New requirement for online banking.....Rant

Not exactly MS related but I’m rather annoyed about it. Had a letter from TSB the other day informing me of new ‘Security’ measures for online banking. Read the letter and felt like headbutting a wall to see if that’d help drive the logic in. Decided against self harm as nothing about the new measure adds security in any way. Put a complaint in and included that if it goes LIVE on the 28th I’ll be looking for another bank.

Just had a phone call from TSB explaining all banks will be doing it as required by the Financial Conduct Authority…or another government corporation.

What am I ranting about? For added security we’ll need to add MORE information to verify we are the account holder. TSB staff still referred to it as added two factor authentication. Now after you’ve used the app on your phone or received an SMS message you need to enter the OTP to verify it’s you. Pretty standard nowadays.

The new hoop is after that you’ll have to enter your email address. Won’t get an email or anything, it’s just for verification. As I politely explained to TSB in both my original complaint and over the phone just now, it’s nothing more than a HOOP to jump through. Adds absolutely 0 to a person’s account security.

OTP is the two factor authentication, 2FA, code and is gained by accessing a person’s mobile device. A device that will have access to a person’s email and thus their email address. How is that more secure? If someone, not you, has access to your:

Card details
Bank card number/long number on card
Expiry date
Security number on back


Bank account login
username/account number
Memorable word

They then need your phone for the OTP, the same device with your email on.

If someone has all the information and device to access that very information adding a million extra hoops would not increase security. All it’s going to do is annoy people.

People already fall for scams where they voluntarily give scammers their OTP. This hoop just means the scammers will ask for their email too. If someone is willing to give the scammer their OTP they’ll have concern providing their email address at the same time.

Great way to increase the number of scams after a vulnerable victim has just provided a scammer with their email address along with knowledge they are susceptible to being scammed. Watch the phishing emails flood in.

Complained to the Financial Conduct Authority. Due to Covid could take weeks before any response and won’t hold my breath on them pulling it and returning to the drawing board but worth a try.

Means I’ll be wasting the bank’s time on the phone complaining and trying to complete transactions over the phone instead of online.

Sorry about the rant. Thought it might please someone who feels the same way or point out how pointless it is to anyone that didn’t or hasn’t noticed.


And I thought ours was bad. I only have to enter my user name, password, and then answer one of several secret questions.

You have my sympathy. I agree with everything you said. All they’ve done is set everyone up for a greater risk of being hacked.

I tend to think that making a smart phone the hub of everything, which is where things seem to be going, makes that the really weak link. So much information is carried on there now. I don’t carry my desktop PC around with me - it stays at home, and uses my router only, and someone would have to break into my house to get access to that - so try to do all my vulnerable things on that rather than on my smart phone.

I’ve also got a dumb phone which is where my bank sends SMSs to, as a way to keep things a bit separate! That is so dumb it doesn’t do emails!

Something like this will be coming to all banks by March…least that’s what TSB said.

Just to clarify hacking because the news like to spout hacking for anything they have no clue about leading to the general public that don’t know getting it wrong.

Hacking requires exploiting weaknesses in code. Something that is rarely done when the News say hacked. Seen stories where a member of staff at an organisation supposedly hacked into data they shouldn’t have used. They had access to the information, they just shouldn’t have used it for personal purposes. 0 hacking involved but news said ‘hacked’.

Majority of scams, banking or otherwise, are accomplished by the crooks phishing/tricking people into voluntarily providing them with the data they need to compromise the accounts. 0 code exploitation required.

This new thing would give a scammer a vulnerable user’s email address allowing them to then progress to sending phishing emails. Again no hacking required.

Email addresses and numbers from incoming calls/SMS can be spoofed to appear like they are coming from anyone else.

That’s why the majority of my important stuff stays on my PC, which is a LARGE case and very heavy compared to an average PC.

I get your point but the vast majority of people don’t have a secondary phone. A 2FA/two factor authentication is a good thing but this is just doubling up the requirement to use information accessed from the same device which means it’s still 2FA so adds no advantage to entering your username. May as well ask for your phone number.

It is honestly insane. And there is nothing we, as clients, can do to change some rules which don’t make any sense. I called Santander UK phone number here in order to discuss some of the security precautions but unfortunately couldn’t get through.

Trying to contact them by phone can be a nightmare and is why I gave up and just put in a complaint via their/TSB website.

Just got £50 compensation from a previous complaint.

SMS to approve a transaction at 12.40 on a Sunday morning. Then a second. Phone on silent so didn’t see them till around 8am. Responded No it wasn’t me. Long story short…ish someone was trying to get a takeout using my card…just the long card number. Not my name, expiry date or security code on the back. Just the long number.

Not hard to conclude someone putting in the 16 number wrong as the rest didn’t match. As far as fraud team concerned my card had been compromised. How can it be compromised when nothing else matched? Not hard to make a typo when sober so not exactly a stretch to conclude someone making a typo after a few drinks.

Fine they gonna give me a new card with a new card number. Current card Chip and pin only, no stupid contactless rubbish as I’ll just start drilling to find the antenna and may disable the chip at the same time. The guy confirmed multiple times. Also made it clear I wanted same pin.

Card arrives. I cut it up and storm down to the bank. Ask for the manager and once he appears behind the counter I place the card bits on the counter. Told him to dispose of it securely and in the meantime order me a new card. Chip and pin only or if they send me a contactless card again we’ll repeat the process and I won’t be as polite the next time.

Again chip and pin only and keeping the same pin is confirmed.

Get new card. Go shopping with new card. Wrong pin entered…same pin for over a decade. Unlikely but ok, maybe, do I enter it again. Incorrect pin. Pay by credit card and put in a complaint via website. Made a point of explaining I choose to do it in writing since their staff can’t grasp basic English when spoken to on the phone or in person. Not even when they confirm what is agreed multiple times…eventually had an email apologising for the misunderstanding and that a new pin should be with me in the next few days and that I could change pin at a cash machine.

Several days later had an email apologising again and compensating me with £50 credit. Amazing what can happen when you complain.

Omg, I salute you for having the patience to go through all that with them, I think I’d have been looking for a new bank!

When something should be simple and they turn it into an ******* nightmare they don’t deserve our custom, they really don’t.

I was sent a contactless card 2 months ago and told I had no choice. After it scanned itself while I was standing a meter away from the register, I hurried up and bought a high-priced protective card sleeve. Don’t get the cheap plastic Chinese ones! The banks are setting us up for disaster.

No longer working so have excess free time to complain. Not that it means I’m happy wasting time complaining.

I got £250 from TSB when they had all the issues with their systems change over. Wasn’t affected much but that wasn’t the point :slight_smile:

Most Banks send them out before asking but if you request over the phone or in a Branch several are willing to send a contact/Chip and pin only card. When they do it should be flagged on the system and you’ll get contact only cards in the future.
First article I found about that here, old but still valid

When I got a credit card from TSB I did so in a branch. Mentioned my dislike over them and asked if they sent a contactless card if it would need activating as I didn’t want the contactless part. Got told I’d need to activate it by chip and pin…correct but also wrong.

Chip and pin to activate the card is correct but that goes for any new card. Wrong was that I didn’t need to activate the contactless portion specifically.

From first activation I was using my phone to scan the card to know if the contactless was active. Then used phone’s torch and put card over it. Could see a line, <1mm thick black line/wire going from the chip to the edge of the card. That would be the antenna. Marked it on the card and then took a small 1mm drill bit and drilled it.

Phone confirmed antenna broke and couldn’t scan card. Chip and pin functioned fine. Though it was my credit card which I only used online. Every now and then I’d have it declined online. Need to use it in a physical store every now and then.

Over the years they started fiddling with cards and having parts inside that make 1cm parts black. Wire under it so you can’t see. Started drilling at random and a few times broke the chip and pin preventing me from occasionally using it to do weekly shopping. I’d phone and say card broken and get a replacement.

Rinse and repeat. Had 3 in 3 months and each time I said I didn’t want a contactless card and they’d send one. I’d drill it at random not worrying about breaking it. Last time I told them what I was doing. If they send me a contactless card again I’ll drill it and that could mean I’d break it and need yet another replacement. Or they could let me use it purely online and stop declining my card every few months and it’d never leave the house. Just send a text with an OTP. Nope they didn’t like that.

I made a point of saying I didn’t want a contactless card when I applied for it and was told I’d have to activate it which was misleading as chip and pin does. Options are they either supply a contact/chip and pin only card or I continue drilling them to disable the antenna and may break the cards completely. Could have said I’d go elsewhere I suppose but they apologised and said I had been misled and issued me a contact/chip and pin only card. Takes a few days longer.

Oh and I got £25 compensation/apology

Bottomline challenge them, threaten to start drilling your cards to disable the antenna and make sure they’ll be footing the cost of a replacement.

As for the blockers. Meh. They are only any good next to the card. So contactless payments are a no and so are Chip and pin because you can’t have it attached in the chip and pin machine.

Anyone with the tech to scan a room full of contactless cards would get it the moment you pay for something. Get the tech for £100ish on ebay or amazon and it’d fit in medium sized handbag/backpack.

No high price sleeve or anything needed really. Just line your bag/purse with some foil. Reason why all the nutters thinking they’re being tracked are portrayed wearing foil hats. Poor man’s Faraday cage which is just a metal shell for blocking signals.

Just wrote a complaint to Paypal again…Still waiting on FCA to finish investigating complaints I made about Paypal, TSB and well the FCA for them dictating the new measures I mentioned when I created this thread back in January.

Reason for update and the new complaint. Tried to do an online purchase a few days ago using Credit card. Did all the card details, confirmed the OTP sent via SMS to my phone and then got asked to enter my email address. Couple of clicks on my phone = I can see my email address. Knew I could but just double checking that if someone had my card and my phone to confirm the SMS they could access my email address for the useless and misleading new measure. I entered something random.

Changed to use Paypal. Oh just the 1 verification. SMS code. Used to use the authenticator app as phone needs to be unlocked to use it but Paypal started sending SMS code immediately afterwards. Starting with SMS code = just the SMS code…till just now. Logged in to check my Paypal account.

Password (very secure)
SMS code followed by SMS code

Seriously?? How is a second SMS code to the exact same phone number more secure than the first? Even worse than the enter your email hoop. How the hell do the senior managers on 100,00+ salaries not see the new steps add 0 security?

Now I’m not saying everyone is stupid or anything but there are plenty of people in this world that will just accept the new step as added security without question. Then when some have their accounts compromised and someone spends their money they be oh but I used x and we had to do that, how did someone get to use my account with all the added security.

I see it all the time on a game platform. Users do silly stuff and login using phishing websites for various reasons. The first defense is but but but I use the two-factor Authentication, 2FA, so how did someone get into my account. I was hacked.

2FA is just another key and them giving their username, password and 2FA code to a phishing site is like giving their house keys to a stranger. They think that 2FA magically makes their accounts immune to compromise when it’s just an extra key.

2FA is added security, it works provided you don’t give it away. It’s having a second device for verification purposes. Having to use the same second device is not more security, it’s just a hoop trying to mask that hoop as added security when the second step is nothing more than using the 2FA twice. No better than asking a person to enter their

Card Number
Expiry Date
Security code

or anything Twice

Sorry for the bump and rant. Rather stressful day and the 2 SMS in a row was so … annoying. Asking to verify using the Authenticator app would be a little tedious and annoying but the logic of 2 SMS is mind boggling. Which says something when I’m rather tired, physically as well as cognitively, have MS, and not educated in any form of online security and it’s so obvious that it does jack. :man_facepalming: :man_facepalming: :man_facepalming: :man_facepalming: :man_facepalming: :man_facepalming:

Ok off for some alcohol and to try relaxing. Hope everyone has a better night.