it is the direction of travel. It is fairly clear that most banks want to move fairly quickly to biometrics as the only method of security and do away with cards/pins etc. It is a sensible move, but does require all the population to have access to a fairly new smart phone in order to access financial services.

@dealyboy was talking about NatWest. 2FA via SMS OTP is required when logging in from an untrusted session (e.g. cleared cookies, different browser, new device).

When I spoke to Natwest, they said that certain devices may be treated as trusted but they wouldn't share their algorithms for a trusted device.  They suggested that if I logged on from the same device daily for a week it may become trusted, but they couldn't guarantee it.  I have used the same device for 5 years, same browser etc but it is still not treated as trusted.  They say there is nothing they can do - system working as designed...

It never used to do this - I think it started to happen when I installed the Natwest app on my phone, but I'm not certain of this.

dealyboy

jamesmorgan said:

AmityNeon said:

jamesmorgan said:

dealyboy said:

Logging on for online banking for me requires:

. customer no.
. 3 digits from my pin
. 3 characters from my password

... also why would you need to logon to the app to receive a text?

Because Natwest implement 2FA so once you have given all of the above you need to provide a 6 digit code sent as a text to your phone. Not all providers fully implement 2FA so many don't require this yet, however, it is the direction of travel. It is fairly clear that most banks want to move fairly quickly to biometrics as the only method of security and do away with cards/pins etc. It is a sensible move, but does require all the population to have access to a fairly new smart phone in order to access financial services.

@dealyboy was talking about NatWest. 2FA via SMS OTP is required when logging in from an untrusted session (e.g. cleared cookies, different browser, new device).

When I spoke to Natwest, they said that certain devices may be treated as trusted but they wouldn't share their algorithms for a trusted device.  They suggested that if I logged on from the same device daily for a week it may become trusted, but they couldn't guarantee it.  I have used the same device for 5 years, same browser etc but it is still not treated as trusted.  They say there is nothing they can do - system working as designed...

It never used to do this - I think it started to happen when I installed the Natwest app on my phone, but I'm not certain of this.

Tags: @jamesmorgan, @AmityNeon

As discussed and thanks, I was referring to my NatWest account, but I am required by some banks to enter an OTP e.g. when setting up a new payee or during 2FA.

I was surprised you needed to visit the app. I always receive OTP requests, be they automated calls or texts on my 20 year old Nokia (non-smart). I don't remember ever needing to log in to an app. edit: I do have all the banks' apps.

[Deleted User]

flaneurs_lobster said:

jamesmorgan said:

MEM62 said:

[Deleted User] said:

How many layers of security do you need?

You need sufficient so that your next post does not start "I was defrauded and my bank's security measures were not good enough"  

I think it is a bit more nuanced than that - your banks need sufficient so that when you are defrauded they can say they put in reasonable measures to prevent it so they are not liable.

And then the next post will start "I was defrauded and my bank won't refund my money".

https://forums.moneysavingexpert.com/discussion/6258550/keep-being-subject-to-card-fraud/p1

flaneurs_lobster

So less than two years ago you were the victim of card fraud, are you not then grateful that your bank is now taking robust steps to ensure that your accounts are being operated by yourself and not by fraudsters?

[Deleted User]

flaneurs_lobster said:

So less than two years ago you were the victim of card fraud, are you not then grateful that your bank is now taking robust steps to ensure that your accounts are being operated by yourself and not by fraudsters?

My point is that all these security systems did not prevent fraud. I can’t remember if all the banks had 2FA for card payments in April 2021. But it didn’t protect me. They are over the top. One security check should be sufficient.

dealyboy

If I may put my point of view ...

Are the amount of security checks becoming ridiculous? No, not ridiculous, but in some cases onerous or possibly excessive.

I can remember when Santander had 7 steps of security: card, numbers, passwords, pins, pictures, words, and OTP, and it felt ridiculous but in reality it was just onerous.

I can't remember when a man with a red flag walked in front of horseless carriages, but I'm sure that it was ridiculous and excessive.

It's a matter of risk and our tolerance. There will be failures whatever our mitigation. It is also a matter of who bears the risk, the customer or the service provider, in a free market you makes your choice and suffer the consequences.

Descrabled

RBS / NatWest

The  2F system used by this bank when I log on using the laptop is most peculiar. The message states that the 6 digit code has been sent to my phone (as a text). In reality the code is sent to the notification on my app that is, incidentally, on my tablet. Very confusing.

If I then indicate that the code has "not been received" the bank then sends a code by text to my phone. I can then log in without use of the app.

Ms Descrabled has none of these problems, suffered by this Mr Big, as she can log on to her account(s) without any 2F nonsense.

Incidentally the notification area of my app has thousands of notices because I am paying my water bill at the rate of £1.01 a shot for the double roundup. I don't want any scam expert ruining that little trick.