FNB backtracks on decision to block password managers

NeoAcheron

Well-Known Member
Joined
Jun 30, 2011
Messages
117
These people just don't have anything better to do.

Just because my device is stolen, it doesn't mean that people would magically know my password to log in, nor know the password to unlock the password vault.

They are catering for a risk that isn't there. How many people here have had their devices stolen and then subsequently had their accounts cleared via EFT from said device?

I think it's much more likely that you pick a stupid password that is easy to remember, and have a random skelm guess it, to gain access to your account. A lot of dumbass people still use password123 for everything...

This feature was dreamt up by some corporate moron that woke up from a bad whiskey induced dream, and decided that he needed to show his smarts by enforcing this.
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
33,623
Yeah unless someone gets hold of that password and key you used then all your passwords are in one easy place
In which case they would need to steal my phone, know that PIN and then my banking password.

Highly unlikely event.

And if it does happen the first thing I'll do is change that very password.
 

Moto Guzzi

Senior Member
Joined
Apr 24, 2004
Messages
609
FNB backtracks on decision to block password managers

FNB recently implemented a new policy on its online banking portal which prevented users from pasting their passwords or using their browser's auto-fill function to complete their login details.

The company has backtracked on this decision following backlash from tech-savvy users, however, as these customers pointed out that preventing the use of password managers made their banking details less secure.
FNB alone is not going to get the world's digital house digitally in order. The world's digital house is a security mess, and they want us to navigate with our hard-earned money through that as if nothing is wrong. This online living is going to shock-proof the world in the near future.
 

walter_l

Active Member
Joined
Feb 3, 2010
Messages
74
Good on them for reverting this snafu. Can we now also get them to use a secure [T]OTP technology? That way we can stop using SMS for OTPs in a country where cloning SIM cards is a huge problem.

Does FNB or any other bank have secure document upload facilities yet?
 

another_account

New Member
Joined
Nov 28, 2018
Messages
5
Finally, they've had this policy for like a year on their app and it really bugged me, was so happy when I saw that they were briefly on the front of hacker news for their stupid policy
 

Johnatan56

Honorary Master
Joined
Aug 23, 2013
Messages
24,955
Good on them for reverting this snafu. Can we now also get them to use a secure [T]OTP technology? That way we can stop using SMS for OTPs in a country where cloning SIM cards is a huge problem.

Does FNB or any other bank have secure document upload facilities yet?
You mean this: https://www.fnb.co.za/ways-to-bank/smart-incontact.html for the OTP, they already do so. Not sure about the second.
 

Jade @ ZA Domains

ZA Domains representative
Company Rep
Joined
Nov 17, 2015
Messages
424
FNB backtracks on decision to block password managers

FNB recently implemented a new policy on its online banking portal which prevented users from pasting their passwords or using their browser's auto-fill function to complete their login details.

The company has backtracked on this decision following backlash from tech-savvy users, however, as these customers pointed out that preventing the use of password managers made their banking details less secure.
No mention of the fact that Troy owned them on twitter, and called them out for their amateur decision?

No communication to their clients after reverting such a change?

If FNB want to get serious about protecting the login page there are many other ways to do it, and their clients have suggested these methods on Twitter.

Glad it’s sorted and this change wasn’t done over payday weekend
 

steveapple

Active Member
Joined
Apr 8, 2013
Messages
45
I had this discussion with FNB's IT a while back when they changed their cellphone app to prevent the pasting of a password from a password safe via the clipboard, which is auto-cleared as the pw safe is shut down. I believe that using such a pw safe is safer because: 1. it makes it easy to use a very different, unrelated password for each site and app (and I have unique pw's to literally hundreds of apps, websites, databases and other logins; too many to otherwise remember), 2. the pw safe generates a "secure" password (both in length and quasi-randomness) that one does not need to ever view nor remember. Without the pw safe, one would be drawn to using similar, easy-to-remember and simple-to-hack-or-crack pw's across many apps and logins. I do not know about other mybroadbanders, but my brain simply has no capacity to remember much, let alone hundreds of complex passwords!
FNB was adamant that preventing pasting from a pw safe and forcing people to remember their supposedly complex pw's was safer. Ultimately, the person I spoke to effectively admitted that it was more about closing potential legal loopholes through which the bank could be held liable if a pw was stolen, than it was about innate and better security for the client!
 

walter_l

Active Member
Joined
Feb 3, 2010
Messages
74
You mean this: https://www.fnb.co.za/ways-to-bank/smart-incontact.html for the OTP, they already do so. Not sure about the second.
inContact doesn't work for credit cards (at least not mine). Let's not even go into all the silly ways in which debit and credit cards do the same things in very different ways.

Regardless, I'm quite unconvinced by the security of inContact. An open, industry standard protocol would allow clients better security. inContact feels more like a tactic to force clients to use the app.

Since I joined FNB I've noticed that their service towards me has become a lot more focused on selling me their products, rather than providing banking services.
 

Johnatan56

Honorary Master
Joined
Aug 23, 2013
Messages
24,955
inContact doesn't work for credit cards (at least not mine). Let's not even go into all the silly ways in which debit and credit cards do the same things in very different ways.

Regardless, I'm quite unconvinced by the security of inContact. An open, industry standard protocol would allow clients better security. inContact feels more like a tactic to force clients to use the app.

Since I joined FNB I've noticed that their service towards me has become a lot more focused on selling me their products, rather than providing banking services.
I'm trying to understand why this is a bad thing? The app requires that you have at least logged in once on that device and you can revoke the app's access to messages at any time, unlike e.g. SMS where anyone can just pop out your SIM, move it to their phone and get the messages, or SIM swap.

In terms of industry standard protocol, would you mind elaborating on this? Do you mean you want them to allow other apps to be used for banking via oauth? I don't see how that's similar to inContact though, unless you mean you want another app to be able to respond to authenticate a transaction?

In terms of credit card, should be the same. Your OTP message coming in as a number to type in to the browser has to do with the payment gateway and not FNB, confirming a payment as an option does exist in the FNB app and I have used it before, just can't remember where right now as it's been a long time.

You can enable inContact via ATM, and if other devices have been set as "trusted", you can do so via e.g. the app, settings > message > inContact.
 

walter_l

Active Member
Joined
Feb 3, 2010
Messages
74
I'm trying to understand why this is a bad thing? The app requires that you have at least logged in once on that device and you can revoke the app's access to messages at any time, unlike e.g. SMS where anyone can just pop out your SIM, move it to their phone and get the messages, or SIM swap.
The irony is that you need less than that to complete a transaction via the website. It was particularly infuriating to have to wait for a week (or was it 2?) after buying a new phone before I could use the app. Claiming that such a waiting period increases security is demonstrably incorrect.

The app presents a greater risk to client security in the possibility of locking yourself out of your account when you don't have access to your phone. I agree that SMS is worse, though.

In terms of industry standard protocol, would you mind elaborating on this? Do you mean you want them to allow other apps to be used for banking via oauth? I don't see how that's similar to inContact though, unless you mean you want another app to be able to respond to authenticate a transaction?
As a concrete example: TOTP (as used in Google Authenticator). Essentially inContact is a "something you have" authentication mechanism, as opposed to "something you know" (passwords) or "something you are" (biometrics). That is what OTPs verify. Using TOTP would allow clients greater security in that they can choose the client they want to use, and even generate OTPs offline. I.e. it's better security in terms of availability, and no less secure in any other way. There's a reason why it's the go-to 2FA method for the biggest of companies.

By contrast, all we have to go on regarding inContact is FNB's claim that it's "secure" (their track record notwithstanding), and that we simply have to accept the unnecessary privacy violation that is the mandated use of the app.

Your OTP message coming in as a number to type in to the browser has to do with the payment gateway and not FNB, confirming a payment as an option does exist in the FNB app and I have used it before, just can't remember where right now as it's been a long time.
The SMSes (!) come from FNB, or at least it claims to. In some cases they don't even bother, even when the amounts are higher than for other SMS-verified transactions. Regardless, it's still their responsibility.
 

Johnatan56

Honorary Master
Joined
Aug 23, 2013
Messages
24,955
The irony is that you need less than that to complete a transaction via the website. It was particularly infuriating to have to wait for a week (or was it 2?) after buying a new phone before I could use the app. Claiming that such a waiting period increases security is demonstrably incorrect.
Yes, agreed, this annoyed me insanely, I even asked the call center lady to talk to the supervisor about wtf I am waiting for. What they actually want you to do is an (or multiple?) EFT payment from your phone over like R300 or something, which is absurd, I always pay from my desktop; FNB is not clear on this at all and it shouldn't even be a requirement, it should be that I can approve from an already trusted device with e.g. 48 hours to dispute it from any logged-in device.

That doesn't mean you can't use the app though, just that you can't use security things like FNB Pay (NFC Payments), and trying to do an EFT payment requires that you give a linked card's number + PIN, it did not stop me from logging in and getting OTP messages.
The app presents a greater risk to client security in the possibility of locking yourself out of your account when you don't have access to your phone. I agree that SMS is worse, though.

As a concrete example: TOTP (as used in Google Authenticator). Essentially inContact is a "something you have" authentication mechanism, as opposed to "something you know" (passwords) or "something you are" (biometrics). That is what OTPs verify. Using TOTP would allow clients greater security in that they can choose the client they want to use, and even generate OTPs offline. I.e. it's better security in terms of availability, and no less secure in any other way. There's a reason why it's the go-to 2FA method for the biggest of companies.

By contrast, all we have to go on regarding inContact is FNB's claim that it's "secure" (their track record notwithstanding), and that we simply have to accept the unnecessary privacy violation that is the mandated use of the app.
1. Locking out risk
You could use any trusted device? Do you mean requiring that you have to have the app to login anywhere? It only requests confirmation if first time on a new device, since I have a desktop logged in once, and phone, neither will decline my login, I'll just get an email and a message saying someone logged in.

3. In terms of TOTP, like GA.
They're actually a bit annoying to use due to it always being generated, so often I am stuck waiting until a new code is refreshed before typing it in. What happens with e.g. GA if I want to move to a new phone since the key is stored offline on the device and not in the cloud? Am I going to start generating more keys? Seems a strange solution to use, rather have in-app confirmation button of the payment as you won't do more than one payment at a time, with the ability to fall back to email.

4. Security and privacy violation
The OTP via message already has a lot of research behind it, not sure what you mean by unproven? Message via app is more secure than SMS as it requires login beforehand, so you'd have to be able to login to the system before you can get access to the OTP. I think I'd be more worried about the authentication hack than the OTP exploitation.

What privacy violation? You'll have to be more clear on that.

The SMSes (!) come from FNB, or at least it claims to. In some cases they don't even bother, even when the amounts are higher than for other SMS-verified transactions. Regardless, it's still their responsibility.
inContact I mean via app, not via SMS. The SMS is an on-top of thing, wish I could totally disable for OTP actually, and only have SMS for payments.
 
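The two posts above argue about TOTP in the abstract (walter_l: the secret is "something you have" and codes can be generated offline; Johnatan56: codes expire while you type and the secret lives only on the phone). The RFC 6238 algorithm itself is short enough to show in full, so here is an added example, written for this thread and not code from FNB, Google Authenticator or any poster. It generates codes from a shared secret, verifies a submitted code while tolerating one 30-second step of clock skew on either side (the usual answer to "the code expired while I typed it"), refuses a code whose time step has already been used (so an intercepted code cannot be replayed inside that window), and shows the base32 form of the secret, which is what a new phone is re-provisioned with after a migration. The secret and timestamps are the published RFC 6238 test vectors, not real credentials.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step).

    Nothing here touches the network, which is why an authenticator app can
    produce codes with the phone in flight mode: both sides only need the
    shared secret and a reasonably accurate clock.
    """
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the matched time step, or None on rejection.

    - window=1 accepts the previous and next step too, so a code that expired
      while the user was typing it is still honoured (up to 30 s of skew).
    - last_counter is the highest step already consumed for this user; any
      candidate at or below it is refused, so a code seen once cannot be
      replayed inside the acceptance window.
    - hmac.compare_digest keeps the comparison constant-time.
    """
    counter = unix_time // step
    for delta in range(-window, window + 1):
        step_counter = counter + delta
        if step_counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, step_counter, digits), candidate):
            return step_counter
    return None


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the raw secret, the string encoded in an otpauth:// QR code.

    Moving to a new phone means importing this same string again (or rotating
    the secret and importing the new one); no new code-generation scheme is
    needed, which answers the 'do I start generating more keys?' question.
    """
    return base64.b32encode(secret).decode("ascii")


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), SHA-1 mode.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SECRET, t), totp(RFC_SECRET, t, digits=8))
    # Code generated at t=59 (step 1) is still accepted at t=89 (step 2) ...
    print(verify_totp(RFC_SECRET, totp(RFC_SECRET, 59), 89))
    # ... but not a second time once step 1 has been consumed.
    print(verify_totp(RFC_SECRET, totp(RFC_SECRET, 59), 89, last_counter=1))
    print(provisioning_secret(RFC_SECRET))
```

A real deployment would store the secret encrypted at rest, persist the per-user `last_counter`, and rate-limit attempts; with six digits and a three-step window an unthrottled guesser has roughly a 3 in a million chance per try, which is only acceptable because the server counts failures.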

kolaval

Expert Member
Joined
May 13, 2011
Messages
3,281
Best thing about a password manager is that you can have a password like

sdlgnsogihzskdgbrdg65dh4g61hb54fg65n1sf35c15b65g46543bn21sf65hb1s3d2f1b3
zxd1v3xhb35xf1b3s51dhgb65sx1hb31bh65rtst1hb1xh3bn1rf65ghn32h1b651n31bn

and not need to worry about remembering it.
Thanks, what's your account number again?
 

kolaval

Expert Member
Joined
May 13, 2011
Messages
3,281
LoL I also don't want to work to get my password. I will just remember my password.

Like I mentioned earlier, good on FNB....I shall continue to do stuff my way.

If PlayStation is hacked again and the pests try to use my account after 30 days they will not have access. Passwords on my side keep changing every 30 days.
P@ssword1, P@ssword2,P@ssword3...
 

krycor

Honorary Master
Joined
Aug 4, 2005
Messages
14,901
Yes, agreed, this annoyed me insanely, I even asked the call center lady to talk to the supervisor about wtf I am waiting for. What they actually want you to do is an (or multiple?) EFT payment from your phone over like R300 or something, which is absurd, I always pay from my desktop; FNB is not clear on this at all and it shouldn't even be a requirement, it should be that I can approve from an already trusted device with e.g. 48 hours to dispute it from any logged-in device.

That doesn't mean you can't use the app though, just that you can't use security things like FNB Pay (NFC Payments), and trying to do an EFT payment requires that you give a linked card's number + PIN, it did not stop me from logging in and getting OTP messages.

1. Locking out risk
You could use any trusted device? Do you mean requiring that you have to have the app to login anywhere? It only requests confirmation if first time on a new device, since I have a desktop logged in once, and phone, neither will decline my login, I'll just get an email and a message saying someone logged in.

3. In terms of TOTP, like GA.
They're actually a bit annoying to use due to it always being generated, so often I am stuck waiting until a new code is refreshed before typing it in. What happens with e.g. GA if I want to move to a new phone since the key is stored offline on the device and not in the cloud? Am I going to start generating more keys? Seems a strange solution to use, rather have in-app confirmation button of the payment as you won't do more than one payment at a time, with the ability to fall back to email.

4. Security and privacy violation
The OTP via message already has a lot of research behind it, not sure what you mean by unproven? Message via app is more secure than SMS as it requires login beforehand, so you'd have to be able to login to the system before you can get access to the OTP. I think I'd be more worried about the authentication hack than the OTP exploitation.

What privacy violation? You'll have to be more clear on that.


inContact I mean via app, not via SMS. The SMS is an on-top of thing, wish I could totally disable for OTP actually, and only have SMS for payments.
My problem with SMS OTP is it uses a proven unsecured channel for authorization, which is dumb when you consider what other commands are authorized via this.

Even if you enable inContact (secure data channel to device) it will still send the auth OTP via SMS.
 

Johnatan56

Honorary Master
Joined
Aug 23, 2013
Messages
24,955
My problem with SMS OTP is it uses a proven unsecured channel for authorization, which is dumb when you consider what other commands are authorized via this.

Even if you enable inContact (secure data channel to device) it will still send the auth OTP via SMS.
Yes, I want the option to totally disable the SMS option, I'd enable it instantly, I only want that payments have been done via SMS as I don't really care about someone else knowing about it.
What are the odds of SMS OTP failing you, security wise?
Easy, someone number-ports your SIM, or steals your phone; unless you have it set to no notifications on the lock screen, the SMS usually shows the OTP number on the lock screen.
 