
John Lewis credit card changes to verification


  • WillPS
    WillPS Posts: 5,162 Forumite
    Part of the Furniture 1,000 Posts Newshound! Name Dropper
    japitts said:
    Having taken my complaint to the Ombudsman, it appears NewDay have an unpublished 3month reversion - once you have used the mobile app, then you are forced into having app-based OTPs although other notifications and fraud-alerts are still sent over SMS.

    If you don't use the mobile app for 3months, then you revert to SMS OTPs. Be very aware if you just want to "try out" the mobile app, it has some unpublished implications.
    Feels like a flawed process - what if one decides they don't want a smartphone any more?
  • born_again
    born_again Posts: 20,513 Forumite
    10,000 Posts Fifth Anniversary Name Dropper
    japitts said:
    3 other cardholders that I know (including my additional) have not been notified of this change. So it seems to be nothing to do with security issues, and everything to do with trying to force increased use of the app.

    I'll gladly put my online purchases through another card rather than be forced to use their app, but will see whether any common sense comes out of their complaints process.
    Additional Cardholders won't get notified, as they are not the account holder. It is up to the account holder to inform them.
    Life in the slow lane
  • japitts
    japitts Posts: 119 Forumite
    Part of the Furniture 100 Posts
    WillPS said:
    japitts said:
    Having taken my complaint to the Ombudsman, it appears NewDay have an unpublished 3month reversion - once you have used the mobile app, then you are forced into having app-based OTPs although other notifications and fraud-alerts are still sent over SMS.

    If you don't use the mobile app for 3months, then you revert to SMS OTPs. Be very aware if you just want to "try out" the mobile app, it has some unpublished implications.
    Feels like a flawed process - what if one decides they don't want a smartphone any more?

    Exactly, and this was one point I made in my Ombudsman complaint. Because that didn't apply in my case, there was no ruling - but presumably this is why NewDay have allowed an unpublished 3month get-out.

    Their complaints handling leaves a lot to be desired, from my experience.
  • japitts said:
    WillPS said:
    japitts said:
    Having taken my complaint to the Ombudsman, it appears NewDay have an unpublished 3month reversion - once you have used the mobile app, then you are forced into having app-based OTPs although other notifications and fraud-alerts are still sent over SMS.

    If you don't use the mobile app for 3months, then you revert to SMS OTPs. Be very aware if you just want to "try out" the mobile app, it has some unpublished implications.
    Feels like a flawed process - what if one decides they don't want a smartphone any more?

    Exactly, and this was one point I made in my Ombudsman complaint. Because that didn't apply in my case, there was no ruling - but presumably this is why NewDay have allowed an unpublished 3month get-out.

    Their complaints handling leaves a lot to be desired, from my experience.
    RBS do something similar but let you use SMS for codes after the first attempt or if their app is blocked for any reason.
    Perhaps something along those lines will work?
  • japitts
    japitts Posts: 119 Forumite
    Part of the Furniture 100 Posts
    edited 30 April 2024 at 5:24PM
    japitts said:
    WillPS said:
    japitts said:
    Having taken my complaint to the Ombudsman, it appears NewDay have an unpublished 3month reversion - once you have used the mobile app, then you are forced into having app-based OTPs although other notifications and fraud-alerts are still sent over SMS.

    If you don't use the mobile app for 3months, then you revert to SMS OTPs. Be very aware if you just want to "try out" the mobile app, it has some unpublished implications.
    Feels like a flawed process - what if one decides they don't want a smartphone any more?

    Exactly, and this was one point I made in my Ombudsman complaint. Because that didn't apply in my case, there was no ruling - but presumably this is why NewDay have allowed an unpublished 3month get-out.

    Their complaints handling leaves a lot to be desired, from my experience.
    RBS do something similar but let you use SMS for codes after the first attempt or if their app is blocked for any reason.
    Perhaps something along those lines will work?

    NewDay's position seems to be, that once you've used the app for any purpose, you must use it for all OTP's, irrespective of whether you want to or not. If you can't receive the in-app notification, then you'd either need to troubleshoot that or not be able to complete the transaction.

    They're quite happy for transaction updates and fraud queries to be sent by SMS, but apparently it's "insecure" for OTP's to be texted once app-usage has been triggered.

    I still can't fathom their logic, except that it's the only way they can encourage uptake of their app. It's done the opposite in my case.
  • SMS OTP is no longer considered secure. If you want to have an easy night's sleep, here's some details:

    https://securityboulevard.com/2021/12/why-using-sms-authentication-for-2fa-is-not-secure/

    As much as it hurts to change, this is likely to be the future, you can struggle and resist and get upset and stressed, or you can move with the times and accept it and an easy life.


  • WillPS
    WillPS Posts: 5,162 Forumite
    Part of the Furniture 1,000 Posts Newshound! Name Dropper
    edited 24 October 2023 at 10:27AM
    pmartin86 said:
    SMS OTP is no longer considered secure. If you want to have an easy night's sleep, here's some details:

    https://securityboulevard.com/2021/12/why-using-sms-authentication-for-2fa-is-not-secure/

    As much as it hurts to change, this is likely to be the future, you can struggle and resist and get upset and stressed, or you can move with the times and accept it and an easy life.


    We're talking about payment card fraud here - it's a system with a huge amount of built-in mitigation already in terms of fraud detection, ability for transactions to be undone etc. The typical way of making payment card fraud pay on an industrial scale is by procuring massive amounts of card details (often 'skimmed' from a compromised ecommerce website) and getting as much charged through it and delivered as possible (expecting a certain attrition rate), then turning those goods/services back into currency. Rinse and repeat. The amount of effort it'd take to additionally hack a cardholder's device or socially manipulate them into giving up an SMS code would not be compatible with the volumes of fraud attempts needed to make it pay; if you're doing that you might as well go for the better loot that comes with fraudsters emptying people's bank accounts.
    Even ignoring this, there are ways of achieving a secure 2 factor authentication process which don't depend entirely on an up-to-date app installed on a compatible smartphone. If NewDay are dead-set on disabling SMS codes permanently for any customer they perceive as not needing them, they need to implement some other fall-back option.
    I'm not saying this change is financially motivated, but it's worth considering too that SMS text messages cost money for businesses to send out. Not much, but something. Asking them to log in and tap a button in an app costs nothing other than the costs they will already have of providing an app of some sort.