Remove ads

Introducing the LemonFools Personal Finance Calculators

Bank Card security

XFool
Lemon Quarter
Posts: 2021
Joined: November 8th, 2016, 7:21 pm
Been thanked: 128 times

Bank Card security

#152272

Postby XFool » July 13th, 2018, 11:22 pm

This is interesting news. TiM, of course, highlights all the negatives:

Banks will soon require text message confirmation for online Visa card purchases in shake-up that will hit ALL internet shoppers

This is Money

Same method as used by HMRC with online accounts.

I am not surprised the 'Verified by Visa' system is being replaced. It used to irritate me and I never used it as intended, just used a one time password which I never bothered to remember. Had to start again from scratch every time. Eventually 'V by V' switched to asking for the same card details you had just entered for the merchant. So I imagine everyone else was doing the same thing.

The article mentions possible security problems using SMS for a One Time Pin. I wonder if the solution could be an industry wide standardised card reader that worked with all available cards?

mc2fool
Lemon Slice
Posts: 849
Joined: November 4th, 2016, 11:24 am
Has thanked: 4 times
Been thanked: 106 times

Re: Bank Card security

#152276

Postby mc2fool » July 14th, 2018, 12:09 am

XFool wrote:I wonder if the solution could be an industry wide standardised card reader that worked with all available cards?

I think they already are, if not by a formal standard then at least in reality.

A couple of years ago when I was waiting for a much overdue suspected-lost-in-the-post Lloyds card reader to turn up I called them and the agent, after saying he'd send me another, asked if I had a reader from another bank. I said yes and, without me saying from which, he told me I could use that too as "they're all the same".

And, indeed, my Barclays and Lloyds readers (the only two I have) are interchangeable, I can use either card in either reader and it works fine.

JohnB
2 Lemon pips
Posts: 184
Joined: January 15th, 2017, 9:20 am
Been thanked: 37 times

Re: Bank Card security

#152280

Postby JohnB » July 14th, 2018, 6:46 am

I’d not want to add card readers to my holiday luggage. Phone in one trouser pocket, cards in another, cash in a third gives reasonable flexibility. I don’t want the phone to be a single point of financial access, so am wary of apps on it. Text messages ok. But I live in a city, not sure I’d be happy in the country.

Lootman
Lemon Quarter
Posts: 3405
Joined: November 4th, 2016, 3:58 pm
Been thanked: 503 times

Re: Bank Card security

#152284

Postby Lootman » July 14th, 2018, 7:51 am

XFool wrote:This is interesting news. TiM, of course, highlights all the negatives:

Banks will soon require text message confirmation for online Visa card purchases in shake-up that will hit ALL internet shoppers

TiM missed a few problems.

What about people who do not have a mobile phone, or have an old one without text functionality, or are overseas in a country where their UK phone doesn't work, or where the battery is flat, or . . . ?

Alaric
Lemon Quarter
Posts: 1873
Joined: November 5th, 2016, 9:05 am
Has thanked: 3 times
Been thanked: 341 times

Re: Bank Card security

#152286

Postby Alaric » July 14th, 2018, 8:16 am

Lootman wrote:TiM missed a few problems.?


The quote does say it's for on-line purchases, rather than all purchases. If they are following the same system design as HMRC, that would include a voice message giving a code.

But I can see that if you don't have a second means of communication, the security could thwart you. An example would be perhaps using a tablet or non-phone device in a public wi-fi zone like a shop. Perhaps the next development should be built in card readers, so that the separate gadget wasn't needed.

Lanark
Posts: 32
Joined: March 27th, 2017, 11:41 am
Has thanked: 4 times
Been thanked: 3 times

Re: Bank Card security

#152293

Postby Lanark » July 14th, 2018, 9:51 am

The problem with this is that SMS is NOT secure, the telephone system was never designed with security in mind. Every corner shop selling mobiles can reassign numbers and SIM cards and they have pretty much zero identity checks.

UK banks don't exactly have a great reputation in designing secure systems:
https://www.theregister.co.uk/2005/10/2 ... nd_rogues/

XFool
Lemon Quarter
Posts: 2021
Joined: November 8th, 2016, 7:21 pm
Been thanked: 128 times

Re: Bank Card security

#152314

Postby XFool » July 14th, 2018, 12:23 pm

mc2fool wrote:
XFool wrote:I wonder if the solution could be an industry wide standardised card reader that worked with all available cards?

I think they already are, if not by a formal standard then at least in reality.

A couple of years ago when I was waiting for a much overdue suspected-lost-in-the-post Lloyds card reader to turn up I called them and the agent, after saying he'd send me another, asked if I had a reader from another bank. I said yes and, without me saying from which, he told me I could use that too as "they're all the same".

That's interesting. My bank's card reader rejects any other cards I've tried. But then the only cards other cards I have are credit cards and I don't think they use such a system.

But if the above is true, what's the problem for Visa? Just use existing or general purpose card readers. Does anyone have a credit card that uses a card reader?

doug2500
2 Lemon pips
Posts: 162
Joined: November 4th, 2016, 11:51 am
Has thanked: 14 times
Been thanked: 36 times

Re: Bank Card security

#152315

Postby doug2500 » July 14th, 2018, 12:47 pm

This is exactly how my wifes account was compromised. Her bank sends one time codes to her mobile but the fraudsters had her card details, probably from a shop but never proved, and hacked her phone. Vodafone were no real help, but then is it their responsibility to protect the bank?

Stupid idea IMO

mc2fool
Lemon Slice
Posts: 849
Joined: November 4th, 2016, 11:24 am
Has thanked: 4 times
Been thanked: 106 times

Re: Bank Card security

#152319

Postby mc2fool » July 14th, 2018, 1:00 pm

XFool wrote:That's interesting. My bank's card reader rejects any other cards I've tried. But then the only cards other cards I have are credit cards and I don't think they use such a system.

But if the above is true, what's the problem for Visa? Just use existing or general purpose card readers. Does anyone have a credit card that uses a card reader?

Well, I've just tried all of my credit & debit cards (from 7 banks in total, although all of them Visa) in both of my readers and they are all accepted to the initial prompt (Respond, Sign or Identify), and on most of them - including the credit cards - I can Identify and enter the PIN and it gives me a code. Only two debit cards give "This card is not valid".

I should stress that my comments on this are based purely on what the Lloyds call centre agent told me ("they're all the same") along with my personal experience with just my two card readers and collection of cards, as I've described. I should also clarify that I don't have any credit or debit cards that require the use of a reader; the cards I use with the readers I have are authorisation cards for logging in.

Lootman
Lemon Quarter
Posts: 3405
Joined: November 4th, 2016, 3:58 pm
Been thanked: 503 times

Re: Bank Card security

#152325

Postby Lootman » July 14th, 2018, 1:43 pm

doug2500 wrote:This is exactly how my wifes account was compromised. Her bank sends one time codes to her mobile but the fraudsters had her card details, probably from a shop but never proved, and hacked her phone. Vodafone were no real help, but then is it their responsibility to protect the bank?

Stupid idea IMO

I agree and, moreover, right now if someone steals my card and my phone (quite likely since they are both always in the same location) then the thief still cannot use the card for in-store purchases (they won't have the PIN), cash withdrawals (ditto) or online purchases (they won't have the password).

With this system they can use my card online. So I am less secure as a result.

Slarti
Lemon Quarter
Posts: 2052
Joined: November 4th, 2016, 3:46 pm
Has thanked: 315 times
Been thanked: 260 times

Re: Bank Card security

#152339

Postby Slarti » July 14th, 2018, 4:40 pm

[quote="Lootman"]moreover, right now if someone steals my card and my phone (quite likely since they are both always in the same location) then the thief still cannot use the card for in-store purchases (they won't have the PIN), cash withdrawals (ditto) or online purchases (they won't have the password)./quote]

I don't recall the last time I was asked for Verified by Visa for an online purchase.


Slarti

Lootman
Lemon Quarter
Posts: 3405
Joined: November 4th, 2016, 3:58 pm
Been thanked: 503 times

Re: Bank Card security

#152351

Postby Lootman » July 14th, 2018, 6:17 pm

Slarti wrote:
Lootman wrote:moreover, right now if someone steals my card and my phone (quite likely since they are both always in the same location) then the thief still cannot use the card for in-store purchases (they won't have the PIN), cash withdrawals (ditto) or online purchases (they won't have the password).

I don't recall the last time I was asked for Verified by Visa for an online purchase.

I do. It was last week, for an air ticket.

Often it is not asked for, agreed. But for larger amounts it is more likely. And that is what you want, surely? After all, small amounts would be easy anyway using the contactless feature, but there is a limit how much damage can be caused by small transactions. A massive pattern of small transactions would probably be flagged anyway.

Slarti
Lemon Quarter
Posts: 2052
Joined: November 4th, 2016, 3:46 pm
Has thanked: 315 times
Been thanked: 260 times

Re: Bank Card security

#152354

Postby Slarti » July 14th, 2018, 6:34 pm

Lootman wrote:
Slarti wrote:
Lootman wrote:moreover, right now if someone steals my card and my phone (quite likely since they are both always in the same location) then the thief still cannot use the card for in-store purchases (they won't have the PIN), cash withdrawals (ditto) or online purchases (they won't have the password).

I don't recall the last time I was asked for Verified by Visa for an online purchase.

I do. It was last week, for an air ticket.

Often it is not asked for, agreed. But for larger amounts it is more likely. And that is what you want, surely? After all, small amounts would be easy anyway using the contactless feature, but there is a limit how much damage can be caused by small transactions. A massive pattern of small transactions would probably be flagged anyway.


You can use contactless online?

Slarti

Lootman
Lemon Quarter
Posts: 3405
Joined: November 4th, 2016, 3:58 pm
Been thanked: 503 times

Re: Bank Card security

#152403

Postby Lootman » July 15th, 2018, 9:37 am

Slarti wrote:You can use contactless online?

Don't be cute. My point was that if someone steals your card and your phone then, under this proposal, they would have the same ability online to run up charges as if they used it contactless in person, but of course for much larger amounts.

A security system that is predicated on assumptions about the disposition of your phone is flawed. I prefer a password - the problem is that they do not ask for it enough.

As a more general point it depresses me that there is a growing trend to assume that everyone has a phone on them all the time. I have not yet been put in a position where I cannot do something I want because of that, but it is perhaps inevitable that will happen. The closest was a car park where I was required to text my number plate and receive a code that then had to be entered into the ticket machine. I parked elsewhere.

Slarti
Lemon Quarter
Posts: 2052
Joined: November 4th, 2016, 3:46 pm
Has thanked: 315 times
Been thanked: 260 times

Re: Bank Card security

#152423

Postby Slarti » July 15th, 2018, 12:11 pm

Lootman wrote:My point was that if someone steals your card and your phone then, under this proposal, they would have the same ability online to run up charges as if they used it contactless in person, but of course for much larger amounts.

A security system that is predicated on assumptions about the disposition of your phone is flawed. I prefer a password - the problem is that they do not ask for it enough.

As a more general point it depresses me that there is a growing trend to assume that everyone has a phone on them all the time. I have not yet been put in a position where I cannot do something I want because of that, but it is perhaps inevitable that will happen. The closest was a car park where I was required to text my number plate and receive a code that then had to be entered into the ticket machine. I parked elsewhere.


They'd have problems with my phone as it is passworded. But my wife's can't be :shock:

There is a (the?) car park in Whitby that, the last time I used it, the only way to pay was by mobile phone, it added the cost to your phone bill, or you had to use a bank app to pay them. That was 9 years ago!

I also hate things like taxis that say they'll text you when they arrive. Texts aren't guaranteed instant and I have seen them take up to 24 hours to arrive.
And that is another problem, someone I use sends out a text for 2FA that only has a 10 minute life. They usually take at least 2 minutes to arrive and I'm sure that one day I won't be able to log in because one takes too long.

Slarti

johnhemming
Lemon Quarter
Posts: 1147
Joined: November 8th, 2016, 7:13 pm
Has thanked: 3 times
Been thanked: 119 times

Re: Bank Card security

#152428

Postby johnhemming » July 15th, 2018, 12:18 pm

Lootman wrote:My point was that if someone steals your card and your phone then...

It is much hard to steal a phone via the net than to get someone's credit card details (not necessarily the card).

Lootman
Lemon Quarter
Posts: 3405
Joined: November 4th, 2016, 3:58 pm
Been thanked: 503 times

Re: Bank Card security

#152464

Postby Lootman » July 15th, 2018, 1:58 pm

Slarti wrote:There is a (the?) car park in Whitby that, the last time I used it, the only way to pay was by mobile phone, it added the cost to your phone bill, or you had to use a bank app to pay them. That was 9 years ago!

I encountered it in Edinburgh, and it was probably a similar time ago. I do not believe that any important service or system should require that people have mobile phones, let alone smart phones. There should always be an alternative.

Someone gave an example earlier of a HMRC personal tax account requiring this but, again, such an account is not necessary for reporting your taxes. I do not have one, for instance, nor do I want one.

johnhemming wrote:
Lootman wrote:My point was that if someone steals your card and your phone then...

It is much hard to steal a phone via the net than to get someone's credit card details (not necessarily the card).

Yes, I was talking about having the items physically stolen. Ironically the probability of electronic theft and hacking is greater if you use a smart phone anyway. So for example I use online banking but only from my laptop and my own IP. I never use a phone, public computer or a public wifi.


Return to “Bank Accounts Savings & ISAs”

Who is online

Users browsing this forum: No registered users and 1 guest