Nationwide BS (UK) now useless

[davehowden]

29 minutes ago, VBF said:

This recent article (link) may be relevant to this conversation.

May not help many people in Thailand (or indeed anywhere in the world outside UK) but will at least explain that the "secure customer authorisation" rules which come into force in September are a legal requirement for UK banks. It's just that some implement them differently from others.

 

In fact if you read the paragraph starting "It means two of three of the following will be required from 14 September......." it appears that an email authorisation is not contained within the rules.

However it then goes on to say that with some banks, customers "could choose to receive a one-time passcode over email......"

 

So, as I said, it appears to be up to individual banks, and Nationwide (the subject of this thread) are NOT allowing the email option - pity, but it is what it is.

I have actually sent NW a secure message (attached) requesting that an email is allowed.  Maybe if a few more people asked, they might consider it.

 

NW message.txt 755 B · 2 downloads

Message to NWBS sent.

 

[VBF]

I received a reply from Nationwide thus:

 

Hello xxxxxxx

Thank you for getting in touch.

I completely appreciate how this feature would be useful for yourself and other members, the reason we have not yet introduced this is because an email is not currently as secure as text. To look into this, I logged your feedback to be reviewed by the relevant team. We’re always looking for ways to improve the experience for all our members and we rely on feedback like yours. You may not hear back from us directly, but rest assured this will be investigated.

If there is anything else I can help you with in the meantime, please reply to my message and I'd be happy to help.

Best Wishes,
xxxxx

Customer Consultant
Digital Service

 

I replied thus:

 

Hello xxxxx,

Thank you for your reply.

Whilst I understand the security aspect, a one-time code on its own isn't much use to anyone who may intercept it. I would ask you to emphasise that point when you pass the request on for review.

Kind regards

xxxxx

 

I don't think we'll see much change but if you don't ask you definitely don't get, whereas if you do ask you usually still don't get! ????

Edited August 12, 2019 by VBF

[VBF]

And the response to the above was........

 

Hello Mr xxxxxxx

Thank you for your message.

I can appreciate your concerns about the new changes and I can assure you I have passed on your feedback to a relevant team to review. To help investigate future changes.

If there is anything further I can help you with, please feel free to reply to my message.

 

Best wishes,

xxxxx - not the same person as last time 
Customer Consultant, Digital Service.

 

I didn't bother replying - i couldn't think of a polite reply! 

I suppose i could ask them when there might be an update but  it's a bit like banging your head against a brick wall - lovely when you stop! 

 

@davehowden Did you get a reply?

 

 

And, just seen this, https://www.bbc.co.uk/news/business-49332023

Not that it's likely to affect logging into the website but might be of interest to those who were talking about online purchases

Edited August 13, 2019 by VBF

[davehowden]

4 hours ago, VBF said:

And the response to the above was........

 

Hello Mr xxxxxxx

Thank you for your message.

I can appreciate your concerns about the new changes and I can assure you I have passed on your feedback to a relevant team to review. To help investigate future changes.

If there is anything further I can help you with, please feel free to reply to my message.

 

Best wishes,

xxxxx - not the same person as last time 
Customer Consultant, Digital Service.

 

I didn't bother replying - i couldn't think of a polite reply! 

I suppose i could ask them when there might be an update but  it's a bit like banging your head against a brick wall - lovely when you stop! 

 

@davehowden Did you get a reply?

 

 

And, just seen this, https://www.bbc.co.uk/news/business-49332023

Not that it's likely to affect logging into the website but might be of interest to those who were talking about online purchases

@VBF

 

No reply yet.

 

Interesting article, thanks.

[OJAS]

On 8/13/2019 at 1:12 AM, VBF said:

"this is because an email is not currently as secure as text."

Complete and utter BS nonsense, I think.

[VBF]

5 hours ago, OJAS said:

Complete and utter BS nonsense, I think.

Actually no it's not.

Having worked in various IT support and test jobs for many years,  I can assure you that standard email such as we all use is very easy to hack into - encrypted email less so. 

Here is a reasonable explanation https://www.digitaltrends.com/computing/can-email-ever-be-secure/   

IMO the worst problem is  "man in the middle attack (MitM)"   https://en.wikipedia.org/wiki/Man-in-the-middle_attack

 

My point to NW was that just sending a OTP with no other contextual information is in itself not a risk even if it is intercepted. That's the point I'd like to see them pick up on but I'm not holding my breath!

Edited August 14, 2019 by VBF

[OJAS]

1 minute ago, VBF said:

Actually no it's not.

Having worked in various IT support and test jobs for many years,  I can assure you that standard email such as we all use is very easy to hack into - encrypted email less so. 

Here is a reasonable explanation https://www.digitaltrends.com/computing/can-email-ever-be-secure/   

IMO the worst problem is  "man in the middle attack (MitM)"   https://en.wikipedia.org/wiki/Man-in-the-middle_attack

 

My point to NW was that just sending a OTP with no other contextual information is in itself not a risk. That's the point I'd like to see them pick up on but I'm not holding my breath!

Interesting! Do you know how easy (or difficult) SMS messages are to hack into?

[NightSky]

Ring fencing and fraud prevention crackdown at UK banks has been happening since 2017. You're probably one of the few left to notice these changes. Its an inconvenience but ways to manage it if you really do need to maintain a UK bank account whilst travelling outside the country.

 

Edited August 14, 2019 by NightSky

[VBF]

1 minute ago, OJAS said:

Interesting! Do you know how easy (or difficult) SMS messages are to hack into?

Less so but do a search for "sms security" .  One site worthy of reading is https://security.stackexchange.com/questions/11493/how-hard-is-it-to-intercept-sms-two-factor-authentication

 

Remember that with an SMS it's just numbers flying around so no other information (your name and domain for example) is included by default. IE, I could text you with the number 12345 in the message - nowhere is your or my name automatically included.

Also remember, that if one person can make a security system, another one can break it - like a home or car lock or burglar alarm, nothing is ever 100% safe.

 

No nightmares now...... 

[VBF]

6 minutes ago, NightSky said:

Ring fencing and fraud prevention crackdown at UK banks has been happening since 2017. You're probably one of the few left to notice these changes. Its an inconvenience but ways to manage it if you really do need to maintain a UK bank account whilst travelling outside the country.

 

@NightSky was that directed to me or to @OJAS ?  (You replied to the topic rather than quoting a post)

If to me I can assure you that I'm VERY aware of such things -  (See #156) - I just haven't had occasion to comment on them here before

Edited August 14, 2019 by VBF

[NightSky]

On 8/1/2019 at 5:47 PM, Stocky said:

https://www.giffgaff.com/freesim-international

Thanks for this as my Thai wife was wondering how to get a UK sim card before travelling, I might check it out cheers.

[NightSky]

34 minutes ago, VBF said:

@NightSky was that directed to me or to @OJAS ?  (You replied to the topic rather than quoting a post)

If to me I can assure you that I'm VERY aware of such things -  (See #156) - I just haven't had occasion to comment on them here before

I was adding information to the OP's topic which is why i didn't include a quote.

 

 

 

 

[johng]

After reading here about Natwest soon requiring this enhanced login,I just spent the last couple of hours searching for my "card reader" which I knew I'd left in a "safe place" ( safe from me finding it ! ) anyway found it eventually and it still works, thank the Buddha [emoji39]

[NanLaew]

On 8/14/2019 at 7:59 AM, OJAS said:

Complete and utter BS nonsense, I think.

Maybe you've never, ever been spammed or had your email address cloned for carpet-bomb email episodes but there's millions, probably billions of others who have.

 

Email is hugely insecure and cannot be made less so due to the very old architecture that makes it work. Phone sms and smartphone apps are innately more secure due to the unique IMEI structure of phone/SIM cards and the new security protocols that can be built into and constantly improved on in smartphone apps.

 

Yes, I agree that OTP's are a huge inconvenience to those who roam permanently overseas and have long eschewed a 'home' phone number but it's your money in your bank account after all so up to you.

[OJAS]

1 hour ago, NanLaew said:

Maybe you've never, ever been spammed or had your email address cloned for carpet-bomb email episodes but there's millions, probably billions of others who have.

 

Email is hugely insecure and cannot be made less so due to the very old architecture that makes it work. Phone sms and smartphone apps are innately more secure due to the unique IMEI structure of phone/SIM cards and the new security protocols that can be built into and constantly improved on in smartphone apps.

 

Yes, I agree that OTP's are a huge inconvenience to those who roam permanently overseas and have long eschewed a 'home' phone number but it's your money in your bank account after all so up to you.

But one method - which, I believe, should meet the best of both worlds when it came to security v. convenience - is the one I use these days for accessing my SA account with HMRC. This entails me entering a 6-digit code from their app which changes every 30 seconds.

 

If this is good enough for HMRC (who, in common with all other UK government departments, aren’t exactly slouches when it comes to security matters), then I am at a complete loss to understand why Nationwide and other UK banks don’t seemingly consider it to be good enough for them.

 

Edited August 15, 2019 by OJAS

[tifino]

 For @Oxx  - the email angle might still be your best option!

Yes, others have brought up about email hacking etc;

but here is another way:

 

1. hopefully you have a Smart phone...

 

for an Andriod, via Play Store; there is a free app, called:

            SMS Backup+

 

Once Installed, have it automatically send( i.e. Forward) ALL your SMSs to your nominated email address.

The Action in the app, is called 'Auto backup...automatically BackUp SMS, MMS

 

The Verification Code you await from banking institutions etc; will be in the title line of the email message you receive 

 

In summary; you will now be receiving the Code by eMail, even on that same very phone that cannot receive the actual SMS

 

it works!!!

 On my Samsungs, I have them all set to send all to a dedicated Gmail address.

 

 

 

 

 

 

 

 

 

Edited August 15, 2019 by tifino

[NanLaew]

15 minutes ago, tifino said:

 For @Oxx  - the email angle might still be your best option!

Yes, others have brought up about email hacking etc;

but here is another way:

 

1. hopefully you have a Smart phone...

 

for an Andriod, via Play Store; there is a free app, called:

            SMS Backup+

 

Once Installed, have it automatically send( i.e. Forward) ALL your SMSs to your nominated email address.

The Action in the app, is called 'Auto backup...automatically BackUp SMS, MMS

 

The Verification Code you await from banking institutions etc; will be in the title line of the email message you receive 

 

In summary; you will now be receiving the Code by eMail, even on that same very phone that cannot receive the actual SMS

 

it works!!!

 On my Samsungs, I have them all set to send all to a dedicated Gmail address.

 

That does look like a good workaround. Thanks.

[MrMuddle]

On 8/1/2019 at 5:32 PM, CharlieH said:

Get a UK sim and there is no issue, they have what they want and you can get what you need, problem solved.

 

Most phones are dual sim these days, I have a Thai sim amd UK sim in one phone. The UK number can be topped up etc and maintained online at minimal cost.

Would you mind telling me what Company the sim is with ? Thank you.

[doctormann]

This post is not strictly relevant to NBS so the mods can delete it at their discretion.

 

I bank with Barclays and was getting very concerned about the necessity for having a UK phone number for receiving OTPs via SMS.  At the moment I use a mobile 'Pin Sentry' which is part of their online banking app.  Because of the almost total lack of hard information as to what would actually happen once the new rules were in place I decided to approach Barclays directly, which I did by secure email, which is available on their internet banking site - which you need a Pin Sentry - real or virtual- to access.

 

This is what i have been told:

 

1.  The new rules about OTPs will only apply to online purchases of value exceeding GBP30, made with the account debit card.

2.  Other transactions, such as money transfers, will be unaffected and will continue to use the mobile Pin Sentry, as before.

3.  In the event of the user not having a UK phone number it will still be possible to use the mobile Pin Sentry to make purchases in excess of the GBP30 limit.

 

Obviously, the proof of the pudding is in the eating so we have to wait to see how things actually work out.

 

In the interim, I now have a GifGaff UK SIM and this appears to work OK in Thailand so i do now have a UK phone number if it turns out that I do need one after all.

 

 

 

 

 

[Jip99]

3 minutes ago, doctormann said:

This post is not strictly relevant to NBS so the mods can delete it at their discretion.

 

I bank with Barclays and was getting very concerned about the necessity for having a UK phone number for receiving OTPs via SMS.  At the moment I use a mobile 'Pin Sentry' which is part of their online banking app.  Because of the almost total lack of hard information as to what would actually happen once the new rules were in place I decided to approach Barclays directly, which I did by secure email, which is available on their internet banking site - which you need a Pin Sentry - real or virtual- to access.

 

This is what i have been told:

 

1.  The new rules about OTPs will only apply to online purchases of value exceeding GBP30, made with the account debit card.

2.  Other transactions, such as money transfers, will be unaffected and will continue to use the mobile Pin Sentry, as before.

3.  In the event of the user not having a UK phone number it will still be possible to use the mobile Pin Sentry to make purchases in excess of the GBP30 limit.

 

Obviously, the proof of the pudding is in the eating so we have to wait to see how things actually work out.

 

In the interim, I now have a GifGaff UK SIM and this appears to work OK in Thailand so i do now have a UK phone number if it turns out that I do need one after all.

 

 

 

 

 

 

 

OTP’s apply to all card transactions (over a certain value).... I have had 3 this week.

[gk10002000]

Interesting about the phone.  I was just in Thailand and by paying extra to ATT, I was able to use my existing old 3g flip top phone that has simple voice and text.  When I logged into a few of the websites, Etrade for example they wanted to send a text to my phone.  Now if I had a Thai phone/ or SIM that would not have worked as Etrade uses my phone of record.  I have heard of other institutions from other countries giving all sorts of problems with overseas contacts

[Skyking]

What is "the card reader" referred to in this string?

[Jip99]

16 minutes ago, Skyking said:

What is "the card reader" referred to in this string?

 

 

Try Googling “Nationwide card reader”......... you will find pictures and a full description.

[Samuel Smith]

On 8/15/2019 at 10:01 AM, tifino said:

 For @Oxx  - the email angle might still be your best option!

Yes, others have brought up about email hacking etc;

but here is another way:

 

1. hopefully you have a Smart phone...

 

for an Andriod, via Play Store; there is a free app, called:

            SMS Backup+

 

Once Installed, have it automatically send( i.e. Forward) ALL your SMSs to your nominated email address.

 

 

 

 

 

Don't you still have to have a UK sim card & phone number to do this?

[tifino]

59 minutes ago, Samuel Smith said:

Don't you still have to have a UK sim card & phone number to do this?

well... there's good news and there's bad news

 

firstly it was fortunate thanx your question came up, for I have just checked my gmail for updates , and they have stopped... 

so, I went back to the phone, and tried logging in to sync my sms backup+

 

...and now (don't know when Google did it -  but all I see on the login screen is: 

 -  a message that Google no longer accepts Google logins to this App (sms backup+)

 

so, I tried back to scratch, and attempted with one of my Outlook.com emails... 

and the message comes back that it can't use that (to log in to Google) 

 

i guess sms backup+ has had some security complaints and it's been put to pasture, as far as Google is concerned? 

 

but - back to your question:   

 

how it has worked up to now, is that (substituting home countries) when I fly out of Australia,

I left the Mobile home,

and each and every SMS sent to the phone, got relayed to my designated Synced gMail Inbox

 

oh well... it was good whilst it lasted

back to the drawing board

[briley]

Just check gmail setting that you allow access from non-secure apps. That might solve your problem.

 

Best to use google to find out where the setting is as it is not very obvious and I have forgotten where it is..............

[Crossy]

Has anyone tried using https://receive-smss.com/ (or one of several similar services) to receive the OTP from Nationwide?

 

Certainly https://receive-smss.com/ seem to change the numbers regularly which is likely to be a pain.

 

And of course there are potential security issues.

 

[davehowden]

On 1/17/2020 at 7:47 AM, Crossy said:

Has anyone tried using https://receive-smss.com/ (or one of several similar services) to receive the OTP from Nationwide?

 

Certainly https://receive-smss.com/ seem to change the numbers regularly which is likely to be a pain.

 

And of course there are potential security issues.

 

I have been monitoring these UK numbers for a few days now and never see a FROM: NATIONWIDE.

 

I wonder if NW are blocking the use of these numbers ?

[nong38]

I have a phone with 2 sim cards in it one for here and one for the UK, seems to work ok. The phone is a Nokia and cost about 1600bts, just a simple phone, 2 sims and a camera.

[phka]

On 8/1/2019 at 5:32 PM, CharlieH said:

Get a UK sim and there is no issue, they have what they want and you can get what you need, problem solved.

 

Most phones are dual sim these days, I have a Thai sim amd UK sim in one phone. The UK number can be topped up etc and maintained online at minimal cost.

Can you top up the uk sim in Thailand