Citibank One Time Password (OTP)

Status
Not open for further replies.
Interestingly, when I log in I'm not prompted for the OTP. I go straight to my account summary screen. However, if I want to go into transaction history or make a payment, this is where the OTP is triggered. I'm not sure if this is a bug or correct behaviour.

I understand from what I was sent regarding this that it is the designed behaviour.
 
I understand from what I was sent regarding this that it is the designed behaviour.

Which is not the smartest idea, as if you have your account set up to show full account numbers (instead of all but the last few numbers shown by an 'x') someone can sign in to your account and get your credit card number.
That couldn't be done with the old system.
 
I just got an email saying the security questions will be disabled and OTP will be permanent.

ffs, hate OTP.

Bunch of w**kers... So what will I do now when I go on my 5-6 week overseas holidays when I routinely don't buy an overseas SIM and just use my mobile for accessing wifi... Have to friggin preload the thing up with several thousands??? Or give my details to someone back at home to fiddle with my account??

The cough could have used their brains and allowed you to opt in or out and take your own chances... Anyone know who I can call or email and give a serve to about this???
 
Bunch of w**kers... So what will I do now when I go on my 5-6 week overseas holidays when I routinely don't buy an overseas SIM and just use my mobile for accessing wifi... Have to friggin preload the thing up with several thousands??? Or give my details to someone back at home to fiddle with my account??

If you take your phone with you and leave your Australian SIM card in it then you can still receive the OTP messages as long as you activate global roaming.
I know on Telstra and Optus it is free to receive an SMS when roaming.

The cough could have used their brains and allowed you to opt in or out and take your own chances... Anyone know who I can call or email and give a serve to about this???

There will be a physical token so you don't need to have an SMS.

If you find someone to complain to, feel free to reference the points I raised here http://www.australianfrequentflyer....one-time-password-otp-41950-8.html#post766039
 
The implementation of OTP has got to be the most ridiculous thing yet.
 
I guess it might be being implemented across the board of their accounts, but one of the main attractions of this particular account I opened was no fees and especially no foreign transaction fees, which means people travelling overseas are going to be attracted to it.... I'm not inclined to activate global roaming, or anything that might find me coming back to Australia to find a several hundred dollar bill...

So how and where again do you get this physical token?? And you carry this on you??? Because that is safer somehow???
 
If you take your phone with you and leave your Australian SIM card in it then you can still receive the OTP messages as long as you activate global roaming....

Yes, but global roaming can be such a huge money pit. :( I used it on one trip, but never again. Now I always use a local SIM card.
 
One, albeit minor, benefit of the OTP for me at least is that Award Wallet is now working for my Citiselect; before, I couldn't get it to load, it just kept asking me a continuous stream of my security questions.

Apart from that I agree it is a pain in the you know what.
 
I'm not inclined to activate global roaming, or anything that might find me coming back to Australia to find a several hundred dollar bill...

So how and where again do you get this physical token?? And you carry this on you??? Because that is safer somehow???

Yes, but global roaming can be such a huge money pit. :( I used it on one trip, but never again. Now I always use a local SIM card.

Global roaming is only expensive if you use it for calls; I always travel with it on and have never come back to a large bill.
Charges cannot appear unless you do something to cause them.

If you don't make or answer calls there are no charges. Most/all modern phones detect when they are roaming so will disable data connections automatically.
The only other thing you need to do is disable voicemail if you are going to leave your phone turned on, so your calls are not diverted to it; otherwise you are charged an international call diversion to divert from your phone to your voicemail (I'm pretty sure this is simply an easy way for phone companies to make money, as where your phone physically is has nothing to do with voicemail).


I'm interested in the token. Do you have a link to this, please?

There is not really any information about it, only something which says a token will exist.

https://www.citibank.com.au/AUGCB/JSO/signon/DisplayUsernameSignon.do
Click on FAQs
Click on 'Can I still bank online if I don't have access to my mobile phone?'
The last sentence states 'A hard token OTP generator will also be available.'

casanovawa, to answer your question above.
A physical token is safer than SMS, see my post on page 8.
 
A physical token is generally safer than SMS, but both have downsides. If a computer where you enter the token has been compromised, then all bets are off as to which is safer.

I have a keypad for one of my UK bank accounts, and it annoys me. http://buhjillions.files.wordpress.com/2008/06/cardreader.jpg is an image of what it looks like. Similarly, Commbank, still requires me to have an AU based phone to add new billers etc (Granted, I could swap to a token, and that would solve the issue).

Everything said, I love how people say "I don't want security on my account". Do you really think banks want to implement impediments to customers spending money? No. However, it is a very scary world out there and banks have to both try and compete and stop the bad guys.
 
... There is not really any information about it, only something which says a token will exist.

https://www.citibank.com.au/AUGCB/JSO/signon/DisplayUsernameSignon.do
Click on FAQs
Click on 'Can I still bank online if I don't have access to my mobile phone?'
The last sentence states 'A hard token OTP generator will also be available.' ...


Ok. Thanks jingles. I would never have found that piece about the token.

My issue with global roaming was due to me using wi-fi. :( I had large data charges when there should have been none. Maybe it was caused whenever the wifi dropped out or the phone picked up a stronger signal from a telco and I didn't pick up on it. I'll never know. However, data charges while roaming are horrendous.
 
To access any function of my Virgin money CC (citibank) online my only option is OTP after logging in. I am no longer able to use security questions as access.

Initially I had a choice but this is now not available.
I don't have a problem with this, but can see the need to sort global roaming issues whilst OS.

With a bit of PPPPPP I have arranged for auto payment when OS
 
A physical token is generally safer than SMS, but both have downsides. If a computer where you enter the token has been compromised, then all bets are off as to which is safer.

I have a keypad for one of my UK bank accounts, and it annoys me. http://buhjillions.files.wordpress.com/2008/06/cardreader.jpg is an image of what it looks like. Similarly, Commbank, still requires me to have an AU based phone to add new billers etc (Granted, I could swap to a token, and that would solve the issue).

Everything said, I love how people say "I don't want security on my account". Do you really think banks want to implement impediments to customers spending money? No. However, it is a very scary world out there and banks have to both try and compete and stop the bad guys.

I believe that the only way hackers have around tokens at the moment is with malware called Zeus, or man-in-the-browser attacks.
What they do is alter what you see on the bank website.
I know of one attack which when you signed in offered to guide you through the security process, including making a "dummy" transaction to a bank account which was really the hackers bank account.

I don't mind the tokens; however, I think that I would draw the line at the keypad style like the one you have that requires you to insert your card.

I don't think that people do not want security, it is just the chosen system that Citibank is implementing that people object to. According to Citibank themselves, their security question system had a zero/almost zero fraud rate.

Ok. Thanks jingles. I would never have found that piece about the token.

My issue with global roaming was due to me using wi-fi. :( I had large data charges when there should have been none. Maybe it was caused whenever the wifi dropped out or the phone picked up a stronger signal from a telco and I didn't pick up on it. I'll never know. However, data charges while roaming are horrendous.

No worries DC3 :)
I also think it is well hidden, there are also plenty of other Questions on the FAQs that could do with that sentence being added

The data charges are huge, especially when you look at some Blackberry BIS plans which offer unlimited data when roaming!
Make sure your phone doesn't have data roaming enabled if you want to travel with global roaming again.
If you are really worried or want to be extra sure then delete the APN settings out of your phone (including the MMS setting, otherwise you will pay to receive MMSs). If your phone does not have an APN defined it will be unable to connect to the internet over the mobile phone network. If you have an older phone that does not have a setting for data roaming, deleting the APNs is your best bet.
 
I'm interested in the token. Do you have a link to this, please?

I don't think it's going to be a physical token - it will be a software token in the Citibank app.... I suspect you will not need to be online to do this - the tokens run some algorithm to generate the OTP.
We'll also release a new version of our mobile app which will include the MobilePass feature - another way you can generate an OTP when banking online from your desktop or mobile device.

As an example, RSA (EMC), who are one of the major physical token vendors, have a software version for all major mobile OSs:
http://australia.emc.com/security/r...henticators.htm#!offerings_for_mobile_devices
 
I don't think it's going to be a physical token - it will be a software token in the Citibank app.... I suspect you will not need to be online to do this - the tokens run some algorithm to generate the OTP.

As an example, RSA (EMC), who are one of the major physical token vendors, have a software version for all major mobile OSs:
http://australia.emc.com/security/r...henticators.htm#!offerings_for_mobile_devices

It will be a physical token.
As the sentence "A hard token OTP generator will also be available." is under the question "Can I still bank online if I don't have access to my mobile phone?" they have to be referring to a physical token, not a software token, as if you do not have access to your mobile phone the software token will not work.
Plus the software token would not be a "hard token"

Symantec also does a software token application for computers and mobile devices called Symantec VIP
Two-Factor Authentication, One Time Password (OTP) Symantec Validation and ID Protection Service (VIP) | Symantec
Offering verification through the computer version could also be a good way to keep people happy.
There is no token to lose, no SMS to worry about and if you have your computer you can access your account.
 
It will be a physical token.
As the sentence "A hard token OTP generator will also be available." is under the question "Can I still bank online if I don't have access to my mobile phone?" they have to be referring to a physical token, not a software token, as if you do not have access to your mobile phone the software token will not work.
Plus the software token would not be a "hard token"

Symantec also does a software token application for computers and mobile devices called Symantec VIP
Two-Factor Authentication, One Time Password (OTP) Symantec Validation and ID Protection Service (VIP) | Symantec
Offering verification through the computer version could also be a good way to keep people happy.
There is no token to lose, no SMS to worry about and if you have your computer you can access your account.

OK, but at least some of Citi's comms have said it would be a soft token built into the Citi app.

Newk's post I quoted was a copy paste of one of Citi's Comms.
 
A physical token is generally safer than SMS...

Interesting. Why do you say that a physical token is generally safer?

As far as I can see, both offer the same inherent level of security (except perhaps the possibility of a SMS being intercepted during transmission, but that's a pretty damn unlikely scenario). The one benefit SMS does offer though, is the fact that you're unlikely to not notice that you've lost / had your phone stolen - and you're likely to get the old SIM cancelled quickly. Whereas you may not notice the token is gone until some time has passed.

Maybe I'm missing something though?
 
Interesting. Why do you say that a physical token is generally safer?

As far as I can see, both offer the same inherent level of security (except perhaps the possibility of a SMS being intercepted during transmission, but that's a pretty damn unlikely scenario). The one benefit SMS does offer though, is the fact that you're unlikely to not notice that you've lost / had your phone stolen - and you're likely to get the old SIM cancelled quickly. Whereas you may not notice the token is gone until some time has passed.

Maybe I'm missing something though?

There are a few potential issues with physical tokens.
. Loss of token, esp. during the shipping stage.
. Token contains a flaw which makes numbers predictable.
. The entry of the number is eavesdropped on (normally done when a computer is infected with certain malware). [Shared with SMS]
. The user writes their PIN (or other required number) on the token.

With PHONES:
. Malware is on phone intercepting the code.
. Phone is ported or otherwise redirected.
. SMS is intercepted on phone network.
. Phone stolen or lost.

SMS codes aren't the ideal solution but banks use them due to the low cost and easy setup. They are willing to wear the potential risks vs shipping out expensive tokens to all users (and tokens are expensive, likely around $10, but I'm not privy to corporate pricing). Then they get lost, stolen, batteries run flat, may have a fixed life, they need a call centre to support lockouts and other token issues and normally pay a licence fee based on the number of cards on issue.
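The "algorithm" the tokens run, referred to a few posts up, is standardised: hard tokens and phone-app soft tokens alike implement HOTP (RFC 4226) or its clock-driven variant TOTP (RFC 6238), and neither needs network access because the only inputs are a shared secret and a counter or the time. The following is an added example, not Citibank's code and not anything a poster in this thread wrote. It uses the RFC test-vector seed as a constructed secret so the output can be checked against the published vectors, and it also plays out the "entry of the number is eavesdropped on" item from the list above: a recorded code replayed after the user is rejected, but a code forwarded by malware before the user's own request reaches the bank is accepted, which is the sense in which a compromised computer makes the token-versus-SMS question moot.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector seed. Constructed input for demonstration
# only; a real token's secret is provisioned per device and never shared.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from the clock.
    No connectivity is required: the counter is simply floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server side of an event-based (counter) token.

    The bank stores the shared secret and the highest counter it has
    accepted. A look-ahead window tolerates codes the user generated but
    never submitted. A consumed counter is never accepted again, which is
    what makes a code 'one time'."""

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.last_counter = -1  # highest counter value already redeemed

    def verify(self, submitted: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):  # constant-time compare
                self.last_counter = counter
                return True
        return False


def eavesdrop_scenarios(secret: bytes = TEST_SECRET) -> dict:
    """How an eavesdropped code plays out against the verifier.

    replay: attacker records the code and submits it after the user did.
    race:   malware on the PC forwards the code before the user's own
            request reaches the bank (the man-in-the-browser case)."""
    results = {}

    bank = HotpVerifier(secret)
    code = hotp(secret, 0)                          # what the token displays
    results["user_first"] = bank.verify(code)       # legitimate use
    results["replay_after"] = bank.verify(code)     # same code again: rejected

    bank = HotpVerifier(secret)
    code = hotp(secret, 0)
    results["attacker_first"] = bank.verify(code)   # stolen code wins the race
    results["user_second"] = bank.verify(code)      # genuine user now rejected

    return results


if __name__ == "__main__":
    print("HOTP(counter=0) =", hotp(TEST_SECRET, 0))                     # 755224
    print("TOTP(t=59, 8 digits) =", totp(TEST_SECRET, 59, digits=8))   # 94287082
    print(eavesdrop_scenarios())
```

The verifier's window is the reason a token that has been pressed a few times without logging in still works, and its counter state is the reason a code can only ever be redeemed once. Nothing in the arithmetic distinguishes a hard token from an app; the difference between the two lies entirely in where the secret is stored and what malware can reach.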
 
There are a few potential issues with physical tokens.
. Loss of token, esp. during the shipping stage.
. Token contains a flaw which makes numbers predictable.
. The entry of the number is eavesdropped on (normally done when a computer is infected with certain malware). [Shared with SMS]
. The user writes their PIN (or other required number) on the token.

With PHONES:
. Malware is on phone intercepting the code.
. Phone is ported or otherwise redirected.
. SMS is intercepted on phone network.
. Phone stolen or lost.

All valid points. On balance I still reckon SMS is slightly safer though, given the more likely risky scenarios are all on the token side of the equation - i.e. likely to take longer to notice a loss/theft of token, user writing PIN on token.

SMS codes aren't the ideal solution but banks use them due to the low cost and easy setup. They are willing to wear the potential risks vs shipping out expensive tokens to all users (and tokens are expensive, likely around $10, but I'm not privy to corporate pricing). Then they get lost, stolen, batteries run flat, may have a fixed life, they need a call centre to support lockouts and other token issues and normally pay a licence fee based on the number of cards on issue.

Even though we disagree over which is "safer", the latter point you make is the exact reason we chose SMS over tokens for our VPN OTP implementation at work - we simply didn't want workload of supporting physical tokens. They're a nightmare. SMS doesn't require any extra hardware, and rarely "breaks". It wasn't a major decision factor, but they're also cheaper over the long run too, when you factor in reduced support workload and the fact that you can send a whole lot of SMSes very cheaply when you use one of the various "unlimited" mobile plans for the SIMs in your SMS-sending hardware :-)
 