Another credit card problem.

Perhaps the requirement is to enter the name as it appears on the card.

Two of my financial/card accounts have changed the login procedure in the past few months "for added customer protection".

Both logins still require information (user/account number/password) that was previously needed but now require extra information that is easily found in the public domain. I cannot see how this provides extra security for me.

Shame there's no industry standard.

My bank issue a 2FA device requiring the card to generate a login code.

It happens that Jethro_uk formulated :

One of my accounts, which is not a normal account - I can only transfer money in or out of it via another nominated current account, will only let me log in after I enter a code which they text to me every time I log in.

Trying to make a payment for some friends, site wouldn't take the name however typed, sudden thought - started with MR. and it was OK. My birth cert. doesn't show MR. as part of my name. Never seen that since that day.

Unfortunately all to common and stupid. I bet also nobody will have tested the new site for blind users either. Brian

Even telephone banking wants this but from my point of view I have no idea since I cannot see it. Now at least Lloyds seem to have woken up to this stupidity. Brian

Which *should* be the very minimum provision for online transfers.

My bank (Nationwide) allows you to log in using either the 2FA device, or a combination of one of 3 pieces of information plus digits from a separate passcode. But that only allows sight of accounts and transfer between accounts and payments to previously set up recipients. Trying to create a new transfer requires the 2FA device.

There's some know-it-all snobbery about SMS codes and the possibility of phone numbers being fraudulently redirected to bypass them, but they're still better than nothing.

But not the *only* way of doing it, not everyone can [easily] receive SMS/text messages. Our house has very poor mobile coverage (regardless of network) so sending us a text to confirm a transaction is pretty useless.

No, which is why authenticator apps, and the ability to generate a code for offline access should feature in any 2FA scheme.

It pains me to say it, but Google, Facebook and Microsoft appear to have got it right. UK banks, less so.

An app needs a mobile though doesn't it? ... and what's a "code for offline access"? I don't need offline access I need somthing that can be done securely over an internet connection and/or a landline, we have fast and reliable internet access (VDSL) but almost non-existent mobile phone coverage. As a result my mobile is rarely even turned on, it's often not charged and I'm very unfamiliar with using it because it's of so little use here. I'm much faster, more skilled and thus safer (security wise) using the internet from a computer.

An app to generate codes for 2FA doesn't need internet connectivity, which is a low-quality grumble from people that don't like change (or security). Thus allowing someone to use full-fat 2FA for banking without needing to whine about "getting a signal".

Alternatively, some 2FA schemes (Google, Facebook, Microsoft) allow a user to generate codes that can be stored (written down at a pinch) and kept for use in situations where they are unable to access an authenticator device or app.

Being selfish, I'm quite happy for people not to take up 2FA for whatever reasons they have. It means it's much less likely that there will be a concerted effort to defraud people who do use it. Low hanging fruit, etc etc.

There are several authentication apps available that work over wifi or 3/4g.

I use them for my email accounts.

I think you are wrong there.

One of the biggest security threats is overconfidence.

Jethro_uk used his keyboard to write :

When I can only transfer money in or out to one single other account at another bank, I cannot see any risk at all, unless that second account has been hacked into.

We have no mobile coverage at home and HMRC phone with a code number presented by a sythesised voice.

But what do you do if you have no mobile reception/data at work, want to pay bills etc. during your lunch break, but network security prevents you installing any apps on company PCs? That is a pretty common situation.

SteveW

Don't use a crappy 2FA system which relies on connectivity then. A proper outfit would have an app-generated code (so no need for connectivity) and should also make provision for codes to be generated in advance for cases where there's no connectivity. As Google, Microsoft and Facebook have been doing for *years*.

I've been following the upcoming introduction of POS 2FA by various UK banks with amusement ....

+1 Mobile coverage inside of my house is patchy and i often only text messages when I leave my property.