spiral
Member of DD Central
Posts: 967
Likes: 486
|
Post by spiral on Apr 17, 2024 10:19:00 GMT
The first Banking app I ever downloaded was Tandem. I didn't like it because in order to log in you needed to have a text sent to your phone with a OTP. The problem was if anyone had my mobile and it wasn't locked, identifying my mobile no. would not be difficult an therefore accessing my account would be simple. Recently Tandem introduced a passcode to log in. Great I thought, now if someone has my phone, they need to have a passcode too.
But if they don't know my passcode, they can just press forgotten passcode and they are sent a OTP to reset it so back to square one so my question is what added layer of security is achieved by adding the pin?
|
|
benaj
Member of DD Central
N/A
Posts: 5,597
Likes: 1,736
|
Post by benaj on Apr 17, 2024 10:45:29 GMT
I thought the idea of Passcode is lazy way to get access to the bank account without having the user to type user name, password and OTP.
Then the FaceID or Fingerprint can access the app without entering the passcode.
đ
Usually Tandem logs me out completely out after certain inactivity and Biometrics wouldnât work. I end up typing everything to see my account again.
Updating details like address require human interaction, just canât be done with the app alone
|
|
aj
Member of DD Central
Posts: 348
Likes: 465
|
Post by aj on Apr 17, 2024 13:01:40 GMT
I assume a password reset followed by a request to make a large transfer is going to show as a higher fraud risk on their systems (More likely to get blocked) than the transfer alone.
While the pin can be circumvented, the reset process may be raising red flags behind the scenes?
|
|
keitha
Member of DD Central
2024, hopefully the year I get out of P2P
Posts: 4,584
Likes: 2,615
|
Post by keitha on Apr 17, 2024 13:13:45 GMT
Much like my hive App will occasionally ask for a code it then sends to my phone to login. the only device I have the hive app on is my phone, and it seems the only time it asks is in places with poor mobile coverage, a couple of weeks ago I was on my allotment and was wet and cold so decided to "boost the heating" so that when I got home 45 minutes later the house would be warmer. asked me for the mystical code which because I was mostly in and out of the greenhouse took 20 minutes to arrive.
|
|
spiral
Member of DD Central
Posts: 967
Likes: 486
|
Post by spiral on Apr 17, 2024 15:17:04 GMT
đ
Usually Tandem logs me out completely out after certain inactivity and Biometrics wouldnât work. I end up typing everything to see my account again. What is everything? If Tandem logs me out, it's my mobile number they want to send a OTP to so back to square one. I have no other password to enter. On the other hand a request to change the passcode on Zopa requires you to enter the password set up originally so that is more secure. I dread to think what the option is if I've forgotten that. I would hope that I'd need to call them to get it reset.
|
|
benaj
Member of DD Central
N/A
Posts: 5,597
Likes: 1,736
|
Post by benaj on Apr 17, 2024 15:27:29 GMT
Thatâs would be everything for Tandem. đ
But I do know someone struggling to type everything.
đ¤ âWhatâs number I registered for Tandem?â Some people do have limited memory capacity for remembering something so simple.
|
|
spiral
Member of DD Central
Posts: 967
Likes: 486
|
Post by spiral on Apr 17, 2024 17:53:45 GMT
I suppose the point I'm getting at is if the apps rely on your phone's security to prevent unwanted access, why do they need another layer before logging in. If they feel they can't rely on the phone's security to prevent unwanted log ins, why have a mechanism that is so easy to circumnavigate.
|
|
adrianc
Member of DD Central
Posts: 9,986
Likes: 5,131
Member is Online
|
Post by adrianc on Apr 18, 2024 7:03:55 GMT
design. Never heard of Tandem, but both the banking apps I use (FD and Nationwide) use fingerprint for unlock, once you're in the phone. If that doesn't work, you've got a separate PIN or password to the device's. If that doesn't work, it's an unlock that requires you to confirm ID with phone banking. TBH, though, if your phone is in the hands of a bad actor AND unlocked, you've got bigger problems - because they've got your email as well as mobile number.
|
|
spiral
Member of DD Central
Posts: 967
Likes: 486
|
Post by spiral on Apr 18, 2024 7:23:58 GMT
TBH, though, if your phone is in the hands of a bad actor AND unlocked, you've got bigger problems - because they've got your email as well as mobile number. Exactly, that's why you'd expect it to be even harder to change passwords etc. Unfortunately I do leave my phone unlocked because for some reason when locked, I have random connection problems with bluetooth in the car.
|
|
|
Post by bracknellboy on Apr 18, 2024 8:08:26 GMT
The first Banking app I ever downloaded was Tandem. I didn't like it because in order to log in you needed to have a text sent to your phone with a OTP. The problem was if anyone had my mobile and it wasn't locked, identifying my mobile no. would not be difficult an therefore accessing my account would be simple. Recently Tandem introduced a passcode to log in. Great I thought, now if someone has my phone, they need to have a passcode too.
But if they don't know my passcode, they can just press forgotten passcode and they are sent a OTP to reset it so back to square one so my question is what added layer of security is achieved by adding the pin?
I'm surprised by your comments on Tandem. I've set mine up to use biometric security*. If that fails, or if I choose, I can opt to use a passcode. But if I've forgotten that.....it would appear that I can get it to send a passcode to my phone. So you are right, and its not very good. However, surely your phone itself should be secured. Though that does then question why the extra layer from the app. Tandem appears to be pretty weak in this regard* I have just tried a quick experiment (but not taking all the way so as to not waste my morning) with First Direct and Nat West. Both require you to go online / phone to get past the "I've had total amnesia" stage. Atom gives the option of face id, voice and pincode. I've not bothered experimenting what happens if all 3 fail. Zopa seems to allow you to enter an email address to receive a reset. That obviously for most people can very easily be broken once a 3rd party has unlimited access to the phone. Chip: has just allowed me to get in without doing anything ! It didn't use to. Looks like at some point the security has got switched off. Biometric now switched on. If I try to bypass it, it requires contact with customer services. Santander requires contact with customer services: in fact it has sent me an email saying I need to visit a branch ! (thankfully I'm not so stupid to have taken it to that level). So Tandem and Zopa appear to be pretty weak compared to the others I've tried. Tandem I have quite a lot of money in. *That said, you can only remit money to a linked account. I'm not going to explore that too much. If I try to link to a bank that I have an app for, it takes me to that banks app on my phone and hence its security AND most importantly only my accounts. I'm not sure whether one could set it up to link to an account which is another 3rd party's account without going through some additional final security. I don't know.
|
|
benaj
Member of DD Central
N/A
Posts: 5,597
Likes: 1,736
|
Post by benaj on Apr 18, 2024 9:57:07 GMT
What kind of âsecurityâ do we need from these banks?
Is it stopping us to get access to our own bank accounts? Is it stopping fraudsters / unauthorised person to get access to our bank? Is it stopping malware to get access to our bank accounts? or is it stopping unauthorised people or entities stealing money from our bank accounts?
There are some investment accounts I keep resetting the credentials on a regular basis as it is far too easy to enter the wrong credentials and biometrics didnât work.
It doesnât make sense to keep using the same password for all platforms and some platforms have very strange rules regarding password choice. đ¤Ź
|
|
adrianc
Member of DD Central
Posts: 9,986
Likes: 5,131
Member is Online
|
Post by adrianc on Apr 18, 2024 11:10:00 GMT
...and some platforms have very strange rules regarding password choice. 𤏠Chuffing Screwfix have recently changed their password requirements. Minimum 13 characters... but no need for extended character set.
|
|
spiral
Member of DD Central
Posts: 967
Likes: 486
|
Post by spiral on Apr 19, 2024 7:10:58 GMT
I'm surprised by your comments on Tandem. I've set mine up to use biometric security* When I first downloaded Tandem, I didn't have a phone capable of this. Later a relative gave me an old phone for this purpose. Unfortunately I had trouble with the facial recognition not working 75% of the time but I also had bluetooth connectivity issues in the car once the screen locked. I tried all kinds of settings to no avail but as soon as I disabled facial recognition, bluetooth was OK. Maybe I should give it another try to see if it's settled down now as it was at least a year ago that I stopped using it or at the very least set a pincode on the phone. The annoyance with this is that the screen locks after about 10 seconds so becomes very annoying to keep re-entering the code.
|
|
keitha
Member of DD Central
2024, hopefully the year I get out of P2P
Posts: 4,584
Likes: 2,615
|
Post by keitha on Apr 20, 2024 19:24:27 GMT
...and some platforms have very strange rules regarding password choice. 𤏠Chuffing Screwfix have recently changed their password requirements. Minimum 13 characters... but no need for extended character set. "chuffingscrewfix" will fit the requirements then
|
|
warn
Member of DD Central
Curmudgeon
Posts: 636
Likes: 658
|
Post by warn on Apr 21, 2024 6:29:08 GMT
Chuffing Screwfix have recently changed their password requirements. Minimum 13 characters... but no need for extended character set. "chuffingscrewfix" will fit the requirements then I'm reminded of the old joke: "They said my password had to be eight characters, so I set it to SnowWhiteAndTheSevenDwarfs".
|
|