Post by moonraker on Jun 24, 2020 17:17:52 GMT
I've just had the Bank's Digipass arrive through the post as part of a security exercise delayed by Lockdown. It's a small camera powered by two AA batteries. The instructions fill a page of A4, with one having to take two images provided by the bank on one's PC, creating a four-digit PIN, typing in an 11-digit registration code, followed by a six-digit one.
Customers will have to use the Digipass every time they log in to their accounts.
Bit daunting, but of course it's for our own good.
Post by moonraker on Jun 25, 2020 4:10:33 GMT
My account with Cynergy is a fixed-rate ISA so the only time I would want to access it is on maturity. In fact all I would need to do then is to ask the bank to pay the matured sums to my High Street bank or re-invest it. Since it's an ISA I don't even need an annual statement of interest.
The gadget arrived after several days of stress challenge with my PC router "blocked" (due to rewiring in the BT exchange, TalkTalk said) and getting to grips with a new mobile phone that a cousin had given me and which took a very kind lady in the local Tesco phone shop 25 minutes to sort out for me for free. I'm not sure that I want a further struggle with technology just yet. I'm tempted to ask Cynergy what would happen if I didn't bother.
Post by zlb on Jun 25, 2020 11:41:41 GMT
> > I've just had the Bank's Digipass arrive through the post as part of a security exercise delayed by Lockdown. It's a small camera powered by two AA batteries. The instructions fill a page of A4, with one having to take two images provided by the bank on one's PC, creating a four-digit PIN, typing in an 11-digit registration code, followed by a six-digit one.
>
> Now, you see, I find this sort of badly thought out security idiotic. They should fire the people that came up with it. By way of background, I'm the world's greatest 2FA proponent. As I see it, it's simple: it's 2020, there are lots of very smart hackers out there, so if 2FA is available on your user account on a service, TURN IT ON. And if the service doesn't have 2FA, CHANGE SUPPLIER for that service. We are also well into the 21st century. The century of UX/UI considerations being taken seriously, the century of smartphones with biometric authentication. The addition of 2FA can be enforced without introducing dimwitted levels of user friction like we see with your bank. With the proper design (or proper third-party software), 2FA is completely frictionless, almost enjoyable. For some bunch of dimwits to come up with a schema that requires a camera, with two AA batteries, and requires a sheet of densely written A4 to tell you how to use the damn 2FA service? At least if you are going to force users to use an external device rather than their smartphone, then at least make it foolproof and intuitive to set up and use. If you've ever seen a Bloomberg B-UNIT, you'll know what I mean. Hell, even the old RSA SecurID system was a better experience than what your bank is proposing. Oh, and to add insult to injury moonraker, one of my banks also uses a solution manufactured by Digipass. But my setup of it very much did not entail reading a sheet of A4, or taking photos of things, or typing in stupid long numbers. Hell, it doesn't even have a camera on it!
>
> They sent me a padded envelope with the unit inside, I called them up, having ID'd me, they gave me a six digit activation pin, and that was that. So it seems your bank went out of their way to pick the worst possible option from the Digipass catalogue!!
>
> RSA SecurID: www.youtube.com/watch?v=k_zpbJF9pmc
> Bloomberg B-Unit: www.bloomberg.com/professional/support/b-unit/

Don't they just use a cheapy camera with non-rechargeable battery in order to avoid losing customers who don't have phones? I'm a (2-6)FA fan but it's taken 3 months to get into one of my accounts with a new app.
Post by michaelc on Jun 25, 2020 12:32:03 GMT
For balance, I'm not in favour of blanket 2fa or even 3fa.
I want it on accounts where funds can be transferred to many destinations such as a current account.
Otherwise, a strong password coupled with the usual server side ability to prevent multiple login attempts to a given username or from an IP IMO suffices. I use PasswordSafe for accounts with cash in them (those that are locked to a single account). I figure if it's good enough for Bruce Schneier it's good enough for me.
I don't mind others recommending blanket 2fa but I resent any that use purely technical arguments in doing so. Once you understand the info sec, the decision of what is appropriate is a personal one. i.e. How much risk can you tolerate for your convenience?
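An added example, not from this thread or from any poster or bank, of what the "usual server side ability to prevent multiple login attempts" looks like in code, run over two constructed attempt logs so the reader can see which attack pattern it stops and which it never notices. The window, the thresholds, the usernames and the IP addresses are all assumptions.

```python
# Added example: a sliding-window login throttle keyed on username and on
# source IP, replayed over two constructed attempt logs. Not code from the
# thread or from any bank; thresholds and log contents are assumptions.
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumption: count failures over a 10-minute window
MAX_PER_USER = 5       # assumption: stop checking passwords after 5 failures on a username
MAX_PER_IP = 20        # assumption: stop checking passwords after 20 failures from one IP


class LoginThrottle:
    """Tracks recent failed logins per username and per source IP."""

    def __init__(self, window=WINDOW_SECONDS, max_user=MAX_PER_USER, max_ip=MAX_PER_IP):
        self.window = window
        self.max_user = max_user
        self.max_ip = max_ip
        self.user_failures = defaultdict(deque)  # username -> failure timestamps
        self.ip_failures = defaultdict(deque)    # source ip -> failure timestamps

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, user, ip, now):
        """True if this attempt should reach the password check at all."""
        self._prune(self.user_failures[user], now)
        self._prune(self.ip_failures[ip], now)
        return (len(self.user_failures[user]) < self.max_user
                and len(self.ip_failures[ip]) < self.max_ip)

    def record_failure(self, user, ip, now):
        self.user_failures[user].append(now)
        self.ip_failures[ip].append(now)


def replay(attempts, throttle=None):
    """Run (timestamp, username, ip, password_ok) tuples through the throttle.

    Returns how many attempts actually reached the password check, i.e. how
    many guesses the attacker got to make before the counters shut them out.
    """
    if throttle is None:
        throttle = LoginThrottle()
    reached = 0
    for t, user, ip, ok in attempts:
        if not throttle.allowed(user, ip, t):
            continue          # rejected before any password comparison
        reached += 1
        if not ok:
            throttle.record_failure(user, ip, t)
    return reached


def brute_force_one_account(n=100):
    # Constructed log: one IP makes n wrong guesses at one account, one per second.
    return [(i, "alice", "203.0.113.7", False) for i in range(n)]


def spray_many_accounts(n=100):
    # Constructed log: one wrong guess against each of n accounts, each from a
    # different IP, one per second. No username or IP ever sees a second failure.
    return [(i, f"user{i:03d}", f"198.51.100.{i % 250 + 1}", False) for i in range(n)]


if __name__ == "__main__":
    print("single-account brute force, guesses checked:", replay(brute_force_one_account()))  # 5
    print("spray across accounts, guesses checked:", replay(spray_many_accounts()))           # 100
```

The first log trips the per-username counter after five guesses, which is the case the lockout is built for. The second log is the pattern those counters cannot see: no single username or source address ever accumulates more than one failure, so every one of the hundred guesses is checked against a real password.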
Post by moonraker on Jun 25, 2020 12:34:54 GMT
> ... The gadget arrived after several days of stress challenge with my PC router "blocked" (due to rewiring in the BT exchange, TalkTalk said) and getting to grips with a new mobile phone that a cousin had given me and which took a very kind lady in the local Tesco phone shop 25 minutes to sort out for me for free. I'm not sure that I want a further struggle with technology just yet. I'm tempted to ask Cynergy what would happen if I didn't bother.
In fact the challenge was already with me. My new phone stopped taking calls. I thought that this might be down to the four-year-old SIM card I'd transferred into the new one. This morning I walked four miles into town (most of which were pleasant enough alongside the Thames) to the My EE shop, where one guy agreed that it might well be the card. A colleague spent 25 minutes on the line to My EE HQ, with it turning out that there had been a mistake there with processing a recent Top Up (though I'm not sure why this would have affected incoming calls).
Then I made the mistake of filling my man bag with Holland & Barret products and walking home again. I was glad to get in through the front door. That bag got heavier and heavier.
I definitely do not feel like tackling the Digipass challenge today.
Post by iRobot on Jun 25, 2020 14:03:21 GMT
> For balance, I'm not in favour of blanket 2fa or even 3fa. I want it on accounts where funds can be transferred to many destinations such as a current account. Otherwise, a strong password coupled with the usual server side ability to prevent multiple login attempts to a given username or from an IP IMO suffices. I use PasswordSafe for accounts with cash in them (those that are locked to a single account). I figure if it's good enough for Bruce Schneier it's good enough for me. I don't mind others recommending blanket 2fa but I resent any that use purely technical arguments in doing so. Once you understand the info sec, the decision of what is appropriate is a personal one. i.e. How much risk can you tolerate for your convenience?

Aware of this? "It will eventually mean a customer will need to authenticate any online purchases of £28 (€30) or more"

I think the point being made by @wallstreet is that the tech is so good nowadays and that the process can be - as they aptly put it - so friction-less, that there should be very few obstacles or objections to adoption.
Post by michaelc on Jun 25, 2020 16:59:10 GMT
> > I want it on accounts where funds can be transferred to many destinations such as a current account.
>
> So, you don't want it on email? The natural breeding ground for identity theft? You don't want it on your Amazon account? Where you've got stored credit cards and personal data such as extensive order histories? etc. People should be using 2FA everywhere possible because of the possibility of social engineering. Unauthorised access to a non-financial account might not seem worthy of 2FA. But then all you're doing is leaving the opportunity for the miscreants of this world to put 1+1 together. Think it won't happen to you? The low-hanging fruit, the security-lax people of this world are exactly the sort of targets they are after. Stealing candy from a baby.
>
> P.S. michaelc, to "strong passwords", I say two things. Keyloggers and shoulder-surfing. (There are others, but those two are simplest to understand without technical explanation).

Some good points. I use Gmail mostly and think Google have it right. They give me the choice. If I was going abroad a lot as I used to or accessing gmail from insecure devices I'd probably turn it on. Yes my machine at home could have a virus but if it planned to "phone home" my firewall would alert me and in any case I think it's unlikely with my av software and the fact I don't download anything dodgy. One of the most obvious ways of falling victim is to download software without paying for it - keygens etc are _very_ often loaded with hidden nasties. The difference in ease of use is a single click with a pre-populated long password vs typing in codes from my phone or copying/pasting from elsewhere.
Post by moonraker on Jun 26, 2020 2:55:06 GMT
Last night I received a text from Cynergy announcing that it had "recently carried out a request on your behalf? How easy was it to get what you needed [on a scale of 1 to 5]?"
I assume that this referred to its sending me the Digipass. Well, very easy to "get" it, seeing I hadn't requested it ...
Post by travolta on Jun 26, 2020 7:51:30 GMT
Rubbish interest rates
Post by moonraker on Jun 26, 2020 11:37:38 GMT
It was a market leader when I took out a three-year cash ISA last October.
(As many of us know, many providers offer ISA rates that compare badly with those for non-ISAs.)
The other thought is that as maturity approaches I can ask another provider to take it over so they can do all the work. IIRC I would need to have no direct contact with Cynergy. (Don't bother to correct me if I'm wrong. )
Post by zlb on Jun 26, 2020 12:57:25 GMT
> > Don't they just use a cheapy camera with non-rechargeable battery in order to avoid losing customers who don't have phones?
>
> zlb This comes back to my point about frictionless. Give the majority the frictionless smartphone based experience. It's 2020, the majority of people will have a smartphone and it is highly likely that a decent proportion of them will have prior positive experience of frictionless smartphone-based 2FA. It also has the added bonus of one less thing for the majority to lose: "where did I put my phone" is less likely than "in which pocket/drawer did I put that stupid difficult to use gadget the bank sent me" (shortly followed by, "where did that pack of fresh AA batteries go?"). Then, you have a fall-back option of the lengthy and tedious process which is made available to those who don't have a smartphone or refuse to use one or are just suckers for punishment.

Yes, that was my underlying thinking - give the battery pack as a fallback offer. That said, I've had phones mysteriously break after installing a banking app with excessive authentication requirements.
Post by moonraker on Jul 1, 2020 12:46:58 GMT
I wailed to Cynergy about having to use the Digipass and have just received this email: "Please be assured that your funds are safe and if you do nothing until October 2022 you will still be able to access your funds upon maturity. You can contact us prior to your maturity date with details of what you would like to do with the funds and we will act upon your instructions."
Which has saved me a little bit of hassle.
Post by moonraker on Nov 26, 2021 16:46:44 GMT
Just had another email from Cynergy, this time wanting me to use AI facial recognition to "update your ID documents". This entails using "either a computer with a webcam, your smartphone or tablet (if it has a camera)" to capture a copy of my passport or driving licence and then take a selfie. "Please note, if the ID/Selfie cannot be verified we may send you another request to repeat the process."
I became unreasonably petulant early this month when a solicitor soon to send me funds asked me to do the same. In the end he was satisfied with a photocopy of my driving licence certified for free by my small bank branch a mile away. (Lucky me!) This after I discovered that local solicitors wouldn't do it unless one was a client.
I suppose that in this day and age of so much financial fraud I ought to be pleased that so much care is being taken but ...
Post by Nomad on Nov 26, 2021 17:25:24 GMT
> Just had another email from Cynergy, this time wanting me to use AI facial recognition to "update your ID documents". This entails using "either a computer with a webcam, your smartphone or tablet (if it has a camera)" to capture a copy of my passport or driving licence and then take a selfie. "Please note, if the ID/Selfie cannot be verified we may send you another request to repeat the process."
>
> I became unreasonably petulant early this month when a solicitor soon to send me funds asked me to do the same. In the end he was satisfied with a photocopy of my driving licence certified for free by my small bank branch a mile away. (Lucky me!) This after I discovered that local solicitors wouldn't do it unless one was a client.
>
> I suppose that in this day and age of so much financial fraud I ought to be pleased that so much care is being taken but ...

In similar vein, I have stuck with TSB through many ups and downs (and IT meltdowns) but have finally given up today and closed my account with them after their fraud prevention team yet again blocked me from transferring a small sum to my own account at another UK bank, a transfer I have done many times before. This necessitates a lengthy telephone conversation with them, involving security questions provided by Equifax, some of which are a real memory test... The assumption is that you are a total idiot in the process of being scammed by some internet fraudsters... I failed the security check despite having securely uploaded my selfie and driver's licence. I was then told to attend a branch to resolve the matter. My branch shut years ago and I am overseas for several months... Surprisingly the account closure went ahead without further drama. TSB of course are owned by Banco Sabadell, about whom I could write an even longer diatribe...
Post by littleoldlady on Dec 16, 2021 19:28:38 GMT
> Just had another email from Cynergy, this time wanting me to use AI facial recognition to "update your ID documents". This entails using "either a computer with a webcam, your smartphone or tablet (if it has a camera)" to capture a copy of my passport or driving licence and then take a selfie. "Please note, if the ID/Selfie cannot be verified we may send you another request to repeat the process."
>
> I became unreasonably petulant early this month when a solicitor soon to send me funds asked me to do the same. In the end he was satisfied with a photocopy of my driving licence certified for free by my small bank branch a mile away. (Lucky me!) This after I discovered that local solicitors wouldn't do it unless one was a client.
>
> I suppose that in this day and age of so much financial fraud I ought to be pleased that so much care is being taken but ...

After wrestling with this for some time I gave up and initiated an ISA transfer elsewhere. The rate is not so good at the new place but it's much easier to operate the account.