The European “Revised Directive on Payment Services” (usually just called PSD2) has recently enter into to legislation in many countries, including the UK — despite the current political turmoil. In addition to requirements around data access and APIs, and additional limitations for financial service providers, it includes the requirement for financial institutions to provide what is called “Strong Customer Authentication”.
The idea is to provide a stronger guarantee that it is indeed the customer accessing their balance or executing a financial operation. None of this should feel particularly sophisticated, given that banks have provided multi-factor authentication options for many years before this. But if you have read my blog before, you probably know my opinion on banks’ security theatre features.
Indeed, UK – and Irish – banks still appear to believe that asking only a subset over characters of a password, or of digits of a pin, is a good security practice, despite this been easily debunked by any web engineer with a bit of sense.
My job has nothing to do with financial services or PSD2, which means I have a very basic understanding of its intricacies. On the other hand, I’m able to observe how various companies are receiving the directive and implementing it for their customers. Take for example American Express, who sent reminders to their customers to keep their Android app up to date, as they are preparing to send SafeKey notifications – their “2FA” authentication similar to Verified by Visa and MasterCard SecureCode – directly to the customers’ phones. Similarly, Santander recently sent me a contract update that, among other things, gives them permission to send notification via app or email, rather than just SMS. Pretty much the same story applies to the Italian UniCredit, which also replaced their physical password cards (yes, they still had some) and RSA tokens with app notifications.
This is not rocket science or anything particularly new. Even my American bank, Chase, send similar notifications to either SMS, or email, whether it is while logging in, or executing a transaction — and American banks are not particularly well known for their innovative ideas. Indeed, Chase has been doing this for the past three years, without any directive requiring it, and with a fairly low bullshit level. And it even supports OAuth2 delegation for transfers, which TransferWise uses. I guess we’re now seeing European banks catching up to be fairly low bar.
On the other hand of this we have Fineco, now no longer part of UniCredit. Their “strong customer authentication” appears to be an additional 7 digits PIN called “mobile code.” How and where this is going to be used is not particularly clear — the announcement says it’ll be used to hide your balance, but that does not appear to be the case right now. You need to set it in the mobile app, and once done, you’re proposed to link it to your fingerprint. The interesting part is that you already need an additional code to execute operations, and you needed it for the past two years. You also have a separate “client services” PIN, and both of those are 8-digits. And the “web password” is itself only 8 characters. You would think that instead of four “memorables”, having one that can be longer than 20 characters would work better.
Settings banks and financial institutions aside I think nothing can top the original email sent by John Lewis, the British department store (that also operates the Waitrose supermarkets). On September 2nd, they sent an email titled Important information about payment changes, which effectively introduced PSD2 and SCA to their customers. In the email, there was this gem:
SHOPPING IN STORE
You’ll notice changes when making contactless payments in our shops, including when using Apple Pay, Samsung Pay and payments via wearable technology such as smart watches. You may be asked to insert your card and key in your PIN. Chip and PIN payments will continue to work as normal.
WHAT YOU NEED TO DOmy John Lewis email, 2019-09-02
As the checks are random, you won’t know in advance whether validation is required, and neither will our Partners. So if you plan to use contactless payment, make sure you have the relevant card with you, or an alternative method to use, so you can continue with your purchase.
I took it to Twitter then to rant about the insanity of suggesting customers to insert a card when using a mobile-based payment system. Not just because there may not be a card to insert (Revolut allows connecting a virtual card to Google Pay, so there’s no matching physical card for it), not because there shouldn’t be a way for merchant to link the Google Pay/Apple Pay to the original card you connected, but most importantly because the authentication provided by an unlocked phone is stronger than that of a Chip’n’Pin card.
But they went even worse with “What you need to do”, because they are explicitly saying that they were introducing random checks, not risk-based checks which PSD2 and SCA are usually suggesting. And let’s ignore again the note of “relevant” card that may not exist. It makes it a lottery to figure out if you can pay for the groceries you’re buying, and honestly I don’t want to have an awkward moment when their till system decide to quiz me on a card I might not have to begin with.
I don’t know if anyone at the store chain noticed my tweet rant, but two days later, they sent another email, titled An update on Strong Customer Authentication.
At John Lewis & Partners, we are committed to ensuring you have a safe and secure experience when shopping with us. On Monday 2 September we sent you an email about Strong Customer Authentication (SCA) and the importance of your card issuer having your most up-to-date contact information.my John Lewis Email, 2019-09-04
We incorrectly suggested that you may be asked to insert your card and key in your PIN when using Apple Pay and Samsung Pay. We are pleased to tell you that you are not required to present your card or enter your PIN when using these payment methods, and you can continue to use Apple Pay and Samsung Pay as normal.
I don’t know if this is a change of plan, where someone pointed out that implementing it that way was silly, or just a communication error in the first place. But it definitely shows how careless the communication around this was from John Lewis. I somehow expect that other companies are on the same boat, and I just haven’t noticed because I’m not their customer.
Speaking of Twitter, I saw at least two people recently complaining that their banks refuse connection from IP addresses from countries outside their operation area. While this does not seem to be announced as part of SCA, I have a certain feeling that this is becoming more popular because of it. It’s the same kind of risk analysis that forces me to use TunnelBear to connect to my GP’s online services to order my medical supplies if I’m traveling, as their app is rejecting any request coming from a non-UK address.
I’m afraid that as usual, with bank security, we’re not talking about rational solutions. We’re instead looking at solutions that consultant can sell to banks, and that bank management can feel confident enough to defend in court. And maybe confuse their customers over the fact that they may be making their life miserable, but they do so for security.
It effectively reminded me of Andrea’s work on chip-and-pin implementations, now nearly eight years ago:
Honestly, I wish banks took their ideas from TransferWise, which, among all of my bank accounts, is the only one implementing 2FA as push notifications with the app they have on my phone.