copacetic
Member of DD Central
Posts: 306
Likes: 667
Post by copacetic on Jul 9, 2018 17:27:06 GMT
Making things user unfriendly for the purposes of security is not necessarily a productive change.
Instead of this change, making the withdrawal process linked to a single nominated bank account would not only be a simple way to improve security (by stopping someone who has gained access to your AC account emptying it into their own bank account) it would also make using AC more user friendly. For a user to change their nominated bank account could instead be protected by 2 factor authentication or even a manual request for the necessary ID.
None of the banks I have ever dealt with have deemed it necessary to have two factor authentication just to log in. It's only been required to move money out which is what a malicious attacker would be interested in doing.
Post by ogglet on Jul 9, 2018 17:34:37 GMT
> chris , instead of needing two factor authentication to log on, would it be possible to have to use it when withdrawing money or changing profile settings, but not for logging in?

Agree, this would definitely be a more practical solution for us users...and much less of a PITA. I really don't want this.
Post by crabbyoldgit on Jul 9, 2018 17:36:56 GMT
My phone cost £28, it's the best, 3 weeks battery life and as a backup to marine VHF on the boat, IP68 waterproof, it ain't smart, then again its owner is even dumber and it's built like a brick **** house. It makes telephone calls, maybe the text things, never got round to that and yes when my wife and daughter need to make a phone call often they find their iPhone has no signal and mine works just fine. God when they have to ask to borrow it, I try not to rub it in too much. Yours crabby old git.
Post by chris on Jul 9, 2018 17:37:44 GMT
> Making things user unfriendly for the purposes of security is not necessarily a productive change.
> Instead of this change, making the withdrawal process linked to a single nominated bank account would not only be a simple way to improve security (by stopping someone who has gained access to your AC account emptying it into their own bank account) it would also make using AC more user friendly. For a user to change their nominated bank account could instead be protected by 2 factor authentication or even a manual request for the necessary ID.
> None of the banks I have ever dealt with have deemed it necessary to have two factor authentication just to log in. It's only been required to move money out which is what a malicious attacker would be interested in doing.

HSBC and Barclays, the two I use, both require 2FA to log in to your account online. Use of the mobile app does not require 2FA (as the app is the second factor) but you cannot instigate transfers to new parties via the apps and there is a lengthy process for registering your mobile with the app with Barclays at least. HSBC required an 8 digit PIN for telephone banking when I registered with them. Amazon AWS requires 2FA to log in to your hosting account. If you set up Authy it is simple and easy to use and can be used offline as well - no mobile signal needed, no wifi needed, so you can still even use it to authorise a phone call with our support desk via a land line when you have no other connection. You can also secure Authy with an additional PIN or touch ID should you wish to further secure your account. Yes security is a pain - it would be less "bother" if we didn't have passwords and you just typed in your email address or had the computer remember you. But that's not secure and some accounts have millions of pounds in them. This current implementation is trying to reach a fair compromise between ease of use and properly securing your accounts. Even with a nominated bank account there needs to be a process for changing that account, or modifying your password, or selling loan units at a discount to clear out your account, etc. All these things present a risk to the security of your funds and 2FA reduces that risk. In time there may be revisions to the dashboard to allow certain low risk operations without logging in, such as checking your balances in the same way as the HSBC phone app allows.
Post by geoffrey on Jul 9, 2018 17:43:21 GMT
Assetz should use an open standard for 2FA and not tie us to a proprietary app that is cloud synced (what could possibly go wrong there?) and that can only be installed on two types of phone. There are open source 2FA apps on various different platforms that use the RFC 6238 published standard for One Time Passwords, that wouldn't tie us to one provider (Authy) or to two mobile phone platforms (Android and iPhone). I want to access Assetz on my Windows Tablet, and no, I don't carry a phone with me everywhere.
Post by ogglet on Jul 9, 2018 17:53:12 GMT
Doesn't Authy work with Chrome on a PC?...Not that I want to use it.
michaelc
Member of DD Central
Say No To T.D.S.
Posts: 5,677
Likes: 2,974
Post by michaelc on Jul 9, 2018 17:56:09 GMT
> HSBC and Barclays, the two I use, both require 2FA to log in to your account online. Use of the mobile app does not require 2FA (as the app is the second factor) but you cannot instigate transfers to new parties via the apps and there is a lengthy process for registering your mobile with the app with Barclays at least. HSBC required an 8 digit PIN for telephone banking when I registered with them. Amazon AWS requires 2FA to log in to your hosting account. If you set up Authy it is simple and easy to use and can be used offline as well - no mobile signal needed, no wifi needed, so you can still even use it to authorise a phone call with our support desk via a land line when you have no other connection. You can also secure Authy with an additional PIN or touch ID should you wish to further secure your account. Yes security is a pain - it would be less "bother" if we didn't have passwords and you just typed in your email address or had the computer remember you. But that's not secure and some accounts have millions of pounds in them. This current implementation is trying to reach a fair compromise between ease of use and properly securing your accounts. Even with a nominated bank account there needs to be a process for changing that account, or modifying your password, or selling loan units at a discount to clear out your account, etc. All these things present a risk to the security of your funds and 2FA reduces that risk. In time there may be revisions to the dashboard to allow certain low risk operations without logging in, such as checking your balances in the same way as the HSBC phone app allows.

I also have a Barclays account and many other bank accounts - personal and business. What you've said there in bold I'm afraid is not correct. I do not need to use 2FA to log into my Barclays account (nor from memory most/all of the others). I typically need it if I'm setting up a new payee.
I don't have an HSBC account but I do have a FD (same bank) and they also don't need it to log in.
mary
Member of DD Central
Posts: 698
Likes: 711
Post by mary on Jul 9, 2018 18:05:15 GMT
2FA is, obviously, more secure.
However, requiring a phone or mobile device is unnecessary. All the financial sites that I use, that have 2FA, have at least the option to allow you to enter 3 randomly selected alphanumeric characters from your phrase or word.
No one has ever asked me for an 8 digit PIN, this is overkill.
Post by chris on Jul 9, 2018 18:07:11 GMT
> > HSBC and Barclays, the two I use, both require 2FA to log in to your account online. Use of the mobile app does not require 2FA (as the app is the second factor) but you cannot instigate transfers to new parties via the apps and there is a lengthy process for registering your mobile with the app with Barclays at least. HSBC required an 8 digit PIN for telephone banking when I registered with them. Amazon AWS requires 2FA to log in to your hosting account. If you set up Authy it is simple and easy to use and can be used offline as well - no mobile signal needed, no wifi needed, so you can still even use it to authorise a phone call with our support desk via a land line when you have no other connection. You can also secure Authy with an additional PIN or touch ID should you wish to further secure your account. Yes security is a pain - it would be less "bother" if we didn't have passwords and you just typed in your email address or had the computer remember you. But that's not secure and some accounts have millions of pounds in them. This current implementation is trying to reach a fair compromise between ease of use and properly securing your accounts. Even with a nominated bank account there needs to be a process for changing that account, or modifying your password, or selling loan units at a discount to clear out your account, etc. All these things present a risk to the security of your funds and 2FA reduces that risk. In time there may be revisions to the dashboard to allow certain low risk operations without logging in, such as checking your balances in the same way as the HSBC phone app allows.
>
> I also have a Barclays account and many other bank accounts - personal and business. What you've said there in bold I'm afraid is not correct. I do not need to use 2FA to log into my Barclays account (nor from memory most/all of the others). I typically need it if I'm setting up a new payee.
> I don't have an HSBC account but I do have a FD (same bank) and they also don't need it to log in.

For my business account with Barclays I have to provide 2FA. After confirming your surname and membership number, in step 2 it asks you to use either the physical PINsentry card reader or Mobile PINsentry, entering the 8 digit code. I have no other option. Same with HSBC. They ask for your ID, make and model of your first car, and then to authenticate using your 2FA on either mobile or characters from your password as a fallback. I believe that second option is a more recent change as I don't recall being able to do so in the past nor have I set up a password with them that I recall.
copacetic
Member of DD Central
Posts: 306
Likes: 667
Post by copacetic on Jul 9, 2018 18:08:05 GMT
> HSBC and Barclays, the two I use, both require 2FA to log in to your account online. Use of the mobile app does not require 2FA (as the app is the second factor) but you cannot instigate transfers to new parties via the apps and there is a lengthy process for registering your mobile with the app with Barclays at least. HSBC required an 8 digit PIN for telephone banking when I registered with them. Amazon AWS requires 2FA to log in to your hosting account. If you set up Authy it is simple and easy to use and can be used offline as well - no mobile signal needed, no wifi needed, so you can still even use it to authorise a phone call with our support desk via a land line when you have no other connection. You can also secure Authy with an additional PIN or touch ID should you wish to further secure your account. Yes security is a pain - it would be less "bother" if we didn't have passwords and you just typed in your email address or had the computer remember you. But that's not secure and some accounts have millions of pounds in them. This current implementation is trying to reach a fair compromise between ease of use and properly securing your accounts. Even with a nominated bank account there needs to be a process for changing that account, or modifying your password, or selling loan units at a discount to clear out your account, etc. All these things present a risk to the security of your funds and 2FA reduces that risk. In time there may be revisions to the dashboard to allow certain low risk operations without logging in, such as checking your balances in the same way as the HSBC phone app allows.

I'm thinking more about the motivation for an intruder that would want to access a user account. If they can't benefit financially by emptying out the account and all they can do is cause mischief by moving money around on the platform then it certainly limits the type of attacker that would go to the bother of attempting to gain access.
It also limits the possible loss that we as users could experience should someone actually gain access. With regard to banks I have used 4 banks in the past few years that have not required 2FA. I suspect that each of these banks has a technical director that has weighed the burden of 2FA for login against the security benefit it provides and decided against it so it's by no means clear cut that it's necessary.
Post by geoffrey on Jul 9, 2018 18:14:46 GMT
> Doesn't Authy work with Chrome on a PC?...Not that I want to use it.

I will never use the steaming pile of spyware that is Chrome. It looks like there might be Windows and OS10 versions of Authy, which would be acceptable if it is not tied to a phone. Assetz haven't made that clear, and I don't particularly want to install third-party software if it's not going to work without Google or Apple.
Post by chris on Jul 9, 2018 18:27:20 GMT
> I'm thinking more about the motivation for an intruder that would want to access a user account. If they can't benefit financially by emptying out the account and all they can do is cause mischief by moving money around on the platform then it certainly limits the type of attacker that would go to the bother of attempting to gain access.
> It also limits the possible loss that we as users could experience should someone actually gain access. With regard to banks I have used 4 banks in the past few years that have not required 2FA. I suspect that each of these banks has a technical director that has weighed the burden of 2FA for login against the security benefit it provides and decided against it so it's by no means clear cut that it's necessary.

This wasn't a unilateral decision by the CTO, it was a decision made by the exec. The cryptocurrency exchanges I use require 2FA. Amazon hosting requires it. Microsoft Office 365 requires it to sign in. Barclays requires it on my account at least. Should your peer-to-peer lending accounts be less secure? 2FA remains optional to existing lenders for the next two weeks. I'll explore with my compliance officer whether it would be practical to allow lenders to opt-out if they sign a declaration stating they understand the risks or something like that. But I can't make any promises as we need to do the right thing.
Post by GSV3MIaC on Jul 9, 2018 18:51:00 GMT
SMS to landline works OK for Amazon (but you can authorise a device/browser 'forever') .. most Android/iOS apps can be configured to use fingerprint (if your phone supports such). Even HMRC can send a one time code to a landline (but require a third factor - passport or driving license - the first time). I see HMRC are now going voiceprint as well (or instead?).
Post by wiseclerk on Jul 9, 2018 18:58:00 GMT
While I agree that 2FA increases security, I don't see the necessity for it for each and every login on Assetz.
In my view it would be sufficient to require it for these actions:
+ withdrawals
+ changing any account details (especially the associated bank account and email address)
+ selling loan parts
Post by geoffrey on Jul 9, 2018 18:59:43 GMT
> This wasn't a unilateral decision by the CTO, it was a decision made by the exec. The cryptocurrency exchanges I use require 2FA. Amazon hosting requires it. Microsoft Office 365 requires it to sign in. Barclays requires it on my account at least. Should your peer-to-peer lending accounts be less secure? 2FA remains optional to existing lenders for the next two weeks. I'll explore with my compliance officer whether it would be practical to allow lenders to opt-out if they sign a declaration stating they understand the risks or something like that. But I can't make any promises as we need to do the right thing.

The difference is that no bank I use requires me to install a proprietary third-party app that only works on two mobile OSs, and which syncs the keys to the cloud. My relationship is with Assetz Capital, not with Appy. Appy has to make money some way, and since I don't pay for their service, they are commercializing something else about me. I am simply not comfortable with that. Provide a standards-based, Open Source 2FA system managed by yourselves, based on RFC 6238, and then let us use one of the many Open Source (or proprietary) apps on multiple different systems that support the standard. It's really not acceptable to force us to rely on third parties.
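As an added example (not code from this thread, from Assetz Capital or from Authy), here is a minimal RFC 6238 TOTP verifier in Python combined with the step-up policy wiseclerk proposes above: login needs no second factor, while withdrawals, account-detail changes and loan-part sales need a fresh, unused code. The HOTP/TOTP functions use only the standard library, so any standards-based authenticator app (the point of geoffrey's post) would produce the same codes; the Account class, the action names and the one-step clock skew are assumptions for illustration, and the secret is the RFC 6238 reference test key.

```python
import hashlib, hmac, struct
from typing import Optional

def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (30 s by default)."""
    return hotp(secret, at // step, digits, algo)

# Constructed policy after wiseclerk's list: actions that need a fresh second factor.
SENSITIVE = {"withdraw", "change_bank_account", "change_email", "sell_loan_parts"}

class Account:
    """Hypothetical server-side state: shared secret plus the last accepted time
    step, so a code is never accepted twice (replay protection)."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1

    def verify(self, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
        """Accept a code for the current step or one step either side (clock skew)."""
        current = now // step
        for candidate in range(current - skew, current + skew + 1):
            if candidate <= self.last_step:
                continue  # already used, or older than a code already accepted
            if hmac.compare_digest(hotp(self.secret, candidate).encode(), code.encode()):
                self.last_step = candidate
                return True
        return False

def authorize(account: Account, action: str, code: Optional[str], now: int) -> bool:
    """Step-up check: login and read-only actions pass without a code;
    sensitive actions need a valid, unused TOTP code."""
    if action not in SENSITIVE:
        return True
    return code is not None and account.verify(code, now)

if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 reference test key (SHA-1 vectors)
    acct, now = Account(secret), 1234567890
    code = totp(secret, now)
    print(authorize(acct, "login", None, now), authorize(acct, "withdraw", code, now),
          authorize(acct, "withdraw", code, now))  # True True False (replay rejected)
```

With the RFC test key, totp(secret, 1234567890, digits=8) returns the published vector 89005924, which is how you would confirm that an arbitrary authenticator app is generating compatible codes.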