Post by chris on Jul 9, 2018 19:05:02 GMT
This wasn't a unilateral decision by the CTO, it was a decision made by the exec. The cryptocurrency exchanges I use require 2FA. Amazon hosting requires it. Microsoft Office 365 requires it to sign in. Barclays requires it on my account at least. Should your peer-to-peer lending accounts be less secure? 2FA remains optional to existing lenders for the next two weeks. I'll explore with my compliance officer whether it would be practical to allow lenders to opt-out if they sign a declaration stating they understand the risks or something like that. But I can't make any promises as we need to do the right thing.
The difference is that no bank I use requires me to install a proprietary third-party app that only works on two mobile OSs, and which syncs the keys to the cloud. My relationship is with Assetz Capital, not with Appy. Appy has to make money some way, and since I don't pay for their service, they are commercializing something else about me. I am simply not comfortable with that. Provide a standards-based, Open Source 2FA system managed by yourselves, based on RFC 6238, and then let us use one of the many Open Source (or proprietary) apps on multiple different systems that support the standard. It's really not acceptable to force us to rely on third parties.
The service is Authy, and we pay them per login. That is how they commercialise the relationship. The open source solutions are not as complete or as easy to integrate with as Authy, and we are paying for that simplicity.
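The RFC 6238 scheme the lender above asks for, shown as an added example that is not Assetz Capital's, Authy's or any poster's code: a TOTP generator plus a server-side verifier with a clock-skew window, constant-time comparison and replay rejection. The `TotpVerifier` class and its names are this example's own; the sample key is the SHA-1 test seed published in RFC 6238 Appendix B, so the generated codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample key: the SHA-1 test seed from RFC 6238 Appendix B
# (ASCII "12345678901234567890"). A real deployment generates a random secret per user.
RFC6238_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at=None, step: int = 30, digits: int = 6, digest=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what any
    standards-based authenticator app computes from the shared secret and its clock."""
    now = time.time() if at is None else at
    return hotp(key, int(now) // step, digits, digest)


class TotpVerifier:
    """Server-side check for one user's secret (hypothetical helper for this example).
    Accepts the current time step and +/- `window` steps to tolerate clock skew,
    compares in constant time, and remembers the last accepted counter so that an
    intercepted code cannot be replayed inside the window."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1  # no code accepted yet

    def verify(self, submitted: str, at=None) -> bool:
        # Reject anything that is not exactly `digits` ASCII digits before comparing.
        if not (submitted.isascii() and submitted.isdigit() and len(submitted) == self.digits):
            return False
        now = int(time.time() if at is None else at)
        counter = now // self.step
        for c in range(max(0, counter - self.window), counter + self.window + 1):
            if c <= self.last_counter:
                continue  # this step (or an older one) was already consumed: replay
            if hmac.compare_digest(hotp(self.key, c, self.digits), submitted):
                self.last_counter = c
                return True
        return False
```

With `digits=8` and `at=59` the generator returns `94287082`, the first SHA-1 vector in RFC 6238 Appendix B; the same 6-digit code is accepted once by the verifier and rejected on a second submission.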
Post by SteveT on Jul 9, 2018 19:13:04 GMT
I'm thinking more about the motivation for an intruder that would want to access a user account. If they can't benefit financially by emptying out the account and all they can do is cause mischief by moving money around on the platform then it certainly limits the type of attacker that would go to the bother of attempting to gain access. It also limits the possible loss that we as users could experience should someone actually gain access. With regard to banks I have used 4 banks in the past few years that have not required 2FA. I suspect that each of these banks has a technical director that has weighed the burden of 2FA for login against the security benefit it provides and decided against it so it's by no means clear cut that it's necessary.
This wasn't a unilateral decision by the CTO, it was a decision made by the exec. The cryptocurrency exchanges I use require 2FA. Amazon hosting requires it. Microsoft Office 365 requires it to sign in. Barclays requires it on my account at least. Should your peer-to-peer lending accounts be less secure? 2FA remains optional to existing lenders for the next two weeks. I'll explore with my compliance officer whether it would be practical to allow lenders to opt-out if they sign a declaration stating they understand the risks or something like that. But I can't make any promises as we need to do the right thing.
Please God give us the option to opt out of 2FA. I've now only a fraction of my original peak AC balance (on account of there being no loans for months that pay enough to interest me) and this, if I'm forced to jump through more hoops just to log in, will guarantee that goes to zero ASAP. AC is already the slowest of all the platforms I use to log into and compulsory 2FA is complete overkill.
Post by honda2ner on Jul 9, 2018 19:45:41 GMT
Like many on here the 2FA doesn't make sense just for logging in and buying/selling within the platform. I think 2FA is a good idea but strictly limited to security critical requests like withdrawals and bank account details. Chris, can you argue the case for an opt out of full fat 2FA to a 2FA 'Lite' that only covers critical requests?
I've always thought that AC's security was weak, but requiring 2FA for every single login even if I don't make any changes is a massive swing from one extreme to the other. Can we have a bit of common sense please?
Post by jj on Jul 9, 2018 19:58:17 GMT
I don't have a mobile phone. Is AC going to pay for a mobile contract for me or are we parting company?
Post by ianj on Jul 9, 2018 20:14:47 GMT
....... I'll explore with my compliance officer whether it would be practical to allow lenders to opt-out if they sign a declaration stating they understand the risks or something like that. But I can't make any promises as we need to do the right thing.
From what you've said there appears to have been zero consultation of any kind with those affected by the proposed changes. Poor show, if that's the case!
Post by registerme on Jul 9, 2018 20:20:30 GMT
Chris, can you argue the case for an opt out of full fat 2FA to a 2FA 'Lite' that only covers critical requests?
That gets my vote.
Post by upland on Jul 9, 2018 20:23:08 GMT
I had this stuff with Beauforts and look what happened.
Post by geoffrey on Jul 9, 2018 20:24:07 GMT
I don't have a mobile phone. Is AC going to pay for a mobile contract for me or are we parting company?
Assetz have been very bad at explaining things here. I've watched the video they have on two factor authentication, and they say that as well as the option to receive an SMS, there is an option to receive the code via phone call. While I haven't tried that, they do say it is available, and this might be an alternative for you?
Post by geoffrey on Jul 9, 2018 20:32:19 GMT
I've taken one for the team and have set up 2FA using Authy Desktop on my PC, since I don't have an Android or iPhone. There is also a version for Mac desktop. The bad news is that you need a mobile number to authenticate the Desktop app, because it sends an SMS during setup. It's *possible* you could do this with a landline, since at least BT landlines can receive an SMS that will be read to you when you answer the phone, and I'm sure others can too. After that, you don't need SMS any more.
chris, could I suggest you get the info updated to say that Authy works on Windows and Mac desktops as well as on mobiles? Also, your info should be clearer that it's possible to receive a login code via phone call instead of via SMS, as stated in the video you've produced to explain 2FA. This could go some way to allaying some of the anxieties on this thread.
Post by jj on Jul 9, 2018 20:34:50 GMT
I don't have a mobile phone. Is AC going to pay for a mobile contract for me or are we parting company?
Assetz have been very bad at explaining things here. I've watched the video they have on two factor authentication, and they say that as well as the option to receive an SMS, there is an option to receive the code via phone call. While I haven't tried that, they do say it is available, and this might be an alternative for you?
I actually understand why AC needs to do this. I regard using smartphones and the like as a very unsafe way to trade. I personally would never do any financial transactions using a phone of any sort. A dedicated computer, with a hardwired connection only.
I did have experience with a tablet of mine being hacked; I only used it to look at my emails though. I do however feel people with the same view as me will be victimised.
Post by michaelc on Jul 9, 2018 20:39:15 GMT
HSBC and Barclays, the two I use, both require 2FA to log in to your account online. Use of the mobile app does not require 2FA (as the app is the second factor) but you cannot instigate transfers to new parties via the apps and there is a lengthy process for registering your mobile with the app with Barclays at least. HSBC required an 8 digit PIN for telephone banking when I registered with them. Amazon AWS requires 2FA to log in to your hosting account. If you set up Authy it is simple and easy to use and can be used offline as well - no mobile signal needed, no wifi needed, so you can still even use it to authorise a phone call with our support desk via a land line when you have no other connection. You can also secure Authy with an additional PIN or touch ID should you wish to further secure your account. Yes security is a pain - it would be less "bother" if we didn't have passwords and you just typed in your email address or had the computer remember you. But that's not secure and some accounts have millions of pounds in them. This current implementation is trying to reach a fair compromise between ease of use and properly securing your accounts. Even with a nominated bank account there needs to be a process for changing that account, or modifying your password, or selling loan units at a discount to clear out your account, etc. All these things present a risk to the security of your funds and 2FA reduces that risk. In time there may be revisions to the dashboard to allow certain low risk operations without logging in, such as checking your balances in the same way as the HSBC phone app allows.
I'm thinking more about the motivation for an intruder that would want to access a user account. If they can't benefit financially by emptying out the account and all they can do is cause mischief by moving money around on the platform then it certainly limits the type of attacker that would go to the bother of attempting to gain access. It also limits the possible loss that we as users could experience should someone actually gain access. With regard to banks I have used 4 banks in the past few years that have not required 2FA. I suspect that each of these banks has a technical director that has weighed the burden of 2FA for login against the security benefit it provides and decided against it so it's by no means clear cut that it's necessary.
The below is a screenshot of the second stage of the authentication - you can see I'm allowed to enter two static passwords (or parts of). This is a business account but maybe if your business account is an Assetz account, then it may be a corporate account with higher levels of security?
Post by lara on Jul 9, 2018 20:43:17 GMT
I don't have a mobile phone. Is AC going to pay for a mobile contract for me or are we parting company?
Assetz have been very bad at explaining things here. I've watched the video they have on two factor authentication, and they say that as well as the option to receive an SMS, there is an option to receive the code via phone call. While I haven't tried that, they do say it is available, and this might be an alternative for you?
I don't have a mobile phone either but I have been able to get in using my landline, it does text to speech. It's better than nothing but I'm limited in the hours I can access the site if I don't want to disturb the rest of the household. Frustrating.
Post by chris on Jul 9, 2018 20:46:34 GMT
michaelc - This isn't on an AC account, but for a separate older business account. This is what I see:
Post by michaelc on Jul 9, 2018 20:47:31 GMT
Making things user unfriendly for the purposes of security is not necessarily a productive change.
Instead of this change, making the withdrawal process linked to a single nominated bank account would not only be a simple way to improve security (by stopping someone who has gained access to your AC account emptying it into their own bank account) it would also make using AC more user friendly. For a user to change their nominated bank account could instead be protected by 2 factor authentication or even a manual request for the necessary ID.
None of the banks I have ever dealt with have deemed it necessary to have two factor authentication just to log in. It's only been required to move money out which is what a malicious attacker would be interested in doing.
HSBC and Barclays, the two I use, both require 2FA to log in to your account online. Use of the mobile app does not require 2FA (as the app is the second factor) but you cannot instigate transfers to new parties via the apps and there is a lengthy process for registering your mobile with the app with Barclays at least. HSBC required an 8 digit PIN for telephone banking when I registered with them. Amazon AWS requires 2FA to log in to your hosting account.
to allow certain low risk operations without logging in, such as checking your balances in the same way as the HSBC phone app allows.
Just noticed this. That is also not correct. I have never needed a second device or method to allow me to login to AWS. Even when I used them at work and our dept had around 20k per month (modest compared to some I know) the account didn't need it. I'm guessing it's possible to opt in to 2 factor, I haven't checked, but it's certainly not mandatory. It does seem none of your customers (at least here) want it for all transactions. Please reconsider until you are able to add a user story to the backlog along the lines of "....enforce 2fa for the most sensitive transactions such as withdrawal, bank details change... not otherwise..."
Post by lara on Jul 9, 2018 20:54:09 GMT
Chris, can you argue the case for an opt out of full fat 2FA to a 2FA 'Lite' that only covers critical requests? That gets my vote.
Mine too.