|
|
Post by chris on Aug 12, 2014 6:51:23 GMT
Seems to come up fairly frequently at the moment. There are new client money rules coming in for 1st October that will dictate policy on this, involving tracking the origination account of all transfers in to the site and then directing money only back to those accounts. Beyond that I still need to be fully briefed by our compliance officer as to any implementation details we need to incorporate into our plans, but we'll have a fully automated system within that timeframe.
|
|
|
|
Post by Jack Barlow on Aug 12, 2014 10:17:05 GMT
chris, the advice from your compliance officer will no doubt focus on what AC is required to do, not necessarily what is in the interests of lender security. Please also take a lender's-eye view on this (of which I know you are one). At the moment, as paul123 has said, if a lender's login details are hacked then their account will get cleaned out. Certainly not good for the lender, and I suspect the resulting bad publicity if AC didn't compensate would kill the AC business overnight. paul123, Ton ⓉⓞⓃ started a discussion of this issue last week starting here: p2pindependentforum.com/post/18666/thread
|
|
|
|
Post by chris on Aug 12, 2014 10:51:41 GMT
chris, the advice from your compliance officer will no doubt focus on what AC is required to do, not necessarily what is in the interests of lender security. Please also take a lender's-eye view on this (of which I know you are one). At the moment, as @john334 has said, if a lender's login details are hacked then their account will get cleaned out. Certainly not good for the lender, and I suspect the resulting bad publicity if AC didn't compensate would kill the AC business overnight. Well by necessity whatever we do will have to be compliant, but as I understand it you'll only be able to withdraw funds to a UK bank account from which you have transferred money into the platform. I'm minded to limit that to one nominated account to prevent an attack where someone gets access to your account, transfers in a pound, and then transfers out all your money. I'll discuss internally what we think best practice should be.
|
|
acorn
Posts: 118
Likes: 23
|
Post by acorn on Aug 12, 2014 11:38:41 GMT
Seems to come up fairly frequently at the moment. There are new client money rules coming in for 1st October that will dictate policy on this, involving tracking the origination account of all transfers in to the site and then directing money only back to those accounts. Beyond that I still need to be fully briefed by our compliance officer as to any implementation details we need to incorporate into our plans, but we'll have a fully automated system within that timeframe. I hope the vulnerability I mentioned to Martin in a private e-mail is being sorted, where someone could, on a public machine, fail to realise they have successfully logged in, walk away and leave their a/c wide open to anyone who can access the machine's history. I realise this possibility is limited by the automatic log-out but Assetz has quite a long interval in place before this happens. I freely admit to accessing websites by numptyish practices, which is how I found this, but my partner is fairly savvy and (whilst he groaned at the way I got there) is concerned that it can happen and has tested on several browsers with one culprit ID'ed so far. It doesn't happen for other secure sites if I use the same means to access them on the same browser.
|
|
|
|
Post by geoffrey on Aug 15, 2014 7:29:19 GMT
Seems to come up fairly frequently at the moment. There are new client money rules coming in for 1st October that will dictate policy on this, involving tracking the origination account of all transfers in to the site and then directing money only back to those accounts. Beyond that I still need to be fully briefed by our compliance officer as to any implementation details we need to incorporate into our plans, but we'll have a fully automated system within that timeframe. That could be tricky where money is deposited five years earlier (say), and a lender has since switched bank accounts. It would be better to have a nominated bank account that can be switched only by entering a code sent to a (pre-nominated) mobile or email address (itself subject to extra security on attempted change), maybe with a time-delay incorporated for changes to bank account details. Another scenario is spouses sending money to the AC account of the other spouse. I do this for my wife, who is a 25% taxpayer (whereas I pay 40%): clearly I could send it to her bank account first and then she could send it on to AC, but the extra step would be a pain. Similarly, on another platform, I invest money in my daughter's P2P account (she is a student), and she withdraws the interest portion of the repayments as a steady income while building up capital for when she finishes her studies. It would be a shame to block this kind of possibility. The key is, IMHO, to ensure that the withdrawal account cannot be changed without passing an extra level of security.
|
|
mikeb
Posts: 1,072 
Likes: 472
|
Post by mikeb on Aug 15, 2014 15:15:52 GMT
That could be tricky where money is deposited five years earlier (say), and a lender has since switched bank accounts. Or like me:- If I've received a closeout from another investment (as a cheque to my current account), then I'm going to be putting money in from there. In fact, I just did. The spare will go into a savings account elsewhere, and when needed at AC, be pulled in from there. So I'm funding from 2 places. Same with FC/Zopa/THC ... and worse still, that savings account is likely to expire soon and be replaced, so queue up a 3rd recent source  There does need to be some kind of latitude, but not ruddy great loopholes 
|
|
|
|
Post by chris on Aug 15, 2014 16:56:13 GMT
As an urgent change we're making it a requirement to type in your password in order to confirm withdrawal of funds. Will run the other points past our compliance guy to see what the FCA require us to do and how we can make it practical.
|
|
|
|
Post by Ton ⓉⓞⓃ on Aug 16, 2014 12:28:11 GMT
As an urgent change we're making it a requirement to type in your password in order to confirm withdrawal of funds. Will run the other points past our compliance guy to see what the FCA require us to do and how we can make it practical. Thanks for looking into what can be done to increase safety but I'm not sure asking for the same PW that a naughty person has just used to gain access to your a/c is that much of an improvement, perhaps I misunderstand something, maybe that's okay for 'small' amounts for large withdrawals I think there does need to be some kind of warning be it a secure email, text or both and once confirmed then the transfer can happen. Other than that I've no idea what to suggest as what seems secure is very often circumvented when there is enough motivation. Most is down to the user being safe.
|
|
|
|
Post by chris on Aug 16, 2014 12:41:37 GMT
As an urgent change we're making it a requirement to type in your password in order to confirm withdrawal of funds. Will run the other points past our compliance guy to see what the FCA require us to do and how we can make it practical. Thanks for looking into what can be done to increase safety but I'm not sure asking for the same PW that a naughty person has just used to gain access to your a/c is that much of an improvement, perhaps I misunderstand something, maybe that's okay for 'small' amounts for large withdrawals I think there does need to be some kind of warning be it a secure email, text or both and once confirmed then the transfer can happen. Other than that I've no idea what to suggest as what seems secure is very often circumvented when there is enough motivation. Most is down to the user being safe. It prevents the specific issue that was first raised which is someone walking away from a public computer without logging out and therefore the browser (specifically Chrome) remembering the session and allowing someone else to come in and withdraw cash. It's a short term fix to buy us time whilst we can work on a better long term solution to site security. One possible long term solution would be to have a nominated bank account that could only be changed with a verification code sent to your mobile phone, or other similar system of providing a second security factor that's hard to steal or fake even if someone gets hold of your primary security details.
|
|
|
|
Post by mrclondon on Aug 16, 2014 18:54:47 GMT
One possible long term solution would be to have a nominated bank account that could only be changed with a verification code sent to your mobile phone, or other similar system of providing a second security factor that's hard to steal or fake even if someone gets hold of your primary security details. Squirrl.com required entry of a mobile phone received security code for just about every account transaction. It was a real pain, not least at the time I was working from our Swiss office a lot and text messages often took more than the 10 minute code validy period to arrive (not helped by my phone continually hunting between Swiss and German networks due to being close to the border). Any solution has to be equally practical for those outside of the UK to use.
|
|
|
|
Post by chris on Aug 16, 2014 18:55:55 GMT
One possible long term solution would be to have a nominated bank account that could only be changed with a verification code sent to your mobile phone, or other similar system of providing a second security factor that's hard to steal or fake even if someone gets hold of your primary security details. Squirrl.com required entry of a mobile phone received security code for just about every account transaction. It was a real pain, not least at the time I was working from our Swiss office a lot and text messages often took more than the 10 minute code validy period to arrive (not helped by my phone continually hunting between Swiss and German networks due to being close to the border). Any solution has to be equally practical for those outside of the UK to use. Any preferences?
|
|
|
|
Post by Ton ⓉⓞⓃ on Aug 17, 2014 0:06:45 GMT
Two factor authorisation (something you know, something you have) is very wonderful but is probably only needed here for withdrawals. The simplest solution, that doesn't involve opening a can of worms, is to limit the credit and debut to be the same account. Then all the responsibility for AML is on the bank. But the bank would need to be on an approved list and there's also the issue of when the lender wants to change bank account. Plus I think it's sometimes difficult to establish that credited funds came from a particular bank account. I think the only issue is when the account needs to change. I'd guess that only a very tiny proportion of lenders would need to use multiple or unapproved connected accounts. i'm afraid I come from an investment bank background and generally they are scared sh*tless of falling foul of ML regs etc because the fines and consequences of reputation damage are huge so I'm probably far more willing that some to put up with this kind of nonsense than many. From your experience then would it be possible to have two nominated a/c's, so you can decide and flip from one to the other as needed? Perhaps one is your partner and the other is... well we don't need to go into that!
|
|
|
|
Post by wiseclerk on Aug 17, 2014 8:36:21 GMT
My preference, although I am not an investor on AC would be:
Have a nominated account for withdrawals.
Allow switching of nominated accounts only:
a) to only one of those accounts that the money originally came from
b) require confirmation by a PIN sent via SMS
Possibly have investors activate the option that any withdrawel over £x also requires a confirmation via SMS PIN (x is to be set by investor). Obviously if activated changing or deactivating this option again requires PIN confirmation.
This invokes some support questions when investors change mobile number, but that will not be that frequent.
|
|
|
|
Post by jevans4949 on Aug 17, 2014 13:08:44 GMT
Sending a text message to a phone ceases to be a security measure if a browser-based account has been accessed using a smart phone.
|
|
|
|
Post by wiseclerk on Aug 17, 2014 13:29:09 GMT
Sending a text message to a phone ceases to be a security measure if a browser-based account has been accessed using a smart phone. That's why you should either avoid to use your smartphone to access fintech services or have a second (old) mobile that you only keep for the purpose of receiving PIN SMSs.
|
|
