Hey, friends. We know it's a crazy time for the economy, but don't forget to enable 2FA for payments by Saturday

Saturday is the delayed deadline for UK banks and financial institutions to have implemented two-factor authentication for payment transactions. This is the result of the EU Payment Services Directive 2 (PSD2) for "Strong Customer Authentication" (SCA). This requires institutions to have two levels of authentication in place …

  1. ArrZarr Silver badge
    Coat

    I look forward to the biometrics databases getting hacked so I can change my eyeballs & fingerprints.

    1. Jimmy2Cows Silver badge

      Be away with you, you and your rational, sensible way of looking at these things. Damnit! Away with you I say!

    2. Anonymous Coward
      Anonymous Coward

      I have some sandpaper left over. I only used the part that is dark brown to do my fingerprints and there is plenty left, no point wasting it. You can have it if you want?

      I was going to use the leftovers to do my eyeballs, but I can't hold the sandpaper properly any more and couldn't find anyone willing to do it for me.

  2. Anonymous Coward
    Anonymous Coward

    Damn EU, securing our accounts......

    1. Anonymous Coward
      Anonymous Coward

      Even after Brexit, the cheek of it!

  3. cantankerous swineherd

    Top tips for fraudsters, go for one or all of:

    recurring payments when only the first payment needs authenticating

    low-value payments of less than €30

    merchant-initiated transactions.

    1. Anonymous Coward
      Anonymous Coward

      Phishing. Phishing also works.

      I caught one this big!!!

    2. Anonymous Coward
      Anonymous Coward

      a) The way these work, you'd need to hack the merchant to make an existing authenticated recurring payment relevant for you somehow. This is typically used by marketplace-type transactions, e.g. Amazon where you agree to pay 100 quid, but there are actually 5 different payments in there to different marketplace merchants. Only the first part is authenticated, but the authentication token can only be used for 100 quid worth of payments.

      Sometimes used for stuff like Pay 1/3 now, 1/3 in a month, 1/3 in two months type store credit deals, or yearly subscriptions (although the authentication is only supposed to be stored for 90 days max, so yearly might be pushing it.)

      b) Every 5th payment with a low value exemption (or any exemption, there are a few, like the merchant says it's a low risk product) is rejected and has to be authenticated anyway, so you might get lucky. It also requires the merchant to have a low value exemption agreement with their acquiring bank, which requires them to have a solid record of not having fraudulent activity and usually a high transaction volume.

      c) Merchant initiated transactions are only accepted if they can be linked back to a customer initiated transaction that was authenticated.

      Spent the last year implementing this stuff for a payment provider. It's been a nightmare, to be honest.

      Should have been ready January 1st 2019, but no one was ready, no banks/card issuers/merchants/gateways, no one. So the deadline was extended to June, with an agreement not to fine anyone until March 2020. Pretty much everyone we work with is now ready for the 2FA on every transaction part, but the exemptions are mostly not ready anywhere except France, which basically has a nationally standard banking protocol that everyone uses, so it was implemented centrally and rolled out last November. UK banks were hoping Brexit would relieve them of the requirements, but the big card companies made it part of the spec, so they had to do it anyway... If your implementation of the protocol is more than 1 version behind the latest, other banks are allowed to just reject your transactions...
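      As an added illustration of the exemption rules this comment describes (not code from the commenter, their payment provider, or any bank), here is a simplified decision model in Python; the state structure and function names are assumptions of the example, and the rules and thresholds are taken only from the comment:

```python
"""Simplified model of the SCA exemption rules as the commenter above describes them.
Illustrative only, not PSD2 or any provider's logic; names are this example's own."""
from dataclasses import dataclass, field

LOW_VALUE_LIMIT_EUR = 30.0   # "low-value payments of less than 30 euro"
EXEMPT_STREAK_LIMIT = 5      # "every 5th payment with a low value exemption is rejected"
MANDATE_MAX_AGE_DAYS = 90    # "authentication is only supposed to be stored for 90 days max"

@dataclass
class Mandate:
    """An authenticated customer-initiated transaction that later payments link back to."""
    authenticated_on: int        # day number (e.g. date.toordinal()) of the SCA
    amount_authorised: float     # the token only covers this much, e.g. the 100 quid basket
    amount_used: float = 0.0

@dataclass
class IssuerState:
    mandates: dict = field(default_factory=dict)   # mandate_id -> Mandate
    exempt_streak: int = 0                         # exempt payments since the last full SCA

def register_authenticated_cit(state, mandate_id, today, amount):
    """Record a customer-initiated transaction that passed SCA; the exempt streak resets."""
    state.mandates[mandate_id] = Mandate(today, amount)
    state.exempt_streak = 0

def needs_sca(state, amount, today, low_value_agreement=False, mandate_id=None):
    """Return (requires_sca, reason) for one payment and update the issuer state."""
    if mandate_id is not None:
        # Recurring / merchant-initiated: must link to an authenticated CIT that is still
        # within 90 days and whose authorised amount is not yet exhausted.
        m = state.mandates.get(mandate_id)
        if m is None:
            return True, "no authenticated customer-initiated transaction to link to"
        if today - m.authenticated_on > MANDATE_MAX_AGE_DAYS:
            return True, "stored authentication is older than 90 days"
        if m.amount_used + amount > m.amount_authorised:
            return True, "exceeds the amount the customer authenticated"
        m.amount_used += amount
        return False, "linked to an authenticated transaction"
    if amount < LOW_VALUE_LIMIT_EUR and low_value_agreement:
        # Low-value exemption needs the acquirer agreement, and every 5th exempt payment
        # is sent for full authentication anyway.
        state.exempt_streak += 1
        if state.exempt_streak >= EXEMPT_STREAK_LIMIT:
            state.exempt_streak = 0
            return True, "every 5th exempt payment is authenticated"
        return False, "low-value exemption applied"
    state.exempt_streak = 0
    return True, "no exemption applies, full SCA required"
```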

  4. petef

    RBS have many things to answer for but did you mean to say Bank of Scotland in your institutions who are ignoring you?

  5. Gerry 3
    Boffin

    SMS is U/S for 2FA

    GCHQ told the banks not to use SMS verification: it's insecure because MNOs aren't very good at preventing fraudsters gaining control of your mobile number.

    Predictably, people still lose £thousands.

    So why are banks such as Santander still refusing to issue card readers for 2FA, which seem to be pretty secure because (1) you need to have your card and (2) to know its PIN?

    1. Anonymous Coward
      Anonymous Coward

      Re: SMS is U/S for 2FA

      A very good point about the lack of security of SMS, but I'd rather use an app as the second factor than a card reader. One of my banks uses a card reader, and although it's not unreasonable to have to use it to set up a new payee (surely the biggest risk, if someone is trying to scam you), having to dig out the card reader and go through its multiple steps just to change the payment amount for a payee that I have already set up (i.e., an account that I already trust) is rather a faff.

      1. Ben Tasker

        Re: SMS is U/S for 2FA

        > but I'd rather use an app as the second factor than a card reader.

        Same.

        One of my banks (I suspect same as yours) uses a card reader. When they introduced that they stopped being my primary bank because it just became too much of a hassle vs having a little code generator (as I have with another bank). I think they've actually scaled back how often you need the reader now though.

        The (growing) issue I now have is banks who've taken their code-generating app and made it a full internet banking app too. I don't want that shit on my phone, I _just_ want the code generator (or better yet, for them to use TOTP so I can use my app of choice, and have just a single app)

        1. Insert

          Re: SMS is U/S for 2FA

          I have resisted downloading my bank's app because I don't want a stolen phone to be a threat to my money. If it was the same time based system as any other two factor account I'd choose that in a heartbeat.

          1. Chloe Cresswell Silver badge

            Re: SMS is U/S for 2FA

            I'm dyslexic and have issues with numbers, and use chip and sign cards.

            I looked at the app for my credit card, to find the same: a) it's a full-on banking app, and b) you have to set a 6 digit PIN to use it. Again I'm in the situation where the bank/etc understands I can't use a 4 digit PIN to use a card, but can't understand why I can't just use a 6 digit number I can remember for their app/etc. :(

    2. Warm Braw

      Re: SMS is U/S for 2FA

      I wouldn't even need Santander to issue a card reader: I already have several from other banks and they're all interchangeable - though only the NatWest one seems to allow you to change your card PIN.

      SMS isn't just unsuitable on security grounds, it also fails on usability, particularly if you live in an area with a poor mobile signal.

      The main benefit of SMS is that it doesn't require much user education. Something like an OTP generator requires an enrolment step and may involve scanning a QR code with your phone - and that means you need a second screen to display the code.

      The most practical solution I've seen is from the Skipton Building Society - you get a credit-sized card printed with a grid of letters and you get challenged for the letters in certain grid positions - it's a bit like a game of Battleships. No technology required and the card fits in your wallet.

      1. dajames

        Re: SMS is U/S for 2FA

        ... only the NatWest [card reader] seems to allow you to change your card PIN.

        That's interesting ... that would suggest that NatWest (at least) no longer perform any online PIN verification (for which they'd need to have your PIN stored in their systems). That would imply that they don't support any PIN-verified transactions apart from chip-and-PIN transactions. It would also mean that whenever they issue a replacement card they have to send a new PIN advice, because they don't know what your old PIN was, if you've changed it.

        ... I can see problems with, for example, withdrawing cash from ATMs that read the magstripe rather than using the chip (older ATMs, such as are still prevalent in, e.g., the USA). As they can't use the chip to verify your PIN they have to perform an online verification ... and if you've changed your PIN using the card reader the one they'll be verifying against won't be current.

        All in all, it sounds like a bad idea.

        1. TheMeerkat

          Re: SMS is U/S for 2FA

          They definitely don't ask you to change your PIN.

      2. katrinab Silver badge
        Megaphone

        Re: SMS is U/S for 2FA

        The Skipton one isn't 2FA because you can copy the card, it is just an insecure password.

      3. Anonymous Coward
        Anonymous Coward

        Re: SMS is U/S for 2FA

        The Skipton grid cards are being outlawed in this round of changes.

    3. FlatSpot
      Thumb Down

      Re: SMS is U/S for 2FA

      Santander are the worst bank in the world. I had some unauthorised transactions on my card, phoned them up and had them blocked. Fraudster phoned them up and got them unblocked again, despite all the security information having been changed and calling from a phone number not even registered on my account.

      I demanded an audio copy of the phonecalls and all paperwork just to waste their time and cause as much cost to them as possible. They also paid me goodwill payments etc. but I went into the branch and cancelled my account, swiftly followed by joint account and moved all my savings. Would never trust them ever again.

    4. Anonymous Coward
      Anonymous Coward

      Re: SMS is U/S for 2FA

      In addition, spoofing the sender or alternatively intercepting the receiving of SMS is also possible. Though I'm not aware of any attacks/uses in the wild past research. But up the incentive, and the scammers/thieves will quickly find a hook.

    5. Chloe Cresswell Silver badge

      Re: SMS is U/S for 2FA

      I've just had to delete my online banking with M&S credit cards, because they need you to use a pin based token, or a pin based app on your phone. I have chip and sign cards.

      As usual the response "Can't you just use a number you'll remember?", and yet no one seems to understand the idea that if I could remember numbers like that, I wouldn't have or need chip and sign cards in the first place!

      Next suggestion is of course to write the PIN down for when I need it... :(

  6. This post has been deleted by its author

  7. NonSSL-Login
    FAIL

    Saturday b0rk3d

    Tried to purchase something online today and got a message on my phone telling me to verify the transaction in my banking app.

    Tried opening the banking app and for the first time ever got an error about not being able to connect to my bank's servers. Tried on cell data and home wifi but no use, and the bank's helpdesk was useless.

    Ended up buying the item from eBay instead where it just worked without any extra prompts, phone messages or actions needed after pressing the checkout button.

    I have a feeling some businesses are going to lose sales if this has been implemented badly.

  8. karlkarl Silver badge

    Can anyone guess what Thinkpad that is in the stock image?

    I don't recall one with a notch in the middle. :)

    1. Julian Bradfield

      Eh? It's any old-style one with two sets of mouse buttons, e.g. X301

      1. karlkarl Silver badge

        Hmm, no I don't think it is. Can you see just below the mouse buttons there is a slant (or ridge)? I don't have that on my x61 or other X-series I have seen.

  9. MatthewSt

    Drat!

    I knew there was a PR I meant to merge this week...!

  10. Giles C Silver badge

    Not on amazon

    Just placed an order on Amazon, no login checks, just went straight through without any further prompts. OK, it was only for £12, but still, with the new rules wouldn't they have at least asked for the CV2 code?

    1. Is It Me

      Re: Not on amazon

      I believe the rules are for the bank/card issuer.

      Amazon have taken on the financial risk of cardholder-not-present for a long time by not asking for the CV2 number. They decided that any loss is worth it to minimise the effort from their customers.

  11. Chronos
    Devil

    Government quango Action Fraud is the UK's central referral point for online crime. But it is about as much use as a condom vending machine in St Paul's Basilica.

  12. Blergh

    I hate SMS 2FA

    I don't dislike SMS 2FA because it's insecure, although that obviously isn't great. The reason I hate it is that when I went to buy something on Saturday it took multiple attempts on 3 different cards before I actually received the SMS message for the transaction. I had a signal good enough to phone one of the helpdesks so I don't think that was the issue, it's just a rubbish system.

  13. Mike 137 Silver badge

    The same old stupid mantra yet again

    "two levels of authentication in place for online transactions [...] a PIN, [...] a phone or hardware token, [...] a biometric check."

    When will it finally sink in that a biometric is not an authenticator?

    It cannot be rescinded and it cannot be kept secret with any assurance, so it's only valid as an identifier.
