Citibank One Time Password (OTP)

[SIA1A]

Citibank has now implemented this pain of a system.

After logging on, the system requests user entry of the OTP which is delivered by SMS. That's fine if (a) you have your mobile by your side and (b) have good reception. Lousy if you have misplaced your mobile (eg lost it while travelling and actually need money) or are in a location with no coverage (eg on my farm) - or are overseas and using a foreign SIM. But that's not all. Once logged on, the system requests the entry of a new OTP every 8 minutes (sent via SMS every time). It sure ain't One Time.

At log-on, we have the choice of by-passing OTP and instead using the usual semi-random security question. I wonder how long this will remain an alternative?

I notice that for now, OTP is not being used on Citi's mobile website (neither is the security question) - entry to mobile banking simply requires a username and password.

This all seems rather slap dash. On the one hand, there's an intrusive heavy-handed system being introduced on the full website while over in mobile land, security procedures are basic, speedy and user friendly. Presumably neither route is losing Citibank significant money via fraud, otherwise the relevant route would have been closed down long ago.

 

[lovestotravel]

I really really dislike the Citibank website!

 

[Must...Fly!]

It would also be good if they delivered the SMS...

 

[serfty]

For now it is optional - but nagging:

□ YES. I want OTP to be enabled for my online banking transactions! Please send it to xx_xx_x8866.

■ NO. Allow me to continue to bank online after signing in with my security question.

I hope they don't implement it compulsorily.

 

[Mal]

Good idea. Poor implementation though.

Btw otp are safer but not safe...

Sent from my GT-I9100 using AustFreqFly

 

[greenfrog86]

Citibank has now implemented this pain of a system.

After logging on, the system requests user entry of the OTP which is delivered by SMS. That's fine if (a) you have your mobile by your side and (b) have good reception. Lousy if you have misplaced your mobile (eg lost it while travelling and actually need money) or are in a location with no coverage (eg on my farm) - or are overseas and using a foreign SIM. But that's not all. Once logged on, the system requests the entry of a new OTP every 8 minutes (sent via SMS every time). It sure ain't One Time.

At log-on, we have the choice of by-passing OTP and instead using the usual semi-random security question. I wonder how long this will remain an alternative?

I notice that for now, OTP is not being used on Citi's mobile website (neither is the security question) - entry to mobile banking simply requires a username and password.

This all seems rather slap dash. On the one hand, there's an intrusive heavy-handed system being introduced on the full website while over in mobile land, security procedures are basic, speedy and user friendly. Presumably neither route is losing Citibank significant money via fraud, otherwise the relevant route would have been closed down long ago.

I also get these messages when aggregator websites like ANZ Money Manager try to log into Citi... ugh

FYI the mobile apps use the security passwords in addition to your username and password.

 

[SIA1A]

FYI the mobile apps use the security passwords in addition to your username and password.

Are you talking the Android Play app?

I've found that none of the iTunes mobile app, the Safari mobile browser on an iPhone and the Samsung/Android mobile browser require a security password. I think I noticed somewhere in Citi's FAQs that this is exactly what Citi currently intends and has been the case for many months.

 

[pauly7]

It's a good idea and not compulsory so If you can't manage it then don't opt in

 

[serfty]

It's a good idea and not compulsory so If you can't manage it then don't opt in

But it nags - appears every time one logs in - it's another step with two careful clicks - and you have to be careful since it's not far from the opt-in to the opt-out radio buttons.

All that on top of the following: To log in to Citibank online, already one has to enter ID, click in password field, painful mouse click-able password entry pop-up, then ok, then ok, then the need to read one of three registered questions and correctly type the answer, then another click on continue.

 

[Ewing]

I stupidly clicked yes. The sms didn't arrive and I got locked out of my account.

Fortunately I have another login, but that just gives me access to my credit card and not my Plus account so I'll need to get it unlocked.

Most annoying.

Sent from my LT26i using AustFreqFly

 

[SIA1A]

I stupidly clicked yes. The sms didn't arrive and I got locked out of my account.

I wouldn't call that stupid. What you are really saying is that Citi has implemented a system that has a high probability of failure. Not at all well implemented. Bad bad bad.

....and I agree!

 

[simongr]

Online banking security is a real challenge. I bank with a credit union and have user/pass plus there is a captcha type thing. I used to have a rsa style token which I misplaced so now have an SMS security option if I want to transfer/pay/bpay more than $5K.

I find it ok but like you it is annoying when travelling and it means that my wife can't access the account - although I have had an SMS in the middle of night when overseas when she tried to log in...

 

[greenfrog86]

Are you talking the Android Play app?

I've found that none of the iTunes mobile app, the Safari mobile browser on an iPhone and the Samsung/Android mobile browser require a security password. I think I noticed somewhere in Citi's FAQs that this is exactly what Citi currently intends and has been the case for many months.

I have an iphone and the app has always asked me to enter my username, my password, and an answer to one of my three security questions...

Just got an android yesterday (for use when travelling overseas with a local sim) and the Citibank App for Android also asks me to answer one of my security questions...

And to clarify, I have signed up for the OTP so get that every time I log into the full website...

 

[DeKa]

I also get these messages when aggregator websites like ANZ Money Manager try to log into Citi... ugh

ANZ Money Manager (Yodlee) have figured out how to get around this and can log in now

 

[pauly7]

But it nags - appears every time one logs in - it's another step with two careful clicks - and you have to be careful since it's not far from the opt-in to the opt-out radio buttons.

Ok well just be careful with your clicking then...

 

[hummel]

It would also be good if they delivered the SMS...

Glad I'm not the only one...

 

[DeKa]

But it nags - appears every time one logs in - it's another step with two careful clicks - and you have to be careful since it's not far from the opt-in to the opt-out radio buttons.

All that on top of the following: To log in to Citibank online, already one has to enter ID, click in password field, painful mouse click-able password entry pop-up, then ok, then ok, then the need to read one of three registered questions and correctly type the answer, then another click on continue.

Password storage tools like 1Password can fill the right fields for Citibank. It's a good solution, and solves the annoyance of the pop up on screen keyboard.

 

[serfty]

Password storage tools like 1Password can fill the right fields for Citibank. It's a good solution, and solves the annoyance of the pop up on screen keyboard.

Citibank use an onscreen virtual mouse click-able keyboard - so such tools don't generally work.

 

[DeKa]

Citibank use an onscreen virtual mouse click-able keyboard - so such tools don't work.

1Password does work with Citibank - trust me. It must input the text into the same HTML field that the onscreen keyboard does.

 

[wafliron]

1Password does work with Citibank - trust me. It must input the text into the same HTML field that the onscreen keyboard does.

That'll be exactly what it does. As part of working with AwardWallet to add CitiRewards support to their service I did some testing of the password field, and as long as the value attribute is set correctly when you submit the form it works fine. Doesn't matter how you set this field - onscreen keyboard, Firebug, programmatically, etc.

And to stay on topic: dammit the new OTP prompt is irritating!!!