More British cashback: Airtime Rewards

You could say that one of this blog’s “side hustles” is talking about cashback offers. I think it all started with the idea of describing how privacy compromises work, but more recently focused on just one fintech’s free money distribution. This time I have something to talk about that again touches on both points.

Airtime Rewards is a cashback program that was advertised to me by my mobile phone provider, and it is indeed a bit different from other programs I’ve seen, because the cashback can only be redeemed as credit to your (or someone else’s) mobile phone bill — thus the Airtime part of the name I guess.

The way it works is pretty much reminiscent of the US-only “Rewards Club Dining”: you sign up for an account, and you give them your payment cards’ details — PAN (the 16-digit number), CVV and expiration date. They don’t charge you, instead they set up a “trap” on those cards, so that they are notified when you spend on them.

And this is honestly borderline even for me, as a privacy invasion. I haven’t worked deep enough in payment systems to actually know how those traps are implemented, but it sounds like the companies like Airtime Rewards are getting pretty much a huge feed of your spend, not just related to the vendors they offer cashback for. But don’t quote me on that because I don’t actually know how they implemented it, it might be totally benign.

Now let’s preface this with one important bit of information: only Visa and MasterCard cards are usable for either of these two options. American Express is, once again, a walled garden — they are effectively the iPhone of payment cards, for good and bad (including costs). Just like they don’t allow vendors to scam people via DCC, they don’t seem to allow traps of cards for payment.

So how does this program fare, and why do I even bother talking about it? Well first of all, if you’re the type of person who don’t like leaving money on the table at any chance, it’s actually pretty good, as long as you visit the stores involved. I signed up for this just before Christmas shopping, because I knew we were going to spend a bit of money at Debenhams, and they had a nice 5% cashback, but even just the couple of orders from Waitrose, and the usual stock-up at Boots were enough to get back ~£30 in a couple of months. It’s not going to pay for the phone bill constantly, but it does pay for a few vanity domain names, at the end of the year.

The cashback offers from various retailers are there to make customers chose them over alternatives. This has worked a tiny little bit with Airtime Rewards, in the sense that I factored in the cashback offer when choosing between ordering from Morrisons, Waitrose or Ocado — because sometimes the cheaper is actually winning due to cashback offers, either Airtime Rewards, or Santander. For the most part, a number of our usual destinations are part of the program, so Boots, Pizza Express, Ryman, or (more recently) Uniqlo are nice to see. For a while, Morrisons was also part of the program, but that has not been the case for very long — it appears there’s some variability on which retailers sign up, that suggests there may be a middleman company handling the retailers connections.

Speaking of Santander cashback, because Airtime Rewards attaches to the card number itself, it is possible to combine the two offers, making it closer to (sometimes) 10% cashback than 5%. The same is true with Curve, although note that you can’t stack Curve and banks’ offers, as the latter only see the charge coming directly from Curve.

One very annoying thing with the way Airtime Rewards work, compared to offers by banks, Curve, and American Express, is that they only hand you the cashback credit after a “confirmation period” by the retailer — namely it seems to be matching the various retailers’ return policies. Which means it’s taking 90 days to confirm a Morrisons transaction, despite Morrisons not being in the program anymore. It feels very strange for restaurants (like Pizza Express) needing 35 days to confirm a transaction though — I don’t think I would be able to return my lunch there.

One important thing to note is that the offers are also not quite uniform: while most of the offers are valid for both MasterCard and Visa, some are only available on one or the other circuit. It’s not a big deal for me, as I always preferred having one card on each, but it’s something to keep in mind. Not all the offers are available online, either – again the Morrisons offer I referred to above was only available in store, which excluded home delivery – and then there’s the catch with Google Pay and Apple Pay.

You see, when you pay with Google Pay or Apple Pay, you’re using a “virtual card” — the PAN of the card reported to the merchant does not match the one printed (or embedded) in the card that you connected. This has been described as a privacy-preserving feature by many, although I can’t find any obvious official documentation of this. The idea being, if you pay alternatively with your phone (or different phones) and your physical card, the merchants shouldn’t be able to tell you’re the same customer (but the bank, obviously, can). Turns out this is also not true, because indeed you can attach the PAN of a physical card to Airtime Rewards, and you get your cashback when you pay with Google Pay (connected to that particular card) at some of the retailers.

I say some, not just because Airtime Rewards explicitly only marks some offers as compatible with Google Pay, but also because experimentally I can tell you that even some of the offers that are marked as Google Pay compatible don’t actually work when paying with Google Pay. That was the case, for instance, of Carluccio’s: the only time the cashback got registered was the one time I paid explicitly with my physical card.

What this does mean, though, is that there’s a way for third parties (beside you, your bank, and Google/Apple) to connect payments by virtual cards with the corresponding physical card. And honestly, that’s the scariest part of this whole program.

So, at the end of the day, what if you’re interested in signing up for this? You can sign up here, and use code P7YR6TPE to get £1.5 bonus for you (and a matching one for me). Or maybe you can check with your mobile provider, that might have an even better sign-up offer, honestly.

Curve is giving “free” money away, again.

About a year and a half ago, I reviewed the Curve debit card, and I went back talking about it when talking about foreign transaction fees. If you don’t want to go back and read the whole set of text, I’ll give a very brief description: Curve is a proxy-card, that allows you to connect a bunch of other debit and credit cards, and to decide when you pay (or, critically, shortly after) which card you want to charge your expense to. It includes a few features such as some amount of free (or cheaper) transaction fee spend, but the “proxy” nature of the card is the selling (or not-really-selling as I’ll explain later) point.

In my previous posts, I have made two main points about Curve: the first is that they give away for free most of the useful features of the service, and the other that they make no real sense in the UK, as one of the possibly biggest selling points (the foreign transaction free nullification) is vastly irrelevant: most high street banks have some offering with no foreign transaction fee, and I still venture that Santander is the best UK offering for globetrotters who need to use their card in many different currencies. Despite my fairy pessimistic view of Curve’s business plans, it seems like the management is taking a different view — even FT Alphaville wrote about their marketing campaign.

Speaking of pessimistic view — I am a bit skeptical about their marketing of “100 Cards in One”. While it would be a great feature a few years ago, in 2019 most of my spending goes through my phone, with Google Pay. While I have half a dozen separate cards, most of them are compatible with Google Pay, so I don’t carry them with me. The ironic exception being my company card. As it turns out, this is something that Curve can help with: it now supports Google Pay, and on a business trip I can proxy my expenses to the company card.

Now, one claim on their website that appears to mostly hold true is «Your gateway to money for nothing.» Because they do appear to run lots of promotions that give you free money. Indeed, in the past week I received two email from Curve: one to announce that they would give me £5 if I just used my card at all (which I did, just to see if they pay up), and another to tell me that they are giving a “Christmas gift” for all their users to select three new retailers to get their 1% cashback from. All of this for a “Curve Blue”, which is their totally free tier.

Speaking of the 1% cashback, when I signed up last year, Amazon was not one of the options, or I would have taken it. It was this time, so I did that, under the impression that one way or another I do end up buying stuff off them often enough, and in the next three months I may get some value out of it. Despite this, their paid offer is still pointless: they charge you £9.99 a month, and to cover that on cashback alone you would have to spend £1000 a month from those three retailers. And no, I don’t think the Travel/Gadget insurances that they peddle with the offer mean anything else — there’s a doubling of how much free cash you can get from ATMs, but they appear to have closed the loophole that allowed you to withdraw cash and get loyalty points, or cashback, from a credit card, without incurring in cash handling fees.

So yeah, it looks like they do give money for nothing. Well, for some profiling data I guess. The obvious question is where that money comes from, given that the free offering is just compelling enough, and their paid offering are… in one word, overpriced. As I said in the previous post on foreign transaction fees, Santander offers their All in One Credit Card for £3 a month, and is also 0% foreign transaction fees and comes with a 0.5% cashback on all purchases; recovering that monthly fee requires “only” £600/month spend across any vendor (and not just three), and if you spend more you can probably pay for the travel/gadget insurance separately. And since it’s issued as a World MasterCard (rather than a Debit MasterCard), it also allows you to use some of the available perks worldwide, including some airports’ priority lane at security (as it turns out, that includes Venice Airport, which is very handy since that’s where we fly in and out for to see my family.)

And if you want to compare with the Curve Metal offering at £14.99 a month, well, Santander offers a World Elite Mastercard at the same price point, which comes with the same 0.5% cashback (although capped to nullify the monthly fee.) Despite not coming with the insurances (which again I don’t find particularly compelling, it does have a discount for Santander’s own offering. And it provides LoungeKey access just as well, except that you don’t have to pay the £20 per person entry fee. Being a World Elite card, it also comes with a bunch of other perks, including a Boingo subscription (not particularly compelling to me either, but worth noting.)

Anyway, if you are yet to make your Christmas purchases, and are interested in getting some more extra cashback with Curve, you can download the app from their website and if you want you can sign up with the code BG2G3 to get another £5 out of the magic free money card (and give me the same.)

Revolut, as of October 2019

A few months ago I wrote a not-so-short comparison of a few FinTech services with offerings from high street banks in the UK — and I would note again, that the comparison does not hold up in Ireland, so it’s definitely biased, but I would uphold it for good reason. I think it might be time to do a bit more dusting over it.

The first service I should get back to talk about is Revolut, which I first praised and more recently complained about. As I said in a number of previous posts, my reasons to keep using Revolut for day-to-day transactions have pretty much disappeared: my Santander credit card gives me 0.5% cashback on all transactions, and no foreign transaction fee, why would I use Revolut? Virtual cards, and rotating-number cards are interesting and have their use, but honestly, I can’t be bothered unless it’s for very shady operations where I don’t trust giving my credit card, but those are pretty much corner cases.

Revolut has been running multiple advertising campaign throughout the London Tube, the most recent one promising three Tube trips free if you pay with Revolut. I could probably do that, next week, maybe, if I paid enough attention — I don’t use monthly tickets, so I can change card any Monday as long as I use it until the same until Sunday to cover the 7-day cap. But I had bad history with using Revolut on the TfL network before, although admittedly that was when I was landing from Dublin, and the location-based security tripped.

Update 2019-10-07: turns out I cannot actually use their TfL offer because it relies on Google Pay (which with Revolut I found already too unreliable to use for commuting) and only works if you have a Visa-issued card. My card is MasterCard-issued still.

If you check the news, the FT reported just this week how Revolut expects to reach “viability” despite continuing to lose money. This is likely because, as I pointed in my complain-post, Revolut makes perfect sense as long as you’re not paying anything for it. The only reason to sign up for any Premium or Metal tier in London (where most of their advertising budget appears to be spent, from what I read from news) is if you don’t understand the services available from the high street, or if you want to subsidize the free tier for everyone else. Funnily enough, FT Alphaville reported on the same day of the staff cashing it in.

I had to use Revolut only once in the past few months, and that was a couple of days ago. My sister asked me if I could send her some money for her to use the card, as her debit cards expired and she was trying to buy something — remember Italy does not have “faster payments” so inter-bank transfers are not instantaneous. It should be a simple operation: top-up £50, send £50 to my sister, she can convert to € and spend it.

Topping up worked like a charm. But sending the money didn’t: in addition to confirming my fingerprint, the app said it would send me an email, and to check the email from the same device to confirm the operation. The email can be re-sent only after one minute, but (as often) it recommends you to check your Junk or Spam folder too. The email never arrived. I don’t mean within a minute. I mean that this is two days later, the email has still not arrived yet.

No the mail server was not having a hiccup. Yes I did try resending it five minutes later. Yes I did check the Spam folder. No it’s not graylisting. My email address is served by G Suite, which means it’s more reliable than a normal Gmail address. Revolut can’t seem to be able to send email to Gmail. And it’s not just me. The same problem with email not arriving happened a number of months ago to my girlfriend, while sending money to my Revolut account! Anyway the answer is that I now have £50 that I can’t seem to be able to send to my sister, she ended up asking our mum for the transfer instead, and I have even less trust in the service.

I complained on Twitter about this, but without tagging in the Revolut account. When this happened to my girlfriend, and I ranted at them about it, they kept insisting to “check [my] spam folder”, which of course we did. If I asked now, I’m expecting to hear that “PSD2 made them do it”.

It’s sad, but I can’t really expect much better from a service that, despite a lot of nice ideas at the start, appear to have found a business model only to augment banks in places where high street has no offering (Ireland), or for people who can’t seem to know better (the whole Bitcoin/cryptocurrency part, that appears to be the sole attraction for Premium/Metal for quite a few people).

PSD2 Made Me Do It

The European “Revised Directive on Payment Services” (usually just called PSD2) has recently enter into to legislation in many countries, including the UK — despite the current political turmoil. In addition to requirements around data access and APIs, and additional limitations for financial service providers, it includes the requirement for financial institutions to provide what is called “Strong Customer Authentication”.

The idea is to provide a stronger guarantee that it is indeed the customer accessing their balance or executing a financial operation. None of this should feel particularly sophisticated, given that banks have provided multi-factor authentication options for many years before this. But if you have read my blog before, you probably know my opinion on banks’ security theatre features.

Indeed, UK – and Irish – banks still appear to believe that asking only a subset over characters of a password, or of digits of a pin, is a good security practice, despite this been easily debunked by any web engineer with a bit of sense.

My job has nothing to do with financial services or PSD2, which means I have a very basic understanding of its intricacies. On the other hand, I’m able to observe how various companies are receiving the directive and implementing it for their customers. Take for example American Express, who sent reminders to their customers to keep their Android app up to date, as they are preparing to send SafeKey notifications – their “2FA” authentication similar to Verified by Visa and MasterCard SecureCode – directly to the customers’ phones. Similarly, Santander recently sent me a contract update that, among other things, gives them permission to send notification via app or email, rather than just SMS. Pretty much the same story applies to the Italian UniCredit, which also replaced their physical password cards (yes, they still had some) and RSA tokens with app notifications.

This is not rocket science or anything particularly new. Even my American bank, Chase, send similar notifications to either SMS, or email, whether it is while logging in, or executing a transaction — and American banks are not particularly well known for their innovative ideas. Indeed, Chase has been doing this for the past three years, without any directive requiring it, and with a fairly low bullshit level. And it even supports OAuth2 delegation for transfers, which TransferWise uses. I guess we’re now seeing European banks catching up to be fairly low bar.

On the other hand of this we have Fineco, now no longer part of UniCredit. Their “strong customer authentication” appears to be an additional 7 digits PIN called “mobile code.” How and where this is going to be used is not particularly clear — the announcement says it’ll be used to hide your balance, but that does not appear to be the case right now. You need to set it in the mobile app, and once done, you’re proposed to link it to your fingerprint. The interesting part is that you already need an additional code to execute operations, and you needed it for the past two years. You also have a separate “client services” PIN, and both of those are 8-digits. And the “web password” is itself only 8 characters. You would think that instead of four “memorables”, having one that can be longer than 20 characters would work better.

Settings banks and financial institutions aside I think nothing can top the original email sent by John Lewis, the British department store (that also operates the Waitrose supermarkets). On September 2nd, they sent an email titled Important information about payment changes, which effectively introduced PSD2 and SCA to their customers. In the email, there was this gem:

SHOPPING IN STORE
You’ll notice changes when making contactless payments in our shops, including when using Apple Pay, Samsung Pay and payments via wearable technology such as smart watches. You may be asked to insert your card and key in your PIN. Chip and PIN payments will continue to work as normal.
WHAT YOU NEED TO DO
As the checks are random, you won’t know in advance whether validation is required, and neither will our Partners. So if you plan to use contactless payment, make sure you have the relevant card with you, or an alternative method to use, so you can continue with your purchase.
my John Lewis email, 2019-09-02

I took it to Twitter then to rant about the insanity of suggesting customers to insert a card when using a mobile-based payment system. Not just because there may not be a card to insert (Revolut allows connecting a virtual card to Google Pay, so there’s no matching physical card for it), not because there shouldn’t be a way for merchant to link the Google Pay/Apple Pay to the original card you connected, but most importantly because the authentication provided by an unlocked phone is stronger than that of a Chip’n’Pin card.

But they went even worse with “What you need to do”, because they are explicitly saying that they were introducing random checks, not risk-based checks which PSD2 and SCA are usually suggesting. And let’s ignore again the note of “relevant” card that may not exist. It makes it a lottery to figure out if you can pay for the groceries you’re buying, and honestly I don’t want to have an awkward moment when their till system decide to quiz me on a card I might not have to begin with.

I don’t know if anyone at the store chain noticed my tweet rant, but two days later, they sent another email, titled An update on Strong Customer Authentication.

At John Lewis & Partners, we are committed to ensuring you have a safe and secure experience when shopping with us. On Monday 2 September we sent you an email about Strong Customer Authentication (SCA) and the importance of your card issuer having your most up-to-date contact information.
We incorrectly suggested that you may be asked to insert your card and key in your PIN when using Apple Pay and Samsung Pay. We are pleased to tell you that you are not required to present your card or enter your PIN when using these payment methods, and you can continue to use Apple Pay and Samsung Pay as normal.
my John Lewis Email, 2019-09-04

I don’t know if this is a change of plan, where someone pointed out that implementing it that way was silly, or just a communication error in the first place. But it definitely shows how careless the communication around this was from John Lewis. I somehow expect that other companies are on the same boat, and I just haven’t noticed because I’m not their customer.

Speaking of Twitter, I saw at least two people recently complaining that their banks refuse connection from IP addresses from countries outside their operation area. While this does not seem to be announced as part of SCA, I have a certain feeling that this is becoming more popular because of it. It’s the same kind of risk analysis that forces me to use TunnelBear to connect to my GP’s online services to order my medical supplies if I’m traveling, as their app is rejecting any request coming from a non-UK address.

I’m afraid that as usual, with bank security, we’re not talking about rational solutions. We’re instead looking at solutions that consultant can sell to banks, and that bank management can feel confident enough to defend in court. And maybe confuse their customers over the fact that they may be making their life miserable, but they do so for security.

It effectively reminded me of Andrea’s work on chip-and-pin implementations, now nearly eight years ago:

Andrea Barisani and Daniele Bianco talking about Chip&PIN.

Honestly, I wish banks took their ideas from TransferWise, which, among all of my bank accounts, is the only one implementing 2FA as push notifications with the app they have on my phone.

Opinion: FinTech vs High Street

If you’re a regular reader of this blog, you may have noticed that I have strong opinions regarding consumer financial services, particularly when it comes to Revolut, which I wrote about a lot by now.

I didn’t start writing about these services because of a professional interest, but rather because when I moved from Italy to Dublin (via Los Angeles), I felt like I stepped back ten or more years with the banking system. And while this improved significantly when I moved to London, there are still a few things baffling me from time to time.

But as I discussed in one of my recent Revolut-bashing posts, compared to Ireland the high street banking options in London are so much more interesting that I’ve effectively ditched Revolut for day-to-day payments. So why would anyone care about FinTech products?

I have been thinking this for a while, not just as a customer, but with an awareness that, if I decided to change my perspective in life and go for a riskier professional position, from my rather cushy one, FinTech appears to be the place to be right now. Particularly given the unfortunate experience I have gained in this field by now.

One of the issues appears to be one of branding, and trust. Quite a few people appear to have a dislike for high street banks because of their association with previous scandals or news. And that’s what makes it funny to see how high street banks appear to just want to enter the market with new brands.

Another thing that Monzo appears to capitalize on, in their tube advertisements, is the ability to receive instant notification of the money spent. And that’s something that I deifnitely can relate to. This is particularly important when you get to more shady stores, or to coffee stores with untrained staff, that may suggest that a transaction didn’t really go through, and suggest you to pay cash instead, charging you twice.

Indeed, this was one of the biggest advantages of using Revolut for me in Ireland. The “famous” Tesco Bank credit card didn’t really have even an online banking platform, and the only way for me to confirm whether a transaction went through was by looking at my Tesco points statements. But this is not something revolutionary: I had notifications of all online transactions, and card-present transactions over €50, on my Italian pre-paid card in 2006 (via SMS, not via app at the time, of course.)

While I feel Monzo is right to take a swing to most high street banks for not implementing these notifications, even in 2019 London it’s not true that you need to “go FinTech” to have this level of support. My American Express does the same, and you cannot say that AmEx is a new player on the market!

And it doesn’t stop at just sending me notifications for the charges: American Express goes one step further, and integrates with Google Pay so that you get the notifications even without having the American Express application installed.

Indeed, I have a feeling that, for the most part, customers would be happy if the level of support in high street banking was on par with American Express:

Their website lets you log in with a simple username/password combination, rather than the silly security theatre of “Give me the 1st, 2nd, 123th character of your password, and 1st, 5th and 6th digit of your PIN” (seriously, setting aside the random index selection, why on Earth do you need two equivalent factors?)
New charges on the card are notified immediately, either through app or through Google Pay (I don’t know about Apple Pay but I assume that’s the case there as well).
You can get your card’s PIN online, which is usually verified by a text message OTP.

One of the things that AmEx does not do, that I think all of the FinTech players appear to do, is freezing/unfreezing the card on the fly. A feature that Barclays has been advertising all over as if they had invented it.

It is pretty much possible, or certain, that some UK high street banks already started providing all of these options, maybe in different combinations. As I said, Barclays does appear to have the ability to freeze/unfreeze the card. Fineco does not mail out the PIN but rather has you requesting it online and delivers it as text message. And as I made as a point before, Santander has a credit card with no foreign transaction fees.

Many of the articles I read over the importance to FinTech startups imply that the main reason why big banks can’t be this flexible or “innovative” is that they have old, heavy and difficult to manage backends. From second hand discussions, I can believe that the backends are indeed as heavy and clunky as they are purported to be, but it does seem to me that many of the features involved can’t be that tied to the backends, given that most of the banks can provide those features already.

A number of features that I see being deployed throughout different banks is the ability to “budget” expenses. While they sound particularly interesting, this appears to be mostly a “frontend” feature. Santander has this feature, but somehow they decided to implement this on a separate Android app only, which I gave up on. Indeed, it does not allow you to correct their classification of expenses, which makes it pretty much useless, not just because some vendors are classified completely wrong, but also because sometimes the same vendor might be used for different reasons (Boots, CVS, Walgreens, and similar all provide both medicines and groceries; how you categorize their spend depends on what you bought!)

While Santander have already won me over as a bank customer, I do feel that they would win over more of my credit card expenses from American Express if they implemented “this one weird trick” of informing me of charges as they happen. Because small things like that are one of the reasons I use my AmEx quite a lot in the UK, even after I reach the needed spend to upgrade my Marriott membership to gold.

So yeah, my hope is that high street banks will finally see the competition from FinTech as a list of features that they should, opportunistically, implement, rather than an excuse for the branding and marketing departments to come up with new ideas to be “hip”.

Speaking of Foreign Transaction Fees

In the previous post about Revolut, I have left open a topic that I wanted to move to its own post: foreign transaction fees.

For those who are not acquainted with the terminology here, with foreign transaction fee I’m referring to the additional fee levied by banks and payment card companies when you incur expenses in a different currency than the one the card was issued for. Sometimes (particularly in UK and Ireland) this is referred to as an “overseas transaction fee” — which is confusing, particularly for Ireland, where the fee is applied for expenses in GBP (which is not overseas, but rather “up the road”), but not in EUR (which is mostly oversea).

This is a different cost incurred than the possible bad exchange rate that the financial institution may be applying, and it has nothing to do with the various DCC scams that you may run into when going to touristy destinations with a non-local card, although there is a link there: even online, services may suggest you to apply the charge in your local currency to avoid foreign transaction fees — as you can see in the linked post, that’s rarely a good idea, with a few exceptions (e.g. PayPal actually applies sane conversion fees in my experience, even if not the best ever).

These foreign transaction fees are set by the card issuers, and vary widely. I have seen cards with up to 6% “fex fees”, but that was back in Italy (why I say that will be clearer in a moment). In Ireland, with the exception of various fintech companies, the typical fex fees were of 2-3% — I was very happy with Tesco Banks‘s 1.75% fex fee (Tesco Bank no longer operates in Ireland.) In the UK, it appears most cards either have 0% fex fee, or 2.99% fex fee; there are a few divergences, but those two appear to be the most common options.

The reason why I am specifying this information with a country attached is that, in addition to telling you what the currency is, the mix of local-vs-foreign spend for the average person is also connected to the country. For instance, for my friends and family living in Italy, foreign transaction fees only exist when buying from foreign websites (or eBay), or when going on a “far” trip — Croatia and Switzerland being the closest countries that incur the fex fee. On the other hand, if you live in Ireland, you’ll probably have at least one recurring expense in GBP — depending on how Brexit is going to go this may change.

Indeed, for electronics you often need to look at the UK, rather than the continent — because of plugs, regulations, availability, etc. And quite a few eShops with presence both in the continent and the UK used to refuse you service from the European website, referring you to the UK one instead — this is another thing that may change after Brexit. There is a reason why, when discussing markets, most companies call it “UKI”.

I’m told that a similar situation exists for those living in Switzerland, and I can imagine this goes similar in the Nordics, given that Denmark, Sweden, and Norway have their own currencies as well, and likely a lot of services overlap.

In the UK (and again this may change after Brexit), you may very well never spend money outside of GBP because all the services exist within the country. Unless you’re an expat, in which case you’re probably still visiting the continent (Eurozone or not) fairly often, or may be paying for ongoing services (such as cellphone contracts) in that currency. This probably explains why the two sets of fex fee groups: if you’re part of the first group, you probably don’t need a card with no foreign transaction fees — while you really do in the latter case.

In my case, I have two credit cards: one from Santander, which I spoke of last time, with no foreign transaction fee, and an American Express with a 2.99% foreign transaction fee. I effectively spread the expenses on the two cards, depending on where I am — namely I try to use the Amex in the UK, and the Santander anywhere the other does not work. I could give up on the Amex, as the Santander is strictly a superset usage, but the perks provided by Amex are worth having. And that’s the most important thing: cards have perks, so you should probably consider those as well.

Thus the utility of fintech services like Revolut and Curve depend on the country you live in not just because it sets the band for foreign transaction fees, but also because they set the tone of foreign currency usage. In the UK, with the wide availability of debit and credit cards with no foreign transaction fees, their services are likely less useful than in other countries — except when it comes to perks. Indeed in the case of Curve, you would be able to keep most of the perks of a credit card, such as cashback, even if the card comes with a hefty foreign transaction fee. Except for Amex of course.

But is it convenient for you to pay for such a service? That’s another very good question. And to answer it, I’ll try to forget about the UK and go back to Ireland — mainly because here, as I now repeated a number of times, cards with no foreign transaction fee exists and you can just use one of those. Metro Bank has free current accounts with cards that come with cards without foreign transaction fees in Europe. Santander has a £3/month credit card with no foreign transaction fees, and 0.5% cashback. Halifax has a Clarity MasterCard that comes with no monthly fee, no foreign transaction fees (and of course no perks.)

But let’s go back to Ireland and take a look at the options. As I said the usual foreign transaction fee in the country was between 2% and 3%. In the case of Ulster Bank, the card I used to have had 2.75% foreign transaction fee. At which point would it have been cheaper for me to subscribe to Curve Black, at €9.99/month, rather than give Ulster Bank their fees? (And for simplicity here, I’m not talking about exchange rates; the exchange rate for their MasterCard is network-provided so it’s not at all bad, and in fact it’s comparable to Revolut’s.)

As most services would require a yearly commitment, we should consider the spend on an yearly basis too. This makes the cost €119.88, but we’ll call it €120 to make it easier to run umbers on them. Let’s just call the twelve cents a rounding error. If we’re ignoring the cashback options (as in Ireland there were none, beside Tesco Bank), the amount of foreign expenses you’d need to break even on Curve black with the foreign transaction fee noted above is about €4364 (divide the yearly cost by the foreign transaction fee). That’s the cost of fairly big vacation for a family (note that you can’t include flights in the vacation cost, as those would be billed by the currency of the country of origin, which is likely local).

If you have a card that provides cashback, then things become more complicated, because you’d have to include the cashback in the calculation. If you’re curious the following formula will give you the number, making S the yearly subscription cost of the service, F the foreign transaction fee percentage, and C the cashback percentage:

(S + (S/F) * C) / F

For Revolut Metal, with their variable cashback, figuring out the number is a bit more annoying. But we’re also talking about 1% in the best case scenario (all non-European spend). So the basic number (€5673) only goes down to €5616. The 0.1% cashback option of all European spend is so minimal that it’s not worth calculating exactly.

So what should you do if you don’t usually spend that kind of money on foreign transactions? You can still use the Revolut and Curve and other fintech services without paying for them, and grab the best deal you can until they go bust. Or if you don’t want to bother, you can just spend on your normal cards, get your usual perks and ignore the need for no foreign transaction fees.

Indeed, if your options are spending on Curve attached to a debit card with no cashback and no perks, or spend on an American Express Platinum Cashback Credit Card, you would need to spend more than £5330 a year in foreign transactions for it to be worth it — and that’s assuming you don’t qualify for the higher tier. And this is probably the worst case scenario for the UK, for a non-zero foreign transaction fee card.

Is Revolut Still a Good Thing?

You may remember that a few years ago I wrote a positive review of Revolut, the fintech startup that provides payment cards with stored value and no foreign transaction fees. I have been using it for a long time by now, and had mostly stood by that review, until the second half of last year, where things started to appear more complicated. Given the current flurry of stories on the company, from silly advertising shenanigans to uncovering of poisonous working conditions, I thought it would be a good time to write some more up to date words, as I don’t think I can recommend Revolut as much as I did before anymore.

First of all, I started feeling uneasy recommending Revolut since they started down the path of selling cryptocurrencies as an added-value feature. I hold a personal belief that participating in the trading of Bitcoin and other similar “currencies” is unethical (see Thomas’s rant on the topic), and I don’t like being associated with companies focusing on them. I have looked the other way for a while, though, because I knew that using the words “cryptocurrency” and “blockchain” make money appear out of nowhere for most startups, even when there’s no rhyme or reason for it. I just had a bad taste in my mouth for this.

The problem is that Revolut, even when I had the Premium version, built something very cool, but a bit rough around the edges. And as a customer, it is annoying to see them jumping the shark onto cryptocurrencies, instead of making location-based security actually reliable, implementing 3DSecure/VBV integrations, or finding a way to get a proper banking license and FSCS insurance (all of which would be requirements for me and most people to use Revolut as a replacement for high-street banking).

Instead, what we see is that Revolut is adding “features” trying to upsell you into their premium services. This is not entirely bad, because you need paying customers to run a business. Unfortunately my impression is that they offered and offer so much on their free tier, that they are tackling on random stuff that has nothing to do with banking itself, just to get people to sign up for their Premium and Metal tiers.

As an aside, I still don’t understand this trend of providing heavy (“18g” as they boast some companies) metal cards. The last thing I want from a credit card is to be heavy, as I barely even want to have to take it out. I’m all in favour of the trend of not embossing the name and number, preferring to print it on the back, but it does not need to be metal for it. Indeed, Curve (that I’ll get again in a moment) did exactly that.

We’ve just come back from a trip to the Continent, and what we did notice that Revolut tried to upsell us medical and travel insurance at every change of country (even when we just connected flights through third countries). This is not just annoying as we’re not interested in it (we’re European citizens, visiting European countries, and work provides both of us with a basic travel insurance), but it’s also annoying because it makes use of the location information, which I provide for the security feature, for marketing. Similarly, I recently had more notifications about them trying to upsell me Metal than actual transactions.

For a while, I actually did pay for the Premium service. Mostly under the idea of “putting my money where my mouth is”, that is to make sure that the company could keep operating a service I loved. Unfortunately it turned out a bad idea: not just because Revolut cannot replace a high street bank in the UK (no FSCS to protect your account, no BACS direct debits, etc), but also because the Premium “perks” were not something I cared about, and the dedicated service team was still useless when it came to even telling me the top-up limits when I changed the card I used for top-up.

If you already have two physical cards (and paid for it), you need to pay to replace one of them with a Premium card, if you so wish (but it gains nothing but a different colour, so I never did that). The unlimited exchange is not particularly useful when you already don’t reach the free tier’s spend, and the ATM limits is only useful if you plan to actually use cash, which I really try not to. The one interesting feature that is advertised for Premium customers, but as far as I can tell is also present as a one-off charge for non-Premium one, is the disposable virtual card, that changes PAN every time you use it. But even that is not as secure as it looks, as I’m told that vendors are still able to charge again a disposable card that already changed number.

Okay admittedly there’s the travel and medical insurance, but as I said earlier, I get a better travel medical insurance from work (and probably there’ s better out there) and a credit card such as American Express would provide a better baggage/flight insurance. This is very subjective of course, it’s well possible that for other people, with other employers, and in other countries, these insurances are actually worth it.

Speaking of circumstances, I think I might not have felt so strongly against Revolut if I was still in Ireland. Not just because they seem to have implemented SEPA DD Core support, so you can actually use it to pay your bills there, but also because the alternatives of high street banking there are significantly worse than here.

In London, I now settled on Santander as my primary bank, both for the current account and for a 0% foreign transaction fee credit card, their All-in-One Credit Card. These come to £5 per month for the account, and another £3 per month for the credit card (compare against Revolut’s premium at £6.99 and Metal tier at £12.99), and while the free foreign ATMs withdrawal are limited to Santander’s own network (limiting the countries you can use them on), this is a full-featured, FSCS-insured account, with cashback, retailer offers, and active interest on the current account’s deposit. If you don’t want (or can’t afford) a credit card, Metro Bank offers 0% foreign transaction fee for European transactions on their free accounts’ debit cards. And I’m sure that other banks have similar arrangements all over the place. Basically, the UK has a significantly wider range of offers, that make Revolut less necessary than in Ireland.

But even for Ireland, and for other countries that do not have such a selection of high-street banks, Curve – that I complained about before – decided to change their target marketing a bit, now offering a “front” for any Visa and MasterCard card to provide 0% foreign transaction fee, with their premium option existing to raise the limit of monthly transactions. That would have been something awesome to have when I lived in Dublin, to keep getting Tesco points, while not paying the 1.75% of foreign transaction fee on their credit card. (If you are interested to try that, my referral code is BG2G3).

Both Curve and Revolut have a Metal card with which they provide cashback. In the case of the former, these are retailers-limited, and I can only assume they are based on some third party’s selection of perks, as the retailers are pretty much the same that Santander and Lloyd’s provide retailers offers for. Revolut instead provides cashback on all spend, 0.1% on European spend, and 1% for non-European spend (although there does not seem to be an obvious definition of Europe on their marketing material, I assume it’s deep into the terms of service).

While cashback is always a nice bonus, it only makes sense if you can break even on the cost of one’s service by spending. With Revolut Metal, that would be an astounding £13k (thirteen thousands pound) per month in European spend, or £1299 of non-European spend. I do know some extremely frequent travellers to the States or Asia that would be able to spend the latter, but that’s more of an exception than a rule. And if you can spend the former, you probably can get more than that in interest by keeping the money in an active-interest current account, and paying with a normal credit card.

For comparison, Santander’s card I linked above costs £3/month (you don’t even need their bank account). It has 0% foreign transaction fee on all spend. And a cashback of 0.5% (five times Revolut’s European cashback) on all spend. It takes only £600 a month to break even, and that’s without counting additional retailer offers, or additional perks from their current accounts.

And even if you look at American Express (which is never considered a cheap option) and their cashback options, the numbers are significantly different. Their Platinum cashsback card is £25 per year, and includes a better travel insurance, 1% cashback on all spend to £10k and 1.25% over that. Plus retailers offers and supplementary cards for the family. Although be warned if you want to go down that road, that American Express charges you 2.99% foreign transaction fees, for every single one of their cards in the UK.

I was going to take a detour talking about foreign transaction fees, but I will leave it for another post, because it’s a lot of content, and a lot of explanation to be done there.

So the final words of this post are: I’m not sure I trust Revolut anymore. They seem to be taking “marketing risks” to get people to pay for services, but at the same time there’s very little value in their paid services. I don’t think that the company will be able to sustain the current trajectory without venture capital money, and I find scary the idea of relying on a VC-funded pseudo-bank for my own money.

Update (2019-03-27): just a few days after I wrote this blog post, I received two email from Revolut, with widely different content, that I think merit a bit of description, thus why this update.

The latest email is an announcement of new details (new sort code and account number) for their GBP accounts. This is effectively a change in intermediary bank that maintains the GBP account proxies for Revolut. Nothing particularly eventful in by itself, but there are a few notable things. The announcement is declared “great news” for their customers, but it also highlight yet another feature that high street banking would have, and Revolut lacks: redirections.

When you switch bank account with a high street bank, the bank will take care of moving standing orders, direct debits, automatic salary payments, and redirect any transfer to the old bank account to the new one. Revolut is instead telling all the customers that they have to deal with all the required changes of both payment and transfer. Not just that, but they don’t appear to guarantee any specific grace period in which both accounts would exist: they say that the new details will appear in the app before May 22nd, which is when the old account will stop working:

⚠️ Your old account details will stop working from the 22nd May 2019.

Salaries and standing orders

If you receive your salary into your Revolut account, you’ll need to send your new account details to your employer before the 22nd May. Again, we’ll let you know as soon as they arrive.

For standing orders from your external bank to your Revolut account, you’ll need to update your bank with your new details before 22nd May. For recurring payments set up from your Revolut account to another bank, you don’t need to do anything.
Revolut email arrived on 2019-03-27

To give you an idea of time frame involved, the company I work for freezes the salary payment details around the 5th of the month for payments on the 25th. This means that if the new details arrive after 5th of May, and you’re paid monthly, you may be unable to receive the salary. Hopefully, the old accounts would just reject the transfer, but even in that case, retrieving the missing salary can easily take two weeks, which for a number of people would be a significant risk.

For comparison, the previous email I received just twenty hours before, also from Revolut, had as subject «👕Should we release Revolut merch?». This is a company that just before announcing a significant disruption of service, that a high street bank would never subject their customers to, asks whether you would like to wear their brand around, making yourself not just a product, but a walking billboard.

Update 2019-01-04: see also the October update.

UK Banking, Attempt 3: Tesco Bank (and the Irish credit card)

It feels like most of what I end up writing nowadays is my misadventures across a wide range of financial service companies. But here we go (I promise I’ll go back writing about reverse engineering Really Soon Now™).

The last post on this topic was my rant, about how Fineco lacks some basic tools to be used as sole, or primary bank account in the UK. Hopefully they will address this soon, and a sane bank will be available in this country, but for now I had to find alternatives.

Since the various Fintech companies also don’t provide the features I needed, I found myself having to find a “high street bank”. And since my experience up to this point both with Barclays and NatWest was not particularly positive, I decided to look for a different option. Since I have been a mostly-happy customer of Tesco Bank for nearly four years, I decided to give their UK service a try.

At first it appeared to have an online sign-up flow that looked sweet for this kind of problem… except at the end of it, they told me to wait for them to ask me for paperwork to send them through. Turns out the request was for proof of identity (which needs to be certified) and proof of address (which needs to be in original) — the letter and form I could swear is the same that they sent me when I applied for the Irish credit card, except the information is now correct (in Ireland, the Garda will not certify a passport copy, though it appears the UK police forces would).

Let’s ignore the fact that by mailing me at that address, Tesco Bank provided their own proof of address, and let’s focus instead on the fact that they do not accept online print outs, despite almost every service (and, as I found out now, themselves) defaulting to paperless bills and statements. I actually have had a number of bills being mailed to me, including from Hounslow Council, so I have a wide range of choices of what to provide them, but as it turns out, I like a challenge and having some fun with corner cases (particularly as I already solved the immediate need for a bank account by the time I looked into this, but that’s a story for another day).

Here is a part of the story I have not told yet. When I moved to the UK I expected to have to close every account I had still in Ireland, both because Ulster Bank Private is a bloody expensive service, and because at least in Italy I was told I was not entitled to keep credit cards open after I left the country. So as soon as I was in working order over here, I switched over all the billings to Revolut. Unfortunately I couldn’t do that for at least three services (Online.net, Vodafone Italy and Wind/3 Italy) — in two cases because they insist they do not accept anything but Italian cards, while somehow still accepting Tesco Ireland cards.

While trying to figure out an ad-interim solution I got to find out that Tesco Bank has no problem with me still having the “Irish” credit card, and they even allowed me to change the address (and phone number) on file to my new London one. We had some snag regarding the SEPA direct debit, but once I pointed out that they were suggesting breaching the SEPA directives, all was good and indeed the card is debited to the EUR Fineco account.

This also means i get that card’s statements to my London address. So of course I ended up sending, to Tesco Bank, as proof of address… a Tesco Bank Ireland credit card statement. As a way of saying “Do you feel silly enough, now?” to whoever had to manually verify my address and send the paperwork back to me. Turns out it worked just fine, and I got not even a passive aggressive note about it.

Now let’s put aside the registration and let’s take a look at the services provided. Because if I have to rant, I would like at least to rant with some information to others to make up their own mind.

First off, as I said, the first part of the registration is online, after which they get in touch with you to send them the proofs they need. It’s very nice that during the whole time, they “keep in touch” by SMS: they remind you to send the paperwork back, they tell you that the account was open before you receive the snail mail, and so on.

I got a lot of correspondence from Tesco Bank: in addition to the request of proofs, and the proofs being mailed back, I received a notification about the account being opened, the debit card PIN, and a “temporary access number” to sign up online. The debit card arrived separately and through a signature-required delivery. This is a first for me in the UK, as most other cards just got sent through normal mail — except for Fineco, as they used Fedex, and they let me receive it directly at the office, despite it not being the proof of address I sent them.

Once signing up for the online banking, they ask you for an 8-digits security code, a long(er) password, and a selection of verbal question/answers, that are the usual terrible security (so as usual I’ve answered them at random and noted down what I told them the answers were). They allow you to choose your username, but they suggest it to stay the email address on file.

The login for the first time from a different computer is extremely awkward: it starts with two digits of the security code, followed by a SMS second factor authentication, followed by the password (not a subset thereof, so you can use a password manager easily for this one), all through different forms. The same happens for the Mobile Banking application (which is at least linked directly from their website, and very easy to install). The mobile banking login appears to work fairly reliably (and you’ll see on the next post why I call this out explicitly).

I set up the rent standing order on this account, and it was a straightforward and painless process, which is the same as a one-time transaction, except for saying “I want to repeat this every month” checkbox. All in all, it looks to me like it’s a saner UI than Barclays, and proper enough for the needs I have. I will report back if there is anything particularly different from this that I find over time, of course.

UK Banking, Fineco is not enough

You may remember that the last time I blogged about UK banking I had just dismissed Barclays in favour of Fineco, the Italian investment bank, branch of UniCredit, This seemed a good move, both because people spoke very good of Fineco in my circles, at least in Italy, and because the sign up flow seemed so good that it sounded like a good idea.

I found out almost right away that something was not quite perfect for the UK market, in particular because there was (and is) no way to set up a standing order, which is the standard way to pay for your rent in the UK (and Ireland, for what it’s worth). But it seemed a minor thing to worry about, as the rest of the features of the bank (ability to spend up to £10k in a single transaction by requesting an explicit lift on the card limits with SMS authentication, just to say one).

Unfortunately, a couple of months later I know for sure it is not possible to use Fineco as a primary account in the UK at all. There are two problems, the first being very much a problem to anyone, and the second being a problem for my situation. I’ll start with the first one: direct debit support.

The direct debit system, for those not used to it in Europe, is one where you give a “debtor” (usually, an utility service, such as your ISP or power company) your account details (Sort Code and Account Number in the case of the UK), and they will tell the bank to give them money at certain time of the month. And it is the way Jeremy Clarkson lost £200, ten years ago. There is a nearly identical system in the rest of the EU, called SEPA Direct Debit (with SDD Core being the more commonly known about, as it deals with B2C, business-to-consumer) debits.

After I opened the Fineco account, I checked on Payments UK’s Sort Code Checker which features were enabled for it (30-02-48) and then, as well as the time of writing, it says «Bacs Direct Debits can be set up on this sort code.» So I had no refrain in closing my Barclays account and moving all the money into the newly created account. All of my utilities were more than happy to do so, except for ThamesWater that refused to let me set up the debit online. Turns out they were the only ones with a clue.

Indeed, when in January the first debit was supposed to land, instead of seeing the debit on the statement, I saw a BACS credit of the same amount. I contacted my ISP (Hyperoptic, with the awesome customer support) to verify if something failed on their side, but they didn’t see anything amiss for them. When even Netflix showed up the same way, and both of the transaction showed up an “entry reversal” of the same amount, I knew something was off with the bank and contacted them, originally to no avail.

Indeed, a few more debits showed up the same way, so I have been waiting for the shoe to drop, which it did at the end of January, when Fineco sent me an email (or actually, a ticket, it even has a ticket number!) telling me that they processed the debits as a one-off, but to cancel them because they won’t do this again. This was professional of them, particularly as this way it does not hit my credit score at all, but it still is a major pain in the neck.

My first hope was to be able to just use Revolut to pay the direct debits, since they are all relatively low amounts, which fit my usual auto top-up strategy. When you look at the Revolut information page with your account details for GBP, the text says explicitly «Use this personal UK current account to get salary and to pay bills», which brought me hope, and indeed the Payment UK’s checker also confirmed that it supposedly accepts Bacs Direct Debit. But when I checked with the in-app chat support, I was told that, no Revolut does not support direct debits, which makes that phrase extremely misleading. At least TransferWise explicitly denies supporting Direct Debit in the sort code checker, kudos to them.

The next problem with Fineco is not actually their fault, but is still due to them not having the “full features” of a UK high street bank. I got contacted by Dexters, the real estate company that among other things manages my apartment and collects my rent. While they told me the money arrived all good when I moved to Fineco (I asked them explicitly), they sent me a scary and threatening email (after failing to reach me on the phone, I was going to be charged excessively high roaming charges to answer an unknown number)… because £12 were missing from my payment. The email exchange wasn’t particularly productive (I sent them a photo of the payment confirmation, they told me «[they] received a large sum of money[sic] however it is £12.00 that is outstanding on the account.» So I called them on Monday, and they managed to confirm that it was actually £6 missing in December, and another £6 missing in January.

Throwing this around with colleague, and then discussing with a more reasonable person from Dexters on the phone, we came to figure out that Barclays (as the bank used by Dexters to receive the rent) is charging them £6 to receive these transfers because they are “international” — despite the fact that they are indeed local, it appears Barclays apply that fee for any transfer received over the SWIFT network rather than through the Faster Payments system used by most of the other UK banks. I didn’t want to keep arguing with Dexters over the fact that it’s their bank charging them the fee, I paid the extra £12, and decided to switch the rent payment over to the new account as well. I really dislike Barclays.

I’ll post later this month on the following attempts with other bank accounts. For now I decided that I’ll keep getting my salary into Fineco, and keep a running balance on the “high street” account for the direct debits, and the rent. Right now for my only GBP credit card (American Express) I still pay the balance off Fineco via debit card payment anyway, because the credit limit they gave me is quite limited for my usual spending, particularly now that I can actually charge that card when booking flights on BA without having to spend extra money in fees.

Barclays and the single factor authentication

In my previous post on the topic I have barely touched on one of the important reasons why I did not like Barclays at all. The reason for that was that I still had money into my account with them, and I wanted to make sure that was taken care of before lamenting further on the state of their security. As I managed to close my account now, I should go on and discuss this further, even though I have touched upon the major topics of this.

Barclays online banking system relies heavily on what I would define as “single factor authentication”.

Usually, you define authentication factors as things you have or things you know. In the case of Barclays, the only thing they effectively rely upon is “access to the debit card”. Okay, technically you could say that by itself it’s a two-factor system, as it requires access to the debit card and to its PIN. And since the EMV-CAP protocol they use for this factor executes directly on the chipcard, it is not susceptible to the usual PIN-stripping attacks as most card fraud with chip-and-pin cards uses.

But this does not count for much when the PIN of the card they issued me was 7766 — and to lament of that is why I waited to close the account and give them back the card. It seems like there’s a pattern of banks issuing “easy to remember” 4-digit PINs: XYYX, XXYY, etc. One of my previous (again, cancelled) cards had a PIN terribly easy to remember for a computerist, at least not for the average person though: 0016.

Side note: I have read someone suggesting to badly scribbled a wrong PIN on the back of a card as a theft prevention. Though I like that idea, I’m just afraid the banks won’t like it anyway. Also it would take some work to make the scribble being easily misunderstood for different digits so that they can try the three times needed to block it.

You access Barclays online banking account through the use of the Identify method provided by CAP, which means you put the card into the reader, provide the PIN, and you get an 8-digits identifier that can be used to login on the website. Since I’m no expert of how CAP works internally, I will only venture a guess that this is similar to a counter-based OTP, as the card has no access to a real-time clock, and there is no challenge provided for this information.

This account access sounds secure, but it’s really not any more secure than an username and password, at least when it comes to dealing with phishing. You may think that producing a façade that shows the full Barclays login, and proxies the responses in real time is a lot of work, but the phishing tools are known for being flexible, and they don’t really need to reproduce the whole website, just the parts they care about getting data from. The rest can easily be proxied as it is without any further change, of course.

So what can we do once you can fool someone into logging in to the bank? Well, you can’t really do much, as most of the actions require further CAP confirmation: wires, new standing orders, and so on so forth. You can, though, get a lot of information about the victim, including enough proofs of address or identity that you can really mess with their life. It also makes it possible to cancel things like standing orders to pay for rent, which would be quite messy to deal with for most people — although most of the phishing is not done for the purpose of messing with people, and more to get their money.

As I said, for sending money you need to have access to the CAP codes. That includes having access not only to the device itself, but also the card and the PIN. To execute those transactions, Barclays will ask you to sign a transaction by providing the CAP device with the account number and the amount to wire. This is good and it’s pretty hard to tamper with, hopefully (I do not make any guarantee on the implementation of CAP), so even if you’re acting through a proxy-phishing site, your wires are probably safe.

I say probably, because the way the challenge-response is implemented, only the 8-digits account number is used during the signature. If the phishers are attacking a victim that they studied for long enough, which may be the case when attacking businesses, you could know which account they pay every month manually, and set up an account with the same number at a different bank (different sort code). The signature would be valid for both.

To be fair to Barclays, implementing the CAP fully, the way they did here, is actually more secure than what Ulster Bank (and I assume the rest of RBS Group) does, with an opaque “challenge” token. While this may encode more information, the fact that it’s opaque means there is no way for the user to know whether what they are signing is indeed what they meant to.

Now, these mitigations are actually good. They require continuous access to the card on request, and that makes it very hard for phishing to just keep using the site in the background after the user logged in. But they still rely on effectively a single factor. If someone gets a hold of the card and the PIN (and we know at least some people will write the real one on the back of the card), then it’s game over: it’s like the locks on my flat’s door: two independent locks… except they use the same key. Sure, it’s a waste of time to pick both, so it increases the chances a neighbour would walk in on wannabe burglars trying to open the apartment door. But there’s a single key, I can’t just use two separate keychains to make sure a thief would only grab one of the two, and if anyone gets it from me, well, it’s game over.

Of course Barclays knows that this is not enough, so they include a risk engine. If something in the transactions don’t comply with their profile of your activity, it’s considered risky and they require an additional verification. This verification happens to be in form of text messages. I will not suggest that the problem with these is with GSM-layer attacks, as that is still not (yet) in the hands of the type of criminals aiming at personal bank accounts, but there is at the very least the risk that a thieve would get a handle of my bag with both my card and my phone, so the only “factors” that are still in my head, rather than tied to the physical objects, are the (provided) PIN of the card, and the PIN of the phone.

This profile fitting is actually the main reason why I got frustrated with Barclays: since I had just opened the account, most of the transactions were all “exceptional”, and that is extremely annoying. This was compounded by the fact that my phone provider didn’t even let me receive SMS from the office, due to lack of coverage (now fixed), and the fact that at least for wires, the Barclays UI does not warn you to check your phone!

There is also the problem with the way Barclays handle these “exceptional transactions”: debit card transactions are out-and-out rejected. The Verified by Visa screen tells you to check your phone, but the phone will only ask you if it was your transaction or not, and after you confirm it is, it’ll ask you to “retry in a couple of minutes” — retrying too quickly will lead to the transactions being blocked by the processor directly, with a temporary card lock. The wire transfer one will unblock the execution of the wire, which is good, but it can also push the wire to after the cut-off time for non-“Faster Payments” wires.

Update (2017-12-30): since I did not make this very clear, I have added a note about this at the bottom of my new post, about the fact hat confirming these transactions only need you to spoof the sender, since the content and destination of the text message to send are known (it only has to say “Y”, and it’s always to the same service number). So this validation should not really count as a second factor authentication for a skilled attacker.

These are all the reasons for which I abandoned Barclays as fast as I could. Some of those are actually decent mitigation strategies, but the fact that they do not really increase security, while increasing inconvenience, makes me doubt the validity of their concerns and threat models.