Citibank One Time Password (OTP)

Status
Not open for further replies.
There are a few potential issues with physical tokens.
- The entry of the number is eavesdropped on (normally done when a computer is infected with certain malware). [Shared with SMS]
- The user writes their PIN number (or other required number) on the token.

With PHONES:
.

I believe that the tokens do not really suffer from being eavesdropped on, as they are valid for much less time than an SMS code is, so even if someone has the code you used it will have likely expired once they have it/try to use it.
Plus once you have used your token code it will not be accepted for another login even if it could still be valid.
The same appears to be true for Citibank SMS, so as long as you login as soon as you have typed the code in, if your computer is compromised the token code or SMS code is of no use to anyone.
If you were to walk away after typing the code in without logging in then someone watching your computer through malware could potentially use the SMS code as it is valid for 8 minutes.

There really is not any room to write a username/password on the typical keyring tokens issued however it is possible to store all your account information in plain text in a mobile phone.

(and tokens are expensive, likely around $10, but I'm not privy to corporate pricing)

I have heard of prices much more expensive than that.
$25-$100 is the usual price bracket that I have heard. However, I do find it hard to see big banks spending $25 on a token for each customer.


All valid points. On balance I still reckon SMS is slightly safer though, given the more likely risky-scenarios are all on the token side of the equation - i.e. likely to take longer to notice a loss/theft of token, user writing PIN on token.

But even if you lose your token it has no identifying marks on it, if you lose your phone it could have your user name and password allowing someone to quickly gain access to your account (though, it is probably unlikely)

---

One thing I do find interesting is that in 2011 for CBA/Netbank mobile phone porting fraud (SMS security) had the lowest count of fraud however the highest amount of money stolen for all fraud which occurred, whereas man in the browser attacks (used with tokens) had the highest count of fraud however the actual amount of money taken was relatively low.

This was in part due to how Netbank used the token code, as once it was entered anything could be done in the account without further verification, whereas with SMS security each transaction needs a unique SMS code. I don't know if this has since been changed as I am not a Netbank customer.
The current Citibank system is much like the Combank token system in that one code can be used for many transactions.
 
I believe that the tokens do not really suffer from being eavesdropped on, as they are valid for much less time than an SMS code is, so even if someone has the code you used it will have likely expired once they have it/try to use it.
Plus once you have used your token code it will not be accepted for another login even if it could still be valid.

However, if your passcode is compromised when you enter it into the keyboard, then there can be issues. Several banking trojans do this type of attack.



There really is not any room to write a username/password on the typical keyring tokens issued however it is possible to store all your account information in plain text in a mobile phone.
I've worked with RSA tokens for many years. People find ways to attach their pin to the tokens ... Stickytape works (for example).

I have heard of prices much more expensive than that.
$25-$100 is the usual price bracket that I have heard. However, I do find it hard to see big banks spending $25 on a token for each customer.
the last commercial price I saw for RSA tokens (and they aren't the cheapest) was about $50 for a 4 year token (250+ min purchase). However, if a bank was buying 1000+ or 2500+ or even 10000+ the price would have come down a lot more. I was estimating the $10 on a purchase of about 10K-100K tokens.


But even if you lose your token it has no identifying marks on it, if you lose your phone it could have your user name and password allowing someone to quickly gain access to your account (though, it is probably unlikely)
Depends how the token is stored. Is it on your keyring with your Blockbuster card? Just as identifiable IMHO.

One thing I do find interesting is that in 2011 mobile phone porting fraud (SMS security) had the lowest count of fraud however the highest amount of money stolen for all fraud which occurred, whereas man in the browser attacks (used with tokens) had the highest count of fraud however the actual amount of money taken was relatively low.

This was in part due to how Netbank used the token code, as once it was entered anything could be done in the account without further verification, whereas with SMS security each transaction needs a unique SMS code. I don't know if this has since been changed as I am not a Netbank customer.
The current Citibank system is much like the Combank token system in that one code can be used for many transactions.

Not really sure.

In fact (as an interesting aside), I had a fraud alert with my UK bank recently. I had been using their Android app over both WiFi and mobile networks, including making 3rd party payments to others (over both networks). It appears that their app was incorrectly coded, and sent something through with the payments that shouldn't have been sent unencrypted. The mess it caused me was immense ... I had to recreate my Internet Banking account (my old one was deleted), remember a new user ID, re-configure the app on my mobile etc. Almost tempted to ask the bank involved for 100 pounds compensation for their screw-up...
 
I believe that the tokens do not really suffer from being eavesdropped on, as they are valid for much less time than an SMS code is, so even if someone has the code you used it will have likely expired once they have it/try to use it.

There's nothing inherent in the two different technologies which says SMS codes need to be valid for longer than token codes (unless you want a validity time of only a couple of seconds, I guess). The length of validity of the SMS code is a configurable option with the OTP solution we use at work, and I'd assume it would be the same with most SMS and token-based OTP systems. In our particular case we set our SMS codes to be valid for 60 seconds, which is the same as the shortest-validity-time tokens I've ever personally come across.
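The two properties argued over in the posts above (how long a code stays valid, and whether a code that has already been used is rejected even while still valid) are both server-side policy rather than something fixed by SMS versus hardware token. The following is an added illustration, not code from the thread or from any bank mentioned in it: a minimal RFC 6238 TOTP verifier with a configurable acceptance window and a replay cache. The secret, the timestamps and the step length are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real deployment provisions a random per-token secret.
DEMO_SECRET = b"constructed-demo-key"
STEP_SECONDS = 30  # typical hardware-token period; the SMS case in the thread uses minutes


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the wall clock."""
    return hotp(secret, int(at // step))


class OtpVerifier:
    """Server-side acceptance policy for a time-based code.

    valid_steps controls how many past time steps are still accepted (the
    'validity' the thread discusses); the used-counter set makes every code
    single-use, so a code captured by keystroke-logging malware is worthless
    once the legitimate user has logged in with it.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, valid_steps: int = 1):
        self.secret = secret
        self.step = step
        self.valid_steps = valid_steps
        self.used = set()  # counters whose code has already been consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        # Walk from the oldest still-valid step up to the current one.
        for counter in range(current - self.valid_steps + 1, current + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.used:
                    return False  # replay: this code was already accepted once
                self.used.add(counter)
                return True
        return False  # no match: wrong code or outside the validity window


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed timestamp
    code = totp(DEMO_SECRET, t0)
    token_policy = OtpVerifier(DEMO_SECRET)                 # 30 s window
    sms_policy = OtpVerifier(DEMO_SECRET, valid_steps=16)   # 16 x 30 s = 8 minutes
    print("token, fresh:   ", token_policy.verify(code, t0 + 5))
    print("token, replayed:", token_policy.verify(code, t0 + 5))
    print("sms, 7 min later:", sms_policy.verify(code, t0 + 7 * 60))
    print("sms, 9 min later:", sms_policy.verify(code, t0 + 9 * 60))
```

The point the example makes is that the 8-minute SMS window and the 30- or 60-second token window are the same verifier with a different `valid_steps`, and that single-use enforcement (the replay set) is what actually neutralises an eavesdropped code, independently of how the code was delivered.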
 

There's nothing inherent in the two different technologies which says SMS codes need to be valid for longer than token codes (unless you want a validity time of only a couple of seconds, I guess). The length of validity of the SMS code is a configurable option with the OTP solution we use at work, and I'd assume it would be the same with most SMS and token-based OTP systems. In our particular case we set our SMS codes to be valid for 60 seconds, which is the same as the shortest-validity-time tokens I've ever personally come across.

Agree. RSA Security does 30 sec tokens. Used to have them for admin purposes.
 
One, albeit minor, benefit of the OTP for me at least is that AwardWallet is now working for my Citiselect; before, I couldn't get it to load, it just kept asking me a continuous stream of my security questions.

Ironically, AwardWallet did actually work for CitiRewards point balances prior to OTP - I know because I worked with them to get it setup ~9 months ago, and to fix it when the "do you want to enable OTP now?" question was introduced into the logon process. It does ask you the security questions, as you noted, but it actually remembers your answers - so once you'd answered all five questions via AwardWallet it could then auto-check your balances without manual intervention.
 
Not Citibank, but I've recently opened an ING Orange Everyday account which would usually use the SMS system, but as I have no mobile phone they eventually sent me a 'hard' token instead, but I had to push for it. When it failed to arrive within the 5 business days as promised I contacted them again, received profuse apologies and another was sent which did arrive quite quickly.
I thought nothing of it at the time, but having skimmed this thread, I'm now wondering whether I (or ING) should be concerned about the first one having gone missing. Is it potentially a security risk? Of course, it is possible that it was not actually sent out the first time, due to an oversight, but they would surely have a record of the serial number.
 
Virgin Money have, not surprisingly, gone down the same OTP path. Downside is that I currently can't get past the initial screen, as apparently I don't have a registered phone number.

Not Citibank, but I've recently opened an ING Orange Everyday account which would usually use the SMS system, but as I have no mobile phone they eventually sent me a 'hard' token instead, but I had to push for it. When it failed to arrive within the 5 business days as promised I contacted them again, received profuse apologies and another was sent which did arrive quite quickly.

I thought nothing of it at the time, but having skimmed this thread, I'm now wondering whether I (or ING) should be concerned about the first one having gone missing. Is it potentially a security risk? Of course, it is possible that it was not actually sent out the first time, due to an oversight, but they would surely have a record of the serial number.

My ING accounts don't have any of that - but the missing token, if they have implemented their systems correctly, shouldn't matter too much.
 
Well the update went ahead, obviously because I started getting OTP SMS messages triggered by Yodlee every hour, instead of every day.

I have the updated app, but no sign of the OTP device in the mail.
 
I have connected with the iPhone app and ANZ MoneyManager, so I expect XERO/Yodlee will do likewise. ANZ MoneyManager asked for a manual update and then requested I enter the secure code, which the iPhone app generated.
 
Well the update went ahead, obviously because I started getting OTP SMS messages triggered by Yodlee every hour, instead of every day.

I have the updated app, but no sign of the OTP device in the mail.

The website says that hard tokens need to be requested.
 
OTP now working fine with my Singapore mobile. :) App on my iPod/iPad not working over wifi as it sends the authorisation code over the network to my phone, so it seems the app is only good if you have a device with telephony.
 
I have connected with the iPhone app and ANZ MoneyManager, so I expect XERO/Yodlee will do likewise. ANZ MoneyManager asked for a manual update and then requested I enter the secure code, which the iPhone app generated.

Yeah, looks like it's going to be regular manual updates from here on in.
 
Well I've just gotten off the phone asking for a credit limit increase (no go) and asked about hard token generators.

Apparently I'm not eligible because I've got an Android phone and that you have to fulfil certain requirements. When I asked what happens when I've run out of power or don't have my phone with me, she suggested I just charge it lol.

Friendly lady though.
 
Well I've just gotten off the phone asking for a credit limit increase (no go) and asked about hard token generators.

Apparently I'm not eligible because I've got an Android phone and that you have to fulfil certain requirements. When I asked what happens when I've run out of power or don't have my phone with me, she suggested I just charge it lol.

Friendly lady though.
I simply told them I don't use a mobile phone anymore ... told to expect the token in 5 - 10 days ...
 
OTP now working fine with my Singapore mobile. :) App on my iPod/iPad not working over wifi as it sends the authorisation code over the network to my phone, so it seems the app is only good if you have a device with telephony.

Are you sure? OTP via the iPhone app works for me with aircraft mode switched on, so I don't think connectivity is required.
 