One Time Pass Code?

Use this board for general non-cycling-related chat, or to introduce yourself to the forum.
merseymouth
Posts: 1116
Joined: 23 Jan 2011, 11:16am

One Time Pass Code?

Postby merseymouth » 2 Oct 2019, 10:02am

Hello there, There is a new directive from the E.U., or so we're told, concerning this new security measure.
We are told that to complete transactions on the web we will have to use "One Time Pass Codes" which will be sent to one's Smart Phone which will have to be inserted in the dealing process.
Sounds like it is the banks getting to grips with on-line fraud, yippee! But I will, if it works, be excluded from making transaction?
Two main reasons, 1- I cannot operate with PIN numbers, Chip & Signature only. 2- I do not operate a Smart Phone! (an oxymoron in my eyes).
They don't seem to allow either e:mail or land-line delivery, so us dodos with stone-age communication devices will it seems be a doomed as the Dinosaur!
I dread the promised implementation of only being able to buy rail tickets through the sMART-Phone, no more little piece of orange card, I'm hoping that the humans in the loop can get me moving?
The obsession with cutting edge technology being implemented before proven to be idiot proof troubles me, but then again I am a pessimist.
I'm able to use Chip & Signature due to the Disabilities Discrimination Act, Part 3, but it would appear to me that such thought has not been used regarding the OTPC issue? Chew me to pieces guys. IGICB MM

Psamathe
Posts: 10603
Joined: 10 Jan 2014, 8:56pm

Re: One Time Pass Code?

Postby Psamathe » 2 Oct 2019, 10:07am

I can receive SMS text messages on my BT Landline. Not something I use 9as I no longer use my BT landline) but certainly received them before.

Ian

PH
Posts: 7578
Joined: 21 Jan 2007, 12:31am
Location: Derby
Contact:

Re: One Time Pass Code?

Postby PH » 2 Oct 2019, 10:15am

I think you have it completely wrong - the directive says SMS sent information is not acceptable.

rjb
Posts: 3462
Joined: 11 Jan 2007, 10:25am
Location: Somerset (originally 60/70's Plymouth)

Re: One Time Pass Code?

Postby rjb » 2 Oct 2019, 10:21am

I've had these letters from the bank about codes being sent to enable online transactions. As I live in an area with very patchy mobile reception I don't have a mobile phone let alone a smarty phone. :lol: I am waiting for the bank to update me on how it will work. If it's an EU directive it'll be all right at the end of the month. :lol:
At the last count:- Focus Variado, Peugeot 531 pro, Dawes Discovery Tandem, Dawes Kingpin, Raleigh 20, Falcon K2 MTB dropped bar tourer, Longstaff trike conversion on a Falcon corsa. :D

Psamathe
Posts: 10603
Joined: 10 Jan 2014, 8:56pm

Re: One Time Pass Code?

Postby Psamathe » 2 Oct 2019, 10:22am

PH wrote:I think you have it completely wrong - the directive says SMS sent information is not acceptable.

I've read of cases where people have had their bank accounts emptied when fraudsters have gone into a High Street phone store and managed to get a "replacement" SIM on the victim's number and ... the rest is easy. Google "SIM swap fraud".

Ian

PH
Posts: 7578
Joined: 21 Jan 2007, 12:31am
Location: Derby
Contact:

Re: One Time Pass Code?

Postby PH » 2 Oct 2019, 10:31am

Psamathe wrote:
PH wrote:I think you have it completely wrong - the directive says SMS sent information is not acceptable.

I've read of cases where people have had their bank accounts emptied when fraudsters have gone into a High Street phone store and managed to get a "replacement" SIM on the victim's number and ... the rest is easy. Google "SIM swap fraud".

Ian

Yes, I haven't read the directive, but German banks have moved away from it
https://www.zdnet.com/article/german-ba ... passcodes/

User avatar
661-Pete
Posts: 9183
Joined: 22 Nov 2012, 8:45pm
Location: Sussex

Re: One Time Pass Code?

Postby 661-Pete » 2 Oct 2019, 10:36am

I think you can choose to get the secure code via E-mail. Surely almost everyone who uses the internet has E-mail - if not, it's pretty easy to set up a webmail account.

Which poses the question: How secure is E-mail? I don't know - perhaps it depends on the strength of your password?

What really bugs me is the egregious "Captcha". "Click on every picture containing a [bit of a] car"? How am I supposed to recognise a 1mm strip off the edge of a wing mirror, as a car? :( :(
Suppose that this room is a lift. The support breaks and down we go with ever-increasing velocity.
Let us pass the time by performing physical experiments...
--- Arthur Eddington (creator of the Eddington Number).

mercalia
Posts: 11511
Joined: 22 Sep 2013, 10:03pm
Location: london South

Re: One Time Pass Code?

Postby mercalia » 2 Oct 2019, 10:46am

You don't need a smartphone, just one that will receive text messages. My old £10 Nokia 106 dumb phone can do that. I am considering using it for that with a pay as you go sim that has never been otherwise used to minimise sim hijacking, and will never leave my home. You could periodically change the sim so the number changes.

I think I read that banks will have to supply a device that will receive the code for those who don't have a phone or don't want to use one

merseymouth
Posts: 1116
Joined: 23 Jan 2011, 11:16am

Re: One Time Pass Code?

Postby merseymouth » 2 Oct 2019, 11:01am

Hi Mercalia, Sounds like you've now pointed out another oxymoron? - A mobile phone that never leaves home :shock: :shock: :shock:
Looks like this Luddite will have to give up virtually everything as shops either close or have zilch choice, everything else Stupidphone linked!
So the big question - What will happen when the Great Solar Flares Storm comes??? :lol: :lol: :lol: MM

mercalia
Posts: 11511
Joined: 22 Sep 2013, 10:03pm
Location: london South

Re: One Time Pass Code?

Postby mercalia » 2 Oct 2019, 11:03am

merseymouth wrote:Hi Mercalia, Sounds like you've now pointed out another oxymoron? - A mobile phone that never leaves home :shock: :shock: :shock:
Looks like this Luddite will have to give up virtually everything as shops either close or have zilch choice, everything else Stupidphone linked!
So the big question - What will happen when the Great Solar Flares Storm comes??? :lol: :lol: :lol: MM


I have a number of phones - Windows phones are very cheap these days

merseymouth
Posts: 1116
Joined: 23 Jan 2011, 11:16am

Re: One Time Pass Code?

Postby merseymouth » 2 Oct 2019, 11:07am

Hi again, You have forgotten one thing in relation to me? I still mentally seek out "Button B" when making a phone cal! MM
P.S. Question does "Whitehall 1212" still get one through to Scotland Yard?????

mercalia
Posts: 11511
Joined: 22 Sep 2013, 10:03pm
Location: london South

Re: One Time Pass Code?

Postby mercalia » 2 Oct 2019, 11:08am

merseymouth wrote:Hi Mercalia, Sounds like you've now pointed out another oxymoron? - A mobile phone that never leaves home :shock: :shock: :shock:
Looks like this Luddite will have to give up virtually everything as shops either close or have zilch choice, everything else Stupidphone linked!
So the big question - What will happen when the Great Solar Flares Storm comes??? :lol: :lol: :lol: MM


I won't use a phone for payments as you see on the buses in London instead of an Oyster card or even credit card outside after my cc was cloned and used to make 3x£500 online bets ( I got my money back) I am even more luddite than you - cash only.

My smartphone 321 pay as you go rate from O2 is cheaper on voice than my landline which is 12p or so a minute and the voice quality is excellent
Last edited by mercalia on 2 Oct 2019, 11:18am, edited 1 time in total.

Psamathe
Posts: 10603
Joined: 10 Jan 2014, 8:56pm

Re: One Time Pass Code?

Postby Psamathe » 2 Oct 2019, 11:17am

mercalia wrote:You don't need a smartphone, just one that will receive text messages. My old £10 Nokia 106 dumb phone can do that. I am considering using it for that with a pay as you go sim that has never been otherwise used to minimise sim hijacking, and will never leave my home. You could periodically change the sim so the number changes.

I think I read that banks will have to supply a device that will receive the code for those who don't have a phone or don't want to use one

An interesting aspect. Where I live does not matter if you have a smartphone or a dumbphone - without mobile coverage they are equally useless.

Government (or Conservatives) making a big push to get everybody ultra super-duper internet, needed by businesses, etc. but what about mobile signal coverage. And for mobile signal coverage they don't have to pay out public subsidies. Well maybe they do now but when they sold of the frequencies they should have included a requirement for e.g. in-building coverage. But that might affect the profitability and wealth of those with the money to buy ...

(But I do have a smartphone that supports Wi-Fi calling so my personal reality is that my mobile connects to EE through my internet connection so I'm OK but others e.g. my neighbours are not).

Ian

User avatar
Pastychomper
Posts: 307
Joined: 14 Nov 2017, 11:14am
Location: Caithness

Re: One Time Pass Code?

Postby Pastychomper » 2 Oct 2019, 11:28am

661-Pete wrote:I think you can choose to get the secure code via E-mail. Surely almost everyone who uses the internet has E-mail - if not, it's pretty easy to set up a webmail account.

Which poses the question: How secure is E-mail? I don't know - perhaps it depends on the strength of your password?



The short answer is, not at all. Email has been described as being as secure as sending a postcard written in pencil through the post. In other words it's probably even worse than SMS.

To be fair a lot of email providers now use encryption as far as they can to reduce the number of places a message can be intercepted, but they're trying to plug holes in an inherently leaky standard.

Security systems that send a one-time code in an email generally rely on the intended recipient being the first person to try to use the code and therefore the only person it works for, which I think is likely to be true if it is the real "customer" requesting the code.

Personally (being somewhat paranoid) I prefer to keep banking information away from my 'phone, so I'm glad my bank still supports the card-reader they sent out over a decade ago. I do wonder which banks are so lax on security that the EU thinks a code sent to a 'phone would be an improvement. :shock:
Last edited by Pastychomper on 2 Oct 2019, 11:41am, edited 1 time in total.
Everyone's ghast should get a good flabbering now and then.
--Ole Boot

User avatar
mjr
Posts: 14025
Joined: 20 Jun 2011, 7:06pm
Location: Norfolk or Somerset, mostly
Contact:

Re: One Time Pass Code?

Postby mjr » 2 Oct 2019, 11:39am

The European Banking Authority guidelines based on EU Payment Services Directive 2 only requires "two factor authentication", which is roughly requiring something you know (such as a password or PIN) and something you hold before you can login.

Good banks are providing a way to prove that you hold a certain bank card (such as those reusable chip card readers with replaceable batteries which look like small calculators). Average banks are issuing non-reusable security tokens which display a number for you to type in at login. Cheapskate banks are sending single-use codes out by text message. Dodgy banks are sending single-use codes out by smartphone app because then you have to put their app on your phone where it can snoop on you all day long.

mercalia wrote:I won't use a phone for payments as you see on the buses in London instead of an Oyster card or even credit card outside after my cc was cloned and used to make 3x£500 online bets ( I got my money back) I am even more luddite than you - cash only.

I do not understand the above. Have I understood it correctly that the credit card protection worked and gave you your money back so you stopped using it? And now instead you have switched to cash that you will not get back if someone defrauds you of it?

I can understand some reasons for avoiding credit cards, but not that fraud one.

661-Pete wrote:Which poses the question: How secure is E-mail? I don't know - perhaps it depends on the strength of your password?

Partly it depends on passwords, because if an attacker gets your passwords, it probably gives them access, but you also need to encrypt the connections between mailservers (which is finally becoming more common - it's beyond most people's control but I see it for work), your connection to/from your mailserver (tick the box marked "secure connection" "Transport Layer Security" or similar) and the message contents (use software like GPG, Enigmail or whatever your email software supports).

Some banks can do encrypted mailserver connections but I don't know of any currently encrypting message contents, so the answer to "How secure is E-mail?" is "not very". If a criminal breaks into the mailserver you use, they can probably read all your email (which is why most email is like a postcard).

661-Pete wrote:What really bugs me is the egregious "Captcha". "Click on every picture containing a [bit of a] car"? How am I supposed to recognise a 1mm strip off the edge of a wing mirror, as a car? :( :(

That's not a captcha. It fails the TCHA bit - Telling Computers and Humans Apart - because some computer programs are better than humans at image recognition. Google should have had massive fines for both misadvertising and disability discrimination, but governments are toothless and few others have the money to sustain a private legal challenge, so they get away with it.
MJR, mostly pedalling 3-speed roadsters. KL+West Norfolk BUG incl social easy rides http://www.klwnbug.co.uk
All the above is CC-By-SA and no other implied copyright license to Cycle magazine.