Santander strikes again

gnawsome
Lemon Slice
Posts: 350
Joined: November 6th, 2016, 4:44 pm

Santander strikes again

Post by gnawsome »

A message from Santander,
<At the moment, you don’t need to enter a One Time Passcode (OTP) when paying an existing payee or using your card for online purchases. This is changing, and from February 2018, you may need to enter an OTP to complete your transaction.>
I went to the trouble of going to branch to create a list of 'pay-to' accounts. This notice tells me that was a waste of time. It means that you should not have an account with Santander unless you have a mobile phone and are prepared to allow them to use it.

BobbyD
Lemon Half
Posts: 9757
Joined: January 22nd, 2017, 2:29 pm

Re: Santander strikes again

Post by BobbyD »

gnawsome wrote:A message from Santander,
<At the moment, you don’t need to enter a One Time Passcode (OTP) when paying an existing payee or using your card for online purchases. This is changing, and from February 2018, you may need to enter an OTP to complete your transaction.>
I went to the trouble of going to branch to create a list of 'pay-to' accounts. This notice tells me that was a waste of time. It means that you should not have an account with Santander unless you have a mobile phone and are prepared to allow them to use it.
BBC consumer protection programmes spend half their time complaining that banks correctly carried out instructions for customers who instructed them to give their money to fraudsters, and the other half complaining when banks defer legitimate transactions due to concerns about fraud. The banks literally can't win.

If you don't have a mobile phone you can get and run one very cheaply. If you have one why would you object to the bank sending you a text message to make sure it is you trying to move your money around?

Loup321
Lemon Slice
Posts: 263
Joined: November 17th, 2016, 9:52 am

Re: Santander strikes again

Post by Loup321 »

I fell foul of this with Tesco a few years ago. I do not need or want a mobile phone, and while there are providers that don't require one I will use alternative providers. Tesco used to be fine with me accessing my ClubcardPlus account on two PCs, but then they decided that as I used a different computer from the last time I logged on, they weren't going to allow it unless they sent me a text message or a letter. The letter used to take 2 weeks to arrive (by which time I'd probably forgotten which PC I had been using, or what on earth I was trying to accomplish anyway, and had tried logging in from the other PC so the letter was invalid anyway), and I don't have a mobile phone, so I couldn't use their online banking, and ended up closing the account (by writing a letter, because it was the only way they would communicate with me).

Nationwide and HSBC manage by issuing me a security device. Nationwide's requires my card and me to enter my normal PIN, and HSBC's requires a (yet another) security number I have memorized. Halifax telephone me on a number I have set up, in much the same way as HMRC. I just have to remember not to pay a new payee or try and access my tax return before 7.00 am or the whole house is woken up by the telephone!

If someone requires you to have a mobile phone, this should be clear in their terms and conditions. If it is, and you don't have one, you are in breach, but if it is not, they need to find a way to accommodate you. I would suggest that Santander have said that you MAY require a One Time Passcode, and your list of accounts you set up in branch should remove this need (for you personally). Wait and see...

My reasons for not having a mobile phone are mine, and are as valid as anyone else's for having a mobile phone.

BobbyD
Lemon Half
Posts: 9757
Joined: January 22nd, 2017, 2:29 pm

Re: Santander strikes again

Post by BobbyD »

Loup321 wrote:
My reasons for not having a mobile phone are mine, and are as valid as anyone else's for having a mobile phone.
...and a company's reasons for deciding that they will require a mobile phone as part of a security protocol are theirs and every bit as valid as any other company which has not made the same decision, yet.

Slarti
Lemon Quarter
Posts: 2947
Joined: November 4th, 2016, 3:46 pm

Re: Santander strikes again

Post by Slarti »

BobbyD wrote: ...and a company's reasons for deciding that they will require a mobile phone as part of a security protocol are theirs and every bit as valid as any other company which has not made the same decision, yet.
Not true.

Mobile phones are a very weak form of 2FA as the message is in plain text and not hard to intercept with a Man in the Middle attack. Or so I'm told.


Slarti

BobbyD
Lemon Half
Posts: 9757
Joined: January 22nd, 2017, 2:29 pm

Re: Santander strikes again

Post by BobbyD »

Slarti wrote:
BobbyD wrote: ...and a company's reasons for deciding that they will require a mobile phone as part of a security protocol are theirs and every bit as valid as any other company which has not made the same decision, yet.
Not true.

Mobile phones are a very weak form of 2FA as the message is in plain text and not hard to intercept with a Man in the Middle attack. Or so I'm told.


Slarti
That's not exactly what I said... I'm sure Santander have actually sat down and considered their security set up rather than just googling 'how should we secure our customers' accounts', and if they've decided to use mobiles that's their choice, just as not having a mobile is the OP's choice. People who don't like it are quite at liberty to move.

Urbandreamer
Lemon Quarter
Posts: 2149
Joined: December 7th, 2016, 9:09 pm

Re: Santander strikes again

Post by Urbandreamer »

As BobbyD said, it's a matter of choice on both sides.

While I am a fan of the Nationwide card reader, they also used to (and probably still do) offer a less secure password and personal data option.
(EDIT) Just checked and yes they do.
https://www.nationwide.co.uk/support/se ... yquestions
After all, while they give out the card readers, who takes them on holiday with them?

People don't have to own a mobile phone or smartphone, but you may find it a hell of a lot easier if you do own a smartphone. I personally found this out when I used the Dartford Crossing on holiday.

You need internet access to either pay the fee or to find out how to pay the fee (without paying over the internet). You also need to pay by the following midnight and it might be fun finding a post office open on a bank holiday (once you have found a library open to use the internet to find how to pay). I could go on, but you get the idea.

Ps I have accounts with both Santander and Nationwide. Sorry I can't make an argument about which provides the better account or service. While different I can't say that the differences sway me to one rather than the other.

Wmnr
Posts: 38
Joined: November 6th, 2016, 8:36 am

Re: Santander strikes again

Post by Wmnr »

Have you tried giving your landline phone number as the number to send the text to? BT landlines are able to receive text messages and convert them into voicemails, I believe.

bruncher
Lemon Slice
Posts: 863
Joined: November 4th, 2016, 12:20 pm

Re: Santander strikes again

Post by bruncher »

After all, while they give out the card readers, who takes them on holiday with them?
I do

gnawsome
Lemon Slice
Posts: 350
Joined: November 6th, 2016, 4:44 pm

Re: Santander strikes again

Post by gnawsome »

If you don't have a mobile phone you can get and run one very cheaply. If you have one why would you object to the bank sending you a text message to make sure it is you trying to move your money around?
I do not understand how the bank sending a text to a mobile phone establishes proof of who you are, any more that is, than by the account being accessed by a normal online login.
I do believe that having a mobile phone and giving out that number opens opportunities for attack that would not otherwise be present. A mobile phone is a confusing device of itself, to use it to control one's cash is best done by those competent to do so - that does not include this octogenarian.

gnawsome
Lemon Slice
Posts: 350
Joined: November 6th, 2016, 4:44 pm

Re: Santander strikes again

Post by gnawsome »

Loup321 wrote: If someone requires you to have a mobile phone, this should be clear in their terms and conditions. If it is, and you don't have one, you are in breach, but if it is not, they need to find a way to accommodate you. I would suggest that Santander have said that you MAY require a One Time Passcode, and your list of accounts you set up in branch should remove this need (for you personally). Wait and see...

My reasons for not having a mobile phone are mine, and are as valid as anyone else's for having a mobile phone.
I admire your optimism that "they need to find a way to accommodate you." We are all now 'profit centres'. To be so, we have to fit into patterns and that particularly means that we have to accommodate their (ever changing) requirements. They provide for their future requirements by scope to change their Ts&Cs.

Reasons to not have a mobile phone are indeed an individual decision and reasons to not give out any such number too numerous to list.
I very much regret providing my landline number over the years and it has only been by repeated complaints that the %age of nuisance calls has been reduced from 90~95% to the occasional interruption.
Similarly with unwanted 'stuff' thro' the letter box, it was not a simple instruction to Royal Mail, it meant a campaign over several years and repeated submissions before they put it into practice.
I put a large bold sign adjacent to my letter box to tell leafleteers and similar to put nothing here and have followed that up with complaints to councillors. Normal mode - other than normal mail delivery times - is that I block the letterbox.
A man's gotta do....

mc2fool
Lemon Half
Posts: 6209
Joined: November 4th, 2016, 11:24 am

Re: Santander strikes again

Post by mc2fool »

gnawsome wrote:I do not understand how the bank sending a text to a mobile phone establishes proof of who you are, any more that is, than by the account being accessed by a normal online login.
Because the text includes a randomly generated time limited number that you then have to enter into their website to proceed. See https://en.wikipedia.org/wiki/Multi-fac ... entication

Of course, that doesn't prove who you are, but it makes it more likely than just the normal online login.
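
The time-limited number described in the post above, sketched as the bank-side check. This is an added example, not part of any post in this thread and not any bank's actual code; the class name, the 5-minute window and the 3-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets

TTL_SECONDS = 300   # assumed validity window for a code
MAX_ATTEMPTS = 3    # assumed number of guesses allowed per code


class OtpChallenges:
    """In-memory store of pending one-time passcodes (hypothetical design)."""

    def __init__(self):
        # transaction id -> [digest, expires_at, attempts_left]
        self._pending = {}

    @staticmethod
    def _digest(txn_id, code):
        # Tying the digest to the transaction id means a code issued for
        # one payment cannot approve a different payment.
        return hashlib.sha256(f"{txn_id}:{code}".encode()).digest()

    def issue(self, txn_id, now):
        """Create a 6-digit code for txn_id; the caller sends it by SMS."""
        code = f"{secrets.randbelow(10**6):06d}"  # drawn from the OS CSPRNG
        self._pending[txn_id] = [
            self._digest(txn_id, code), now + TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, txn_id, code, now):
        """True only for the right code, once, inside the time window."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return False                    # unknown, used or locked out
        digest, expires_at, _ = entry
        if now > expires_at:
            del self._pending[txn_id]       # too late: code is dead
            return False
        entry[2] -= 1                       # every guess costs an attempt
        if hmac.compare_digest(digest, self._digest(txn_id, code)):
            del self._pending[txn_id]       # single use: no replay
            return True
        if entry[2] == 0:
            del self._pending[txn_id]       # guesses exhausted
        return False
```

A successful `verify` shows only that whoever typed the code could read a message sent to the registered number; it says nothing more about who that person is.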

Alaric
Lemon Half
Posts: 5804
Joined: November 5th, 2016, 9:05 am

Re: Santander strikes again

Post by Alaric »

mc2fool wrote: Of course, that doesn't prove who you are, but it makes it more likely than just the normal online login.
It proves you have the phone, or perhaps just the SIM.

https://motherboard.vice.com/en_us/arti ... le-stories

Stompa
Lemon Slice
Posts: 726
Joined: November 4th, 2016, 6:29 pm

Re: Santander strikes again

Post by Stompa »

Whilst I would personally find it a bit of a PITA, I imagine that you could use telephone banking to make payments without the need for OTPs.

arty
Posts: 18
Joined: September 20th, 2017, 10:34 am

Re: Santander strikes again

Post by arty »

Indeed, this is a PITA. I spend a few months a year in Japan, where my mobile doesn't work. With wifi I can do pretty much everything I want, but now they've introduced this I have to faff about calling them, going through security, etc, just to make a simple small transfer.
Funnily enough, I say I'm logged in online, and the security questions they ask are generally things like "how much did you spend in x, on the xth". Bit pointless really.

UncleEbenezer
Lemon Half
Posts: 9516
Joined: November 4th, 2016, 8:17 pm

Re: Santander strikes again

Post by UncleEbenezer »

Stompa wrote:Whilst I would personally find it a bit of a PITA, I imagine that you could use telephone banking to make payments without the need for OTPs.
Telephone lines are not normally encrypted. That means your sensitive data (like a password or other identifier) are instantly at much higher risk than sending them over the web.

Of course, a bank could also screw up internally. That's a different risk.

XFool
The full Lemon
Posts: 11684
Joined: November 8th, 2016, 7:21 pm

Re: Santander strikes again

Post by XFool »

UncleEbenezer wrote:
Stompa wrote:Whilst I would personally find it a bit of a PITA, I imagine that you could use telephone banking to make payments without the need for OTPs.
Telephone lines are not normally encrypted. That means your sensitive data (like a password or other identifier) are instantly at much higher risk than sending them over the web.
Surely that's why they don't ask for a "password"? Rather they ask for: "Letters three and five from your password" etc.

At least they used to. But it's been a long time since I used telephone banking.

UncleEbenezer
Lemon Half
Posts: 9516
Joined: November 4th, 2016, 8:17 pm

Re: Santander strikes again

Post by UncleEbenezer »

XFool wrote:
UncleEbenezer wrote: Telephone lines are not normally encrypted. That means your sensitive data (like a password or other identifier) are instantly at much higher risk than sending them over the web.
Surely that's why they don't ask for a "password"? Rather they ask for: "Letters three and five from your password" etc.

At least they used to. But it's been a long time since I used telephone banking.
Ok, for a related better example, consider when you make a payment by credit or debit card. Online, your card details are secure in transmission. Over the phone they're transmitted in the open. What happens at the far end is out of your control either way.

Not quite the same situation as 'phone banking. I wouldn't feel comfortable without the details in front of me on the screen, but YMMV.

How does your phone banking work? If you're speaking to a human that's one more source of possible error or fraud, while if you're using a keypad to talk to a robot, you've taken out the hurdle of speech recognition and are wide open to mass-surveillance by an eavesdropping 'bot listening to *everything* on a line and collecting sensitive data. Including, over time, your entire password.

swill453
Lemon Half
Posts: 7479
Joined: November 4th, 2016, 6:11 pm

Re: Santander strikes again

Post by swill453 »

UncleEbenezer wrote: How does your phone banking work? If you're speaking to a human that's one more source of possible error or fraud, while if you're using a keypad to talk to a robot, you've taken out the hurdle of speech recognition and are wide open to mass-surveillance by an eavesdropping 'bot listening to *everything* on a line and collecting sensitive data. Including, over time, your entire password.
Ironically using a mobile phone for phone banking makes it more secure than a landline, and just about as secure as online banking. Either way you have an encrypted communication path, but have to trust the personnel at the bank.

Scott.

GeoffF100
Lemon Quarter
Posts: 4265
Joined: November 14th, 2016, 7:33 pm

Re: Santander strikes again

Post by GeoffF100 »

Santander (or perhaps it was Abbey National in those days) have been sending me OTPs for many years. I used a cheap PAYG dumb phone for several years, and bought a smart phone when the prices came down.
