One Time Pass Code?

[merseymouth]

Hello there, There is a new directive from the E.U., or so we're told, concerning this new security measure.
We are told that to complete transactions on the web we will have to use "One Time Pass Codes" which will be sent to one's Smart Phone which will have to be inserted in the dealing process.
Sounds like it is the banks getting to grips with on-line fraud, yippee! But I will, if it works, be excluded from making transaction?
Two main reasons, 1- I cannot operate with PIN numbers, Chip & Signature only. 2- I do not operate a Smart Phone! (an oxymoron in my eyes).
They don't seem to allow either e:mail or land-line delivery, so us dodos with stone-age communication devices will it seems be a doomed as the Dinosaur!
I dread the promised implementation of only being able to buy rail tickets through the sMART-Phone, no more little piece of orange card, I'm hoping that the humans in the loop can get me moving?
The obsession with cutting edge technology being implemented before proven to be idiot proof troubles me, but then again I am a pessimist.
I'm able to use Chip & Signature due to the Disabilities Discrimination Act, Part 3, but it would appear to me that such thought has not been used regarding the OTPC issue? Chew me to pieces guys. IGICB MM

[Psamathe]

I can receive SMS text messages on my BT Landline. Not something I use 9as I no longer use my BT landline) but certainly received them before.

Ian

[PH]

I think you have it completely wrong - the directive says SMS sent information is not acceptable.

[rjb]

I've had these letters from the bank about codes being sent to enable online transactions. As I live in an area with very patchy mobile reception I don't have a mobile phone let alone a smarty phone. I am waiting for the bank to update me on how it will work. If it's an EU directive it'll be all right at the end of the month.

[Psamathe]

I think you have it completely wrong - the directive says SMS sent information is not acceptable.

I've read of cases where people have had their bank accounts emptied when fraudsters have gone into a High Street phone store and managed to get a "replacement" SIM on the victim's number and ... the rest is easy. Google "SIM swap fraud".

Ian

[PH]

I think you have it completely wrong - the directive says SMS sent information is not acceptable.

I've read of cases where people have had their bank accounts emptied when fraudsters have gone into a High Street phone store and managed to get a "replacement" SIM on the victim's number and ... the rest is easy. Google "SIM swap fraud".

Ian

Yes, I haven't read the directive, but German banks have moved away from it
https://www.zdnet.com/article/german-ba ... passcodes/

[661-Pete]

I think you can choose to get the secure code via E-mail. Surely almost everyone who uses the internet has E-mail - if not, it's pretty easy to set up a webmail account.

Which poses the question: How secure is E-mail? I don't know - perhaps it depends on the strength of your password?

What really bugs me is the egregious "Captcha". "Click on every picture containing a [bit of a] car"? How am I supposed to recognise a 1mm strip off the edge of a wing mirror, as a car?

[mercalia]

You don't need a smartphone, just one that will receive text messages. My old £10 Nokia 106 dumb phone can do that. I am considering using it for that with a pay as you go sim that has never been otherwise used to minimise sim hijacking, and will never leave my home. You could periodically change the sim so the number changes.

I think I read that banks will have to supply a device that will receive the code for those who don't have a phone or don't want to use one

[merseymouth]

Hi Mercalia, Sounds like you've now pointed out another oxymoron? - A mobile phone that never leaves home
Looks like this Luddite will have to give up virtually everything as shops either close or have zilch choice, everything else Stupidphone linked!
So the big question - What will happen when the Great Solar Flares Storm comes??? MM

[mercalia]

Hi Mercalia, Sounds like you've now pointed out another oxymoron? - A mobile phone that never leaves home
Looks like this Luddite will have to give up virtually everything as shops either close or have zilch choice, everything else Stupidphone linked!
So the big question - What will happen when the Great Solar Flares Storm comes??? MM

I have a number of phones - Windows phones are very cheap these days

[merseymouth]

Hi again, You have forgotten one thing in relation to me? I still mentally seek out "Button B" when making a phone cal! MM
P.S. Question does "Whitehall 1212" still get one through to Scotland Yard?????

[mercalia]

Hi Mercalia, Sounds like you've now pointed out another oxymoron? - A mobile phone that never leaves home
Looks like this Luddite will have to give up virtually everything as shops either close or have zilch choice, everything else Stupidphone linked!
So the big question - What will happen when the Great Solar Flares Storm comes??? MM

I won't use a phone for payments as you see on the buses in London instead of an Oyster card or even credit card outside after my cc was cloned and used to make 3x£500 online bets ( I got my money back) I am even more luddite than you - cash only.

My smartphone 321 pay as you go rate from O2 is cheaper on voice than my landline which is 12p or so a minute and the voice quality is excellent

[Psamathe]

You don't need a smartphone, just one that will receive text messages. My old £10 Nokia 106 dumb phone can do that. I am considering using it for that with a pay as you go sim that has never been otherwise used to minimise sim hijacking, and will never leave my home. You could periodically change the sim so the number changes.

I think I read that banks will have to supply a device that will receive the code for those who don't have a phone or don't want to use one

An interesting aspect. Where I live does not matter if you have a smartphone or a dumbphone - without mobile coverage they are equally useless.

Government (or Conservatives) making a big push to get everybody ultra super-duper internet, needed by businesses, etc. but what about mobile signal coverage. And for mobile signal coverage they don't have to pay out public subsidies. Well maybe they do now but when they sold of the frequencies they should have included a requirement for e.g. in-building coverage. But that might affect the profitability and wealth of those with the money to buy ...

(But I do have a smartphone that supports Wi-Fi calling so my personal reality is that my mobile connects to EE through my internet connection so I'm OK but others e.g. my neighbours are not).

Ian

[Pastychomper]

I think you can choose to get the secure code via E-mail. Surely almost everyone who uses the internet has E-mail - if not, it's pretty easy to set up a webmail account.

Which poses the question: How secure is E-mail? I don't know - perhaps it depends on the strength of your password?

The short answer is, not at all. Email has been described as being as secure as sending a postcard written in pencil through the post. In other words it's probably even worse than SMS.

To be fair a lot of email providers now use encryption as far as they can to reduce the number of places a message can be intercepted, but they're trying to plug holes in an inherently leaky standard.

Security systems that send a one-time code in an email generally rely on the intended recipient being the first person to try to use the code and therefore the only person it works for, which I think is likely to be true if it is the real "customer" requesting the code.

Personally (being somewhat paranoid) I prefer to keep banking information away from my 'phone, so I'm glad my bank still supports the card-reader they sent out over a decade ago. I do wonder which banks are so lax on security that the EU thinks a code sent to a 'phone would be an improvement.

[mjr]

The European Banking Authority guidelines based on EU Payment Services Directive 2 only requires "two factor authentication", which is roughly requiring something you know (such as a password or PIN) and something you hold before you can login.

Good banks are providing a way to prove that you hold a certain bank card (such as those reusable chip card readers with replaceable batteries which look like small calculators). Average banks are issuing non-reusable security tokens which display a number for you to type in at login. Cheapskate banks are sending single-use codes out by text message. Dodgy banks are sending single-use codes out by smartphone app because then you have to put their app on your phone where it can snoop on you all day long.

I won't use a phone for payments as you see on the buses in London instead of an Oyster card or even credit card outside after my cc was cloned and used to make 3x£500 online bets ( I got my money back) I am even more luddite than you - cash only.

I do not understand the above. Have I understood it correctly that the credit card protection worked and gave you your money back so you stopped using it? And now instead you have switched to cash that you will not get back if someone defrauds you of it?

I can understand some reasons for avoiding credit cards, but not that fraud one.

Which poses the question: How secure is E-mail? I don't know - perhaps it depends on the strength of your password?

Partly it depends on passwords, because if an attacker gets your passwords, it probably gives them access, but you also need to encrypt the connections between mailservers (which is finally becoming more common - it's beyond most people's control but I see it for work), your connection to/from your mailserver (tick the box marked "secure connection" "Transport Layer Security" or similar) and the message contents (use software like GPG, Enigmail or whatever your email software supports).

Some banks can do encrypted mailserver connections but I don't know of any currently encrypting message contents, so the answer to "How secure is E-mail?" is "not very". If a criminal breaks into the mailserver you use, they can probably read all your email (which is why most email is like a postcard).

What really bugs me is the egregious "Captcha". "Click on every picture containing a [bit of a] car"? How am I supposed to recognise a 1mm strip off the edge of a wing mirror, as a car?

That's not a captcha. It fails the TCHA bit - Telling Computers and Humans Apart - because some computer programs are better than humans at image recognition. Google should have had massive fines for both misadvertising and disability discrimination, but governments are toothless and few others have the money to sustain a private legal challenge, so they get away with it.