Donate to Remove ads

Got a credit card? use our Credit Card & Finance Calculators

Thanks to johnstevens77,Bhoddhisatva,scotia,Anonymous,Cornytiv34, for Donating to support the site

Bank Card security

Discussing offers, rates and deals on suppliers
XFool
The full Lemon
Posts: 12636
Joined: November 8th, 2016, 7:21 pm
Been thanked: 2608 times

Bank Card security

#152272

Postby XFool » July 13th, 2018, 11:22 pm

This is interesting news. TiM, of course, highlights all the negatives:

Banks will soon require text message confirmation for online Visa card purchases in shake-up that will hit ALL internet shoppers

This is Money

Same method as used by HMRC with online accounts.

I am not surprised the 'Verified by Visa' system is being replaced. It used to irritate me and I never used it as intended, just used a one time password which I never bothered to remember. Had to start again from scratch every time. Eventually 'V by V' switched to asking for the same card details you had just entered for the merchant. So I imagine everyone else was doing the same thing.

The article mentions possible security problems using SMS for a One Time Pin. I wonder if the solution could be an industry wide standardised card reader that worked with all available cards?

mc2fool
Lemon Half
Posts: 7812
Joined: November 4th, 2016, 11:24 am
Has thanked: 7 times
Been thanked: 3017 times

Re: Bank Card security

#152276

Postby mc2fool » July 14th, 2018, 12:09 am

XFool wrote:I wonder if the solution could be an industry wide standardised card reader that worked with all available cards?

I think they already are, if not by a formal standard then at least in reality.

A couple of years ago when I was waiting for a much overdue suspected-lost-in-the-post Lloyds card reader to turn up I called them and the agent, after saying he'd send me another, asked if I had a reader from another bank. I said yes and, without me saying from which, he told me I could use that too as "they're all the same".

And, indeed, my Barclays and Lloyds readers (the only two I have) are interchangeable, I can use either card in either reader and it works fine.

JohnB
Lemon Quarter
Posts: 2497
Joined: January 15th, 2017, 9:20 am
Has thanked: 677 times
Been thanked: 997 times

Re: Bank Card security

#152280

Postby JohnB » July 14th, 2018, 6:46 am

I’d not want to add card readers to my holiday luggage. Phone in one trouser pocket, cards in another, cash in a third gives reasonable flexibility. I don’t want the phone to be a single point of financial access, so am wary of apps on it. Text messages ok. But I live in a city, not sure I’d be happy in the country.

Lootman
The full Lemon
Posts: 18681
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6564 times

Re: Bank Card security

#152284

Postby Lootman » July 14th, 2018, 7:51 am

XFool wrote:This is interesting news. TiM, of course, highlights all the negatives:

Banks will soon require text message confirmation for online Visa card purchases in shake-up that will hit ALL internet shoppers

TiM missed a few problems.

What about people who do not have a mobile phone, or have an old one without text functionality, or are overseas in a country where their UK phone doesn't work, or where the battery is flat, or . . . ?

Alaric
Lemon Half
Posts: 6034
Joined: November 5th, 2016, 9:05 am
Has thanked: 20 times
Been thanked: 1399 times

Re: Bank Card security

#152286

Postby Alaric » July 14th, 2018, 8:16 am

Lootman wrote:TiM missed a few problems.?


The quote does say it's for on-line purchases, rather than all purchases. If they are following the same system design as HMRC, that would include a voice message giving a code.

But I can see that if you don't have a second means of communication, the security could thwart you. An example would be perhaps using a tablet or non-phone device in a public wi-fi zone like a shop. Perhaps the next development should be built in card readers, so that the separate gadget wasn't needed.

Lanark
Lemon Quarter
Posts: 1321
Joined: March 27th, 2017, 11:41 am
Has thanked: 595 times
Been thanked: 582 times

Re: Bank Card security

#152293

Postby Lanark » July 14th, 2018, 9:51 am

The problem with this is that SMS is NOT secure, the telephone system was never designed with security in mind. Every corner shop selling mobiles can reassign numbers and SIM cards and they have pretty much zero identity checks.

UK banks don't exactly have a great reputation in designing secure systems:
https://www.theregister.co.uk/2005/10/2 ... nd_rogues/

XFool
The full Lemon
Posts: 12636
Joined: November 8th, 2016, 7:21 pm
Been thanked: 2608 times

Re: Bank Card security

#152314

Postby XFool » July 14th, 2018, 12:23 pm

mc2fool wrote:
XFool wrote:I wonder if the solution could be an industry wide standardised card reader that worked with all available cards?

I think they already are, if not by a formal standard then at least in reality.

A couple of years ago when I was waiting for a much overdue suspected-lost-in-the-post Lloyds card reader to turn up I called them and the agent, after saying he'd send me another, asked if I had a reader from another bank. I said yes and, without me saying from which, he told me I could use that too as "they're all the same".

That's interesting. My bank's card reader rejects any other cards I've tried. But then the only cards other cards I have are credit cards and I don't think they use such a system.

But if the above is true, what's the problem for Visa? Just use existing or general purpose card readers. Does anyone have a credit card that uses a card reader?

doug2500
Lemon Slice
Posts: 657
Joined: November 4th, 2016, 11:51 am
Has thanked: 286 times
Been thanked: 245 times

Re: Bank Card security

#152315

Postby doug2500 » July 14th, 2018, 12:47 pm

This is exactly how my wifes account was compromised. Her bank sends one time codes to her mobile but the fraudsters had her card details, probably from a shop but never proved, and hacked her phone. Vodafone were no real help, but then is it their responsibility to protect the bank?

Stupid idea IMO

mc2fool
Lemon Half
Posts: 7812
Joined: November 4th, 2016, 11:24 am
Has thanked: 7 times
Been thanked: 3017 times

Re: Bank Card security

#152319

Postby mc2fool » July 14th, 2018, 1:00 pm

XFool wrote:That's interesting. My bank's card reader rejects any other cards I've tried. But then the only cards other cards I have are credit cards and I don't think they use such a system.

But if the above is true, what's the problem for Visa? Just use existing or general purpose card readers. Does anyone have a credit card that uses a card reader?

Well, I've just tried all of my credit & debit cards (from 7 banks in total, although all of them Visa) in both of my readers and they are all accepted to the initial prompt (Respond, Sign or Identify), and on most of them - including the credit cards - I can Identify and enter the PIN and it gives me a code. Only two debit cards give "This card is not valid".

I should stress that my comments on this are based purely on what the Lloyds call centre agent told me ("they're all the same") along with my personal experience with just my two card readers and collection of cards, as I've described. I should also clarify that I don't have any credit or debit cards that require the use of a reader; the cards I use with the readers I have are authorisation cards for logging in.

Lootman
The full Lemon
Posts: 18681
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6564 times

Re: Bank Card security

#152325

Postby Lootman » July 14th, 2018, 1:43 pm

doug2500 wrote:This is exactly how my wifes account was compromised. Her bank sends one time codes to her mobile but the fraudsters had her card details, probably from a shop but never proved, and hacked her phone. Vodafone were no real help, but then is it their responsibility to protect the bank?

Stupid idea IMO

I agree and, moreover, right now if someone steals my card and my phone (quite likely since they are both always in the same location) then the thief still cannot use the card for in-store purchases (they won't have the PIN), cash withdrawals (ditto) or online purchases (they won't have the password).

With this system they can use my card online. So I am less secure as a result.

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Bank Card security

#152339

Postby Slarti » July 14th, 2018, 4:40 pm

[quote="Lootman"]moreover, right now if someone steals my card and my phone (quite likely since they are both always in the same location) then the thief still cannot use the card for in-store purchases (they won't have the PIN), cash withdrawals (ditto) or online purchases (they won't have the password)./quote]

I don't recall the last time I was asked for Verified by Visa for an online purchase.


Slarti

Lootman
The full Lemon
Posts: 18681
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6564 times

Re: Bank Card security

#152351

Postby Lootman » July 14th, 2018, 6:17 pm

Slarti wrote:
Lootman wrote:moreover, right now if someone steals my card and my phone (quite likely since they are both always in the same location) then the thief still cannot use the card for in-store purchases (they won't have the PIN), cash withdrawals (ditto) or online purchases (they won't have the password).

I don't recall the last time I was asked for Verified by Visa for an online purchase.

I do. It was last week, for an air ticket.

Often it is not asked for, agreed. But for larger amounts it is more likely. And that is what you want, surely? After all, small amounts would be easy anyway using the contactless feature, but there is a limit how much damage can be caused by small transactions. A massive pattern of small transactions would probably be flagged anyway.

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Bank Card security

#152354

Postby Slarti » July 14th, 2018, 6:34 pm

Lootman wrote:
Slarti wrote:
Lootman wrote:moreover, right now if someone steals my card and my phone (quite likely since they are both always in the same location) then the thief still cannot use the card for in-store purchases (they won't have the PIN), cash withdrawals (ditto) or online purchases (they won't have the password).

I don't recall the last time I was asked for Verified by Visa for an online purchase.

I do. It was last week, for an air ticket.

Often it is not asked for, agreed. But for larger amounts it is more likely. And that is what you want, surely? After all, small amounts would be easy anyway using the contactless feature, but there is a limit how much damage can be caused by small transactions. A massive pattern of small transactions would probably be flagged anyway.


You can use contactless online?

Slarti

Lootman
The full Lemon
Posts: 18681
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6564 times

Re: Bank Card security

#152403

Postby Lootman » July 15th, 2018, 9:37 am

Slarti wrote:You can use contactless online?

Don't be cute. My point was that if someone steals your card and your phone then, under this proposal, they would have the same ability online to run up charges as if they used it contactless in person, but of course for much larger amounts.

A security system that is predicated on assumptions about the disposition of your phone is flawed. I prefer a password - the problem is that they do not ask for it enough.

As a more general point it depresses me that there is a growing trend to assume that everyone has a phone on them all the time. I have not yet been put in a position where I cannot do something I want because of that, but it is perhaps inevitable that will happen. The closest was a car park where I was required to text my number plate and receive a code that then had to be entered into the ticket machine. I parked elsewhere.

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Bank Card security

#152423

Postby Slarti » July 15th, 2018, 12:11 pm

Lootman wrote:My point was that if someone steals your card and your phone then, under this proposal, they would have the same ability online to run up charges as if they used it contactless in person, but of course for much larger amounts.

A security system that is predicated on assumptions about the disposition of your phone is flawed. I prefer a password - the problem is that they do not ask for it enough.

As a more general point it depresses me that there is a growing trend to assume that everyone has a phone on them all the time. I have not yet been put in a position where I cannot do something I want because of that, but it is perhaps inevitable that will happen. The closest was a car park where I was required to text my number plate and receive a code that then had to be entered into the ticket machine. I parked elsewhere.


They'd have problems with my phone as it is passworded. But my wife's can't be :shock:

There is a (the?) car park in Whitby that, the last time I used it, the only way to pay was by mobile phone, it added the cost to your phone bill, or you had to use a bank app to pay them. That was 9 years ago!

I also hate things like taxis that say they'll text you when they arrive. Texts aren't guaranteed instant and I have seen them take up to 24 hours to arrive.
And that is another problem, someone I use sends out a text for 2FA that only has a 10 minute life. They usually take at least 2 minutes to arrive and I'm sure that one day I won't be able to log in because one takes too long.

Slarti

johnhemming
Lemon Quarter
Posts: 3858
Joined: November 8th, 2016, 7:13 pm
Has thanked: 9 times
Been thanked: 609 times

Re: Bank Card security

#152428

Postby johnhemming » July 15th, 2018, 12:18 pm

Lootman wrote:My point was that if someone steals your card and your phone then...

It is much hard to steal a phone via the net than to get someone's credit card details (not necessarily the card).

Lootman
The full Lemon
Posts: 18681
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6564 times

Re: Bank Card security

#152464

Postby Lootman » July 15th, 2018, 1:58 pm

Slarti wrote:There is a (the?) car park in Whitby that, the last time I used it, the only way to pay was by mobile phone, it added the cost to your phone bill, or you had to use a bank app to pay them. That was 9 years ago!

I encountered it in Edinburgh, and it was probably a similar time ago. I do not believe that any important service or system should require that people have mobile phones, let alone smart phones. There should always be an alternative.

Someone gave an example earlier of a HMRC personal tax account requiring this but, again, such an account is not necessary for reporting your taxes. I do not have one, for instance, nor do I want one.

johnhemming wrote:
Lootman wrote:My point was that if someone steals your card and your phone then...

It is much hard to steal a phone via the net than to get someone's credit card details (not necessarily the card).

Yes, I was talking about having the items physically stolen. Ironically the probability of electronic theft and hacking is greater if you use a smart phone anyway. So for example I use online banking but only from my laptop and my own IP. I never use a phone, public computer or a public wifi.

gryffron
Lemon Quarter
Posts: 3606
Joined: November 4th, 2016, 10:00 am
Has thanked: 550 times
Been thanked: 1586 times

Re: Bank Card security

#153251

Postby gryffron » July 18th, 2018, 11:09 pm

Lanark wrote:The problem with this is that SMS is NOT secure, the telephone system was never designed with security in mind. Every corner shop selling mobiles can reassign numbers and SIM cards and they have pretty much zero identity checks.

Africa has had an SMS banking system for a decade. Now extends to many other countries.
https://en.m.wikipedia.org/wiki/M-Pesa

Gryff

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Bank Card security

#153568

Postby AF62 » July 20th, 2018, 7:25 am

Lootman wrote:I do not believe that any important service or system should require that people have mobile phones, let alone smart phones. There should always be an alternative.


The alternative is to choose a different supplier.

These are commercial operations and it is entirely reasonable they design their system to meet the needs of the vast majority of their customers.

Lootman
The full Lemon
Posts: 18681
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6564 times

Re: Bank Card security

#153573

Postby Lootman » July 20th, 2018, 7:52 am

AF62 wrote:
Lootman wrote:I do not believe that any important service or system should require that people have mobile phones, let alone smart phones. There should always be an alternative.

The alternative is to choose a different supplier.

These are commercial operations and it is entirely reasonable they design their system to meet the needs of the vast majority of their customers.

Yes but I said "important service or system". That might include cases where there is no alternative.

If it was announced that you needed a mobile or smart phone to vote, collect your state pension, use an airport etc. then that would be a problem. There are always people without such devices and other cases where they fail to work when you need them.

Offering access via a phone is fine. It is when that is the only option that problems arise.


Return to “Bank Accounts Savings & ISAs”

Who is online

Users browsing this forum: No registered users and 7 guests