
New security rules. Bank App or code via SMS text?

Infrasonic
Lemon Quarter
Posts: 1665
Joined: November 4th, 2016, 2:25 pm
Has thanked: 250 times
Been thanked: 302 times

Re: New security rules. Bank App or code via SMS text?

#244773

Postby Infrasonic » August 16th, 2019, 1:07 pm

Biometrics...https://www.google.com/search?rlz=1C1BL ... CAo&uact=5

Malware apps...https://www.google.com/search?rlz=1C1BL ... CAo&uact=5

A further refinement is to make apps 'AV aware' so they lie dormant when being scanned and act in a non malware 'legitimate' fashion.
The idea is to delay the true intentions of the apps being discovered and allow the ones that are running maliciously (undetected) to have the maximum potential results for the protagonists.

Julian
Lemon Slice
Posts: 616
Joined: November 4th, 2016, 9:58 am
Has thanked: 145 times
Been thanked: 196 times

Re: New security rules. Bank App or code via SMS text?

#244800

Postby Julian » August 16th, 2019, 2:30 pm

Infrasonic wrote:Biometrics...https://www.google.com/search?rlz=1C1BL ... CAo&uact=5

Malware apps...https://www.google.com/search?rlz=1C1BL ... CAo&uact=5

A further refinement is to make apps 'AV aware' so they lie dormant when being scanned and act in a non malware 'legitimate' fashion.
The idea is to delay the true intentions of the apps being discovered and allow the ones that are running maliciously (undetected) to have the maximum potential results for the protagonists.

But in the context of biometrics for apps running on phones and tablets I’m not sure that is relevant. Assuming one trusts the vendor (and I do) then Apple for instance says that the user’s biometric data is stored in a secure enclave on the device’s SoC and never ever leaves the device so issues of hacking biometric databases would seem to not be applicable.

The malware stuff, including examples of the “second level” stuff getting onto Google Play Store whereby the initial app can subsequently download an additional payload onto the compromised device is indeed concerning. I wonder if the Apple App Store has seen similar issues.

- Julian

supremetwo
Lemon Slice
Posts: 850
Joined: November 8th, 2016, 2:20 am
Has thanked: 58 times
Been thanked: 116 times

Re: New security rules. Bank App or code via SMS text?

#244813

Postby supremetwo » August 16th, 2019, 3:16 pm

These new rules are forcing providers to replace previously-secure methods such as card-reader codes and grid cards.

There is also the aspect of providers insisting on an email address as a login ID rather than an account-specific ID.

mc2fool
Lemon Quarter
Posts: 1498
Joined: November 4th, 2016, 11:24 am
Has thanked: 5 times
Been thanked: 356 times

Re: New security rules. Bank App or code via SMS text?

#244826

Postby mc2fool » August 16th, 2019, 4:12 pm

supremetwo wrote:These new rules are forcing providers to replace previously-secure methods such as card-reader codes and grid cards.

No they don't. The Payment Services Directive (PSD2) just requires "strong customer authentication" (aka 2FA), which it defines as follows; it doesn't mandate or proscribe any specific methods:

"‘strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data;" https://eur-lex.europa.eu/eli/dir/2015/2366/oj, Article 4(30).

If any banks etc are stopping using card readers then it's their choice, not something forced by PSD2. I have cards & card readers from Barclays and Lloyds, and a physical "secure key" from HSBC and I've not heard anything about them being withdrawn. Can you cite any examples of providers that have?

supremetwo wrote:There is also the aspect of providers insisting on an email address as a login ID rather than an account-specific ID.

Well I have online accounts with, on a quick count, 18 banks/building societies and only one (Marcus) uses an email address as a login ID. The rest all have an alphanumeric or numeric ID and, again, I've not heard anything about any of them changing that. Do you know of any that are?

UncleEbenezer
Lemon Quarter
Posts: 3827
Joined: November 4th, 2016, 8:17 pm
Has thanked: 429 times
Been thanked: 636 times

Re: New security rules. Bank App or code via SMS text?

#244837

Postby UncleEbenezer » August 16th, 2019, 4:45 pm

Julian wrote:I would hope that ...

A trojaned banking app in an app store wouldn't take long to become a headline! I'd expect liability to follow it, and it should presumably also put you on the right side of the recent "bank compensates you unless you were grossly negligent" rule.

The trojan in your system, that perhaps logs all your interactions with your banking app and thus grabs your credentials, seems to me a bigger risk. If your phone is infected with Pegasus, all bets are off!
Julian wrote:Did I read at some point in the past about the possibility of hijacking a session in progress and somehow intercepting a per-session authentication key and taking over the session from another location or am I imagining that?

You might have done, but I expect it was in the context of a vulnerability report (CVE), and that vendor(s) affected had a fix by the time it became a story.
Julian wrote:Even if I'm not I would assume such an exploit would require a man in the middle so perhaps only a possibility on a WiFi connection (or wired Ethernet) as opposed to mobile data unless you're a target of specific interest and someone like GCHQ has compromised a cell tower. The other possibility would be traffic sniffing if the traffic encryption is weak enough such that the sniffed packets could be decrypted to extract the required key. I would hope that no active exploits of this type exist in any of the big banking apps.

That would imply a serious bug in (the implementation you use of) encryption. The transport medium (wifi, mobile data, ethernet, etc) is immaterial. You *always* start with the assumption that someone *might* be listening on the line - and might be up to no good!

Unless you've gone and visited a phishing site!

Julian
Lemon Slice
Posts: 616
Joined: November 4th, 2016, 9:58 am
Has thanked: 145 times
Been thanked: 196 times

Re: New security rules. Bank App or code via SMS text?

#244857

Postby Julian » August 16th, 2019, 6:03 pm

mc2fool wrote:...
If any banks etc are stopping using card readers then it's their choice, not something forced by PSD2. I have cards & card readers from Barclays and Lloyds, and a physical "secure key" from HSBC and I've not heard anything about them being withdrawn. Can you cite any examples of providers that have?
...

As a slight aside, although not to my knowledge going away from them, HSBC introduced the ability to say that you want your HSBC banking app to be the source of your secure codes in future rather than the physical device. I now generate all my HSBC secure codes using the HSBC banking app on my iPhone and I’m pretty certain that my act of saying that I wanted to transfer that task to the app also rendered all codes generated by my physical key (it will still generate codes if asked) invalid.

- Julian

XFool
Lemon Quarter
Posts: 4349
Joined: November 8th, 2016, 7:21 pm
Been thanked: 203 times

Re: New security rules. Bank App or code via SMS text?

#244861

Postby XFool » August 16th, 2019, 6:26 pm

mc2fool wrote:
supremetwo wrote:These new rules are forcing providers to replace previously-secure methods such as card-reader codes and grid cards.

No they don't. The Payment Services Directive (PSD2) just requires "strong customer authentication" (aka 2FA), which it defines as follows; it doesn't mandate or proscribe any specific methods:

"‘strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data;" https://eur-lex.europa.eu/eli/dir/2015/2366/oj, Article 4(30).

If any banks etc are stopping using card readers then it's their choice, not something forced by PSD2. I have cards & card readers from Barclays and Lloyds, and a physical "secure key" from HSBC and I've not heard anything about them being withdrawn. Can you cite any examples of providers that have?

Indeed. In fact I was recently sent a card reader by Barclays, for use with a Barclaycard.

It seems there is a great deal of misinformation and misunderstanding going around on this topic. IMO

mc2fool
Lemon Quarter
Posts: 1498
Joined: November 4th, 2016, 11:24 am
Has thanked: 5 times
Been thanked: 356 times

Re: New security rules. Bank App or code via SMS text?

#244880

Postby mc2fool » August 16th, 2019, 7:14 pm

Julian wrote:As a slight aside, although not to my knowledge going away from them, HSBC introduced the ability to say that you want your HSBC banking app to be the source of your secure codes in future rather than the physical device.

They've had the "Digital Secure Key" (what you describe) for a while -- at least a year from the internet archive but I think longer -- but they didn't hesitate to replace my physical one when the battery died earlier this year. In fact the agent didn't even mention the app, just took me through security and told me the replacement device should arrive in the post in a few days, which it did.

I'm sure they'd prefer people to use the app on their phones -- it's cheaper than them sending out physical devices -- but there doesn't seem to be any moves afoot to force that, at least not for PSD2.

AF62
Lemon Slice
Posts: 473
Joined: November 27th, 2016, 8:45 am
Has thanked: 6 times
Been thanked: 120 times

Re: New security rules. Bank App or code via SMS text?

#244891

Postby AF62 » August 16th, 2019, 8:11 pm

Laughton wrote:I'm a bit confused about what the problem is with security or otherwise of the SMS system/arrangement.

For example, I'm online making a purchase from a site that I know or that at least has the https at the beginning or I'm making a payment via my online bank and either of these then require me to enter a code sent to my mobile phone by SMS.

If, as has been suggested, some fraudster intercepts and send me a spoof code which I then enter on the website then my transaction will be refused (because it's the incorrect code). OK, that's going to be a pain but how would I lose money and if I don't where is the benefit and therefore the incentive to the criminal?


The fraud isn't spoofing.

The logic with using SMS as a secondary level of security is that if someone found out or guessed your password they couldn't access your account as you would receive the SMS code not them.

The problem is if you go to a mobile phone shop for your phone network and say "I have lost my sim card, can I have a new one" they should do comprehensive checks to ensure that you are you.

However the poorly trained minimum wage member of staff who has been employed to sell phones (and not be a bank clerk concerned about security) doesn't really give a damn and will just issue the sim without the ID documents - I have experienced it myself when an EE shop, having determined the reason my mother's phone was faulty (from a description, not seeing the phone), just issued a new sim even though I was clearly not my mother and she was not with me.

So now your phone number is on the fraudster's sim and they now receive the codes and suddenly your bank account is empty without you knowing anything about it. And since some here indicate they only use their phone once in a blue moon, then they wouldn't notice the phone isn't working.

supremetwo
Lemon Slice
Posts: 850
Joined: November 8th, 2016, 2:20 am
Has thanked: 58 times
Been thanked: 116 times

Re: New security rules. Bank App or code via SMS text?

#244908

Postby supremetwo » August 16th, 2019, 9:07 pm

mc2fool wrote:
supremetwo wrote:These new rules are forcing providers to replace previously-secure methods such as card-reader codes and grid cards.

No they don't. The Payment Services Directive (PSD2) just requires "strong customer authentication" (aka 2FA), which it defines as follows; it doesn't mandate or proscribe any specific methods:

"‘strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data;" https://eur-lex.europa.eu/eli/dir/2015/2366/oj, Article 4(30).

If any banks etc are stopping using card readers then it's their choice, not something forced by PSD2. I have cards & card readers from Barclays and Lloyds, and a physical "secure key" from HSBC and I've not heard anything about them being withdrawn. Can you cite any examples of providers that have?

supremetwo wrote:There is also the aspect of providers insisting on an email address as a login ID rather than an account-specific ID.

Well I have online accounts with, on a quick count, 18 banks/building societies and only one (Marcus) uses an email address as a login ID. The rest all have an alphanumeric or numeric ID and, again, I've not heard anything about any of them changing that. Do you know of any that are?

https://www.smile.co.uk/global/security ... entication?

We are replacing card readers with a different way of verifying yourself. We're also increasing security when you view statements, transactions and scheduled payments and sometimes when you log in.
Don't worry though, you won't need to change your existing log in details.


Yes, it is Marcus that stood out.

mc2fool
Lemon Quarter
Posts: 1498
Joined: November 4th, 2016, 11:24 am
Has thanked: 5 times
Been thanked: 356 times

Re: New security rules. Bank App or code via SMS text?

#244919

Postby mc2fool » August 16th, 2019, 9:40 pm

supremetwo wrote:https://www.smile.co.uk/global/security/two-factor-authentication?
We are replacing card readers with a different way of verifying yourself. We're also increasing security when you view statements, transactions and scheduled payments and sometimes when you log in.
Don't worry though, you won't need to change your existing log in details.

Blimey, I didn't know smile was still going! In any case, that's their choice (I agree, not a particularly good one), not something "forced" by PSD2.

UncleEbenezer
Lemon Quarter
Posts: 3827
Joined: November 4th, 2016, 8:17 pm
Has thanked: 429 times
Been thanked: 636 times

Re: New security rules. Bank App or code via SMS text?

#244923

Postby UncleEbenezer » August 16th, 2019, 10:44 pm

mc2fool wrote:Blimey, I didn't know smile was still going! In any case, that's their choice (I agree, not a particularly good one), not something "forced" by PSD2.

At a guess, that choice was because customers don't like it.

I have a card reader from Nationwide. Never use it, it's too inconvenient even at home, let alone the idea of giving the wretched thing pocket-space when away. Now if it were a sim card, or at worst a USB stick, to verify me, that could be a different story.

wickham
Lemon Slice
Posts: 342
Joined: November 6th, 2016, 8:13 am
Has thanked: 30 times
Been thanked: 8 times

Re: New security rules. Bank App or code via SMS text?

#244978

Postby wickham » August 17th, 2019, 10:25 am

UncleEbenezer wrote:I have a card reader from Nationwide. Never use it, it's too inconvenient even at home, let alone the idea of giving the wretched thing pocket-space when away. Now if it were a sim card, or at worst a USB stick, to verify me, that could be a different story.

I also have a Nationwide card reader, but it's so old I often wonder if the battery is running out. If that happens, perhaps I can't even access my account to order a new one. There's too much dependence on several communication items all requiring a battery.

Julian
Lemon Slice
Posts: 616
Joined: November 4th, 2016, 9:58 am
Has thanked: 145 times
Been thanked: 196 times

Re: New security rules. Bank App or code via SMS text?

#245005

Postby Julian » August 17th, 2019, 12:26 pm

wickham wrote:
UncleEbenezer wrote:I have a card reader from Nationwide. Never use it, it's too inconvenient even at home, let alone the idea of giving the wretched thing pocket-space when away. Now if it were a sim card, or at worst a USB stick, to verify me, that could be a different story.

I also have a Nationwide card reader, but it's so old I often wonder if the battery is running out. If that happens, perhaps I can't even access my account to order a new one. There's too much dependence on several communication items all requiring a battery.

I have quite a few card readers all at least 10 years old and one of which I had to retire when some of the segments on the LCD failed meaning that I couldn't tell what numbers were being displayed. I discovered that at least the NatWest, Nationwide and HSBC (now replaced by secure key as previously discussed) ones are interchangeable which makes me think they probably all are.

I agree about the concerns regarding batteries. As stated earlier I wish that more places would give the option of using Google Authenticator for the SFA code. It really is very convenient and when on a phone and protected by biometric authentication or a PIN code potentially way more than 4 numbers long (https://www.youtube.com/watch?v=e9CfWK-uN44) it's more secure. Most people keep their phone charged so no battery issues plus it's always available. Technically if someone can discover the 32 character alphanumeric key used to seed the number generator for the specific account that they are trying to hack then they can generate the codes themselves but for me those seeds are not kept online anywhere, they're in a printout in my fire safe and very cryptically labelled so that no one would know what they were even if they got their hands on the piece of paper, so I feel pretty secure with this system.

- Julian
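Julian's post above describes the 32-character seed behind Google Authenticator codes and notes that anyone holding that seed can generate the same codes. The following is an added example, not code from the thread or from Google: it implements the RFC 6238 TOTP algorithm that Google Authenticator uses, plus the verifier-side check a bank would run, which tolerates a step of clock drift and refuses to accept a code twice. The seed is RFC 6238's published test secret in base32 (a constructed sample, not anyone's real key).

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample seed: RFC 6238's test secret "12345678901234567890"
# base32-encoded, which is exactly the 32-character form an authenticator
# app shows when you enrol an account. Anyone who holds this string can
# produce every code the app will ever show, which is Julian's point.
SAMPLE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' down to `digits` decimal digits."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step).
    The phone and the bank compute this independently from the shared seed;
    no network message carries the seed, only the 6-digit result."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier. Accepts the current 30-second step and `window`
    steps either side for clock drift, compares in constant time, and records
    the counter of the last accepted code so that a code captured in transit
    cannot be replayed within its validity window."""

    def __init__(self, secret_b32: str, window: int = 1,
                 step: int = 30, digits: int = 6) -> None:
        self.secret = secret_b32
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1                   # nothing accepted yet

    def verify(self, candidate: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:           # also skips negative counters
                continue
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.last_counter = c            # burn this step
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SAMPLE_SEED, now)
    verifier = TotpVerifier(SAMPLE_SEED)
    print("code for this step:", code)
    print("first submission accepted:", verifier.verify(code, now))
    print("same code replayed:", verifier.verify(code, now))
```

The RFC 6238 vectors (T=59 gives 287082 for the 6-digit form) let you confirm the arithmetic against the published values rather than against a live account.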

pochisoldi
Lemon Slice
Posts: 531
Joined: November 4th, 2016, 11:33 am
Has thanked: 9 times
Been thanked: 273 times

Re: New security rules. Bank App or code via SMS text?

#245013

Postby pochisoldi » August 17th, 2019, 1:04 pm

Julian wrote:
wickham wrote:
UncleEbenezer wrote:I have a card reader from Nationwide. Never use it, it's too inconvenient even at home, let alone the idea of giving the wretched thing pocket-space when away. Now if it were a sim card, or at worst a USB stick, to verify me, that could be a different story.

I also have a Nationwide card reader, but it's so old I often wonder if the battery is running out. If that happens, perhaps I can't even access my account to order a new one. There's too much dependence on several communication items all requiring a battery.

I have quite a few card readers all at least 10 years old and one of which I had to retire when some of the segments on the LCD failed meaning that I couldn't tell what numbers were being displayed. I discovered that at least the NatWest, Nationwide and HSBC (now replaced by secure key as previously discussed) ones are interchangeable which makes me think they probably all are.


Natwest, Nationwide, Smile, Barclays all use the same interface and technology.

The first three have devices which are identical in all but colour and branding (designed for people with small fingers).
Barclays is slightly bigger, the buttons are designed for the fat fingered amongst us (more like a 1980's simple calculator less like a late 1990s mobile phone), and seems to be more robust.

BTW for Nationwide, if your card reader breaks, the system isn't as Kafkaesque as you might think see: https://www.nationwide.co.uk/support/ca ... ard-reader

mc2fool
Lemon Quarter
Posts: 1498
Joined: November 4th, 2016, 11:24 am
Has thanked: 5 times
Been thanked: 356 times

Re: New security rules. Bank App or code via SMS text?

#245017

Postby mc2fool » August 17th, 2019, 1:09 pm

pochisoldi wrote:Natwest, Nationwide, Smile, Barclays all use the same interface and technology.

The first three have devices which are identical in all but colour and branding (designed for people with small fingers).
Barclays is slightly bigger, the buttons are designed for the fat fingered amongst us (more like a 1980's simple calculator less like a late 1990s mobile phone), and seems to be more robust.

I have a Barclays and a Lloyds one and aside from colour and branding they are identical, and they are functionally interchangeable (I can use either card with either device).

Breelander
Lemon Quarter
Posts: 2757
Joined: November 4th, 2016, 9:42 pm
Has thanked: 433 times
Been thanked: 853 times

Re: New security rules. Bank App or code via SMS text?

#245023

Postby Breelander » August 17th, 2019, 1:34 pm

mc2fool wrote:I have a Barclays and a Lloyds one and aside from colour and branding they are identical, and they are functionally interchangeable (I can use either card with either device).


I have a Barclays one, but being away from home I borrowed my daughter's NatWest one in order to sign in. That's functionally interchangeable too. They all should be, it's a standard set by Mastercard called CAP.


The Chip Authentication Program (CAP) is a MasterCard initiative and technical specification for using EMV banking smartcards for authenticating users and transactions in online and telephone banking...

... card readers issued by most, possibly all, UK banks conform to a CAP subset defined by APACS, meaning that, in most cases, cards issued by a UK bank can be used in a card reader issued by a different bank.
https://en.wikipedia.org/wiki/Chip_Auth ... on_Program

