back to article Banks don’t give a 2FA

The online security of a majority of UK banks is failing customers. Tests by consumer group Which? found that only five out of the 11 providers it tested offered two-step authentication for logins. Lloyds and Santander were among the banks faulted for not doing enough to protect consumers from ID theft and banking fraud. In …

  1. Anonymous Coward
    Anonymous Coward

    Whoops!

    It's a shame that while (rightly) castigating banks for their failings, Which? couldn't even get the link to the results of their tests right on the webpage the article links to, so I still don't know how individual banks compare. At least they have a nice custom 404 page, though. :)

    1. Adze

      Re: Whoops!

      Barclays have a reasonable 2fa system. This is not a recommendation for Barclays as a bank, nor does it constitute financial advice.

      1. Anonymous Coward
        Anonymous Coward

        Re: Whoops!

        Who to answer first?? Lets try both at once.

        Yesterday I had the dubious pleasure of trying to log in to a Barclays business account for the first time; despite the assistance of their help line, it just WOULD NOT work, throwing up a "Details not found" error.

        "No, No, it isnt case sensitive" the poor girl is telling me, which it patently IS, because the first time I enter my name using lower case only, the buggering thing works.

        But only if I use a specific one of the three possible account identification options; so why have the other two then??

        "It isnt case sensitive, but lower case is best, as is using account identity option 1" she burbles.

        Fuckwits.

        1. stephenhartley

          Re: Whoops!

          "It isnt case sensitive, but lower case is best"

          -- best laugh I've had all week :-) Thanks for sharing!

    2. Dan 55 Silver badge

      Re: Whoops!

      Santander still bringing up the rear, they got last place in 2013. Why am I not surprised.

      There's a copy of the list here

      1. Steve Foster

        Re: Whoops!

        Although Santander don't use 2FA at that point, their login pages do include a personalised display as an anti-phishing measure (I haven't seen any other bank doing that).

        And Santander do use 2FA for approving new payees (by sending a OTP to your mobile).

        Personally, I think 2FA just to login is probably excessive, and there are reasonably some functions that could be done without it (eg requests that require delivery fulfillment or branch collection [replacement cheque books and such]).

  2. Nick Ryan Silver badge

    Blah. Whatever. In my experience (personal and observed), most of the bank security problems had no source related to whether or not there was two factor authentication in place or not - most of them were outside this as they were evidently inside jobs of some form or external systems such as 3rd party card readers. None of which a 2FA system on their website would have helped with at all.

  3. Anonymous South African Coward Silver badge

    Capitec Bank (in South Africa) offers a reasonable secure system - you can link your account to your mobile device (NOT SIM card) so whenever you need to transfer money or log into your account from a computer, you will need to enter your PIN on your mobile device.

    The plus thing of this is that your PIN can be longer than the usual 4 digits.

    Mobile device got blagged by a ne'er-do-well? No fear, just give them a call on a 24-hour line and stop your card.

    Also, said ne'er-do-well only have 3 chances of inputting the correct PIN, if he/she/it doesn't, the app deauthenticates itself, and only by going into a branch will you be able to re-establish authentication again.

  4. heyrick Silver badge

    More problems than that

    My bank (a French one, as that's where I live) took away my password (that was a suitably long foreign word) and replaced it with a five digit number for the braindead retards my security.

    Also, when I purchase online things from France I get an SMS asking me to confirm the transaction. Buying a Pi Zero from the UK? Transaction accepted with no hitches. Now won't fraud likely be from another country? {facepalm}

  5. Cynical Shopper

    Lloyds 2FA

    They do have 2FA, but only when you want to perform some action. A bit like lazy vs. eager password entry on sites like Amazon. Works better for me than one of those stupid calculators that you have to carry everywhere.

    Admittedly, it's not providing much security when the second factor is calling the same phone that the app or website is running on.

    1. Adam 52 Silver badge

      Re: Lloyds 2FA

      Which do make that point, it just didn't make it the the Reg article.

  6. Anonymous Coward
    Anonymous Coward

    Smile Bank / Cooperative Bank's new facelift is an utter disaster

    Smile had pretty much the same system since 1999, it was matter of fact, but crucially it worked, was never offline, there was never a mistake on the account. You could phone, use a branch of the Cooperative Bank if you really had to. When all you had was 2G data, you could still log and make a transfer/payment. It was a frugal interface in terms of data exchange. It was great.

    Cooperative decided on one of those useless glossy revamps, and boy, is it the biggest load of convoluted shit ever. It adds absolutely nothing and destroys everything in the process.

    Each box, takes 2-3 seconds between each entry screen to become typeable.

    You now need to remember your Sort Code, Account Number, the original 4 Digit Pin for Telephone support

    The new Online Sign on process...

    You need Sort Code, Account Number followed by the original 4 Digit Pin. (old system)

    This now gets you a deleteable cookie stored on the device to access the new system. Delete this you needs the above again.

    Then you need a new case sensitive 8+ character password, plus a new six digit password. Then..

    Mother maiden name, First School, Last School, Fathers name, Memorable date, or some combo of.

    When it all fails (it does because the system can't keep up with your typing), you can use the Generic Card Reader with your Debit Card + a different 4 Digit Card Pin to reset everything online with no system checks and gain full access (and subsequently empty the account if you had got hold of someone else's Pin + Debit Card, + have a Generic Card Reader.

    It's actually quicker to fail the Password system three times, and use the Card Reader + Pin every time to log on!

    All in the name of Progress. Oh, and phoning Smile/Cooperative now, you'll be lucky if the phone is answered in any time short of 30 minutes.

    1. Anonymous Coward
      Anonymous Coward

      Re: Smile Bank / Cooperative Bank's new facelift is an utter disaster

      I missed out the username. There is also added username to remember too, to replace the Sort Code and Account Number, but you still need to remember those, anyway.

  7. HailAJ

    What about case-sensitive passwords?

    The fact that many don't offer 2FA is not surprising,

    Halifax's online banking website does not even use Case Sensitive passwords FFS

  8. Trollslayer

    More gadgets

    I manage without this by using non dictionary dual factors, one of which uses two random letters at a time.

    Nothing written down an no numeric sequences.

  9. Rob Kendrick

    The Lloyds system is better

    I have the 2FA device I have to use with HSBC/FirstDirect: it's a huge keyring thing that I never have near me when I use it.

    The Lloyds system is far superior: doing anything that might cost you money makes a robot ring you on your mobile, which you're much more likely to have on you. You then type the number on-screen into your mobile, and you're done.

    A much better balance of convenience vs. security.

  10. streaky

    U2F

    Been saying for years I'll move all my accounts to the first bank to offer U2F and also scores A+ on the qualys checker. All banks are technically incompetent and only refresh their sites like once every 10 years (my current bank only just did theirs and didn't improve any of their security when they did).

  11. Anonymous Coward
    Anonymous Coward

    no comment about using your fingerprint

    when using an iPhone.

    my iPhone 5S makes using RBS easy. Use my fingerprint and I'm in. Any new payees use 2FA including their cardreader (kept locked away at home) and an SMS.

    By contract Santander is a POS.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon