back to article Realistic Brits want at least 3 security steps on bank accounts

Three in five Brits reckon that fewer than three security steps – including passwords, card readers or letters from a memorable word – are insufficient to assure their bank account is secure and not accessible by other people. The online survey, conducted by YouGov and sponsored by credit reference agency Equifax, found just …

  1. TRT Silver badge

    Card/account use controls

    sounds just like what Revolut have been doing for a year or so.

  2. Dr_N Silver badge

    Like Razors ...

    3 is okay, but surely 4 would be better. Or even 5 !

    (Are there 6 blades now ...?)

    1. Anonymous Coward
      Anonymous Coward

      Re: Like Razors ...

      Six is old... we're back to OneBlade (tm) by Philips.

      For the banking stuff, I'm happy with what I have: 2FA based on what I have and what I know.

      1. Tim99 Silver badge
        IT Angle

        Re: Like Razors ...

        OneBlade - Alternatively you could buy a safety razor and use a Feather blade (the same make blade maker as the OneBlade). The Feather razor and blades are cheaper, ~$50 for 200. I have a coarse beard and have been shaving for the last 55+ years, each blade lasts me a week, and so far I have bought >400 blades. Warning: They are very sharp and take a couple of weeks to get used to them.

    2. frank ly

      Re: Like Razors ...

      You are so behind the times.

      http://www.dorcousa.com/pace-7-sva1000/

      1. Kevin Johnston

        Re: Like Razors ...

        Abbey (OK, Santander) have 7 each time you try to login from a different PC or if you refuse to allow them to store cookies.

        They also try to encourage you to install Trusteer but anything with a name like that has to be Fake News, Facebook told me so.

        1. Swiss Anton

          Re: Like Razors ...

          I'm not saying who (not Santander) but one of my bank/building socs keeps nagging me to install Trusteer. As far as I can see this is just another bit of software that can be compromised / spy on me. I don't know what it does but their website says "Trusteer Rapport stops all financial malware". Even Domestos only kills 99% of all known bugs. It seems a bit arrogant for Trusteer to claim 100% success, hence I do not trust them.

          BTW, wax is much better and cheaper than a razor - though to be fair it does hurt.

          1. paulf
            Childcatcher

            Re: Like Razors ...

            @Kevin Johnston "Abbey (OK, Santander) [...] also try to encourage you to install Trusteer but anything with a name like that has to be Fake News, Facebook told me so."

            @ Swiss Anton "I'm not saying who (not Santander) but one of my bank/building socs keeps nagging me to install Trusteer. As far as I can see this is just"

            I'm with Yorkshire Building Society (i.e not the Bank with the similar name) and their system is always nagging me to install Trusteer. A quick check shows Trusteer is owned by IBM (redirects to here) so I'll leave it up to you if you want to install what is almost likely to be a steaming pile of Ginny turd.

            Funnily enough I've always declined their frustratingly repeated "invitations" to download and install their free snooping monetisation spyware helpful security software on my desktop. As the saying goes: If it's free, you're the product not the customer.

      2. MarkSitkowski

        Re: Like Razors ...

        This is even better...

        https://www.linkedin.com/pulse/choice-second-authentication-factor-mark-sitkowski

    3. Frumious Bandersnatch

      Re: Like Razors ...

      http://www.theonion.com/blogpost/fuck-everything-were-doing-five-blades-11056

  3. alain williams Silver badge

    Stop using your mobile 'phone

    Not using a mobile phone would figure highly on my list of how to keep my bank a/c safe. Next: not to login there from a MS Windows machine.

    It would help a lot of the banks stopped 'phoning their customers about whatever and as a first step ask the customer to verify who they were by answering security questions!

    1. Steve Davies 3 Silver badge

      Re: Stop using your mobile 'phone

      Banks phoning customers.

      Yep an obvious ploy to get your details so give them the wrong ones and then make a call to the bank yourself.

    2. Terry 6 Silver badge

      Re: Stop using your mobile 'phone

      It would help if bank marketing departments didn't send emails or televise ads that looked like Scams. I've had legit emails that had a "click here" link to access new features. And that Halifax/Thunderbirds ad where Parker wins a lottery he didn't seem to have entered would be good starts.

    3. Anonymous Coward
      Anonymous Coward

      Re: Stop using your mobile 'phone

      Please explain, as malware and keyloggers are very rare on mobile, but much more at home on windows and Mac...

      If anything, a half decent, recent mobile is pretty secure, and using your mobile as part of 2FA even more so.

      Using android pay is far more secure that a regular contactless payment method,. You have biometric (fingerprint) device lock, unique one time card numbers, your dumb contactless card has none of these.

      If anything using mobile for the most part increases security in many cases... Most people don't have a clue... (I overheard someone saying cheques were more secure than that online banking.... Lol)

    4. paulf
      Facepalm

      Re: Stop using your mobile 'phone

      @alain williams "It would help a lot of the banks stopped 'phoning their customers about whatever and as a first step ask the customer to verify who they were by answering security questions!"

      I've been banging my head against that one for years - if you call me and claim to be from "Acme Bank" I need a way to verify you really are calling from "Acme Bank" about my account; you know, just like you do when I call you at the bank. It's only in the last few years there's been a thawing of the "You must answer all our invasive security questions before we can discuss anything" to a slightly more pragmatic "If you're expecting us to call you back you can give us a password the agent calling you back will give you before they ask the security questions" but even that is unofficial and if it fails it's my fault not theirs. When offered a call back I usually opt to hold - it avoids the incoming call problem and keeps them focused on sorting out the problem in hand.

      Frankly, banks (indeed any organisation that calls customers but expects to confirm personal details before starting the conversation) needs a clear and formal way to confirm the call is genuinely from that organisation at the start of the call. Unfortunately there is a bit too much "Computer says no" because Data protection, in that discussion to make any serious progress.

  4. Anonymous Coward
    Anonymous Coward

    Barclays still make you have a debit card in order to use PIN-Sentry for online banking - even if you have an "ATM only" card. The debit card authentication allows access to all your accounts online. You can disable the card for remote transactions - but not stop its use in shops.

    The silly thing is that the "ATM only" account cards will also generate authentication codes with PIN-Sentry - but the online banking system apparently won't accept them.

    So I have to have a separate debit card account with a couple of quid in it - just so I can do online banking with my main account which has an "ATM only" card.

    1. DaveyDaveDave

      So, you have a card that lets someone withdraw cash from your account, secured with a PIN and yet you are inexplicably angry at the concept of having to have a card that allows someone to buy something in a shop, if they know that same PIN?

      Yep, sounds like standard bizarre Register comments tin-foil hat nonsense.

      1. Anonymous Coward
        Anonymous Coward

        The pin is only in my head - if it was compromised at a cash machine then it can only draw £300 a day. A debit card is more open to fraud of unlimited amounts.

        1. DaveyDaveDave

          I mean, I guess there's some kind of logic there - everyone has their own threshold on the convenience vs. security threshold, but I can only assume this means that you spend a large proportion of your time walking around with not-insignificant amounts of cash in your pockets. I would think that's a far greater risk. Personally, I'm much happier only having a piece of plastic which can be rendered useless in seconds with a phone call than a few days' worth of cash to be stolen, lost, put through the washing machine, etc, etc.

          1. Anonymous Coward
            Anonymous Coward

            "but I can only assume this means that you spend a large proportion of your time walking around with not-insignificant amounts of cash in your pockets."

            I also have a credit card with a very low limit for when I purchase something in a shop without cash. If a fraud is committed on that card - then a) the limit is low b) there is still money in my bank account paying my bills while I argue the toss with the credit card company.

            My lifestyle is very frugal. There can come a point when life's pleasures are simple and inexpensive.

    2. Hugh McIntyre

      Re: "Barclays still make you have a debit card in order to use PIN-Sentry for online banking"

      Not true, I have a pale blue card with "Authentication" on the top right which only works for PIN-Sentry, not ATM or Debit. It may be that you can't use a non-debit ATM card, but you definitely could get an Authentication-only card in the past at least. Contact your Barclay's branch ...

      1. Anonymous Coward
        Anonymous Coward

        Re: "Barclays still make you have a debit card in order to use PIN-Sentry for online banking"

        "[...] but you definitely could get an Authentication-only card in the past at least. "

        Thanks for that - I will enquire. When the problem first arose - it was the bank who implemented the circumvention by giving me two separate current accounts. The main one with only an ATM card and an auxiliary one with debit/ATM.

        However - whenever they did something about the problem they had to cancel all the existing cards first. So there was an inconvenient gap before I had any usable cards again.

  5. Dan 55 Silver badge

    Two glaring omissions

    I notice they've not given an option to disable contactless or to disable use outside (say) Europe.

    If you're going to allow people to lock their cards down you might as well do it properly.

    1. John Robson Silver badge

      Re: Two glaring omissions

      Particularly if doing from an online interface - you can get to the airport and while away the time telling your bank that you'll be out of the country for a few days...

      At least Barclaycard had the grace, when I was doing lots of small trips abroad, to allow me to not cancel the card, but phone them every time I used it after someone started trying CNP fraud on it (which they caught and cancelled anyway)... I couldn't give them a long enough window for them to cancel my card, and issue a new one before my next trip. For some reason they couldn't just issue a new one and cancel the old one once I said I had it...

      1. This post has been deleted by its author

        1. Dan 55 Silver badge

          Re: Two glaring omissions

          It's possible to refuse all online contactless transactions by checking a flag and not letting them go through. Offline contactless would be more difficult.

        2. paulf
          Happy

          Re: Two glaring omissions

          @ Shadmeister "Stopping contactless sounds like a good idea - unfortunate that they cannot stop this."

          That's bollocks. There is a very easy way to block contactless purchases - demand a non-contactless card from your financial institution. I've done this for all my cards - they will provide one when asked. If they cannot provide a non-contactless card I suggest you move your business to one that can.

  6. JimmyPage
    Stop

    I read the article twice, but couldn't see any mention

    of where the bank calls *you* and asks you to provide your details "for security" ?

    I'll read more carefully later ....

    1. Anonymous Coward
      Anonymous Coward

      Re: I read the article twice, but couldn't see any mention

      That's The Virgin One account trick. If you need to transfer more than 1K to a person you have to do it in 1k chunks. After about the third one you get a call from them asking you to identify yourself. At least you hope it's from them and not just some random scammer who called you just as you have moved some cash.

      Perhaps the person who devised it is proud of their achievement, but to me it's very inconvenient, increases the risk of me making a payment to the wrong person, and increases the chances of someone getting my verification details.

    2. Sir Sham Cad

      Re: I read the article twice, but couldn't see any mention

      Usually when you're on the bus for maximum potential exposure of your passphrase/password/date of birth + postcode + "Yes I really am going to Spain next week" Cheers HSBC!

    3. Steve Foster

      Re: I read the article twice, but couldn't see any mention

      It isn't mentioned in the article.

      However, it is common practice among many UK companies (banks, utilities and others) when calling you on the home/mobile telephone number they have on file (and often from a number that has CallerID suppressed/ or is clearly bogus) to insist that you have to answer "security questions" to verify your identity before they will talk to you. It is one of the most idiotic concepts ever.

  7. Androgynous Cupboard Silver badge

    Am I the only one happy with one security step, provided it's a 2FA token with a pin? More than that feels a bit belt-and-braces to me.

  8. Planty Bronze badge
    FAIL

    I wonder how many

    Have all their passwords including their bank details, in their Google or iCloud account, and don't use 2FA...

    It's not about how many layers you have, it's how many holes you have....

  9. jMcPhee

    Bank Site Authentication

    2FA is good, we know that. But, what about validating the bank sites? DigiNotar hack showed that certificates aren't always credible.

  10. Adam 52 Silver badge

    Having read all the stuff about payment scams on the BBC this morning and my father-in-law having been taken in by a scam, I feel that better, user configurable, payment limits might work better. It's not authenticated users that seem to be the current problem.

    For example I don't want my account accessible in any way from Russia, China, Syria or the United States. If I'm not at home I don't want to transfer more than £500. If I am home I want to be able to transfer £lots to my accounts at other banks or to my solicitor, £1000 to family members, £100 to UK bank account holders or £500 if my girlfriend seconds the payment and nothing to anyone else.

    Changing these rules should involve a wait, or a phone call. I can't see that any of that would be too hard to implement.

  11. Arachnoid

    2FA is good

    I believe I did see a post the other week stating 2FA is easily broken through intercetion techniques and as such is phsudo security.As to validation Id like the bank to actually use part of a specified phrase given by myself, to identify themselves to me not assume valid identification is all one sided.

    1. FrogsAndChips

      Re: 2FA is good

      That's what Verified By Visa do: the first time you use it, they ask you to provide a personal greeting phrase, that they will show you the next times they need you to confirm an online transaction.

      1. Anonymous Coward
        Anonymous Coward

        Re: 2FA is good

        "That's what Verified By Visa do:"

        I set up those for my Visa and Mastercards many years ago - "a personal greeting" or "nth letters from my string". However nowadays - even when an online transaction goes to the "Verify" page - they never prompt me in any way. Just a few seconds pause - then it authorises the transaction.

        1. FrogsAndChips

          Re: 2FA is good

          Same for me, actually. It's been so long since I've seen the prompt that, even though I still remember the greeting, I'd probably be unable to provide the "nth letters from my string". I assume they now consider that my transactions don't need extra checking, as I always do online purchases from the same very few computers.

  12. Anonymous Coward
    Anonymous Coward

    "...it’s no surprise

    ...that loss of financial details is a top concern for consumers, who increasingly demand higher security to protect their money."

    Those bastards... Always wanting to keep their money safe... Next thing you know, they'll want to be able to vote!

    1. Anonymous Coward
      Anonymous Coward

      Re: "...it’s no surprise

      "Next thing you know, they'll want to be able to vote!"

      Next thing you know, they'll want their vote to count!

      FTFY

  13. Anonymous Coward
    Anonymous Coward

    Actually, I think the Tories may have the answer to this ...

    If we're all poor as shit, we won't be worth scamming ....

  14. NonSSL-Login

    More

    While 21% said they had accounts hacked, I would estimate that a much higher percentage have had their accounts/passwords compromised but are just not aware.

    If your phone is used for 2fA via SMS then we know that is not secure thanks to the S7 protocol on mobile networks and it's being used to take funds from German banks already.

    Personally I think a credit card with a digital changing number similar to RSA SecureID should be used as an additional authentication method. Doesn't matter if phones or pc's get compromised and keylogged if this code is needed for each transaction. Saying that, no doubt criminals would find a way to make use of the 30 second window and piggy back of an existing transaction. Always a cat and mouse game.

    1. Anonymous Coward
      Anonymous Coward

      Re: More

      "Saying that, no doubt criminals would find a way to make use of the 30 second window and piggy back of an existing transaction. "

      I queried with Barclays that their Pin-Sentry always seemed to give the same code at the same time of each day. They never answered the query. You would have expected them to use a much longer cycle than 24 hours.

  15. Cuddles Silver badge

    In other words

    Even the more security-concious people don't actually understand security at all. Demanding more steps to log in meaningless if they're all essentially the same thing - having a password and a memorable word just means you have two passwords. Even in the best case that's not meaningfully different from having a single slightly longer password, but given that memorable words tend to be easily discovered things like "mother's maiden name", it barely even manages that.

    The reason two factor authentication works is not simply that two is bigger than one and therefore twice as hard to guess, it's because the two factors are of different kinds; traditionally something you know and something you have. Adding lots of extra things you know and/or have doesn't make things more secure if they can still be compromised in the same way - needing two keys to get in your house doesn't make it harder to break in if you keep both keys on the same keyring.

  16. Anonymous Coward
    Anonymous Coward

    2000 Brits

    Good work by Equifax, asking 2000 Brits what security should be applied to on-line banking. I mean there's no way I could find 2000 people qualified to answer questions about secure system design, and I'm in the business.

    Sure, I guess it could be that they just asked 2000 random idiots, but what would be the point of that? If you're going to ask a large number of people questions that they're not qualified to answer, at least do something useful with it like deciding the future of the country.

  17. EnviableOne Silver badge

    Factors schmactors

    All banking portals use behaviour analytics as a backup to password authentication.

    It baselines your behaviour where and when you access, how you flow through the site etc

    Then throws up aditional authentication if somethings not right.

    Also if the anyone rings you and ask for verification, and are un willing to verify themselves, hang up and call their organisation on an independantly sourced number.

    SMS OTP has not been a recommended factor for a while and OAUTH TOTP is cheaper and easier to impliment, so why people are still using SMS i dont know.

    the other issue is the x y and z letter trick is no better security, in fact its worse than asking for you password. As the passwords have to be stored with two way encryption instead of Complex hashes. plus it takes most people a while to work out what the x y and zth characters are, but they will rember their password/phrase/convoluted mess of symbols, substitutions, and cases that has a Capital at the start, special on the end and a number before that.

    People are bad at chosing passwords, pins etc the most common pin is always 1234...n of up to 10 digits and all 0s and all 1s are not far behind.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022