New requirement for online banking.....Rant

Not exactly MS related, but I'm rather annoyed about it. Had a letter from TSB the other day informing me of new 'Security' measures for online banking. Read the letter and felt like headbutting a wall to see if that'd help drive the logic in. Decided against self-harm, as nothing about the new measure adds security in any way. Put a complaint in and included that if it goes LIVE on the 28th I'll be looking for another bank.

Just had a phone call from TSB explaining all banks will be doing it as required by the Financial Conduct Authority… or another government corporation.

What am I ranting about? For added security we'll need to add MORE information to verify we are the account holder. TSB staff still referred to it as added two-factor authentication. Now, after you've used the app on your phone or received an SMS message, you need to enter the OTP to verify it's you. Pretty standard nowadays.

The new hoop is that after that you'll have to enter your email address. You won't get an email or anything; it's just for verification. As I politely explained to TSB in both my original complaint and over the phone just now, it's nothing more than a HOOP to jump through. It adds absolutely 0 to a person's account security.

The OTP is the two-factor authentication (2FA) code and is gained by accessing a person's mobile device. A device that will have access to a person's email and thus their email address. How is that more secure? If someone, not you, has access to your

Card details
Bank card number/long number on card
Expiry date
Security number on back
Name

or

Bank account login
username/account number
password
Memorable word

They then need your phone for the OTP, the same device with your email on.

If someone has all the information and the device to access that very information, adding a million extra hoops would not increase security. All it's going to do is annoy people.

People already fall for scams where they voluntarily give scammers their OTP. This hoop just means the scammers will ask for their email too. If someone is willing to give the scammer their OTP, they'll have no concern providing their email address at the same time.

Great way to increase the number of scams after a vulnerable victim has just provided a scammer with their email address, along with the knowledge that they're susceptible to being scammed. Watch the phishing emails flood in.

Complained to the Financial Conduct Authority. Due to Covid it could take weeks before any response, and I won't hold my breath on them pulling it and returning to the drawing board, but worth a try.

Means I'll be wasting the bank's time on the phone complaining and trying to complete transactions over the phone instead of online.

Sorry about the rant. Thought it might please someone who feels the same way, or point out how pointless it is to anyone that didn't or hasn't noticed.


And I thought ours was bad. I only have to enter my user name, password, and then answer one of several secret questions.

You have my sympathy. I agree with everything you said. All they’ve done is set everyone up for a greater risk of being hacked.

I tend to think that making a smartphone the hub of everything, which is where things seem to be going, makes that the really weak link. So much information is carried on there now. I don't carry my desktop PC around with me - it stays at home and uses my router only, and someone would have to break into my house to get access to that - so I try to do all my vulnerable things on that rather than on my smartphone.

I've also got a dumb phone, which is where my bank sends SMSs to, as a way to keep things a bit separate! It is so dumb it doesn't do emails!

Something like this will be coming to all banks by March… at least that's what TSB said.

Just to clarify 'hacking', because the news likes to spout 'hacking' for anything they have no clue about, leading to the general public that don't know getting it wrong.

Hacking requires exploiting weaknesses in code. Something that is rarely done when the news say 'hacked'. I've seen stories where a member of staff at an organisation supposedly hacked into data they shouldn't have used. They had access to the information; they just shouldn't have used it for personal purposes. 0 hacking involved, but the news said 'hacked'.

The majority of scams, banking or otherwise, are accomplished by crooks phishing/tricking people into voluntarily providing them with the data they need to compromise the accounts. 0 code exploitation required.

This new thing would give a scammer a vulnerable user's email address, allowing them to then progress to sending phishing emails. Again, no hacking required.

Email addresses and numbers from incoming calls/SMS can be spoofed to appear like they are coming from anyone else.

That's why the majority of my important stuff stays on my PC, which is a LARGE case and very heavy compared to an average PC.

I get your point, but the vast majority of people don't have a secondary phone. 2FA/two-factor authentication is a good thing, but this is just doubling up the requirement to use information accessed from the same device, which means it's still 2FA, so it adds no advantage to entering your username. May as well ask for your phone number.

Trying to contact them by phone can be a nightmare, which is why I gave up and just put in a complaint via their/TSB's website.

Just got £50 compensation from a previous complaint.

SMS to approve a transaction at 12.40 on a Sunday morning. Then a second. Phone on silent, so didn't see them till around 8am. Responded 'No, it wasn't me'. Long story short…ish, someone was trying to get a takeout using my card… just the long card number. Not my name, expiry date or security code on the back. Just the long number.

Not hard to conclude someone putting in the 16-digit number wrong, as the rest didn't match. As far as the fraud team were concerned my card had been compromised. How can it be compromised when nothing else matched? Not hard to make a typo when sober, so not exactly a stretch to conclude someone making a typo after a few drinks.

Fine, they're gonna give me a new card with a new card number. Current card chip and PIN only, no stupid contactless rubbish, as I'll just start drilling to find the antenna and may disable the chip at the same time. The guy confirmed multiple times. Also made it clear I wanted the same PIN.

Card arrives. I cut it up and storm down to the bank. Ask for the manager, and once he appears behind the counter I place the card bits on the counter. Told him to dispose of it securely and in the meantime order me a new card. Chip and PIN only, or if they send me a contactless card again we'll repeat the process and I won't be as polite the next time.

Again, chip and PIN only and keeping the same PIN is confirmed.

Get new card. Go shopping with new card. Wrong PIN entered… same PIN for over a decade. Unlikely, but ok, maybe, so I enter it again. Incorrect PIN. Pay by credit card and put in a complaint via the website. Made a point of explaining I chose to do it in writing since their staff can't grasp basic English when spoken on the phone or in person. Not even when they confirm what is agreed multiple times… eventually had an email apologising for the misunderstanding and saying that a new PIN should be with me in the next few days and that I could change the PIN at a cash machine.

Several days later had an email apologising again and compensating me with a £50 credit. Amazing what can happen when you complain.

Omg, I salute you for having the patience to go through all that with them, I think I’d have been looking for a new bank!

When something should be simple and they turn it into an ******* nightmare they don’t deserve our custom, they really don’t.

I was sent a contactless card 2 months ago and told I had no choice. After it scanned itself while I was standing a meter away from the register, I hurried up and bought a high-priced protective card sleeve. Don’t get the cheap plastic Chinese ones! The banks are setting us up for disaster.

No longer working, so I have excess free time to complain. Not that it means I'm happy wasting time complaining.

I got £250 from TSB when they had all the issues with their systems changeover. Wasn't affected much, but that wasn't the point :slight_smile:

Most banks send them out before asking, but if you request over the phone or in a branch several are willing to send a contact/chip and PIN only card. When they do, it should be flagged on the system and you'll get contact-only cards in the future.
First article I found about that here, old but still valid

When I got a credit card from TSB I did so in a branch. Mentioned my dislike of them and asked, if they sent a contactless card, whether it would need activating, as I didn't want the contactless part. Got told I'd need to activate it by chip and PIN… correct but also wrong.

Chip and PIN to activate the card is correct, but that goes for any new card. Wrong was that I didn't need to activate the contactless portion specifically.

From first activation I was using my phone to scan the card to know if the contactless was active. Then used the phone's torch and put the card over it. Could see a line, a <1mm thick black line/wire going from the chip to the edge of the card. That would be the antenna. Marked it on the card and then took a small 1mm drill bit and drilled it.

Phone confirmed the antenna was broken and couldn't scan the card. Chip and PIN functioned fine. Though it was my credit card, which I only used online. Every now and then I'd have it declined online. Need to use it in a physical store every now and then.

Over the years they started fiddling with cards and having parts inside that make 1cm parts black, with the wire under it so you can't see. Started drilling at random and a few times broke the chip and PIN, preventing me from occasionally using it to do the weekly shopping. I'd phone and say the card was broken and get a replacement.

Rinse and repeat. Had 3 in 3 months, and each time I said I didn't want a contactless card and they'd send one. I'd drill it at random, not worrying about breaking it. Last time I told them what I was doing. If they send me a contactless card again I'll drill it, and that could mean I'd break it and need yet another replacement. Or they could let me use it purely online and stop declining my card every few months and it'd never leave the house. Just send a text with an OTP. Nope, they didn't like that.

I made a point of saying I didn't want a contactless card when I applied for it and was told I'd have to activate it, which was misleading as chip and PIN does. Options are they either supply a contact/chip and PIN only card or I continue drilling them to disable the antenna and may break the cards completely. Could have said I'd go elsewhere I suppose, but they apologised and said I had been misled and issued me a contact/chip and PIN only card. Takes a few days longer.

Oh, and I got £25 compensation/apology.

Bottom line: challenge them, threaten to start drilling your cards to disable the antenna, and make sure they'll be footing the cost of a replacement.

As for the blockers. Meh. They are only any good next to the card. So contactless payments are a no, and so is chip and PIN, because you can't have it attached in the chip and PIN machine.

Anyone with the tech to scan a room full of contactless cards would get it the moment you pay for something. Get the tech for £100ish on eBay or Amazon and it'd fit in a medium-sized handbag/backpack.

No high-priced sleeve or anything needed really. Just line your bag/purse with some foil. Reason why all the nutters thinking they're being tracked are portrayed wearing foil hats. Poor man's Faraday cage, which is just a metal shell for blocking signals.

Just wrote a complaint to PayPal again… Still waiting on the FCA to finish investigating complaints I made about PayPal, TSB and, well, the FCA for dictating the new measures I mentioned when I created this thread back in January.

Reason for the update and the new complaint. Tried to do an online purchase a few days ago using a credit card. Did all the card details, confirmed the OTP sent via SMS to my phone and then got asked to enter my email address. A couple of clicks on my phone = I can see my email address. Knew I could, but was just double-checking that if someone had my card and my phone to confirm the SMS, they could access my email address for the useless and misleading new measure. I entered something random.

Changed to use PayPal. Oh, just the 1 verification. SMS code. Used to use the authenticator app, as the phone needs to be unlocked to use it, but PayPal started sending the SMS code immediately afterwards. Starting with the SMS code = just the SMS code… till just now. Logged in to check my PayPal account.

Username
Password (very secure)
SMS code followed by SMS code

Seriously?? How is a second SMS code to the exact same phone number more secure than the first? Even worse than the 'enter your email' hoop. How the hell do the senior managers on 100,000+ salaries not see the new steps add 0 security?

Now I'm not saying everyone is stupid or anything, but there are plenty of people in this world that will just accept the new step as added security without question. Then when some have their accounts compromised and someone spends their money, they'll be 'oh, but I used x and we had to do that, how did someone get to use my account with all the added security?'

I see it all the time on a game platform. Users do silly stuff and log in using phishing websites for various reasons. The first defence is 'but but but I use two-factor authentication, 2FA, so how did someone get into my account? I was hacked.'

2FA is just another key, and them giving their username, password and 2FA code to a phishing site is like giving their house keys to a stranger. They think that 2FA magically makes their accounts immune to compromise when it's just an extra key.

2FA is added security; it works provided you don't give it away. It's having a second device for verification purposes. Having to use the same second device twice is not more security; it's just a hoop, trying to mask that hoop as added security when the second step is nothing more than using the 2FA twice. No better than asking a person to enter their

Card Number
Expiry Date
Name
Security code

or anything twice.

Sorry for the bump and rant. Rather stressful day, and the 2 SMS in a row was so… annoying. Asking to verify using the authenticator app would be a little tedious and annoying, but the logic of 2 SMS is mind-boggling. Which says something when I'm rather tired, physically as well as cognitively, have MS, and am not educated in any form of online security, and it's so obvious that it does jack. :man_facepalming: :man_facepalming: :man_facepalming:

Ok, off for some alcohol and to try relaxing. Hope everyone has a better night.

Either they reduced the frequency after myself and, I'd expect, others complained, or their wording just sucked. I've probably had to enter my email address 4 times since I created this thread. They still use SMS, which is pathetic, as there is this old thing called SIM cloning. Then there is the new voice cloning, so someone can likely gather what they need, data-wise, and only need a 3-second or so clip of someone talking to clone their voice. Then they just call your phone provider impersonating you and divert the calls and SMS with passcodes. Oh, and if you've recorded your voicemail message they can get a sample of your voice for the cloning just by calling to listen to it. There are methods to automatically go to voicemail without a person's phone ever ringing.

Any 2FA/MFA or whatever else that requires a person's phone should require that you unlock your device to use it, and that includes if the device was already unlocked before you open the 2FA/MFA app. People's phones get swiped all the time. Watched another video of a biker swiping a pedestrian's phone out of their hands in London less than an hour ago.

Problem is these bodies, like old IT 'experts', don't seem to grasp what it is they talk about. I worked in a warehouse 20+ years ago and they had a policy of requiring you to change your password every 30 days for security. I lost track of how many times I complained about it being a stupid policy. I left for a year, 14 months actually. When I returned I got access to over 2 dozen user accounts without asking anyone for their password. I went back on a night shift. I knew the passwords for the 8 people on nights already, and they all did the same thing: a password with a number at the end, and that number got increased by +1 or +2 depending on what part of the month it got changed. As for the rest, post-it notes dotted around the office, stuck on monitors or desktops that I could see through the windows, or in desk drawers, and I had access to the offices. Even after all that, IT still stuck by their 'change password periodically for enhanced security'. Nowadays any sensible security expert advises that frequent password changes make for weaker security.

As for banks educating users, that's all well and good, but the fact is the vast majority of people live in a bubble and they're more than happy to ignore those emails about tips and warnings about avoiding scammers and stuff. TSB have been using their app to make you access it on your phone, unlock the phone to access it, and then confirm a payment request for something you're trying to buy online. In theory it's ok, not hugely annoying or time-consuming or anything like that. However, nothing is stopping you doing so on a dodgy scam site supposedly 'selling' something. But it's better than nothing.

Phone scammers and internet scammers will often use pressure and scare tactics and will talk any victim through those steps, making them nothing more than a hurdle.

I'm not against educating people. I'm all for it, but I know there are way too many people that ignore stuff like that. Rather sit in their bubble than read something that might not be fun.

Also, they have the wordings and tactics. Some scam methods involve telling a victim they are going to send them a code they need the victim to read back to them to confirm they are who they say they are. That code could be sent when the scammer is trying to move the victim's money, which triggers the bank's system to send the code via SMS. When the victim reads it back to the scammer, the scammer uses it.

Banks should be educating everyone that if someone from the bank calls you, do NOT do anything until they verify who THEY are. As they can't give you any information, they can't do that. At which point take a name, ask what it's about and say you'll call them back. Call them back from another device, or restart your phone and wait an hour or more before calling them back via the number on the back of your bank card. I've done that for decades. The reason you wait and restart the phone is because scammers can hold the line open. If you call back too soon they can play fake audio and then answer the call as though you just called them back, when they are actually still connected. No matter how many times I've done this, no bank changes anything.

Even with the current education the scammers adapt and can be convincing when pressure is put on their victims. I know a guy in his 50s that was called at 2am and woken up; half asleep, they piled on the pressure, but immediately after he hung up he realised and called the bank. Luckily they managed to stop everything. Mistakes happen and scammers do stuff like that. Had he been drinking, not well, or a host of other things, no amount of education would have helped.

Scammers sent SMS messages to my mother pretending to be my niece using someone else's phone because hers was stolen. It's only by chance that I'd described that exact same scam to her a few days before, and she had the sense to call my niece, who answered her phone, thus confirming the SMS was a scam. If I wasn't so 'paranoid' about this sort of stuff it's highly likely she would have got scammed.

Things are only going to get worse with voice cloning and deepfakes. While I could, I never would, but I could access software to do both of those; with some AI training on my computer I'd be able to run a pretty good-looking and good-sounding video chat whilst looking and sounding like someone else. Plenty of people slap way too much information on the internet that would allow someone to appear more like the faked persona. I reiterate, whilst I could do that stuff I am in no way going to do such a thing.
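The forced-rotation failure mode described in the post above (a 30-day change policy turning a number at the end of the password into the next number up) can be shown from both sides in code. The following is an added example, not code from the original thread or from any employer's or bank's system: `guess_rotated` is the attacker's candidate list for a password that has been rotated by +1 or +2, and `check_password_change` is the kind of check a password-change handler can run, since the old password is presented alongside the new one at change time. The function names, the constructed sample passwords (`Warehouse07` and friends) and the edit-distance threshold of 3 are assumptions for illustration.

```python
import re

# Trailing-number pattern: stem, digits, optional trailing punctuation, e.g. "Warehouse07!"
_SUFFIX = re.compile(r"^(.*?)(\d+)([^A-Za-z0-9]*)$")


def split_suffix(pw: str):
    """'Warehouse07!' -> ('Warehouse', '07', '!'); None if there is no trailing number."""
    m = _SUFFIX.match(pw)
    return m.groups() if m else None


def guess_rotated(old: str, steps=(1, 2)) -> list:
    """Attacker's view: what a user who rotates by +1 or +2 will pick next.
    Zero-padding is preserved so '07' becomes '08', not '8'."""
    parts = split_suffix(old)
    if parts is None:
        return []
    stem, num, tail = parts
    return [f"{stem}{str(int(num) + s).zfill(len(num))}{tail}" for s in steps]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value means the 'new' password is a cosmetic tweak."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password_change(old: str, new: str, min_distance: int = 3):
    """Defender's view: returns (accepted, reason). Assumed policy: reject an
    unchanged password, the same stem with only the trailing number changed,
    and anything within `min_distance` edits of the old one (case-insensitive)."""
    if new == old:
        return False, "unchanged"
    po, pn = split_suffix(old), split_suffix(new)
    if po and pn and po[0] and po[0].lower() == pn[0].lower():
        return False, "same stem, only the trailing number or punctuation changed"
    d = levenshtein(old.lower(), new.lower())
    if d < min_distance:
        return False, f"too similar to the previous password (edit distance {d})"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the night-shift pattern from the post, not real credentials.
    print(guess_rotated("Warehouse07"))  # ['Warehouse08', 'Warehouse09']
    for candidate in ["Warehouse08", "warehouse2024", "Warehouse07!", "correct horse battery"]:
        print(candidate, check_password_change("Warehouse07", candidate))
```

The attacker side is the cheap part: two guesses per account cover the +1/+2 habit the post describes, which is why a 30-day rotation rule buys nothing once the pattern is known. The defender side only works because the change handler sees both passwords in the clear at that moment; it cannot be bolted on afterwards from stored hashes.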
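The read-back scam in the same post (the scammer starts a transfer, the bank's system sends the victim the code, the victim reads it out) can be made concrete with a toy server-side OTP design. This is an added example, not TSB's, PayPal's or any bank's actual implementation: the code is an HMAC over the account, purpose, amount and payee, so a code issued for a login cannot be replayed to approve a payment, and the SMS text states exactly what the code authorises. The random `SERVER_KEY`, the in-memory `PENDING` store, the message wording and the 5-minute lifetime are assumptions. It also shows the limit the post points out: when the scammer's own transfer triggered the code, that code is valid for that transfer, and only the wording of the message (and the victim not reading it out) can stop it.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass, replace

# Assumed: a per-server secret. In a real deployment this lives in an HSM, not in
# process memory; a fresh random key is generated here so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)

# Assumed: one outstanding challenge per account, kept server-side.
PENDING: dict = {}


@dataclass(frozen=True)
class Challenge:
    account: str
    purpose: str        # "login" or "payment"
    amount_pence: int   # 0 for a login
    payee: str          # "" for a login
    nonce: str          # fresh per challenge, so codes never repeat
    issued_at: float


def code_for(ch: Challenge, key: bytes = SERVER_KEY) -> str:
    """Six-digit code bound to every field of the challenge via HMAC-SHA256."""
    msg = "|".join([ch.account, ch.purpose, str(ch.amount_pence), ch.payee, ch.nonce]).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def issue(account: str, purpose: str, amount_pence: int = 0, payee: str = "") -> str:
    """Record a pending challenge and return the SMS text the customer would see."""
    ch = Challenge(account, purpose, amount_pence, payee, secrets.token_hex(8), time.time())
    PENDING[account] = ch
    code = code_for(ch)
    what = f"a payment of £{amount_pence / 100:.2f} to {payee}" if purpose == "payment" else "logging in"
    # The wording is the only thing a human can use to notice a scammer's transfer.
    return f"Code {code} is for {what}. Never read it to a caller; the bank will not ask for it."


def code_from_sms(sms: str) -> str:
    """What a victim reading the text aloud would hand over."""
    return re.search(r"Code (\d{6})", sms).group(1)


def verify(account: str, purpose: str, code: str, amount_pence: int = 0,
           payee: str = "", max_age_s: int = 300) -> bool:
    """Accept only if the code matches the pending challenge for these exact details."""
    ch = PENDING.get(account)
    if ch is None or time.time() - ch.issued_at > max_age_s:
        return False
    # Recompute with the details the caller claims; any changed field yields a different code.
    claimed = replace(ch, purpose=purpose, amount_pence=amount_pence, payee=payee)
    ok = hmac.compare_digest(code_for(claimed), code)
    if ok:
        del PENDING[account]  # single use
    return ok


if __name__ == "__main__":
    # 1. A login code phished from the customer is useless for a payment.
    sms = issue("acct-1", "login")
    code = code_from_sms(sms)
    print(sms)
    print("replayed for payment:", verify("acct-1", "payment", code, 400000, "Scammer Ltd"))
    print("used for login:", verify("acct-1", "login", code))
    # 2. The read-back scam: the scammer's own transfer generated the code, so the
    #    code is valid for it; only the message wording can warn the customer.
    sms = issue("acct-2", "payment", 400000, "J Smith")
    print(sms)
    print("read back to scammer:", verify("acct-2", "payment", code_from_sms(sms), 400000, "J Smith"))
```

Binding the code to purpose, amount and payee stops the cross-use and replay cases (a login code used for a payment, a code for one payment used for another, a code used twice). It does nothing against the case the post is about, where the victim approves the scammer's transaction by reading out a code that really was issued for it; that is why the text in the message has to say what is being approved, and why phone-based approval in the bank's app is described in the thread as only "better than nothing".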

My bank has this, too. Their logic is that by adding another step, they’re enhancing security, but if someone already has access to all your sensitive information and your phone, asking for your email isn’t really going to stop them.
To manage this, I started using temporary phone numbers for OTPs and other verification codes. This way, even if my main phone number is compromised, my banking verification remains secure because the temporary number changes frequently and isn’t tied to my email or other personal information. It adds a layer of security by keeping the verification process separate from my everyday phone number, which might be more vulnerable to exposure.
I use the numbers from https://anonymsms.com/, a free service that has UK numbers based on real SIMs. So at least I don’t have to pay for these.

Technically it's the FCA that's mandated this; banks are only following what they're told they must do. I was hoping that if enough people complain and point out the obvious futility in this hoop the FCA would rethink it…

Didn't intend to give the impression I was arguing, sorry for that. We don't all have the same knowledge, experience and anything else that is affected by this topic. Can't say I thought anyone was wrong. Just a different perspective on the same topic.