Bank Card security

Posted: July 13th, 2018, 11:22 pm
by XFool
This is interesting news. TiM, of course, highlights all the negatives:

Banks will soon require text message confirmation for online Visa card purchases in shake-up that will hit ALL internet shoppers

This is Money

Same method as used by HMRC with online accounts.

I am not surprised the 'Verified by Visa' system is being replaced. It used to irritate me and I never used it as intended, just used a one time password which I never bothered to remember. Had to start again from scratch every time. Eventually 'V by V' switched to asking for the same card details you had just entered for the merchant. So I imagine everyone else was doing the same thing.

The article mentions possible security problems using SMS for a One Time Pin. I wonder if the solution could be an industry wide standardised card reader that worked with all available cards?

Re: Bank Card security

Posted: July 14th, 2018, 12:09 am
by mc2fool
XFool wrote:I wonder if the solution could be an industry wide standardised card reader that worked with all available cards?

I think they already are, if not by a formal standard then at least in reality.

A couple of years ago when I was waiting for a much overdue suspected-lost-in-the-post Lloyds card reader to turn up I called them and the agent, after saying he'd send me another, asked if I had a reader from another bank. I said yes and, without me saying from which, he told me I could use that too as "they're all the same".

And, indeed, my Barclays and Lloyds readers (the only two I have) are interchangeable, I can use either card in either reader and it works fine.

Re: Bank Card security

Posted: July 14th, 2018, 6:46 am
by JohnB
I’d not want to add card readers to my holiday luggage. Phone in one trouser pocket, cards in another, cash in a third gives reasonable flexibility. I don’t want the phone to be a single point of financial access, so am wary of apps on it. Text messages ok. But I live in a city, not sure I’d be happy in the country.

Re: Bank Card security

Posted: July 14th, 2018, 7:51 am
by Lootman
XFool wrote:This is interesting news. TiM, of course, highlights all the negatives:

Banks will soon require text message confirmation for online Visa card purchases in shake-up that will hit ALL internet shoppers

TiM missed a few problems.

What about people who do not have a mobile phone, or have an old one without text functionality, or are overseas in a country where their UK phone doesn't work, or where the battery is flat, or . . . ?

Re: Bank Card security

Posted: July 14th, 2018, 8:16 am
by Alaric
Lootman wrote:TiM missed a few problems.


The quote does say it's for on-line purchases, rather than all purchases. If they are following the same system design as HMRC, that would include a voice message giving a code.

But I can see that if you don't have a second means of communication, the security could thwart you. An example would be perhaps using a tablet or non-phone device in a public wi-fi zone like a shop. Perhaps the next development should be built in card readers, so that the separate gadget wasn't needed.

Re: Bank Card security

Posted: July 14th, 2018, 9:51 am
by Lanark
The problem with this is that SMS is NOT secure, the telephone system was never designed with security in mind. Every corner shop selling mobiles can reassign numbers and SIM cards and they have pretty much zero identity checks.

UK banks don't exactly have a great reputation in designing secure systems:
https://www.theregister.co.uk/2005/10/2 ... nd_rogues/

Re: Bank Card security

Posted: July 14th, 2018, 12:23 pm
by XFool
mc2fool wrote:
XFool wrote:I wonder if the solution could be an industry wide standardised card reader that worked with all available cards?

I think they already are, if not by a formal standard then at least in reality.

A couple of years ago when I was waiting for a much overdue suspected-lost-in-the-post Lloyds card reader to turn up I called them and the agent, after saying he'd send me another, asked if I had a reader from another bank. I said yes and, without me saying from which, he told me I could use that too as "they're all the same".

That's interesting. My bank's card reader rejects any other cards I've tried. But then the only other cards I have are credit cards and I don't think they use such a system.

But if the above is true, what's the problem for Visa? Just use existing or general purpose card readers. Does anyone have a credit card that uses a card reader?

Re: Bank Card security

Posted: July 14th, 2018, 12:47 pm
by doug2500
This is exactly how my wife's account was compromised. Her bank sends one time codes to her mobile but the fraudsters had her card details, probably from a shop but never proved, and hacked her phone. Vodafone were no real help, but then is it their responsibility to protect the bank?

Stupid idea IMO

Re: Bank Card security

Posted: July 14th, 2018, 1:00 pm
by mc2fool
XFool wrote:That's interesting. My bank's card reader rejects any other cards I've tried. But then the only other cards I have are credit cards and I don't think they use such a system.

But if the above is true, what's the problem for Visa? Just use existing or general purpose card readers. Does anyone have a credit card that uses a card reader?

Well, I've just tried all of my credit & debit cards (from 7 banks in total, although all of them Visa) in both of my readers and they are all accepted to the initial prompt (Respond, Sign or Identify), and on most of them - including the credit cards - I can Identify and enter the PIN and it gives me a code. Only two debit cards give "This card is not valid".

I should stress that my comments on this are based purely on what the Lloyds call centre agent told me ("they're all the same") along with my personal experience with just my two card readers and collection of cards, as I've described. I should also clarify that I don't have any credit or debit cards that require the use of a reader; the cards I use with the readers I have are authorisation cards for logging in.

Re: Bank Card security

Posted: July 14th, 2018, 1:43 pm
by Lootman
doug2500 wrote:This is exactly how my wife's account was compromised. Her bank sends one time codes to her mobile but the fraudsters had her card details, probably from a shop but never proved, and hacked her phone. Vodafone were no real help, but then is it their responsibility to protect the bank?

Stupid idea IMO

I agree and, moreover, right now if someone steals my card and my phone (quite likely since they are both always in the same location) then the thief still cannot use the card for in-store purchases (they won't have the PIN), cash withdrawals (ditto) or online purchases (they won't have the password).

With this system they can use my card online. So I am less secure as a result.

Re: Bank Card security

Posted: July 14th, 2018, 4:40 pm
by Slarti
Lootman wrote:moreover, right now if someone steals my card and my phone (quite likely since they are both always in the same location) then the thief still cannot use the card for in-store purchases (they won't have the PIN), cash withdrawals (ditto) or online purchases (they won't have the password).

I don't recall the last time I was asked for Verified by Visa for an online purchase.


Slarti

Re: Bank Card security

Posted: July 14th, 2018, 6:17 pm
by Lootman
Slarti wrote:
Lootman wrote:moreover, right now if someone steals my card and my phone (quite likely since they are both always in the same location) then the thief still cannot use the card for in-store purchases (they won't have the PIN), cash withdrawals (ditto) or online purchases (they won't have the password).

I don't recall the last time I was asked for Verified by Visa for an online purchase.

I do. It was last week, for an air ticket.

Often it is not asked for, agreed. But for larger amounts it is more likely. And that is what you want, surely? After all, small amounts would be easy anyway using the contactless feature, but there is a limit how much damage can be caused by small transactions. A massive pattern of small transactions would probably be flagged anyway.

Re: Bank Card security

Posted: July 14th, 2018, 6:34 pm
by Slarti
Lootman wrote:
Slarti wrote:
Lootman wrote:moreover, right now if someone steals my card and my phone (quite likely since they are both always in the same location) then the thief still cannot use the card for in-store purchases (they won't have the PIN), cash withdrawals (ditto) or online purchases (they won't have the password).

I don't recall the last time I was asked for Verified by Visa for an online purchase.

I do. It was last week, for an air ticket.

Often it is not asked for, agreed. But for larger amounts it is more likely. And that is what you want, surely? After all, small amounts would be easy anyway using the contactless feature, but there is a limit how much damage can be caused by small transactions. A massive pattern of small transactions would probably be flagged anyway.


You can use contactless online?

Slarti

Re: Bank Card security

Posted: July 15th, 2018, 9:37 am
by Lootman
Slarti wrote:You can use contactless online?

Don't be cute. My point was that if someone steals your card and your phone then, under this proposal, they would have the same ability online to run up charges as if they used it contactless in person, but of course for much larger amounts.

A security system that is predicated on assumptions about the disposition of your phone is flawed. I prefer a password - the problem is that they do not ask for it enough.

As a more general point it depresses me that there is a growing trend to assume that everyone has a phone on them all the time. I have not yet been put in a position where I cannot do something I want because of that, but it is perhaps inevitable that will happen. The closest was a car park where I was required to text my number plate and receive a code that then had to be entered into the ticket machine. I parked elsewhere.

Re: Bank Card security

Posted: July 15th, 2018, 12:11 pm
by Slarti
Lootman wrote:My point was that if someone steals your card and your phone then, under this proposal, they would have the same ability online to run up charges as if they used it contactless in person, but of course for much larger amounts.

A security system that is predicated on assumptions about the disposition of your phone is flawed. I prefer a password - the problem is that they do not ask for it enough.

As a more general point it depresses me that there is a growing trend to assume that everyone has a phone on them all the time. I have not yet been put in a position where I cannot do something I want because of that, but it is perhaps inevitable that will happen. The closest was a car park where I was required to text my number plate and receive a code that then had to be entered into the ticket machine. I parked elsewhere.


They'd have problems with my phone as it is passworded. But my wife's can't be :shock:

There is a (the?) car park in Whitby that, the last time I used it, the only way to pay was by mobile phone, it added the cost to your phone bill, or you had to use a bank app to pay them. That was 9 years ago!

I also hate things like taxis that say they'll text you when they arrive. Texts aren't guaranteed instant and I have seen them take up to 24 hours to arrive.
And that is another problem, someone I use sends out a text for 2FA that only has a 10 minute life. They usually take at least 2 minutes to arrive and I'm sure that one day I won't be able to log in because one takes too long.

Slarti

Re: Bank Card security

Posted: July 15th, 2018, 12:18 pm
by johnhemming
Lootman wrote:My point was that if someone steals your card and your phone then...

It is much harder to steal a phone via the net than to get someone's credit card details (not necessarily the card).

Re: Bank Card security

Posted: July 15th, 2018, 1:58 pm
by Lootman
Slarti wrote:There is a (the?) car park in Whitby that, the last time I used it, the only way to pay was by mobile phone, it added the cost to your phone bill, or you had to use a bank app to pay them. That was 9 years ago!

I encountered it in Edinburgh, and it was probably a similar time ago. I do not believe that any important service or system should require that people have mobile phones, let alone smart phones. There should always be an alternative.

Someone gave an example earlier of a HMRC personal tax account requiring this but, again, such an account is not necessary for reporting your taxes. I do not have one, for instance, nor do I want one.

johnhemming wrote:
Lootman wrote:My point was that if someone steals your card and your phone then...

It is much harder to steal a phone via the net than to get someone's credit card details (not necessarily the card).

Yes, I was talking about having the items physically stolen. Ironically the probability of electronic theft and hacking is greater if you use a smart phone anyway. So for example I use online banking but only from my laptop and my own IP. I never use a phone, public computer or a public wifi.

Re: Bank Card security

Posted: July 18th, 2018, 11:09 pm
by gryffron
Lanark wrote:The problem with this is that SMS is NOT secure, the telephone system was never designed with security in mind. Every corner shop selling mobiles can reassign numbers and SIM cards and they have pretty much zero identity checks.

Africa has had an SMS banking system for a decade. Now extends to many other countries.
https://en.m.wikipedia.org/wiki/M-Pesa

Gryff

Re: Bank Card security

Posted: July 20th, 2018, 7:25 am
by AF62
Lootman wrote:I do not believe that any important service or system should require that people have mobile phones, let alone smart phones. There should always be an alternative.


The alternative is to choose a different supplier.

These are commercial operations and it is entirely reasonable they design their system to meet the needs of the vast majority of their customers.

Re: Bank Card security

Posted: July 20th, 2018, 7:52 am
by Lootman
AF62 wrote:
Lootman wrote:I do not believe that any important service or system should require that people have mobile phones, let alone smart phones. There should always be an alternative.

The alternative is to choose a different supplier.

These are commercial operations and it is entirely reasonable they design their system to meet the needs of the vast majority of their customers.

Yes but I said "important service or system". That might include cases where there is no alternative.

If it was announced that you needed a mobile or smart phone to vote, collect your state pension, use an airport etc. then that would be a problem. There are always people without such devices and other cases where they fail to work when you need them.

Offering access via a phone is fine. It is when that is the only option that problems arise.