ilmoro
Member of DD Central
'Wondering which of the bu***rs to blame, and watching for pigs on the wing.' - Pink Floyd
Posts: 11,315
Likes: 11,523
Post by ilmoro on Jul 9, 2018 21:08:59 GMT
michaelc - This isn't on an AC account, but for a separate older business account. This is what I see: I've got the option to log in with PinSentry, in which case I see that screen, or passcode/memorable word, in which case I don't. Don't know if there is a difference between business & retail accounts, but TF isn't mandatory on Barclays for me. Nor on Nationwide, which also offers the TF PinSentry route or memorable data etc. The only one of my collection of all the mainstream banks (except BOS) that requires TF login is HSBC.
Post by chris on Jul 9, 2018 21:16:30 GMT
> michaelc - This isn't on an AC account, but for a separate older business account. This is what I see: I've got the option to log in with PinSentry, in which case I see that screen, or passcode/memorable word, in which case I don't. Don't know if there is a difference between business & retail accounts, but TF isn't mandatory on Barclays for me. Nor on Nationwide, which also offers the TF PinSentry route or memorable data etc. The only one of my collection of all the mainstream banks (except BOS) that requires TF login is HSBC.

Strange, isn't it. I'm the other way round. I thought HSBC forced 2FA as that's what they used to do, but checking today I have a new option for a password instead, not that I know what mine is set to. Whereas, as per the screenshot above, Barclays forces me to use 2FA with no alternative option.
kmac
Member of DD Central
Posts: 73
Likes: 73
Post by kmac on Jul 9, 2018 21:28:59 GMT
> The service is Authy, and we pay them per login. That is how they commercialise the relationship. The open source solutions are not as complete nor easy to integrate with as Authy, and we are paying for that simplicity.

(My enlargement and bold!!)

I do not post often, and it is often to praise you and your team, BUT you are now giving the impression that no one on your team or those at AC who make decisions go into the real world, where many of us do not use mobile phones nor want to load our computer with apps that we do not understand and trust.

I can understand you need to be sure that any withdrawal or unusual transaction is OK. I can only request a repayment after I have entered your site by entering my email address and password and answered a security question. Complicated enough, I would have thought. You have the details of the bank account that I use (that I gave you when I joined), so if I request a withdrawal to that account that is secure enough.

As far as bank security methods are concerned, both the banks I deal with need my user name when I sign in and a password. They both then require 3 random digits from a memorable phrase. They only need to contact me with a request for me to enter a code (by landline) if it is a new payee or they think there is something unusual about the transaction.

One further point. At present it is an irritation to have to be logged out after 20 minutes of non-use and to have to log in again. But with your proposed method of logging in.........!!!!!!
ding
Member of DD Central
Posts: 238
Likes: 132
Post by ding on Jul 9, 2018 22:25:14 GMT
My heart died when I saw Chris mention 2FA the other day. I usually log in quite a few times a day to see if the hamster has made it around.
If someone finds out I've invested £250 in a few loans - who cares. Where 2FA is needed is when you change your withdrawal details (oh, if only Assetz recorded them) or change personal details.
Post by df on Jul 10, 2018 2:10:09 GMT
The e-mail is full of generic/corporate sentences, but doesn't explain why AC has to take such measures. Did investors experience money stolen from their accounts? I had this with TSB, Santander and Tesco in the past, but that was probably to do with my OS being out of date? I didn't mind this because I didn't need to log in and make transactions very often - AC login is my daily routine.

"Next choose how you want to receive your code, click SMS to receive your number by 'text', 'call' or select 'Authy' to receive your code via the app." - I don't want to download any apps or receive texts/calls. Why isn't entering my e-mail address, password and my grandad's name enough?

"Once your code has been accepted, you will be asked to update your password to ensure it meets our updated password security." - I don't want to change my password. Apple asked me to do it many times and atm I don't know what my Apple password is (I've lost track of them).

"You will also need to enter a memorable word and a pin number, from which individual characters may be used by our customer service team to identify you if this is ever necessary."

To summarise:
1. memorable word
2. PIN number
3. password
4. name of school/pet/mother
5. compulsory use of mobile phone
Is this really needed?
dave2
Member of DD Central
Posts: 177
Likes: 163
Post by dave2 on Jul 10, 2018 4:41:33 GMT
This is good to have for withdrawal instruction only.
Using it for every account log-on seems like overkill if that is what is proposed.
duck
Member of DD Central
Posts: 2,864
Likes: 6,890
Post by duck on Jul 10, 2018 6:05:10 GMT
I have an old mobile (that is only rarely turned on), but unless I stand at the end of my road I can't get a signal. So that will be of no use to me when I log on ... which is usually before 5am. The landline is downstairs; the Mrs is really going to appreciate me trudging up and down stairs as I log onto our 3 accounts and then again when I realise I have forgotten to do something. Unknown apps on this box? Why should I have to?
I was an early investor with AC and had decided to up my investment level this tax year; these changes will send me away ..........
upland
Member of DD Central
Posts: 479
Likes: 175
Post by upland on Jul 10, 2018 6:15:31 GMT
The Beauforts system needed the TFA in order to trade; otherwise you couldn't alter anything or trade. However, I was a bit dubious about the way it was configured and set up for me. I do wonder whether these logon methods have been checked by a very knowledgeable security expert. It's possible that they look good to the layman but do have weaknesses. Sometimes their function is to tell people that something is being done rather than actually doing something. However, if I were a hacker I would prefer getting at the database, whereupon I could get ALL details rather than mess about with my 10K. If you think of the big recent scandals like Yahoo, Carphone, Tesco...
ptr120
Member of DD Central
Posts: 1,202
Likes: 1,350
Post by ptr120 on Jul 10, 2018 6:27:15 GMT
chris - I'm really sorry that you've decided to go down this route and disappointed that you didn't use this forum to sound out the best way to implement it, if it was deemed a requirement. Have Assetz or any lender ever been a victim of fraud? Not that you shouldn't be proactive in defending your systems, but is this using a sledgehammer to crack a nut? The security that you implement should be balanced to the risk, so your comparison to HSBC or Barclays isn't valid in my opinion. As others have said, IF extra security is needed, it is for:
+ withdrawals
+ changing any account details (especially the associated bank account and email address)
+ selling loan parts
I'd also ask that you consider how this change impacts those with disabilities. Finally, does your system work with my foreign mobile phone number?
Post by chris on Jul 10, 2018 6:45:03 GMT
This change is for your benefit to make the platform and your funds more secure, and to make sure we are following best practice. The security of your funds is of utmost importance to us and we have a duty to you to make sure that we help you protect your accounts.
There is one more convenience function to follow in the next couple of days which will enable the Authy app to notify us directly of the security code so that you do not have to type in the digits from the code. In normal operation, logging in to the site should involve you entering your email address and password, receiving a notification on your phone, unlocking your phone, then clicking on the notification to authenticate. We do not feel that this is onerous compared to the huge security benefits it brings. That security benefit carries over into all your dealings with us, including phone calls and the web chat.
If you do not wish to install the Authy app on your mobile phone, which is one of the most widely used and trusted apps, then they have a desktop application that you can use without a mobile phone. Alternatively you can continue to use SMS notifications or receive a phone call on a land line.
The slight inconvenience of having to use a second device to authenticate yourself is massively outweighed by the increased security it brings to your funds and the personal data the website holds about you, and we firmly believe that after you've been through the login process a handful of times it will become second nature and you'll stop noticing that inconvenience.
Post by chris on Jul 10, 2018 6:48:05 GMT
> I'd also ask that you consider how this change impacts those with disabilities. Finally, does your system work with my foreign mobile phone number?

We take accessibility very seriously, with an internal project currently assessing and reviewing our site, and believe the 2FA solution we've presented is accessible to those with disabilities. Yes, the system works with foreign mobile phone numbers.
lara
Posts: 345
Likes: 300
Post by lara on Jul 10, 2018 6:54:08 GMT
> This change is for your benefit to make the platform and your funds more secure, and to make sure we are following best practice. The security of your funds is of utmost importance to us and we have a duty to you to make sure that we help you protect your accounts. There is one more convenience function to follow in the next couple of days which will enable the Authy app to notify us directly of the security code so that you do not have to type in the digits from the code. In normal operation, logging in to the site should involve you entering your email address and password, receiving a notification on your phone, unlocking your phone, then clicking on the notification to authenticate. We do not feel that this is onerous compared to the huge security benefits it brings. That security benefit carries over into all your dealings with us, including phone calls and the web chat. If you do not wish to install the Authy app on your mobile phone, which is one of the most widely used and trusted apps, then they have a desktop application that you can use without a mobile phone. Alternatively you can continue to use SMS notifications or receive a phone call on a land line. The slight inconvenience of having to use a second device to authenticate yourself is massively outweighed by the increased security it brings to your funds and the personal data the website holds about you, and we firmly believe that after you've been through the login process a handful of times it will become second nature and you'll stop noticing that inconvenience.

You seem to have changed your tune since yesterday, when you promised to look into alternatives to 2FA for every log in. Now you are telling us how little it is going to inconvenience us, which is more than a little patronising. I am sorry.
Post by chris on Jul 10, 2018 6:59:05 GMT
> You seem to have changed your tune since yesterday, when you promised to look into alternatives to 2FA for every log in. Now you are telling us how little it is going to inconvenience us, which is more than a little patronising. I am sorry.

I've checked with our compliance officer and wider exec and we do not plan to make any changes in that regard. There are security and data protection reasons for wishing to use 2FA on every log in.
lara
Posts: 345
Likes: 300
Post by lara on Jul 10, 2018 7:00:32 GMT
> > You seem to have changed your tune since yesterday, when you promised to look into alternatives to 2FA for every log in. Now you are telling us how little it is going to inconvenience us, which is more than a little patronising. I am sorry.
>
> I've checked with our compliance officer and wider exec and we do not plan to make any changes in that regard. There are security and data protection reasons for wishing to use 2FA on every log in.

That is very disappointing. What about alternatives to the phone call, such as extra memorable data?
SteveT
Member of DD Central
Posts: 6,875
Likes: 7,924
Post by SteveT on Jul 10, 2018 7:11:58 GMT
> The slight inconvenience of having to use a second device to authenticate yourself is massively outweighed by the increased security it brings to your funds and the personal data the website holds about you, and we firmly believe that after you've been through the login process a handful of times it will become second nature and you'll stop noticing that inconvenience.

To log into and transact on both my personal bank account (Lloyds) and company bank account (Santander), I need just my password and selected characters from a PIN. There is only additional security if I wish to set up a new payee, change my personal details or log in from a new device. To log into and trade on my main ISA / SIPP platform (Interactive Investor), I need just my account name and selected characters from a PIN. There is only additional security if I wish to withdraw funds, change my personal details or log in from a new device.

Yet, just to check the current cash balance in the four much-reduced Assetz accounts that I maintain for myself and family members, from my own PC, I now need to go through this convoluted 2FA process four times over. It is total overkill. By all means, require 2FA for changes to personal details and bank account, and perhaps cash withdrawals (if you must). But requiring 2FA simply to log in and review the account is surreal.

I will certainly "stop noticing that inconvenience" pretty quickly because, unless the need for 2FA is relaxed, I will set sell orders for all of the (few) remaining loans held in these accounts and log in only to withdraw whatever cash has accumulated. I'm generally very tolerant of platforms and their individual foibles (I'm also a small shareholder in Assetz, so am keen to see the company prosper). But this latest forced change, when we're still waiting on SO MANY long-promised fixes and improvements to other MLA and platform annoyances, really winds me up.

Please pass on the collective frustration expressed in this thread to your fellow Directors and get them to back the requirement for 2FA off to personal details changes only and, if you absolutely must, to cash withdrawals (albeit to a verified bank account that AC already has on record!?!)