John Lewis credit card changes to verification
-
japitts said:
Having taken my complaint to the Ombudsman, it appears NewDay have an unpublished 3-month reversion - once you have used the mobile app, then you are forced into having app-based OTPs although other notifications and fraud-alerts are still sent over SMS.
If you don't use the mobile app for 3 months, then you revert to SMS OTPs. Be very aware if you just want to "try out" the mobile app, it has some unpublished implications.
-
japitts said:
3 other cardholders that I know (including my additional) have not been notified of this change. So it seems to be nothing to do with security issues, and everything to do with trying to force increased use of the app.
I'll gladly put my online purchases through another card rather than be forced to use their app, but will see whether any common sense comes out of their complaints process.
Life in the slow lane
-
WillPS said:
japitts said:
Having taken my complaint to the Ombudsman, it appears NewDay have an unpublished 3-month reversion - once you have used the mobile app, then you are forced into having app-based OTPs although other notifications and fraud-alerts are still sent over SMS.
If you don't use the mobile app for 3 months, then you revert to SMS OTPs. Be very aware if you just want to "try out" the mobile app, it has some unpublished implications.
Exactly, and this was one point I made in my Ombudsman complaint. Because that didn't apply in my case, there was no ruling - but presumably this is why NewDay have allowed an unpublished 3-month get-out.
Their complaints handling leaves a lot to be desired, from my experience.
-
japitts said:
WillPS said:
japitts said:
Having taken my complaint to the Ombudsman, it appears NewDay have an unpublished 3-month reversion - once you have used the mobile app, then you are forced into having app-based OTPs although other notifications and fraud-alerts are still sent over SMS.
If you don't use the mobile app for 3 months, then you revert to SMS OTPs. Be very aware if you just want to "try out" the mobile app, it has some unpublished implications.
Exactly, and this was one point I made in my Ombudsman complaint. Because that didn't apply in my case, there was no ruling - but presumably this is why NewDay have allowed an unpublished 3-month get-out.
Their complaints handling leaves a lot to be desired, from my experience.
Perhaps something along those lines will work?
-
[Deleted User] said:
japitts said:
WillPS said:
japitts said:
Having taken my complaint to the Ombudsman, it appears NewDay have an unpublished 3-month reversion - once you have used the mobile app, then you are forced into having app-based OTPs although other notifications and fraud-alerts are still sent over SMS.
If you don't use the mobile app for 3 months, then you revert to SMS OTPs. Be very aware if you just want to "try out" the mobile app, it has some unpublished implications.
Exactly, and this was one point I made in my Ombudsman complaint. Because that didn't apply in my case, there was no ruling - but presumably this is why NewDay have allowed an unpublished 3-month get-out.
Their complaints handling leaves a lot to be desired, from my experience.
Perhaps something along those lines will work?
NewDay's position seems to be, that once you've used the app for any purpose, you must use it for all OTPs, irrespective of whether you want to or not. If you can't receive the in-app notification, then you'd either need to troubleshoot that or not be able to complete the transaction.
They're quite happy for transaction updates and fraud queries to be sent by SMS, but apparently it's "insecure" for OTPs to be texted once app-usage has been triggered.
I still can't fathom their logic, except that it's the only way they can encourage uptake of their app. It's done the opposite in my case.
-
SMS OTP is no longer considered secure. If you want to have an easy night's sleep, here's some details:
https://securityboulevard.com/2021/12/why-using-sms-authentication-for-2fa-is-not-secure/
As much as it hurts to change, this is likely to be the future, you can struggle and resist and get upset and stressed, or you can move with the times and accept it and an easy life.
-
pmartin86 said:
SMS OTP is no longer considered secure. If you want to have an easy night's sleep, here's some details:
https://securityboulevard.com/2021/12/why-using-sms-authentication-for-2fa-is-not-secure/
As much as it hurts to change, this is likely to be the future, you can struggle and resist and get upset and stressed, or you can move with the times and accept it and an easy life.
We're talking about payment card fraud here - it's a system with a huge amount of built in mitigation already in terms of fraud detection, ability for transactions to be undone etc. The typical way of making payment card fraud pay on an industrial scale is by procuring massive amounts of card details (often 'skimmed' from a compromised ecommerce website) and getting as much charged through it and delivered as possible (expecting a certain attrition rate), then turning those goods/services back into currency. Rinse and repeat. The amount of effort it'd take to additionally hack a cardholder's device or socially manipulate them into giving up an SMS code would not be compatible with the volumes of fraud attempts needed to make it pay; if you're doing that you might as well go for the better loot that comes with fraudsters emptying people's bank accounts.
Even ignoring this, there are ways of achieving a secure 2 factor authentication process which don't depend entirely on an up-to-date app installed on a compatible smartphone. If NewDay are dead-set on disabling SMS codes permanently for any customer they perceive as not needing them, they need to implement some other fall-back option.
I'm not saying this change is financially motivated, but it's worth considering too that SMS text messages cost money for businesses to send out. Not much, but something. Asking them to log in and tap a button in an app costs nothing other than the costs they will already have of providing an app of some sort.