back to article Hey, friends. We know it's a crazy time for the economy, but don't forget to enable 2FA for payments by Saturday

Saturday is the delayed deadline for UK banks and financial institutions to have implemented two-factor authentication for payment transactions. This is the result of the EU Payment Services Directive 2 (PSD2) for "Strong Customer Authentication" (SCA). This requires institutions to have two levels of authentication in place …

  1. ArrZarr Silver badge
    Coat

    I look forwards to the biometrics databases getting hacked so I can change my eyeballs & fingerprints.

    1. Jimmy2Cows Silver badge

      Be away with you, you and your rational, sensible way of looking at these things. Damnit! Away with you I say!

    2. Anonymous Coward
      Anonymous Coward

      I have some sand paper left over. I only used the part that is dark brown to do my fingerprints and there is plenty left, no point wasting it. You can have it if you want?

      I was going to use the leftovers to do my eyeballs, but I can't hold the sandpaper properly any more and couldn't find anyone willing to do it for me.

  2. Anonymous Coward
    Anonymous Coward

    Damn EU, securing our accounts......

    1. Anonymous Coward
      Anonymous Coward

      Even after Brexit, the cheek of it!

  3. cantankerous swineherd Silver badge

    top tips for fraudsters, go for one or all of:

    recurring payments when only the first payment needs authenticating

    low-value payments of less than €30

    merchant-initiated transactions.

    1. Anonymous Coward
      Anonymous Coward

      Phishing. Phishing also works.

      I caught one this big!!!

    2. Anonymous Coward
      Anonymous Coward

      a) the way these work, you'd need to hack the merchant to make an existing authenticated recurring payment relevant for you somehow. This is typically used by marketplace type transactions, eg. amazon where you agree to pay 100 quid, but there are actually 5 different payments in there to different market place merchants. only the first part is authenticated, but the authentication token can only be used for 100 quid worth of payments.

      Sometimes used for stuff like Pay 1/3 now, 1/3 in a month, 1/3 in two months type store credit deals, or yearly subscriptions (although, the authentication is only supposed to be stored for 90 dyas max, so yearly might be pushing it.)

      b) every 5th payment with a low value exemption (or any exemption, there are a few, like the merchant says it's a low risk product) is rejected and has to be authenticated anyway, so you might get lucky. Also required the merchant to have a low value exemption agreement with their acquiring bank, which requires them to have a solid record of not having fraudulent activity and usually a high transaction volume.

      c) merchant initiated transactions are only accepted if they can be linked back to a customer initiated transaction that was authenticated.

      Spent the last year implementing this stuff for a payment provider. It's been a nightmare, to be honest.

      Should have been ready January 1st 2019, but no one was ready, no banks/ card issuers/ merchants/ gateways, no one. So the deadline was extended to June, with an agreement not to fine anyone until March 2020. Pretty much everyone we work with is now ready for the 2FA on every transaction part, but the exemptions are mostly not ready anywhere except France that basically has a nationally standard banking protocol that everyone uses, so it was implemented centrally and rolled out last November. UK banks were hoping Brexit would relieve them of the requirements, but the big card companies made it part of the spec, so they had to do it anyway... If your implementation of the protocol is more than 1 version behind the latest, other banks are allowed to just reject your transactions...

  4. petef

    RBS have many things to answer for but did you mean to say Bank of Scotland in your institutions who are ignoring you?

  5. Gerry 3
    Boffin

    SMS is U/S for 2FA

    GCHQ told the banks not to use SMS verification: it's insecure because MNOs aren't very good at preventing fraudsters gaining control of your mobile number.

    Predictably, people still lose £thousands.

    So why are banks such as Santander still refusing to issue card readers for 2FA, which seem to be pretty secure because (1) you need to have your card and (2) to know its PIN?

    1. Anonymous Coward
      Anonymous Coward

      Re: SMS is U/S for 2FA

      A very good point about the lack of security of SMS, but I'd rather use an app as the second factor than a card reader. One of my banks uses a card reader, and although it's not unreasonable to have to use it to set up a new payee (surely the biggest risk, if someone is trying to scam you), having to dig out the card reader and go through its multiple steps just to change the payment amount for a payee that I have already set up (ie, an account that I already trust), is rather a faff.

      1. Ben Tasker Silver badge

        Re: SMS is U/S for 2FA

        > but I'd rather use an app as the second factor than a card reader.

        Same.

        One of my banks (I suspect same as yours) uses a card reader. When they introduced that they stopped being my primary bank because it just became too much of a hassle vs having a little code generator (as I have with another bank). I think they've actually scaled back how often you need the reader now though.

        The (growing) issue I now have is banks who've taken their code-generating app and made it a full internet banking app too. I don't want that shit on my phone, I _just_ want the code generator (or better yet, for them to use TOTP so I can use my app of choice, and have just a single app)

        1. Insert

          Re: SMS is U/S for 2FA

          I have resisted downloading my bank's app because I don't want a stolen phone to be a threat to my money. If it was the same time based system as any other two factor account I'd choose that in a heartbeat.

          1. Chloe Cresswell

            Re: SMS is U/S for 2FA

            I'm dyslexic and have issues with numbers, and use chip and sign cards.

            I looked at the app for my credit card, to find the same, a) it's a full on banking app, and b) you have to set a 6 digit PIN to use it. Again I'm in the situation where the bank/etc understands I can't use a 4 digit PIN to use a card, but can't understand why I can't just use a 6 digit number I can remember for their app/etc. :(

    2. Warm Braw Silver badge

      Re: SMS is U/S for 2FA

      I wouldn't even need Santander to issue a card reader: I already have several from other banks and they're all interchangeable - though only the NatWest one seems to allow you to change your card PIN.

      SMS isn't just unsuitable on security grounds, it also fails on usability, particularly if you live in an area with a poor mobile signal.

      The main benefit of SMS is that it doesn't require much user education. Something like an OTP generator requires an enrolment step and may involve scanning a QR code with your phone - and that means you need a second screen to display the code.

      The most practical solution I've seen is from the Skipton Building Society - you get a credit-sized card printed with a grid of letters and you get challenged for the letters in certain grid positions - it's a bit like a game of Battleships. No technology required and the card fits in your wallet.

      1. dajames Silver badge

        Re: SMS is U/S for 2FA

        ... only the NatWest [card reader] seems to allow you to change your card PIN.

        That's interesting ... that would suggest that NatWest (at least) no longer perform any online PIN verification (for which they'd need to have your PIN stored in their systems). That would imply that they don't support any PIN-verified transactions apart from chip-and-PIN transactions. It would also mean that whenever they issue a replacement card they have to send a new PIN advice, because they don't know what your old PIN was, if you've changed it.

        ... I can see problems with, for example, withdrawing cash from ATMs that read the magstripe rather than using the chip (older ATMs, such as are still prevalent in, e.g., the USA). As they can't use the chip to verify your PIN they have to perform an online verification ... and if you've changed your PIN using the card reader the one they'll be verifying against won't be current.

        All in all, it sounds like a bad idea.

        1. TheMeerkat

          Re: SMS is U/S for 2FA

          The definitely don’t ask you to change your pin.

      2. katrinab Silver badge
        Megaphone

        Re: SMS is U/S for 2FA

        The Skipton one isn’t 2fa because you can copy the card, it is just an insecure password.

      3. Anonymous Coward
        Anonymous Coward

        Re: SMS is U/S for 2FA

        The Skipton grid cards are being outlawed in this round of changes.

    3. FlatSpot
      Thumb Down

      Re: SMS is U/S for 2FA

      Santander are the worst bank in the world. I had some unauthorised transactions on my card, phoned them up and had them blocked. Fraudster phoned them up and got them unblocked again, despite all the security information having been changed and calling from a phone number not even registered on my account.

      I demanded an audio copy of the phonecalls and all paperwork just to waste their time and cause as much cost to them as possible. They also paid me goodwill payments etc. but I went into the branch and cancelled my account, swiftly followed by joint account and moved all my savings. Would never trust them ever again.

    4. Anonymous Coward
      Anonymous Coward

      Re: SMS is U/S for 2FA

      In addition spoofing the sender or alternatively intercepting the receiving of SMS is also possible. Though I'm not away of any attacks/uses in the wild past research. But up the incentive, and the scammers/thieves will quickly find a hook.

    5. Chloe Cresswell

      Re: SMS is U/S for 2FA

      I've just had to delete my online banking with M&S credit cards, because they need you to use a pin based token, or a pin based app on your phone. I have chip and sign cards.

      As usual the response "Can't you just use a number you'll remember?", and yet no one seems to understand the idea that if I could remember numbers like that, I wouldn't have or need chip and sign cards in the first place!

      Next suggestion is of course to write the PIN down for when I need it... :(

  6. This post has been deleted by its author

  7. NonSSL-Login
    FAIL

    Saturday b0rk3d

    Tried to purchase something online today and got a message on my phone telling to verify the transaction in my banking app.

    Tried opening the banking app and for the first time ever got an error about not being able to connect to my banks servers. Tried on cell data and home wifi but no use and the banks helpdesk was useless.

    Ended up buying the item from ebay instead where it just worked without any extra prompts, phone messages or actions needed after pressing the checkout button.

    I have a feeling some businesses are going to lose sales if this has been implemented badly.

  8. karlkarl Silver badge

    Can anyone guess what Thinkpad that is in the stock image?

    I don't recall one with a notch in the middle. :)

    1. Julian Bradfield

      Eh? It's any old-style one with two sets of mouse buttons, e.g. X301

      1. karlkarl Silver badge

        Hmm, no I don't think it is. Can you see just below the mouse buttons there is a slant (or ridge)? I don't have that on my x61 or other X-series I have seen.

  9. MatthewSt

    Drat!

    I knew there was a PR I meant to merge this week...!

  10. Giles C

    Not on amazon

    Just placed an order on amazon, no login checks just went straight through without any further prompts, ok it was only for £12 but still with the new rules they would have at least asked for the cv2 code?

    1. Is It Me Bronze badge

      Re: Not on amazon

      I believe the rules are for the bank/card issuer.

      Amazon have taken on the financial risk of card holder not present for a long time by not asking for the CV2 number. They decided that any loss is worth it to minimise the effort from their customers

  11. Chronos Silver badge
    Devil

    Government quango Action Fraud is the UK's central referral point for online crime. But it ref is about as much use as a condom vending machine in St Paul's Basilica.

  12. Blergh

    I hate SMS 2FA

    I don't dislike SMS 2FA because it's insecure, although that obviously isn't great. The reason I hate it is that when I went to buy something on Saturday it took multiple attempts on 3 different cards before I actually received the SMS message for the transaction. I had a signal good enough to phone one of the helpdesks so I don't think that was the issue, it's just a rubbish system.

  13. Mike 137 Silver badge

    The same old stupid mantra yet again

    "two levels of authentication in place for online transactions[...] a PIN, [...] a phone or hardware token, [...]a biometric check."

    When will it finally sink in that a biometric is not an authenticator?

    It cannot be rescinded and it cannot be kept secret with any assurance, so it's only valid as an identifier.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020