SMS Login Verification - Argh

[Pleb Status]

Or we can continue to plug for Qantas to change their method of dual log in by sending emails with codes and not simply SMS. MYOB (accounting software) does this.

How many years have you been doing this? And what has changed?

 

[odysseus]

Here is another article, for those people who say we don't need to beef up security for QFF accounts, because who would bother?

Just someone copy and paste into the wrong CC, without all the PR disasters, still brought the company into a halt, imagine if this was to happen to Qantas. That's why we need to have security (not saying SMS is the best and the be all and end all)

When 'CC' should have been 'BCC': How an email gaffe cost one Australian company dearly (Sydney Morning Herald 02 Aug 2019)

The problem began when the employee mistakenly pasted 300 email addresses in the "carbon copy" or "CC" email field, instead of the "blind copy" or "BCC" field, a technological misstep familiar to almost anyone using email in 2019.

While no serious harm eventuated, six-figures later the company had self-reported to the Office of the Australian Information Commissioner, eight employees had worked full-time on the matter for a number of weeks, and costly advice had been sought from both lawyers and a well-known global consulting firm.

You conveniently skipped the paragraph that really brought the cost of the issue. Also the company didn't "get brought to a halt."

"But when the company's chief information officer was unable to find a company data breach response plan, legal advice from a top-tier Australian law firm had to be sought."

The article was about the need for policies and plans, not that that copy/paste issue caused major detriment of itself. Qantas would be a completely different situation, and using Qantas' current policies or being more flexible is not going to cause anything like the above.

 

[odysseus]

To all the people about SMS from Qantas, how do you use your credit card on the internet?

The ONLY authentication from Mastercard SecureCode and Verified by Visa is SMS, if you can't receive SMS, you cannot use your credit card.

I honestly can't remember the last time I got an SMS verification online. It'd be <1% of online transactions I do. And I don't think that's indicating that 99% of vendors have poor security.

 

[Pushka]

How many years have you been doing this? And what has changed?

It’s only just been rolled out across the membership in last 2 weeks. Feedback en masse just started.

 

[Pleb Status]

I honestly can't remember the last time I got an SMS verification online. It'd be <1% of online transactions I do. And I don't think that's indicating that 99% of vendors have poor security.

The system is supposed to be 'intelligent' and learns your purchasing history to reduce the number of interventions required. If you do similar purchases all of the time, there is no need to get in the way.

I know I used to have to authorise SQ purchases by SMS code but no longer need to. The system has learnt that I make SQ purchases of a certain value and now lets these through.

Amex actually locked my card when I tried to make two Deutsche Bahn bookings in quick succession (it rejected the second purchase) and sent me an SMS stating that I needed to call back to Australia to get it unlocked. I can now make DB bookings without issue.

 

[Pleb Status]

It’s only just been rolled out across the membership in last 2 weeks. Feedback en masse just started.

You were not part of the trial group selected in March 2017 and have not given significant feedback directly to QF since then (which I assume was largely ignored)?

QF trialling two-factor authentication for QFF accounts

They're coming after your frequent flyer points "Qantas won't divulge just how common frequent flyer identity theft is, but it's common. (The airline, like the banks being a bit vague about the extent of credit card fraud, says it's a security issue, not wanting to encourage the criminals. I...

www.australianfrequentflyer.com.au

 

[downgraded]

I understand that but the Telstra overseas day pass is $10 a day once you hook in to an overseas network whether you do something or do nothing. When I travel to countries other than PNG I am happy with that for the convenience. Not happy to pay, say, $350 for a five week trip. Or $10 just to receive and SMS.

and we come back to the question of why not simply select the option "Verify another way..." when and if you get the MFA verification. No SMS required.
The SMS is only an issue if you doggedly refuse to use the alternative mechanism presented on the authentication screen.

 

[Ausbt]

I lost my (well, the company's) iPhone at the start of a 4 week UK trip. Well, I left it on a bus. I immediately bought another and used Find My Iphone to both locate it (uselessly) and then nuke-it-from-orbit. But anyway, losing your phone number is the real deal killer here - you simply cease being able to authenticate a range of services and apps you had been taking for granted. I can forget about bank transfers and ...oh yeah, my tax return. I completed it on about 5 July but had held off filing the thing because that's what the ATO publicised - don't file too early. And MyGov? SMS authentication

 

[Pushka]

You were not part of the trial group selected in March 2017 and have not given significant feedback directly to QF since then (which I assume was largely ignored)?

QF trialling two-factor authentication for QFF accounts

They're coming after your frequent flyer points "Qantas won't divulge just how common frequent flyer identity theft is, but it's common. (The airline, like the banks being a bit vague about the extent of credit card fraud, says it's a security issue, not wanting to encourage the criminals. I...

www.australianfrequentflyer.com.au

Yes I was part of the trial commenced 2 years ago. I gave feedback via Twitter and Qantas social media team who called me back who said they’d received much negative feedback but Qantas were proceeding the roll out. So I guess you are right in that they don’t give a diddly squat.

 

[Pushka]

and we come back to the question of why not simply select the option "Verify another way..." when and if you get the MFA verification. No SMS required.
The SMS is only an issue if you doggedly refuse to use the alternative mechanism presented on the authentication screen.

And again I say that if you are booking for a third party and were not notified of the roll out last week you wouldn’t know any of those details. And even having these details doesn’t stop the person who is being booked for from receiving a text and wondering what that’s all about.

 

[downgraded]

And again I say that if you are booking for a third party and were not notified of the roll out last week you wouldn’t know any of those details. And even having these details doesn’t stop the person who is being booked for from receiving a text and wondering what that’s all about.

If you're booking for a third party that third party is probably in breach of the T's&C's if they've giving you access to their account.

 

[Pushka]

If you're booking for a third party that third party is probably in breach of the T's&C's if they've giving you access to their account.

So TA’s are in breach?

 

[downgraded]

So TA’s are in breach?

The member is:
6.3 The Card, Membership number and PIN are valid for use only by the Member

 

[Pushka]

The member is:
6.3 The Card, Membership number and PIN are valid for use only by the Member

So TA’s are in breach. Who wants to tell them...

 

[downgraded]

So TA’s are in breach. Who wants to tell them...

???
The contract is with the member.

 

[Pushka]

???
The contract is with the member.

Yes. Agree. Anyone who uses a TA to make an awards booking as an example is in breach. Let’s see how that plays out.

 

[davidj]

The SMS is only an issue if you doggedly refuse to use the alternative mechanism presented on the authentication screen

What are the other options?

 

[downgraded]

What are the other options?

Secret questions.

 

[Himeno]

Secret questions.

Is it just the 4 questions posted earlier in this thread?
None of them are really "secret" and one of them I've never given an answer to QF for.

 

[Vic]

I've never seen a plan, pre-paid or post-paid which charges to receive SMS while roaming.

Really? I'm sure I can dig out bills from 2010 to about 2015 where I was charged for receiving international SMS. Certainly this was very common in the naughties and 90s.