Bank Card security

Lanark
Lemon Quarter
Posts: 1321
Joined: March 27th, 2017, 11:41 am
Has thanked: 595 times
Been thanked: 582 times

Re: Bank Card security

#154561

Postby Lanark » July 24th, 2018, 12:28 am

It's interesting to note that for their own staff Google insist on a physical YubiKey rather than a telephone based 2 factor auth.
https://krebsonsecurity.com/2018/07/goo ... -phishing/

XFool
The full Lemon
Posts: 12636
Joined: November 8th, 2016, 7:21 pm
Been thanked: 2608 times

Re: Bank Card security

#154760

Postby XFool » July 24th, 2018, 5:36 pm

So... The answer would appear to be some kind of international standards for a secure universal generator of local security codes.

Suitable 'devices' could be a USB device, a card reader or a smart phone 'app'. Only snag, these would seem to need to be unhackable. Or might that not matter as its generated code would ultimately depend on the input from the requester, provided that was communicated securely?

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Bank Card security

#154781

Postby AF62 » July 24th, 2018, 6:41 pm

Lanark wrote:It's interesting to note that for their own staff Google insist on a physical YubiKey rather than a telephone based 2 factor auth.
https://krebsonsecurity.com/2018/07/goo ... -phishing/



Google don't insist customers use telephone based 2FA and are perfectly happy for anyone to use a security key (https://support.google.com/accounts/ans ... 3?hl=en-GB).

Alternatively you can use an authentication app (https://play.google.com/store/apps/deta ... 2&hl=en_GB but any of that type work), voice or text messages, just the prompt on your phone, or nothing at all.

Your risk, your choice.

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Bank Card security

#155423

Postby Slarti » July 26th, 2018, 5:26 pm

This came up on my Twitter feed today https://lifehacker.com/two-factor-authe ... 1827867557

Seems like our banks are a day late and a dollar light, as usual.


Slarti

Lootman
The full Lemon
Posts: 18674
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6559 times

Re: Bank Card security

#155425

Postby Lootman » July 26th, 2018, 5:35 pm

Slarti wrote:This came up on my Twitter feed today https://lifehacker.com/two-factor-authe ... 1827867557

Seems like our banks are a day late and a dollar light, as usual.

Yep. Our phone systems were never designed to be secure. They were designed for people to chat about their lumbago and the next door's cat. To trust them with financial transactions is nuts.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Bank Card security

#155739

Postby AF62 » July 28th, 2018, 6:11 am

Slarti wrote:This came up on my Twitter feed today https://lifehacker.com/two-factor-authe ... 1827867557

Seems like our banks are a day late and a dollar light, as usual.


Trouble is that if the banks introduced that you would get some people moaning they didn't own (or didn't want to own) a smartphone necessary to run the authentication app.

Lootman
The full Lemon
Posts: 18674
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6559 times

Re: Bank Card security

#155742

Postby Lootman » July 28th, 2018, 7:55 am

AF62 wrote:
Slarti wrote:This came up on my Twitter feed today https://lifehacker.com/two-factor-authe ... 1827867557

Seems like our banks are a day late and a dollar light, as usual.

Trouble is that if the banks introduced that you would get some people moaning they didn't own (or didn't want to own) a smartphone necessary to run the authentication app.

Now you mention it I do not recall my bank telling me when I opened an account with them that it was necessary for me to also buy a personal appliance and, moreover, a particular type of personal appliance.

Maybe they should give out free smart phones. HSBC gave me some box of tricks when I opened an account with them, but I have never used it, and do not even understand what it is supposed to do. Instead I go to my branch and find a person to help me.

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Bank Card security

#155819

Postby Slarti » July 28th, 2018, 3:54 pm

AF62 wrote:Trouble is that if the banks introduced that you would get some people moaning they didn't own (or didn't want to own) a smartphone necessary to run the authentication app.


Google Authenticator is available for Windows PCs. You don't need a smart phone.

https://www.maketecheasier.com/google-a ... r-desktop/

Slarti

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Bank Card security

#155847

Postby AF62 » July 28th, 2018, 6:39 pm

Lootman wrote: Instead I go to my branch and find a person to help me.


You still have a branch? And they still have people in them? Not for much longer.


Slarti wrote:Google Authenticator is available for Windows PCs. You don't need a smart phone.


Is there a choice between the free mobile phone Lootman wants the bank to give them and a free PC or do you get both?

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Bank Card security

#155848

Postby Slarti » July 28th, 2018, 6:43 pm

AF62 wrote:
Lootman wrote: Instead I go to my branch and find a person to help me.


You still have a branch? And they still have people in them? Not for much longer.


Slarti wrote:Google Authenticator is available for Windows PCs. You don't need a smart phone.


Is there a choice between the free mobile phone Lootman wants the bank to give them and a free PC or do you get both?



Well as this is (was?) all about online transactions, most people who do those probably already have a computer, of sorts. :D


I still have at least 4 bank branches in my High Street, but I can't remember the last time I used any of them.

Slarti

Edited for typo of back instead of bank :o

Lootman
The full Lemon
Posts: 18674
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6559 times

Re: Bank Card security

#155861

Postby Lootman » July 28th, 2018, 7:38 pm

Slarti wrote:
AF62 wrote:
Lootman wrote: Instead I go to my branch and find a person to help me.

You still have a branch? And they still have people in them? Not for much longer.

I still have at least 4 bank branches in my High Street, but I can't remember the last time I used any of them.

I always use my bank branch and, given that it is always packed, I am fairly sure that it will be around forever. They have hired people to run interference and try and divert you to a machine, but I always say "I want specific denominations" and then they generously "allow" me to interact with a human.

The problem with branches is that they have too many of these gatekeepers, and others who try and sell you mortgages and insurance, and not enough people actually working as tellers.

I feel sure that banks would love nothing more than that all customers do them a huge favour by using smart phones with all their inherent security issues. But that won't be me - I don't even have online banking let alone a phone "app".

Your other point renders this issue moot. As long as an online transaction can be done 100% on a PC or laptop, with no need for a second device, then there is no problem. That is how it is now and how it should remain.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Bank Card security

#155872

Postby AF62 » July 28th, 2018, 8:49 pm

Lootman wrote:
Slarti wrote:
AF62 wrote:You still have a branch? And they still have people in them? Not for much longer.

I still have at least 4 bank branches in my High Street, but I can't remember the last time I used any of them.

I always use my bank branch and, given that it is always packed, I am fairly sure that it will be around forever. They have hired people to run interference and try and divert you to a machine, but I always say "I want specific denominations" and then they generously "allow" me to interact with a human.

The problem with branches is that they have too many of these gatekeepers, and others who try and sell you mortgages and insurance, and not enough people actually working as tellers.

I feel sure that banks would love nothing more than that all customers do them a huge favour by using smart phones with all their inherent security issues. But that won't be me - I don't even have online banking let alone a phone "app".


I think the problem with the retention of branches will be that they simply are not profitable. If the banks can't sell you something then the branch setup is costing an awful lot more than a remote service.

Sure there will be some people who if they are given a free choice will choose a bank with branches over one with not. However we are starting from a position where they are not aiming to attract new customers with branches, but simply retaining customers. As the banks close branches will such people really move banks - isn't the statistic you are more likely to get divorced than change your bank? The other thing to take into account is whether these are people the other banks actually want as customers; if they can't sell them something then they are not.

As for asking for "specific denominations" it would be pointless doing that in the branch opposite my office once a year to pay in a birthday cheque from an elderly relative. They don't have a counter at all. It is machines or nothing.

Lootman wrote:Your other point renders this issue moot. As long as an online transaction can be done 100% on a PC or laptop, with no need for a second device, then there is no problem. That is how it is now and how it should remain.


That isn't going to happen. As someone who started using phone banking back in 1989 there has been one direction of change and that is to an increased level of security. There have been too many stories coming out recently and 2FA is the inevitable direction it is going.

Lootman
The full Lemon
Posts: 18674
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6559 times

Re: Bank Card security

#155883

Postby Lootman » July 28th, 2018, 9:45 pm

AF62 wrote:As for asking for "specific denominations" it would be pointless doing that in the branch opposite my office once a year to pay in a birthday cheque from an elderly relative. They don't have a counter at all. It is machines or nothing.

The only big bank that tried that in my area was Barclays. The problem is that they need to have a small army of staff to explain to people how to use the screens so I don't really see the saving. There are fewer customers in that branch than the branches of NatWest, HSBC and Lloyds, which all retain the traditional structure, so I'd have to assume their cheap attempt at cost-cutting has backfired.

There has to be a way of ensuring that customers can get the denominations that they want. Even at that "unmanned" Barclays branch there is still a human teller for commercial customers and, if you ask for 50's, you get directed to that teller.

AF62 wrote:
Lootman wrote:Your other point renders this issue moot. As long as an online transaction can be done 100% on a PC or laptop, with no need for a second device, then there is no problem. That is how it is now and how it should remain.

That isn't going to happen. As someone who started using phone banking back in 1989 there has been one direction of change and that is to an increased level of security. There have been too many stories coming out recently and 2FA is the inevitable direction it is going.

The problem here, as various people have noted, is that this solution is less secure, because phones are inherently not secure devices. There will be a lot of pushback if Banks try and ram this down people's throats without a reasonable and viable alternative for those without phones, whose phone cannot always be guaranteed to work or for those who do not want banking details transmitted through the phone networks.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Bank Card security

#155886

Postby AF62 » July 28th, 2018, 10:36 pm

Lootman wrote:There has to be a way of ensuring that customers can get the denominations that they want. Even at that "unmanned" Barclays branch there is still a human teller for commercial customers and, if you ask for 50's, you get directed to that teller.


There doesn't have to be a way to give you cash in specific denominations. The bank could just tell you to like it or lump it.

As for cash, I struggle to remember the last time I paid for anything at all in cash. I have had the same emergency £20 note in my wallet for the last couple of months. The vast majority of my payments are now NFC using my phone.

Lootman wrote:Your other point renders this issue moot. As long as an online transaction can be done 100% on a PC or laptop, with no need for a second device, then there is no problem. That is how it is now and how it should remain.

AF62 wrote:That isn't going to happen. As someone who started using phone banking back in 1989 there has been one direction of change and that is to an increased level of security. There have been too many stories coming out recently and 2FA is the inevitable direction it is going.


Lootman wrote:The problem here, as various people have noted, is that this solution is less secure, because phones are inherently not secure devices. There will be a lot of pushback if Banks try and ram this down people's throats without a reasonable and viable alternative for those without phones, whose phone cannot always be guaranteed to work or for those who do not want banking details transmitted through the phone networks.


How does the addition of the use of a mobile to provide a 2FA check make the solution less secure?

It is an additional level of security on top of the existing PC security. You may see it as not adding any security due to the possibility of sim swap, but I cannot see that reduces the existing security.

As for banking details transmitted through the phone networks - what "banking details" are these? None of the banks I use that use a phone as part of 2FA transmit any "banking details" through the phone network.

Lootman
The full Lemon
Posts: 18674
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6559 times

Re: Bank Card security

#155894

Postby Lootman » July 29th, 2018, 7:01 am

AF62 wrote:
Lootman wrote:There has to be a way of ensuring that customers can get the denominations that they want. Even at that "unmanned" Barclays branch there is still a human teller for commercial customers and, if you ask for 50's, you get directed to that teller.

There doesn't have to be a way to give you cash in specific denominations. The bank could just tell you to like it or lump it.

Disagree. I consider it a basic function of a Bank to provide cash in whatever denominations that the customer desires.

That said the machines installed in "tellerless" branches could be programmed to allow the customer to select his own denominations. There is no point in having, say, 50 pound notes if there is nowhere to get them!

What we might see is a diversion in banks. The banks that don't really care about customers can go tellerless, or even branchless, and that might suit many people who, unlike me, do not use their branches. But then there will be banks who seek opportunity there, and continue with personal service and treating the customer as important. For example, I am very happy with my HSBC Premier account. I get to go to a special part of the branch, get an elevated level of service and I even have a "personal banker" available by phone. The cost? Zero.

As for "less secure" I was addressing the idea that phones would be involved but that passwords would no longer be used. I consider that less secure, as well as a showstopper for anyone who doesn't have a phone or can't use it at the time. There has to be an alternative offered.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Bank Card security

#155898

Postby AF62 » July 29th, 2018, 8:35 am

Lootman wrote:
AF62 wrote:
Lootman wrote:There has to be a way of ensuring that customers can get the denominations that they want. Even at that "unmanned" Barclays branch there is still a human teller for commercial customers and, if you ask for 50's, you get directed to that teller.

There doesn't have to be a way to give you cash in specific denominations. The bank could just tell you to like it or lump it.

Disagree. I consider it a basic function of a Bank to provide cash in whatever denominations that the customer desires.

That said the machines installed in "tellerless" branches could be programmed to allow the customer to select his own denominations. There is no point in having, say, 50 pound notes if there is nowhere to get them!

What we might see is a diversion in banks. The banks that don't really care about customers can go tellerless, or even branchless, and that might suit many people who, unlike me, do not use their branches. But then there will be banks who seek opportunity there, and continue with personal service and treating the customer as important. For example, I am very happy with my HSBC Premier account. I get to go to a special part of the branch, get an elevated level of service and I even have a "personal banker" available by phone. The cost? Zero.


The branch I mentioned which has no counter at all only machines is an HSBC branch! It is clear which direction they are going in.

As for the cost of an HSBC Premier account being zero, my understanding of the criteria for having such an account was keeping at least £50k with them or having an income of £75k and having bought a mortgage, investment, life insurance or protection product from them. That doesn't sound like a zero cost.

But you are right, there may be a two tier service, with branches and personal service only for those who want to pay through the purchase of products. And this fits with the operation of the counterless branch I mentioned - lots of salespeople for Premier account customers and machines for everyone else.

Lootman wrote:As for "less secure" I was addressing the idea that phones would be involved but that passwords would no longer be used. I consider that less secure, as well as a showstopper for anyone who doesn't have a phone or can't use it at the time. There has to be an alternative offered.


If we are back to talking about Verified by Visa, the security provided by the existing system is laughably bad, as Visa have seen by moving to a phone based system. The text to a phone is still 2FA not 1FA as you needed to have access to the physical card to make the online purchase, which then generates the 2FA check of the text to the phone.

And yes if someone doesn't have a phone of any sort then they are going to have an issue. But the subset of people who a. want to order online so have a PC and b. don't have a phone (mobile or landline) is pretty small. I don't think it unreasonable for Visa to design its security around 99.9999% of its customers and let the remaining 0.0001% seek an alternative method to buy what they want. Designing your security systems around 0.0001% of your customers doesn't sound a great idea.

Lootman
The full Lemon
Posts: 18674
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6559 times

Re: Bank Card security

#155900

Postby Lootman » July 29th, 2018, 9:01 am

AF62 wrote:The branch I mentioned which has no counter at all only machines is an HSBC branch! It is clear which direction they are going in.

It isn't "clear" yet. There are some pilot branches out there which operate without human tellers. And that may suit some locations and demographics. But I can show you bank branches all over London that are thronged with walk-in customers using human tellers. It could be that the pilot tellerless locations are driving people to use other branches, in which case there will be a limit to how extensive that roll-out will be. It could remain a niche service.

Moreover, as you seem to acknowledge, you need human traffic through a branch to opportunistically sell all the crap products that banks have, like insurance, loans, will-making and so on. I'd never buy such products from a bank but if people like you do, thereby enabling the bank to continue to give me a free human service, then I thank you.

AF62 wrote:As for the cost of an HSBC Premier account being zero, my understanding of the criteria for having such an account was keeping at least £50k with them or having an income of £75k and having bought a mortgage, investment, life insurance or protection product from them. That doesn't sound like a zero cost.

But you are right, there may be a two tier service, with branches and personal service only for those who want to pay through the purchase of products. And this fits with the operation of the counterless branch I mentioned - lots of salespeople for Premier account customers and machines for everyone else.

I qualify on the assets and income criteria, as I suspect many here do. I suppose you could argue that if you leave 50K in a current account earning nothing then you have an opportunity cost. But I don't so it is free for all practical purposes. If HSBC assume that I will profitably buy other stuff and therefore they think it is worth giving me free premier banking, then that's fine with me. But I won't and in fact to their credit HSBC have not harassed me about buying stuff. My "personal" banker did suggest an ISA for me, and when I told him that I worked in fund management in the City for 17 years he promptly shut up, realising that I knew more about investing than he did :)

AF62 wrote:I don't think it unreasonable for Visa to design its security around 99.9999% of its customers and let the remaining 0.0001% seek an alternative method to buy what they want. Designing your security systems around 0.0001% of your customers doesn't sound a great idea.

I think you know those percentages are wrong. I do not know what the saturation rate for mobile phones and smart phones is, but it would not surprise me if at least 10% of people do not have mobile phones, and 20% to 30% do not have smart phones. Depends on the demographic, but I doubt that banks want to be seen as discriminating against pensioners, immigrants, people on benefits and other classes of people who are less likely to have mobile devices due to reasons of cost, age, disability, ethnicity and so on.

And of course they do not work everywhere nor all the time either.

But when the saturation rate does get to 99.9999%, and reliability is the same, then they may have a point. Until then, they will need an alternative.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Bank Card security

#155903

Postby AF62 » July 29th, 2018, 9:16 am

Lootman wrote:
AF62 wrote:I don't think it unreasonable for Visa to design its security around 99.9999% of its customers and let the remaining 0.0001% seek an alternative method to buy what they want. Designing your security systems around 0.0001% of your customers doesn't sound a great idea.

I think you know those percentages are wrong. I do not know what the saturation rate for mobile phones and smart phones is, but it would not surprise me if at least 10% of people do not have mobile phones, and 20% to 30% do not have smart phones. Depends on the demographic, but I doubt that banks want to be seen as discriminating against pensioners, immigrants, people on benefits and other classes of people who are less likely to have mobile devices due to reasons of cost, age, disability, ethnicity and so on.

And of course they do not work everywhere nor all the time either.

But when the saturation rate does get to 99.9999%, and reliability is the same, then they may have a point. Until then, they will need an alternative.


We are not talking just about mobile phones but any phone. All the phone verification systems I have used will phone a landline as an alternative to a text to a mobile.

So I don't think 1 in 1,000,000 is an unreasonable guess for someone who has a PC connected to the internet but doesn't have access to a mobile or a landline.

Lootman
The full Lemon
Posts: 18674
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6559 times

Re: Bank Card security

#155905

Postby Lootman » July 29th, 2018, 9:21 am

AF62 wrote:
Lootman wrote:
AF62 wrote:I don't think it unreasonable for Visa to design its security around 99.9999% of its customers and let the remaining 0.0001% seek an alternative method to buy what they want. Designing your security systems around 0.0001% of your customers doesn't sound a great idea.

I think you know those percentages are wrong. I do not know what the saturation rate for mobile phones and smart phones is, but it would not surprise me if at least 10% of people do not have mobile phones, and 20% to 30% do not have smart phones. Depends on the demographic, but I doubt that banks want to be seen as discriminating against pensioners, immigrants, people on benefits and other classes of people who are less likely to have mobile devices due to reasons of cost, age, disability, ethnicity and so on.

And of course they do not work everywhere nor all the time either.

But when the saturation rate does get to 99.9999%, and reliability is the same, then they may have a point. Until then, they will need an alternative.


We are not talking just about mobile phones but any phone. All the phone verification systems I have used will phone a landline as an alternative to a text to a mobile.

So I don't think 1 in 1,000,000 is an unreasonable guess for someone who has a PC connected to the internet but doesn't have access to a mobile or a landline.

That assumes that people make all on-line purchases from home. They do not.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Bank Card security

#155908

Postby AF62 » July 29th, 2018, 9:30 am

Lootman wrote:
AF62 wrote:
Lootman wrote:I think you know those percentages are wrong. I do not know what the saturation rate for mobile phones and smart phones is, but it would not surprise me if at least 10% of people do not have mobile phones, and 20% to 30% do not have smart phones. Depends on the demographic, but I doubt that banks want to be seen as discriminating against pensioners, immigrants, people on benefits and other classes of people who are less likely to have mobile devices due to reasons of cost, age, disability, ethnicity and so on.

And of course they do not work everywhere nor all the time either.

But when the saturation rate does get to 99.9999%, and reliability is the same, then they may have a point. Until then, they will need an alternative.


We are not talking just about mobile phones but any phone. All the phone verification systems I have used will phone a landline as an alternative to a text to a mobile.

So I don't think 1 in 1,000,000 is an unreasonable guess for someone who has a PC connected to the internet but doesn't have access to a mobile or a landline.

That assumes that people make all on-line purchases from home. They do not.


So someone who wants to make a purchase away from home and has internet access at that point but doesn't have a mobile phone.

Hmmm, sorry I am not going to design any security system around three people.

