Citibank One Time Password (OTP)

I agree with you when you disagreed with me earlier when I said something like "it's not too bad"

With the irony being that my dislike has now tempered somewhat - my reply to you was prefaced on there not being any self-service back-up option, which clearly an app would be. Still doesn't come close to being sufficient, but better than nothing.

That does beg the question though - what sort of self-service option could Citibank implement that would make this system "reliable" enough (ignoring "just not implementing it", for now)?
- Web-based OTP app maybe - but that somewhat defeats the purpose of two-factor authentication (better than not having it at all from a security standpoint, but very sub-optimal compared to SMS / token / app / etc).
- The option to obtain a physical OTP token - still prone to loss, plus costs $$, inconvenient, etc
- OTP "cheat sheets" (a set of OTP passwords which will always work, but can only be used once), as offered by some OTP vendors - still prone to loss, costs $$ (but you'd assume minimal), inconvenient, requires pre-planning, etc
- The ability to call them and obtain an OTP from their call centre? This is probably the best "final back-up" option I can think of - works as long as you can access a phone (likely, if you can access the net), a hassle but should only be needed in emergencies, doesn't require extra cost, pre-planning, etc. I guess there is the possibility of abuse - if someone, e.g., keylogged your Citibank username and password, they could also have obtained other security info used to ID you over the phone - but pretty unlikely.

While I'd prefer Citi to just drop the whole damn system, a combo of SMS + OTP-generator app + call them to obtain an OTP in an emergency is probably workable almost all of the time.
 
when you ring them they authenticate you (sorry for the clumsy terminology) by asking stuff that you sometimes need web access for...unless you have an encyclopaedic memory of your credit card transactions. I for one always fail at the point when they ask for recent transaction(s)

I GUESS you can get the balance without the OTP and then they might be happy with DOB and mother's maiden name etc.
Fascinating subject. I wonder if they have proper statistical proof that the OTP is safer than the "secret questions" method?
 
when you ring them they authenticate you (sorry for the clumsy terminology) by asking stuff that you sometimes need web access for...unless you have an encyclopaedic memory of your credit card transactions. I for one always fail at the point when they ask for recent transaction(s)

I often fail at that point too - but then they normally revert to asking other questions? Plus, for their CCs at least, they don't seem to ask the "recent transaction" question if you enter the CC number and telephone PIN.

Fascinating subject. I wonder if they have proper statistical proof that the OTP is safer than the "secret questions" method?

I can't point you at a specific reference, but I can assure you that OTP is "safer" - way safer.

By far the most common attack vectors for compromising internet banking accounts (in fact, any online account) are keylogger-laden viruses and phishing attacks.

In both cases, the attacker gets to observe all information the victim enters - so they don't just get the username and password, they also get the answer(s) to the secondary security question(s), and can later use them to compromise the user's account. With multiple secondary security questions it requires the attacker to observe multiple account accesses (or have a bit of luck that the same questions are asked when they try to access the account later), which makes it a bit harder for them to compromise an account, but not that hard.

With two-factor authentication ("something you know, and something you have" - e.g. a One-Time Password delivered via SMS, mobile app, physical token, etc) the attacker can still observe username, password and OTP as they're entered, but the information is useless to them as the OTP, by definition, only works once - they can't later use the information they've obtained to access the victim's account.
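The replay argument in the post above, worked through as an added example (not code from the original thread or from Citibank): a captured password plus secret-question answer works again for the attacker, whereas a captured OTP is rejected both after its 30-second step expires and on a second use within the same step. The HOTP/TOTP routine follows RFC 4226/6238; the credentials, seed and login time are constructed sample values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class StaticQuestionLogin:
    """Password plus a fixed secret-question answer: everything the user types is a static secret."""
    def __init__(self, password: str, answer: str):
        self._password, self._answer = password, answer

    def login(self, password: str, answer: str) -> bool:
        return hmac.compare_digest(password, self._password) and hmac.compare_digest(answer, self._answer)


class OtpLogin:
    """Password plus a time-based OTP (RFC 6238 style, 30 s steps); each step's code is accepted once."""
    def __init__(self, password: str, secret: bytes, step: int = 30):
        self._password, self._secret, self._step = password, secret, step
        self._used_steps: set[int] = set()  # replay cache of time steps whose code was already consumed

    def login(self, password: str, code: str, now: int) -> bool:
        step = now // self._step
        if not hmac.compare_digest(password, self._password):
            return False
        if not hmac.compare_digest(code, hotp(self._secret, step)):
            return False  # wrong code, or a code captured during an earlier time step
        if step in self._used_steps:
            return False  # the same code replayed inside the same step
        self._used_steps.add(step)
        return True


def replay_static() -> tuple:
    """Victim logs in, then the captured password+answer is replayed. Returns (victim_ok, replay_ok)."""
    site = StaticQuestionLogin("hunter2", "Smith")  # constructed sample credentials
    captured = ("hunter2", "Smith")                 # what a keylogger or phishing page sees
    return site.login(*captured), site.login(*captured)


def replay_otp() -> tuple:
    """Same scenario with an OTP. Returns (victim_ok, replay_same_step_ok, replay_ten_minutes_later_ok)."""
    secret = b"12345678901234567890"        # constructed sample seed (the RFC 4226 test key)
    site = OtpLogin("hunter2", secret)
    t0 = 1_700_000_000                      # constructed login time (Unix seconds)
    captured = ("hunter2", hotp(secret, t0 // 30))  # attacker observes the whole login
    victim = site.login(*captured, now=t0)
    replay_now = site.login(*captured, now=t0 + 5)    # still inside the same 30 s step
    replay_later = site.login(*captured, now=t0 + 600)  # ten minutes later
    return victim, replay_now, replay_later
```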
 
I get the ATO payment figure correct on that question but I can muff relative questions.
 
I get the ATO payment figure correct on that question but I can muff relative questions.

That's one I can always quote too cove - but personally I'm hesitant to draw any additional attention to ATO payments.
 

I would be happy with a key ring thingy even though I have several already.
Have been putting some personal expenses on each card to mix it all up.
 
I would be happy with a key ring thingy even though I have several already.
Have been putting some personal expenses on each card to mix it all up.

yes, where I get into trouble. Some days I'd use three or more cards for various reasons...activating points offers, mixing up ATO transactions, using best card for the situation and so forth. Some weeks cards go into hibernation for a while if it's close to the end of the billing cycle.

So on the odd occasion I get asked to provide details of recent transactions my mind goes blank. So now, as often as I can, when I make these calls I have the web page open in front of me.
 
Yes that works well Newk. I try not to call and if it is 4 calls a year for the 2 cards I think I am pestering them.
 
I would be happy with a key ring thingy even though I have several already.
Again useless if you want to access it when you're o/s - I currently have 5 of those 'key ring thingys' (tokens) in my desk drawer.
 
They work overseas (those key thingys)
They may do mate - but not likely that I will be adding them to the 'must take' kit.

cove if you could see a complete list of s**t I have left in hotels around the world you would understand why - list longer than War and Peace.
 
In my opinion, OTP is the stupidest invention of all the banking enhancements I've ever come across with any financial institution in the world.

I have logged my complaints with them about 3-4 months ago and clearly they don't really care...

Quite seriously, are they really that dense for not even noticing any of the following:
1. That it is stupid just to view transactions, OTP is needed
2. That they haven't thought about not everyone has a mobile and not every mobile holder necessarily has good signals
3. That the SMS doesn't always get delivered
 
Found this on the FAQ about OTP implementation this afternoon, I will add my number and see if it works. However it will take 3-5 days to add, so if travelling overseas for short time, it may not be a good solution.
Can I receive the Citibank OTP to an overseas mobile number?
Yes, the Citibank OTP can be sent to most international mobile numbers and is optimised for the following 10 countries. If you experience any issues receiving the OTP to your international mobile number please contact us on +61 2 8225 0615.
Australia, China, Hong Kong, India, Indonesia, Malaysia, Philippines, Singapore, Taiwan, Thailand
Make sure you update your overseas mobile phone number on Citibank Online and include the country code (without the + sign) and your mobile number. You can start to generate OTP using this number within 3-5 days.
 
I have deleted my mobile phone number from my profile so hopefully they will leave me alone.

Why didn't I think of that? Anyway, I've sent them an email expressing my disagreement and disappointment that they are trying to make OTP compulsory.

And welcome, adelaideson.
 
I just got an email saying the security questions will be disabled and OTP will be permanent.

ffs, hate OTP.
 
Interestingly, when I login I'm not prompted for the OTP. I go straight to my account summary screen. However if I want to go into transaction history, or make a payment - this is where the OTP is triggered. I'm not sure if this is a bug or correct behaviour. Occasionally I land on the transaction summary screen and a few seconds later the OTP page will mysteriously appear. Strange.

Overall I'm not that upset over the move to OTP - I think it's a sign of the times and we can't really do anything about it other than to switch bank.
 
I don't mind the OTP much, but if they get rid of the security questions what will people without mobiles do?

I'm also a Yodlee user, and because its workaround for the OTP actually triggers the OTP, I'm constantly getting SMS's from Citibank with new codes. It'd probably cost them a pretty penny if a lot of users are doing this.
 
I would be happy with a key ring thingy even though I have several already.

So would I.
I never really liked the idea of having one until I opened a bank account that required me to have one and I found out that it wasn't such a pain.

I came to like it even more when I was overseas recently and had my phone stolen.
As Citibank hasn't made OTP mandatory I was still able to access my account; however that wasn't the same for some of my accounts with other banks.

Luckily though my main bank account uses a physical token so I still had access to my money.

Citibank could at least look at the OTP implementation by PayPal.
If you have your PayPal account set to use your mobile phone as an OTP device and do not have your phone with you, then you can still log in by answering some security questions such as information about your credit cards or bank accounts registered with PayPal or other typical security questions.

However, according to the Citibank website a physical token will also be available.
I would like to see the ability to use your mobile phone or the physical token however I think you will have the choice of SMS only or physical token only.

-----

On another note, I found this article while looking for something completely unrelated; however I think it is slightly relevant to the introduction of OTP.
Online fraud rate 'almost zero': Citibank Australia
October 14, 2010
CITIBANK Australia's fraud rates for online banking are "almost zero" thanks to its tight security processes, according to chief executive Roy Gori.
Mr Gori said he could not recall the last fraud-related incident to hit the bank's online system.
"Our (online) fraud rates are almost zero," he told reporters in Sydney today.
"I won't say it's zero because you can't ever say that, but I can't remember over the last 12 months an internet fraud at all.
Citibank has in excess of 200,000 registered online users.

There is also this, which I guess never took off as I had never heard about it until I read the article.

The bank has also jumped into voice biometrics, launching a trial six weeks ago in its collection department.
Mr Gori said voice recognition was one way to reduce the cumbersome process of identification Citibank currently has in place.
Citibank chose to test voice biometrics as it has a high accuracy rate. Mr Gori said he tried to disguise and change his voice to beat the system, but to no avail.
The bank would be in a position to roll out the system "in a big way" in three months, but customers first had to opt-in to the voice system.

-----

So in 2010 Citibank had over 200,000 registered online users and had a fraud rate of zero (or very close to it) using the on-screen keyboard and the three security questions.
Which brings me to the question why change? Especially when the new security measure has several drawbacks.

There are many cases I can think of where people have had their accounts fraudulently used due to the security that SMS tokens do not provide.

This article about someone who had their CBA account fraudulently used is from a few years ago; however it goes into the details of how SMS security is vulnerable.
Phone porting used to unlock net banking codes - Security - Technology - News - iTnews.com.au

And then we come to an article from the end of last year (Some of the interesting points below)
Telcos declare SMS 'unsafe' for bank transactions - Security - Technology - News - iTnews.com.au
Nov 9, 2012
Telcos declare SMS 'unsafe' for bank transactions
The lobby group for Australian telcos has declared that SMS technology should no longer be considered a safe means of verifying the identity of an individual during a banking transaction.
Security experts have warned about the inherent lack of security posed by SMS technology for several years.
As far back as 2008, Australian security expert Stephen Wilson noted that “SMS was not designed to act as a second authentication factor” and its use as one is “probably going to leave [customers] vulnerable to frauds that exploit their credulity or naivety”.
There are 54 million bank accounts active in Australia, according to the Reserve Bank, and 35 million credit accounts.
The cost of replacing SMS authentication with tokens for debit accounts alone would cost the banking sector close to $5 billion*.

*Yes, this is also the telcos shifting the blame from themselves when they could simply tighten the ability to port a phone number which would also strengthen SMS based security.
-----

Now, in 2010 Citibank essentially had no online fraud while other bank customers were having their accounts hijacked using SMS security. The telcos and other experts have said that SMS security is not a viable solution to prevent fraud, yet Citibank is moving from a proven secure authentication method to one with already established flaws.
 