Card/account use controls
Sounds just like what Revolut have been doing for a year or so.
Three in five Brits reckon that fewer than three security steps – including passwords, card readers or letters from a memorable word – are insufficient to assure their bank account is secure and not accessible by other people. The online survey, conducted by YouGov and sponsored by credit reference agency Equifax, found just …
OneBlade - Alternatively you could buy a safety razor and use a Feather blade (the same blade maker as the OneBlade). The Feather razor and blades are cheaper, ~$50 for 200. I have a coarse beard and have been shaving for the last 55+ years, each blade lasts me a week, and so far I have bought >400 blades. Warning: They are very sharp and take a couple of weeks to get used to them.
I'm not saying who (not Santander) but one of my bank/building socs keeps nagging me to install Trusteer. As far as I can see this is just another bit of software that can be compromised / spy on me. I don't know what it does but their website says "Trusteer Rapport stops all financial malware". Even Domestos only kills 99% of all known bugs. It seems a bit arrogant for Trusteer to claim 100% success, hence I do not trust them.
BTW, wax is much better and cheaper than a razor - though to be fair it does hurt.
@Kevin Johnston "Abbey (OK, Santander) [...] also try to encourage you to install Trusteer but anything with a name like that has to be Fake News, Facebook told me so."
@ Swiss Anton "I'm not saying who (not Santander) but one of my bank/building socs keeps nagging me to install Trusteer. As far as I can see this is just"
I'm with Yorkshire Building Society (i.e not the Bank with the similar name) and their system is always nagging me to install Trusteer. A quick check shows Trusteer is owned by IBM (redirects to here) so I'll leave it up to you if you want to install what is almost likely to be a steaming pile of Ginny turd.
Funnily enough I've always declined their frustratingly repeated "invitations" to download and install their free snooping monetisation spyware helpful security software on my desktop. As the saying goes: If it's free, you're the product not the customer.
Not using a mobile phone would figure highly on my list of how to keep my bank a/c safe. Next: not to login there from a MS Windows machine.
It would help a lot if the banks stopped 'phoning their customers about whatever and as a first step asking the customer to verify who they were by answering security questions!
It would help if bank marketing departments didn't send emails or televise ads that looked like scams. I've had legit emails that had a "click here" link to access new features. And that Halifax/Thunderbirds ad where Parker wins a lottery he didn't seem to have entered would be a good start.
Please explain, as malware and keyloggers are very rare on mobile, but much more at home on Windows and Mac...
If anything, a half decent, recent mobile is pretty secure, and using your mobile as part of 2FA even more so.
Using Android Pay is far more secure than a regular contactless payment method. You have biometric (fingerprint) device lock, unique one-time card numbers; your dumb contactless card has none of these.
If anything using mobile for the most part increases security in many cases... Most people don't have a clue... (I overheard someone saying cheques were more secure than that online banking.... Lol)
@alain williams "It would help a lot if the banks stopped 'phoning their customers about whatever and as a first step asking the customer to verify who they were by answering security questions!"
I've been banging my head against that one for years - if you call me and claim to be from "Acme Bank" I need a way to verify you really are calling from "Acme Bank" about my account; you know, just like you do when I call you at the bank. It's only in the last few years there's been a thawing of the "You must answer all our invasive security questions before we can discuss anything" to a slightly more pragmatic "If you're expecting us to call you back you can give us a password the agent calling you back will give you before they ask the security questions" but even that is unofficial and if it fails it's my fault not theirs. When offered a call back I usually opt to hold - it avoids the incoming call problem and keeps them focused on sorting out the problem in hand.
Frankly, banks (indeed any organisation that calls customers but expects to confirm personal details before starting the conversation) need a clear and formal way to confirm the call is genuinely from that organisation at the start of the call. Unfortunately there is a bit too much "Computer says no" because of data protection in that discussion to make any serious progress.
Barclays still make you have a debit card in order to use PIN-Sentry for online banking - even if you have an "ATM only" card. The debit card authentication allows access to all your accounts online. You can disable the card for remote transactions - but not stop its use in shops.
The silly thing is that the "ATM only" account cards will also generate authentication codes with PIN-Sentry - but the online banking system apparently won't accept them.
So I have to have a separate debit card account with a couple of quid in it - just so I can do online banking with my main account which has an "ATM only" card.
So, you have a card that lets someone withdraw cash from your account, secured with a PIN and yet you are inexplicably angry at the concept of having to have a card that allows someone to buy something in a shop, if they know that same PIN?
Yep, sounds like standard bizarre Register comments tin-foil hat nonsense.
I mean, I guess there's some kind of logic there - everyone has their own threshold on the convenience vs. security threshold, but I can only assume this means that you spend a large proportion of your time walking around with not-insignificant amounts of cash in your pockets. I would think that's a far greater risk. Personally, I'm much happier only having a piece of plastic which can be rendered useless in seconds with a phone call than a few days' worth of cash to be stolen, lost, put through the washing machine, etc, etc.
"but I can only assume this means that you spend a large proportion of your time walking around with not-insignificant amounts of cash in your pockets."
I also have a credit card with a very low limit for when I purchase something in a shop without cash. If a fraud is committed on that card - then a) the limit is low b) there is still money in my bank account paying my bills while I argue the toss with the credit card company.
My lifestyle is very frugal. There can come a point when life's pleasures are simple and inexpensive.
Not true, I have a pale blue card with "Authentication" on the top right which only works for PIN-Sentry, not ATM or Debit. It may be that you can't use a non-debit ATM card, but you definitely could get an Authentication-only card in the past at least. Contact your Barclays branch ...
"[...] but you definitely could get an Authentication-only card in the past at least. "
Thanks for that - I will enquire. When the problem first arose - it was the bank who implemented the circumvention by giving me two separate current accounts. The main one with only an ATM card and an auxiliary one with debit/ATM.
However - whenever they did something about the problem they had to cancel all the existing cards first. So there was an inconvenient gap before I had any usable cards again.
Particularly if doing it from an online interface - you can get to the airport and while away the time telling your bank that you'll be out of the country for a few days...
At least Barclaycard had the grace, when I was doing lots of small trips abroad, to allow me to not cancel the card, but phone them every time I used it after someone started trying CNP fraud on it (which they caught and cancelled anyway)... I couldn't give them a long enough window for them to cancel my card, and issue a new one before my next trip. For some reason they couldn't just issue a new one and cancel the old one once I said I had it...
@ Shadmeister "Stopping contactless sounds like a good idea - unfortunate that they cannot stop this."
That's bollocks. There is a very easy way to block contactless purchases - demand a non-contactless card from your financial institution. I've done this for all my cards - they will provide one when asked. If they cannot provide a non-contactless card I suggest you move your business to one that can.
That's The Virgin One account trick. If you need to transfer more than 1K to a person you have to do it in 1k chunks. After about the third one you get a call from them asking you to identify yourself. At least you hope it's from them and not just some random scammer who called you just as you have moved some cash.
Perhaps the person who devised it is proud of their achievement, but to me it's very inconvenient, increases the risk of me making a payment to the wrong person, and increases the chances of someone getting my verification details.
It isn't mentioned in the article.
However, it is common practice among many UK companies (banks, utilities and others) when calling you on the home/mobile telephone number they have on file (and often from a number that has CallerID suppressed/ or is clearly bogus) to insist that you have to answer "security questions" to verify your identity before they will talk to you. It is one of the most idiotic concepts ever.
Having read all the stuff about payment scams on the BBC this morning and my father-in-law having been taken in by a scam, I feel that better, user configurable, payment limits might work better. It's not authenticated users that seem to be the current problem.
For example I don't want my account accessible in any way from Russia, China, Syria or the United States. If I'm not at home I don't want to transfer more than £500. If I am home I want to be able to transfer £lots to my accounts at other banks or to my solicitor, £1000 to family members, £100 to UK bank account holders or £500 if my girlfriend seconds the payment and nothing to anyone else.
Changing these rules should involve a wait, or a phone call. I can't see that any of that would be too hard to implement.
I believe I did see a post the other week stating 2FA is easily broken through interception techniques and as such is pseudo security. As to validation, I'd like the bank to actually use part of a specified phrase given by myself to identify themselves to me, not assume valid identification is all one sided.
"That's what Verified By Visa do:"
I set up those for my Visa and Mastercards many years ago - "a personal greeting" or "nth letters from my string". However nowadays - even when an online transaction goes to the "Verify" page - they never prompt me in any way. Just a few seconds pause - then it authorises the transaction.
Same for me, actually. It's been so long since I've seen the prompt that, even though I still remember the greeting, I'd probably be unable to provide the "nth letters from my string". I assume they now consider that my transactions don't need extra checking, as I always do online purchases from the same very few computers.
While 21% said they had accounts hacked, I would estimate that a much higher percentage have had their accounts/passwords compromised but are just not aware.
If your phone is used for 2FA via SMS then we know that is not secure thanks to the SS7 protocol on mobile networks and it's being used to take funds from German banks already.
Personally I think a credit card with a digital changing number similar to RSA SecurID should be used as an additional authentication method. Doesn't matter if phones or PCs get compromised and keylogged if this code is needed for each transaction. Saying that, no doubt criminals would find a way to make use of the 30 second window and piggyback off an existing transaction. Always a cat and mouse game.
"Saying that, no doubt criminals would find a way to make use of the 30 second window and piggyback off an existing transaction. "
I queried with Barclays that their Pin-Sentry always seemed to give the same code at the same time of each day. They never answered the query. You would have expected them to use a much longer cycle than 24 hours.
Even the more security-conscious people don't actually understand security at all. Demanding more steps to log in is meaningless if they're all essentially the same thing - having a password and a memorable word just means you have two passwords. Even in the best case that's not meaningfully different from having a single slightly longer password, but given that memorable words tend to be easily discovered things like "mother's maiden name", it barely even manages that.
The reason two factor authentication works is not simply that two is bigger than one and therefore twice as hard to guess, it's because the two factors are of different kinds; traditionally something you know and something you have. Adding lots of extra things you know and/or have doesn't make things more secure if they can still be compromised in the same way - needing two keys to get in your house doesn't make it harder to break in if you keep both keys on the same keyring.
Good work by Equifax, asking 2000 Brits what security should be applied to on-line banking. I mean there's no way I could find 2000 people qualified to answer questions about secure system design, and I'm in the business.
Sure, I guess it could be that they just asked 2000 random idiots, but what would be the point of that? If you're going to ask a large number of people questions that they're not qualified to answer, at least do something useful with it like deciding the future of the country.
All banking portals use behaviour analytics as a backup to password authentication.
It baselines your behaviour: where and when you access, how you flow through the site etc.
Then throws up additional authentication if something's not right.
Also if anyone rings you and asks for verification, and is unwilling to verify themselves, hang up and call their organisation on an independently sourced number.
SMS OTP has not been a recommended factor for a while and OAUTH TOTP is cheaper and easier to implement, so why people are still using SMS I don't know.
The other issue is the x, y and z letter trick is no better security; in fact it's worse than asking for your password, as the passwords have to be stored with two-way encryption instead of complex hashes. Plus it takes most people a while to work out what the x, y and zth characters are, but they will remember their password/phrase/convoluted mess of symbols, substitutions, and cases that has a capital at the start, a special on the end and a number before that.
People are bad at choosing passwords, PINs etc. The most common PIN is always 1234...n of up to 10 digits and all 0s and all 1s are not far behind.
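An added example, not code from any commenter, of the OATH TOTP scheme (RFC 6238) the comment above recommends over SMS; it is also the 30-second rotating code discussed earlier in the thread in connection with SecurID and PIN-Sentry. The secret is the RFC 4226/6238 reference test secret, used here only so the output can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

# RFC 4226/6238 reference secret ("12345678901234567890" in ASCII). A real
# deployment generates a random per-user secret and never reuses this one.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) over a 64-bit big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30 s step.
    The code changes every step, so a keylogged code is useless seconds later."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps to
    tolerate clock drift; compare in constant time so timing leaks nothing."""
    accepted = False
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * STEP_SECONDS)
        accepted |= hmac.compare_digest(candidate, code)
    return accepted


if __name__ == "__main__":
    # Times taken from the RFC 6238 test table.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_TEST_SECRET, t))
```

A verifier should additionally remember the last accepted step per user and refuse a replay of the same code inside the window.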
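An added illustration, not from any commenter, of the storage point made above about "give me characters x, y and z" logins: a salted slow hash of the whole password can answer only "is this the whole password?", and the obvious workaround of hashing each position separately collapses to a handful of guesses per position, which is why such schemes end up holding the secret in recoverable form. The alphabet and sample password are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import string

ALPHABET = string.ascii_letters + string.digits   # assumed password alphabet
ITERATIONS = 200_000                              # PBKDF2 work factor


def store_full(password: str) -> tuple[bytes, bytes]:
    """Conventional storage: salted, deliberately slow one-way hash of the whole password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_full(record: tuple[bytes, bytes], password: str) -> bool:
    """Only the complete password can be checked; nothing in `digest` answers
    "is character 3 an 'x'?", so a partial-character prompt cannot use this."""
    salt, digest = record
    probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, probe)


def store_per_char(password: str) -> list[tuple[bytes, bytes]]:
    """Naive attempt to keep one-way hashing yet support partial checks:
    a separate salted hash for every character position."""
    records = []
    for ch in password:
        salt = os.urandom(16)
        records.append((salt, hashlib.sha256(salt + ch.encode()).digest()))
    return records


def verify_positions(records: list[tuple[bytes, bytes]], answers: dict[int, str]) -> bool:
    """Check the 1-based positions a "letters 2, 5 and 7" prompt asks for."""
    ok = True
    for pos, ch in answers.items():
        salt, digest = records[pos - 1]
        ok &= hmac.compare_digest(digest, hashlib.sha256(salt + ch.encode()).digest())
    return ok


def guesses_to_recover(record: tuple[bytes, bytes]) -> int:
    """Why per-character hashing is no stronger than reversible storage: each
    position has only len(ALPHABET) candidates, so anyone holding a copy of the
    records learns every character after at most that many hashes per position."""
    salt, digest = record
    for n, ch in enumerate(ALPHABET, start=1):
        if hashlib.sha256(salt + ch.encode()).digest() == digest:
            return n
    return -1
```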