Post by ashtondav on Jul 24, 2018 18:27:14 GMT
Yep AC demand Authy for me. Personally I see the biggest risk as AC failure rather than being hacked - pay attention to that, AC. The risk of AC platform failure is WAY BIGGER than being hacked...
Post by bracknellboy on Jul 25, 2018 7:40:27 GMT
just logged into AC to be confronted by this whole wall of new security. I've not read back through the 16 pages of posts on here. "This pin will be used to manually verify your account when speaking to our lender team." For all this new security, has anyone got confirmation that this PIN and Memorable word will be fully encrypted and the "lender team" will only ever be presented with fragments for verification purposes? chris? I have never had cause to phone AC (they once phoned me years ago), so this is a bit of faff I could do without.
I have just logged in afresh to AC, and the procedure was no different from what has always been (password + randomly selected one of three security questions). No demands for PIN or Memorable word. I wonder why my experience is different to yours, bracknellboy? Could it be because I have so far declined to opt for 2FA (and will continue to do so until the promised opt-out is made available)? Has anyone else (other than westcountryfunder) had to do this. Was there any prior notification by email of this new procedure? (I have had none).
I don't believe I've been asked. I don't recall being given the option when I logged in. Given that I balked at completing these details I will try again and see whether I missed the bit about "do you want to opt in/out". Oh b***, that means I've got to find my phone to get an SMS doesn't it??
EDIT: No it definitely doesn't give me any option (bear in mind baldpate that these are requests to setup security info for telephone contact, so they won't be reflected back on next login). OK, I have found that IF I SCROLL DOWN below the boxes that you are meant to fill in, it says "Our lender team will never ask for the whole PIN or memorable word, only for selected characters." I will take that to meet what I wanted: just wasn't in your face without scrolling down.
EDIT2: Ok now it is asking me to update my password to ensure it meets their new password policy. My old already does.
They better accept my old pwd as my new pwd else I'm going to be upset.
Post by drphil on Jul 25, 2018 12:52:35 GMT
Chris
First, thanks for continuing to readily participate in this forum and thank you to AC for revising the 2FA process following customer concerns.
As Technical Director, could you please confirm exactly when I will need to start using 2FA (I tried Live Chat but they couldn't help)? Also when will details of the revised process be available (because the info in the original email is out of date)?
Post by trouble on Jul 27, 2018 8:19:47 GMT
Peer2PeerFinanceNews are onto it, have they 'reached out' to AC or just C&P'd from here? I only log on from home so don't have the issues some have, the only other login where I have 2FA is HMRC/Gov website.
AC responds to login glitches
Post by niceguy37 on Jul 27, 2018 8:56:25 GMT
I'm a long-time AC lender and enthusiast, and a minor shareholder, and think they're definitely one of the better p2p platforms. But it's disappointing how they don't seem to seek lenders' opinions before driving changes like this forward.
One wonders if some tech geek (disclosure - I'm a tech geek myself) went on a course or conference and came back with the idea of 2FA. How could management think it was a good idea to add 2FA before simply having set bank account details to which all withdrawals must be made, preferably the same bank account that funded the investment in the first place?
To be fair to AC they have responded now with opt-out options, but it's a shame that all the upset and bad PR has been generated.
Post by lara on Jul 27, 2018 9:01:49 GMT
Peer2PeerFinanceNews are onto it, have they 'reached out' to AC or just C&P'd from here? I only log on from home so don't have the issues some have, the only other login where I have 2FA is HMRC/Gov website.
AC responds to login glitches
They definitely got their information from this thread. They described the specific situation I complained of whereby I continued to get repeated phone calls with codes even though I was signed in already! Hi p2pfn!
Post by dave2 on Jul 27, 2018 9:07:28 GMT
One wonders if some tech geek (disclosure - I'm a tech geek myself) went on a course or conference and came back with the idea of 2FA.
Obstacle course?
Post by lara on Jul 27, 2018 9:20:37 GMT
How could management think it was a good idea to add 2FA before simply having set bank account details to which all withdrawals must be made, preferably the same bank account that funded the investment in the first place?
It doesn't make any sense to me as to why they wouldn't have a nominated bank account right from the beginning but they have promised that it's coming soon.
Post by baz657 on Jul 27, 2018 9:27:48 GMT
We've been using 2FA for a while now accessing gov.uk sites. It's a PITA but also a necessary evil with all the criminals out there all trying any means to get your and my money.
Post by dc848 on Jul 27, 2018 10:02:17 GMT
We've been using 2FA for a while now accessing gov.uk sites. It's a PITA but also a necessary evil with all the criminals out there all trying any means to get your and my money.
Yes indeed.
And just how loudly would these same moaners complain if they became victims of a hack? They would be screaming from the rooftops.
Personally, I think it's a hassle - but I sure am appreciative of them doing everything possible to keep my money safe.
Post by rick24 on Jul 27, 2018 10:18:57 GMT
I'm finding 2 factor authentication more convenient than the previous method. Might be a problem if I mislay my phone.
Post by vaelin on Jul 27, 2018 10:41:27 GMT
chris I am pleased you implemented proper 2FA. However, I am disappointed that you chose Authy. Forcing us to use proprietary software is not necessary when there are open standards. I have a robust 2FA workflow already that revolves around my Yubikey, which lets me use FIDO U2F and various OTP options too. It is naturally more secure than Authy, and also a lot more convenient.
Supporting open standards would let people use whatever 2FA method they want to use. It would not prohibit the use of Authy for people who are keen on it, but I could also add a TOTP credential to my Yubikey or, even better, login via FIDO U2F. I understand that Authy is going to be easier from your perspective, because it is a packaged solution that you can just plug and play. Nevertheless, I think striking the right balance for 2FA credentials is worth the labour investment. A robust 2FA system will put account security in good stead for many years.
I find myself wanting to pursue fewer of your emails because I don't want to have to get my phone out.
Post by jayjay on Jul 27, 2018 12:45:58 GMT
I just discovered that my bookmarks and simple passwords in Chrome have been synchronized between my phone and my laptop. This is because I was playing with Google Photos and synchronizing devices yesterday.
I do not use Chrome on my phone normally but am glad I tried a little experiment. Assetz is now bookmarked on my phone with username and first password pre-entered as on my laptop.
Previously it would have asked me a random question (of three). Now it asks me on the phone for a Pin code that it sends to the very same device by SMS. One step authentication by any yardstick.
In this instance I have clearly degraded my security if I lost my phone. The random question has been replaced by a code that is directly provided to the thief.
This needs looking into.
Obviously I am now disabling Chrome on my phone. Beware this is not an improvement yet.
Post by vaelin on Jul 27, 2018 16:20:47 GMT
jayjay You should have a pin number on your phone which would prevent anyone gaining access to your browser. If you unlock your phone for a thief AND have Chrome autofill your passwords, then there is not much that AC can do to help.
Post by jayjay on Jul 27, 2018 16:33:37 GMT
jayjay You should have a pin number on your phone which would prevent anyone gaining access to your browser. If you unlock your phone for a thief AND have Chrome autofill your passwords, then there is not much that AC can do to help.
Yes I have a pin on my phone - that is all that would have protected my Assetz account after my inadvertent (for a few hours) upgrade. This is simply inadequate - the point I am making is that the recent upgrade in these circumstances notably WEAKENS security not strengthens it. None of my other banks and financial accounts has such weak defence - relying on the phone's pin code is totally inadequate. Assetz need to ask for selected letters of the password not the whole thing - this would put it on par with a number of my other accounts.