Community

Hi Max,

A good post from a security perspective, as all your points on vulnerabilities of weak 2FA implementation are all true, though I would challenge the PIN stronger than biometric piece on a number of levels.

But it was your title I wanted to pick up on from a legal perspective. As we all know, all organisations have to be able to identify and authenticate their customers under GDPR, where there is suspicion that a Subject Access Request not be from the genuine customer (not that GDPR provides any guidance on how to do this). Let's call that 'common practice'.

Then certain industry sectors covering Critical National Infrastructure (CNI) have additional security requirements added in (in EU) under the security of Network Information Systems Directive (NIS), which provides additional access control and ID/Auth requirements. Let's call that good practice.

But Financial services are exempt from NIS because they have stronger sector specific security standards, such as those defined under RTS SCA in PSD2. Now these requirements, coming into force in September this year provide a range of strictures which would outlaw OTP SMS, but don't provide much in the way of guidance as to what IS fit for purpose, and that's where the new British Standard comes into play, as PAS499 in Digital Identifciation & Authentication guides organisations through how they should implemnt a practical and secure solution. Let's call that Best Practice, so the Banks WILL be leading the way come September, not only from a regulatory perspective but in practical implementation.

Matt - interesting point on Access to Account, but your earlier comment on your Galaxy/Vodafone Passport on the Tube intrigues me - I've just tried again, and my Vodafone Wallet Smartpass is still telling me that paying through the phone isn't available without the new NFC SIM (which itself ruins the point of having an NFC device), and that these aren't available yet either! I trust you don't mean you've stuck the card on the back, so please do let me know how you've managed a work around!

Also, given the difficulty TfL have had managing refunds on bank cards and more recently on bpay 'non-cards', it'll be fun watching them track back on an Apple Pay uncompleted journey!

Ian - 'all fine for now' as you say until PSD2 comes out, but the kick off of EBA early adoption is 1st August!

On the original article as a whole, it will also be interesting to see how low that 27% falls when the inevitable avalanche of frauds hit here, as they have seen in the US.

Bjorn,

You're quite right, and ENISA guidance has had 'assumed compromise', typically though not necessarily through infection, in place since 2012. The problem is that banks aren't taking the mitigation steps far enough.

The forthcoming 'early adoption' of PSD2 through ECB/EBA SecuRe Pay strong authentication requirements may well go some way to address this from August, depending of course on how they are managed (if they are managed!)