One Time Pass Code?

Psamathe
Posts: 10585
Joined: 10 Jan 2014, 8:56pm

Re: One Time Pass Code?

Postby Psamathe » 2 Oct 2019, 11:53am

Pastychomper wrote:
661-Pete wrote:I think you can choose to get the secure code via E-mail. Surely almost everyone who uses the internet has E-mail - if not, it's pretty easy to set up a webmail account.

Which poses the question: How secure is E-mail? I don't know - perhaps it depends on the strength of your password?

The short answer is, not at all. Email has been described as being as secure as sending a postcard written in pencil through the post. In other words it's probably even worse than SMS.....

I had a big argument with one of my credit card providers a couple of years ago. They operate a "Verified by Visa" scheme where you have a passcode where you enter 4 requested letters from your code when making online purchases (the "Enter letters 1, 5, 6 and 8 from your passcode" thing). Except their registration procedure required an e-mail address and I refused to allow them to send me details over e-mail (totally insecure).

Ended up with me making a formal complaint about their insecure procedures, they investigated and I ended up getting a decent cash compensation (which I was not even asking for). Different card using same "Verified by Visa" allowed me to set my password over the phone (different issuer, but same Visa scheme).

Ian

merseymouth
Posts: 1112
Joined: 23 Jan 2011, 11:16am

Re: One Time Pass Code?

Postby merseymouth » 2 Oct 2019, 12:07pm

Hi MJR, You state a lot of stuff there which shows the wide range of bank practices, appreciated. But that alarms me greatly because they appear to be taking measures with fingers crossed :evil: . The non-techno customer is at great risk, with each bank trying a one size fits all policy. Every step the banks take makes it worse for the likes of me! I'm a KISS kind of bloke, Keep It Simple Stupid, as suffering from numerical dyslexia I go into meltdown over the vast majority of everyday numbers.
Having made it virtually impossible to trade using cheques, even in High Street shops, we have to suffer embarrassment with my Chip & Signature Card, as all too often staff training has not covered such areas?
I'm not helped by having been actually hit by fraudsters a number of times, all reimbursed by our bank, but confidence is not good now.
What troubles me most of all is the fact that internet criminals appear to be able to operate freely, even to the point of H.M. Revenue & Customs being used for fraud. Amazon, Pay Pal, Netflix et al, from such I get many e-mails over the security of my account? As I don't have any such accounts they're easy to bin, but why should they be able to continue in such crimes? Doesn't fill me with confidence.
So with fewer shops and the ones that still trade having poorer stock choice life is getting grim! :twisted: MM

AMMoffat
Posts: 219
Joined: 1 Dec 2007, 1:05pm

Re: One Time Pass Code?

Postby AMMoffat » 2 Oct 2019, 12:14pm

661-Pete wrote:I think you can choose to get the secure code via E-mail. Surely almost everyone who uses the internet has E-mail - if not, it's pretty easy to set up a webmail account.

Which poses the question: How secure is E-mail? I don't know - perhaps it depends on the strength of your password?

Email is indeed only as secure as your password. Arguably your email password should be your strongest, most secure one. Example - when my sister died she hadn't shared her passwords to most of her online accounts. I managed to correctly guess her email password (based on info only family would know) and, with access to the email account, was then able to reset the password on lots of other accounts as the password reset link is sent to the registered email account. Had I been a criminal I'd have had a field day, especially with accounts like Amazon which hold saved bank details. It was a salutary lesson. One-time passcodes on other accounts could prevent that unless you also have the mobile phone (which, in this case, I did).

mercalia
Posts: 11487
Joined: 22 Sep 2013, 10:03pm
Location: london South

Re: One Time Pass Code?

Postby mercalia » 2 Oct 2019, 12:16pm

Mjr
I do not understand the above. Have I understood it correctly that the credit card protection worked and gave you your money back so you stopped using it? And now instead you have switched to cash that you will not get back if someone defrauds you of it?

I can understand some reasons for avoiding credit cards, but not that fraud one.

Eh? How can I be defrauded if I pay cash for my petrol or my visit to Lidl? I think my card was cloned at a petrol station since someone also used it at a petrol station on the other side of the country. It was a real hassle to get the money back, visiting a cop shop miles away, getting a cop number plus all the anxiety, filling in a declaration for the cc company. I do use cc for online, never had a problem since. I see people casually flash their phone in front of a reader to make payments, crazy. It's the physical use of cc I won't do any more. Here PayPal is so useful as a wrapper for small cc payments (but not large ones).

661-Pete
Posts: 9183
Joined: 22 Nov 2012, 8:45pm
Location: Sussex

Re: One Time Pass Code?

Postby 661-Pete » 2 Oct 2019, 1:18pm

Not being web-savvy: I believe that whenever you see "https://" on the address line, that means that your connection is a bit more secure. Am I right about this? My browser displays a little green padlock next to it.
Suppose that this room is a lift. The support breaks and down we go with ever-increasing velocity.
Let us pass the time by performing physical experiments...
--- Arthur Eddington (creator of the Eddington Number).

mjr
Posts: 13991
Joined: 20 Jun 2011, 7:06pm
Location: Norfolk or Somerset, mostly

Re: One Time Pass Code?

Postby mjr » 2 Oct 2019, 1:30pm

merseymouth wrote:[...] Every step the banks take makes it worse for the likes of me! I'm a KISS kind of bloke, Keep It Simple Stupid, as suffering from numerical dyslexia I go into meltdown over the vast majority of everyday numbers.
Having made it virtually impossible to trade using cheques, even in High Street shops, we have to suffer embarrassment with my Chip & Signature Card, as all too often staff training has not covered such areas?
I'm not helped by having been actually hit by fraudsters a number of times, all reimbursed by our bank, but confidence is not good now.

Yes, Chip & Signature is too open to fraud. If you had a smartphone which supported contactless payments, it could be set to use a fingerprint instead of a PIN code and avoid any numeric problems, but then why should you have to pay to buy a more expensive phone that you don't really want anyway? And no, staff training is not all it should be, especially around both accessibility and security, let alone the combination/interaction of the two!

What troubles me most of all is the fact that internet criminals appear to be able to operate freely, even to the point of H.M. Revenue & Customs being used for fraud. Amazon, Pay Pal, Netflix et al, from such I get many e-mails over the security of my account? As I don't have any such accounts they're easy to bin, but why should they be able to continue in such crimes? Doesn't fill me with confidence.

HMRC and so on aren't being used for fraud. It's as trivial to send out an email faked to be from someone else as it is to fake their letterhead and return address. Most encryption tools come with authentication tools, but few of the authentication tools are used because:

1. the mailserver ones are a bit of a pig to set up. In short, as well as actually the sending mailservers using it and everyone installing some fiddly software, you'd need every postmaster (mailserver manager) to load the verification certificate not just for HMRC but for every other sender to be verified, which would probably be millions at least just for the UK, so you automate it and then you've just moved the problem around because then the scammers just find a way to fake the verification, plus now if HMRC start using a new mailserver but are slow in updating their certificates then loads of valid emails are rejected and people complain far more bitterly than if fake emails get through. And even once you've got all that working, scammers will simply do the current popular thing of sending from a similar address (like Amazoƞ.com not Amazon.com) which they have got verified (because they control it) and hoping some recipients don't look closely enough.

2. the message authentication tools work better (because there are fewer senders per person you want to verify than there are sending servers per postmaster) but approximately 0% of email recipients have the software set up so where's the incentive for any sender to be the first to adopt it and have to deal with "what is this signature attachment and what do I do with it?" questions from approximately 100% of potential users, as well as a few angry people whose misconfigured mailservers rejected the email?

In an ideal world, our MPs (and equivalents) would step in and act for the common good by ordering government departments to use standardised strong encryption and authentication on both servers and messages and have the public bear the cost of being an early adopter - but they don't because there would be some public backlash (see this payment security directive, which is a pretty minimal step...) and also many governments are ambivalent about strong encryption (because it would make it harder for spies to see what you type) so attempts to promote it get perverted into trying to push some sort of backdoored weaker system which is generally non-standard (because international standards bodies correctly reject it as insecure and favouring a few governments over others) and eventually gets killed off somehow.

On top of that, almost no law enforcement agencies seem interested in this sort of e-crime. We can report this stuff but it's rather like shouting into a well in that you almost never see any effect. It takes a lot of time (and so money) to report it and customers don't want to pay for stuff that makes no measurable difference.

Sorry for the long rants, but this is part of my day job and it is rather annoying that these problems are so difficult to see ways out of. I suspect part of the solution, yet again, is probably to stop low tax promises winning elections so often because low taxes do really seem to mean low service levels, especially on not-immediately-visible stuff like police investigating things like small-but-wide-reaching international fraud.
MJR, mostly pedalling 3-speed roadsters. KL+West Norfolk BUG incl social easy rides http://www.klwnbug.co.uk
All the above is CC-By-SA and no other implied copyright license to Cycle magazine.
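An added example (mine, not mjr's and not anything this forum runs) of the lookalike-domain check mjr's last sentence describes: it ignores the display name, shows the punycode form of a non-ASCII sender domain, and flags a domain whose "skeleton" equals a trusted name. The trusted list and the confusable map are constructed for illustration only.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allowlist of domains this recipient expects mail from.
TRUSTED_DOMAINS = {"amazon.com", "hmrc.gov.uk"}

# Constructed, deliberately small confusable map: non-ASCII letters that look
# like an ASCII letter in most fonts. U+019E is the long-leg n in "Amazoƞ.com".
# A real deployment would use the Unicode confusables table (UTS #39) instead.
CONFUSABLES = {
    "\u019e": "n",  # ƞ  Latin n with long right leg
    "\u0131": "i",  # ı  dotless i
    "\u0251": "a",  # ɑ  Latin alpha
    "\u043e": "o",  # о  Cyrillic o
    "\u0440": "p",  # р  Cyrillic er
    "\u0455": "s",  # ѕ  Cyrillic dze
}


def skeleton(domain: str) -> str:
    """Reduce a domain to an ASCII 'skeleton' so lookalikes compare equal."""
    out = []
    for ch in unicodedata.normalize("NFKD", domain.lower()):
        if unicodedata.combining(ch):
            continue  # drop accents, e.g. the diaeresis NFKD splits off "ä"
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def sender_domain(from_header: str) -> str:
    """Domain of the actual address; the display name is ignored on purpose."""
    _display, addr = parseaddr(from_header)
    _local, at, domain = addr.rpartition("@")
    return domain.lower() if at else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return the parsed domain, its punycode (ACE) form and a verdict."""
    domain = sender_domain(from_header)
    if not domain:
        return {"domain": "", "ascii_form": "", "verdict": "unparseable"}
    # The ACE form is what a careful mail client shows for non-ASCII names:
    # an "xn--" label is the tell that the name is not what it looks like.
    try:
        ascii_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return {"domain": domain, "ascii_form": "", "verdict": "invalid"}
    if domain in trusted:
        verdict = "trusted"
    elif skeleton(domain) in trusted:
        verdict = "lookalike"  # same skeleton as a trusted name, other bytes
    else:
        verdict = "unknown"
    return {"domain": domain, "ascii_form": ascii_form, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample From: headers, including mjr's Amazoƞ.com trick and
    # a display name that imitates an address.
    for header in ("Amazon <orders@amazon.com>",
                   "Amazon <orders@Amazoƞ.com>",
                   '"orders@amazon.com" <noreply@mailer.example>',
                   "HMRC <refunds@hmrc.gov.uk.example>"):
        print(f"{header!r:50} -> {classify_sender(header)}")
```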

mjr
Posts: 13991
Joined: 20 Jun 2011, 7:06pm
Location: Norfolk or Somerset, mostly

Re: One Time Pass Code?

Postby mjr » 2 Oct 2019, 1:42pm

661-Pete wrote:Not being web-savvy: I believe that whenever you see "https://" on the address line, that means that your connection is a bit more secure. Am I right about this? My browser displays a little green padlock next to it.

Basically, yes. The connection is secured. If you click the padlock, there should be a way (for my firefox-based browser, I click ">" and then "More Information") to see who secured it - for this site, it's "forum.cyclinguk.org" - and who verified it - "Let's Encrypt".

Let's Encrypt is a service which simply checks that the webserver is controlled by whatever/whoever is requesting the encryption certificate. It does not check the organisation behind it. Basically, you can be relatively sure that no-one is messing with the web page between the server and your browser, but not that the web page belongs to any particular owner. Some similar certificates offer an organisation and/or unit/department, but still say they have not verified ownership.

If you go to a site like https://bank.co-operativebank.co.uk/ and click the padlock (and ">" for me), you get more details, including the ownership details. That's what's called an Extended Validation certificate. So that certificate was actually issued to that organisation - there is a small chance it has been stolen since, but such things are pretty rare. Checking that owner name matches who you think is handling the payment is a good thing if you're considering putting payment details into a site, especially if it's something more vulnerable than credit card details.

It's also possible to use similar certificates for authentication/login (which could make your web browser into the "something you have" part of the two-factor authentication), but I can only think of one charity doing that off the top of my head and it's not one that many people will need to login to.
MJR, mostly pedalling 3-speed roadsters. KL+West Norfolk BUG incl social easy rides http://www.klwnbug.co.uk
All the above is CC-By-SA and no other implied copyright license to Cycle magazine.
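An added example (mine, not mjr's) of reading "who secured it" and "who verified it" from a certificate in code, using the dictionary shape Python's ssl.getpeercert() returns. The two certificates are constructed: the forum one uses the names mjr quotes, while "R3", "Example Bank PLC", "Example EV CA" and the dates are placeholders.

```python
import socket
import ssl
import time

# Constructed certificates in the exact shape ssl.getpeercert() returns. The
# subject CN and issuer "Let's Encrypt" of the first are from the thread; the
# issuer CN "R3", the bank's organisation, its CA and all dates are placeholders.
FORUM_CERT = {
    "subject": ((("commonName", "forum.cyclinguk.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "forum.cyclinguk.org"),),
    "notAfter": "Nov 30 00:00:00 2019 GMT",
}
BANK_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Bank PLC"),),
                (("commonName", "bank.co-operativebank.co.uk"),)),
    "issuer": ((("organizationName", "Example EV CA"),),),
    "subjectAltName": (("DNS", "bank.co-operativebank.co.uk"),
                       ("DNS", "*.co-operativebank.co.uk")),
    "notAfter": "Sep  1 00:00:00 2021 GMT",
}

def rdn_to_dict(rdn_tuples) -> dict:
    """Flatten getpeercert()'s ((('key', 'value'),), ...) form into a dict."""
    return {key: value for rdn in rdn_tuples for key, value in rdn}

def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a wildcard only stands for the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    first, dot, rest = host.partition(".")
    return bool(dot) and "*" not in first and rest == pattern[2:]

def describe(cert: dict, host: str, now: float = None) -> dict:
    """Who secured the connection, who verified it, and what was verified."""
    now = time.time() if now is None else now
    subject = rdn_to_dict(cert.get("subject", ()))
    issuer = rdn_to_dict(cert.get("issuer", ()))
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "host_matches": any(hostname_matches(n, host) for n in names),
        "verified_by": issuer.get("organizationName", issuer.get("commonName")),
        # No organisation in the subject means domain validation only: the CA
        # checked control of the name, not the business behind it. OV and EV
        # both carry one; telling them apart needs the policy OID, which
        # getpeercert() does not expose.
        "owner": subject.get("organizationName"),
        "validation": "DV" if "organizationName" not in subject else "OV/EV",
        "expired": ssl.cert_time_to_seconds(cert["notAfter"]) < now,
    }

def fetch_live(host: str, port: int = 443) -> dict:
    """Fetch a host's real leaf certificate (needs network, validated by default)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print(describe(FORUM_CERT, "forum.cyclinguk.org", now=1569000000))
```

Running `describe(fetch_live(host), host)` on a live site gives the same four answers the padlock dialogue shows, minus the DV/EV distinction noted in the comment.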

Psamathe
Posts: 10585
Joined: 10 Jan 2014, 8:56pm

Re: One Time Pass Code?

Postby Psamathe » 2 Oct 2019, 1:55pm

mjr wrote:.....
In an ideal world, our MPs (and equivalents) would step in and act for the common good by ordering government departments to use standardised strong encryption and authentication on both servers and messages and have the public bear the cost of being an early adopter - but they don't because there would be some public backlash......

as well as that they [UK Government] are also demanding encryption have backdoors included so governments, hackers, cyber-criminals, phishers, etc. can read all your transactions.
e.g.
https://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-backdoor-police-facebook-encryption-privacy-a9126411.html wrote:A new treaty between the UK and the US will force Facebook to share encrypted WhatsApp messages with British police, according to reports.

The accord, which is expected to be signed in October, would require social media firms to build “back doors” into messaging apps in order to assist with investigations, Bloomberg and The Times reported.
.....
Ian

mjr
Posts: 13991
Joined: 20 Jun 2011, 7:06pm
Location: Norfolk or Somerset, mostly

Re: One Time Pass Code?

Postby mjr » 2 Oct 2019, 2:08pm

Psamathe wrote:
mjr wrote:.....
In an ideal world, our MPs (and equivalents) would step in and act for the common good by ordering government departments to use standardised strong encryption and authentication on both servers and messages and have the public bear the cost of being an early adopter - but they don't because there would be some public backlash......

as well as that they [UK Government] are also demanding encryption have backdoors included so governments, hackers, cyber-criminals, phishers, etc. can read all your transactions.

I did mention "some sort of backdoored weaker system which is generally non-standard". WhatsApp is probably such a weak system for messaging, although probably a bit better than SMS or banking apps. (Disclaimer: I've not analysed its current version in detail.)

Strong open systems are already available (XMPP with OMEMO and so on), but get less commercial promotion/interest because there would be little to stop people fleeing from anyone found to be harvesting and profiling user info and switching to another app or server. We're still at the stage where most players are trying to get a dominant market position because it's easier to make money that way and regulators are failing to regulate because they also benefit from having fewer providers to control.
MJR, mostly pedalling 3-speed roadsters. KL+West Norfolk BUG incl social easy rides http://www.klwnbug.co.uk
All the above is CC-By-SA and no other implied copyright license to Cycle magazine.

merseymouth
Posts: 1112
Joined: 23 Jan 2011, 11:16am

Re: One Time Pass Code?

Postby merseymouth » 2 Oct 2019, 4:44pm

Hi MJR, I think I made it quite evident that I don't/do smart/stupid phones!
But with a Chip & Signature Card the bank & not the trader takes a hit if things go wrong! Banks deserve to get clobbered for their poor practices and the way they treat long standing customers.
Think about this point, why do banks keep trying to foist "Contactless Cards" on us, even when we specifically state that we don't want them? With my insistence our debit cards finally come without that awful facility, yet our credit cards have to be issued with the sh*t facility? They say because it is their money with a credit card! :? . Maybe we should change banks, oh no, I forgot our bank has changed names etc without our consent over the last 48 years? But why should such a long standing customer have to move just because they won't listen!
Some banks issue credit cards without the stupid contactless facility, why not mine? MM

softlips
Posts: 526
Joined: 12 Dec 2016, 8:51pm

Re: One Time Pass Code?

Postby softlips » 2 Oct 2019, 8:56pm

PH wrote:I think you have it completely wrong - the directive says SMS sent information is not acceptable.

One of my banks introduced this only last month!

philvantwo
Posts: 594
Joined: 8 Dec 2012, 6:08pm

Re: One Time Pass Code?

Postby philvantwo » 2 Oct 2019, 9:00pm

Just go back to paying for stuff with cash! Simple, end of......or when I'm abroad I use a revolut card, put however much money you want on it, it's not linked to your bank account and you can turn features on or off, such as contactless, swipe, chip and pin or online shopping or freeze the card altogether. Use it in this country too.

kwackers
Posts: 13695
Joined: 4 Jun 2008, 9:29pm
Location: Warrington

Re: One Time Pass Code?

Postby kwackers » 2 Oct 2019, 9:35pm

mercalia wrote:Mjr
I do not understand the above. Have I understood it correctly that the credit card protection worked and gave you your money back so you stopped using it? And now instead you have switched to cash that you will not get back if someone defrauds you of it?

I can understand some reasons for avoiding credit cards, but not that fraud one.

Eh? How can I be defrauded if I pay cash for my petrol or my visit to Lidl? I think my card was cloned at a petrol station since someone also used it at a petrol station on the other side of the country. It was a real hassle to get the money back, visiting a cop shop miles away, getting a cop number plus all the anxiety, filling in a declaration for the cc company. I do use cc for online, never had a problem since. I see people casually flash their phone in front of a reader to make payments, crazy. It's the physical use of cc I won't do any more. Here PayPal is so useful as a wrapper for small cc payments (but not large ones).

If someone robs your cash off you then it's gone. Ditto if they pay you for something with funny money (I know someone that lost several thousand that way).

Never had any hassle getting money back when someone's been naughty with my card.
Last time I just used the app and queried some dodgy looking transactions and then it all just took care of itself.
Message to say they were investigating, a few hours later a message listing transactions and asking if I could verify them all (I couldn't), few hours after that a message saying they'd credited my account with the dodgy transactions (including a couple I'd said weren't dodgy!) and that my card had been cancelled and another was on its way.
And that was it, two days later a new card turned up and I was up and running again. The whole process couldn't have been any easier.

IMO the whole current banking system is way too secure. Too many checks and balances which make it a pita to use for some stuff.
I can remember when I first got a bank account, looking back the whole system was incredibly naive.

francovendee
Posts: 983
Joined: 5 May 2009, 6:32am

Re: One Time Pass Code?

Postby francovendee » 3 Oct 2019, 9:37am

As a non-tech-savvy person I share some of the annoyance of yet another layer of security needed to access my bank account.
As we move away from actual banks and using 'real' money I guess it will only get worse.

If I want to add a new payee I have to dig out a device and this will give me a number. I then enter that to allow me to send a payment.

If I want to access my account I have to supply my customer number, some numbers from my pin and some letters from my password. Then wait for a text and enter the numbers.

If you look at all on-line accounts, phone, eBay, Amazon etc. each will have some form of security.

As I get older I find it harder to remember all these details so resort to keeping them in a book :roll:

Security is a necessary evil but sometimes the idea of banks on the high street, cash in your pocket and a cheque book to pay bills seems like heaven.

My wife's credit card account was hacked and over £2000 spent on her card. She was contacted by the credit card company as they'd seen unusual activity on the account and frozen it.
It was easy to convince them it wasn't her spending the money and it was refunded.
The card had never left the house and when asked how it could happen a cagey answer from the credit card employee hinted that her card details had likely been obtained from her account on Amazon.

kwackers
Posts: 13695
Joined: 4 Jun 2008, 9:29pm
Location: Warrington

Re: One Time Pass Code?

Postby kwackers » 3 Oct 2019, 9:41am

francovendee wrote:As I get older I find it harder to remember all these details so resort to keeping them in a book :roll:

Lastpass (other systems exist)