
Banks don’t give a 2FA


Whoops!

It's a shame that while (rightly) castigating banks for their failings, Which? couldn't even get the link to the results of their tests right on the webpage the article links to, so I still don't know how individual banks compare. At least they have a nice custom 404 page, though. :)


Re: Whoops!

Barclays have a reasonable 2FA system. This is not a recommendation for Barclays as a bank, nor does it constitute financial advice.


Re: Whoops!

Santander still bringing up the rear; they got last place in 2013. Why am I not surprised?

There's a copy of the list here


Re: Whoops!

Whom to answer first? Let's try both at once.

Yesterday I had the dubious pleasure of trying to log in to a Barclays business account for the first time; despite the assistance of their help line, it just WOULD NOT work, throwing up a "Details not found" error.

"No, no, it isn't case sensitive," the poor girl is telling me, which it patently IS, because the first time I enter my name using lower case only, the buggering thing works.

But only if I use a specific one of the three possible account identification options; so why have the other two, then?

"It isn't case sensitive, but lower case is best, as is using account identity option 1," she burbles.

Fuckwits.


Re: Whoops!

Although Santander don't use 2FA at that point, their login pages do include a personalised display as an anti-phishing measure (I haven't seen any other bank doing that).

And Santander do use 2FA for approving new payees (by sending an OTP to your mobile).

Personally, I think 2FA just to log in is probably excessive, and there are some functions that could reasonably be done without it (e.g. requests that require delivery fulfilment or branch collection [replacement cheque books and such]).


Re: Whoops!

"It isn't case sensitive, but lower case is best"

-- best laugh I've had all week :-) Thanks for sharing!


Blah. Whatever. In my experience (personal and observed), most of the bank security problems had nothing to do with whether or not two-factor authentication was in place; most of them were outside this, as they were evidently inside jobs of some form or external systems such as 3rd-party card readers. None of which a 2FA system on their website would have helped with at all.


Capitec Bank (in South Africa) offers a reasonably secure system: you can link your account to your mobile device (NOT the SIM card), so whenever you need to transfer money or log into your account from a computer, you will need to enter your PIN on your mobile device.

The plus of this is that your PIN can be longer than the usual 4 digits.

Mobile device got blagged by a ne'er-do-well? No fear, just give them a call on a 24-hour line and stop your card.

Also, said ne'er-do-well only has 3 chances of inputting the correct PIN; if he/she/it doesn't, the app deauthenticates itself, and only by going into a branch will you be able to re-establish authentication again.

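Several comments in this thread describe the same mechanism from the user's side: a one-time code sent to or generated on a phone (Santander's OTP for new payees, Lloyds' robot call), and a second factor that locks itself out after three wrong attempts (the Capitec app above). The following is an added example, not code from the original article, from Which? or from any of the banks named: a server-side HOTP verifier per RFC 4226 (HMAC-SHA1, 6 digits) with a look-ahead window, replay protection and a three-strike lockout. The look-ahead of 3 and the lockout threshold of 3 are assumptions chosen to mirror the comment; the secret is the RFC 4226 test-vector secret, so the codes it produces can be checked against the RFC's own table.

```python
import hashlib
import hmac
import struct

# Secret from the RFC 4226 test vectors (Appendix D), not a real enrolment secret.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password, RFC 4226: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Per-user server state: the next expected counter, consecutive failures, lockout.

    MAX_FAILURES = 3 is an assumption mirroring the 'three chances' in the comment above;
    look_ahead = 3 is an assumed resynchronisation window.
    """

    MAX_FAILURES = 3

    def __init__(self, secret: bytes, look_ahead: int = 3) -> None:
        self.secret = secret
        self.counter = 0          # next counter value the server will accept
        self.look_ahead = look_ahead
        self.failures = 0
        self.locked = False       # once set, only re-enrolment (e.g. in branch) clears it

    def verify(self, submitted: str) -> bool:
        if self.locked:
            return False
        submitted = submitted.strip()
        # Only ASCII digit strings are compared; anything else is simply a failed attempt.
        if submitted.isascii() and submitted.isdigit():
            # Accept the expected counter or a few ahead (codes the client generated but never
            # sent), never one at or below the last accepted value: that blocks replay of a used code.
            for c in range(self.counter, self.counter + self.look_ahead + 1):
                if hmac.compare_digest(hotp(self.secret, c), submitted):
                    self.counter = c + 1
                    self.failures = 0
                    return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False


if __name__ == "__main__":
    v = OtpVerifier(RFC4226_TEST_SECRET)
    first = hotp(RFC4226_TEST_SECRET, 0)
    print("code for counter 0:", first)          # 755224 per RFC 4226
    print("fresh code accepted:", v.verify(first))
    print("same code replayed:", v.verify(first))
    for _ in range(3):
        v.verify("000000")
    print("locked after three bad codes:", v.locked)
```

Two details matter more than the HMAC itself: the counter only ever moves forward, so a code captured from an SMS or a phone call cannot be replayed even inside the look-ahead window, and the lockout counter is reset on success so a legitimate user who fat-fingers one code is not pushed towards the branch visit. A real deployment would persist this state per user and rate-limit the endpoint as well.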

More problems than that

My bank (a French one, as that's where I live) took away my password (that was a suitably long foreign word) and replaced it with a five-digit number for the braindead retards my security.

Also, when I purchase online things from France I get an SMS asking me to confirm the transaction. Buying a Pi Zero from the UK? Transaction accepted with no hitches. Now won't fraud likely be from another country? {facepalm}


Lloyds 2FA

They do have 2FA, but only when you want to perform some action. A bit like lazy vs. eager password entry on sites like Amazon. Works better for me than one of those stupid calculators that you have to carry everywhere.

Admittedly, it's not providing much security when the second factor is calling the same phone that the app or website is running on.


Re: Lloyds 2FA

Which? do make that point; it just didn't make it into the Reg article.

Anonymous Coward

Smile Bank / Cooperative Bank's new facelift is an utter disaster

Smile had had pretty much the same system since 1999; it was matter-of-fact, but crucially it worked, was never offline, and there was never a mistake on the account. You could phone, or use a branch of the Cooperative Bank if you really had to. When all you had was 2G data, you could still log in and make a transfer/payment. It was a frugal interface in terms of data exchange. It was great.

Cooperative decided on one of those useless glossy revamps, and boy, is it the biggest load of convoluted shit ever. It adds absolutely nothing and destroys everything in the process.

Each box takes 2-3 seconds between each entry screen to become typeable.

You now need to remember your sort code, account number and the original 4-digit PIN for telephone support.

The new Online Sign on process...

You need sort code and account number followed by the original 4-digit PIN (old system).

This now gets you a deletable cookie stored on the device to access the new system. Delete this and you need the above again.

Then you need a new case-sensitive 8+ character password, plus a new six-digit password. Then...

Mother's maiden name, first school, last school, father's name, memorable date, or some combo of those.

When it all fails (it does, because the system can't keep up with your typing), you can use the generic card reader with your debit card + a different 4-digit card PIN to reset everything online with no system checks and gain full access (and subsequently empty the account, if you had got hold of someone else's PIN + debit card and have a generic card reader).

It's actually quicker to fail the password system three times and use the card reader + PIN every time to log on!

All in the name of Progress. Oh, and phoning Smile/Cooperative now, you'll be lucky if the phone is answered in any time short of 30 minutes.

Anonymous Coward

Re: Smile Bank / Cooperative Bank's new facelift is an utter disaster

I missed out the username. There is also an added username to remember, to replace the sort code and account number, but you still need to remember those anyway.


What about case-sensitive passwords?

The fact that many don't offer 2FA is not surprising.

Halifax's online banking website does not even use case-sensitive passwords, FFS.

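The comment above complains that a bank's login is not case sensitive. What that costs is easy to quantify and to demonstrate. The block below is an added example, not code from the original article or from any bank: it computes how much of the search space a case-folding server throws away, and shows two password stores side by side, one that lower-cases before hashing (so "Tr0ub4dor" and "TR0UB4DOR" are the same credential) and one that does not. PBKDF2-HMAC-SHA256 with a random salt is this example's own choice of password hash, and the 100,000 iteration count is an assumption, not anything the comment states about Halifax.

```python
import hashlib
import hmac
import math
import os


def password_bits(length: int, case_sensitive: bool) -> float:
    """Entropy in bits of a uniformly random alphanumeric password of `length` characters.
    Alphabet: 10 digits plus 26 letters, or 52 letters when case is preserved."""
    symbols = 10 + 26 * (2 if case_sensitive else 1)
    return length * math.log2(symbols)


def case_fold_penalty(length: int) -> float:
    """Factor by which an offline brute-force search shrinks when the server folds case:
    (62/36)^length, i.e. about 77x for an 8-character alphanumeric password."""
    return 2 ** (password_bits(length, True) - password_bits(length, False))


class PasswordStore:
    """Salted PBKDF2 store. fold_case=True reproduces the weakness in the comment above:
    every mixed-case variant of a password verifies as the same credential."""

    ITERATIONS = 100_000   # assumed work factor for this example

    def __init__(self, fold_case: bool) -> None:
        self.fold_case = fold_case
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def _normalise(self, password: str) -> bytes:
        # The vulnerable variant discards case before the password ever reaches the hash,
        # so the stored digest can never distinguish "Secret" from "SECRET".
        return (password.lower() if self.fold_case else password).encode("utf-8")

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", self._normalise(password), salt, self.ITERATIONS)

    def enrol(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, self._digest(password, salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(self._digest(password, salt), stored)


if __name__ == "__main__":
    print(f"8-char alphanumeric, case kept:   {password_bits(8, True):.1f} bits")
    print(f"8-char alphanumeric, case folded: {password_bits(8, False):.1f} bits")
    print(f"search space shrinks by a factor of {case_fold_penalty(8):.0f}")
    for fold in (True, False):
        store = PasswordStore(fold_case=fold)
        store.enrol("alice", "Tr0ub4dor")        # constructed sample credential
        print(f"fold_case={fold}: 'TR0UB4DOR' accepted? {store.verify('alice', 'TR0UB4DOR')}")
```

The six-bit loss per eight characters looks small until you remember it applies on top of whatever else the bank's policy already removes (short numeric PINs, limited character sets), and that it cannot be fixed later without a forced reset: once digests of lower-cased passwords are on disk, the original case is gone.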

More gadgets

I manage without this by using non-dictionary dual factors, one of which uses two random letters at a time.

Nothing written down and no numeric sequences.


The Lloyds system is better

I have the 2FA device I have to use with HSBC/First Direct: it's a huge keyring thing that I never have near me when I need it.

The Lloyds system is far superior: doing anything that might cost you money makes a robot ring you on your mobile, which you're much more likely to have on you. You then type the number on-screen into your mobile, and you're done.

A much better balance of convenience vs. security.


U2F

Been saying for years I'll move all my accounts to the first bank to offer U2F and also score A+ on the Qualys checker. All banks are technically incompetent and only refresh their sites like once every 10 years (my current bank only just did theirs and didn't improve any of their security when they did).

Anonymous Coward

no comment about using your fingerprint

when using an iPhone.

My iPhone 5S makes using RBS easy. Use my fingerprint and I'm in. Any new payees use 2FA, including their card reader (kept locked away at home) and an SMS.

By contrast, Santander is a POS.
