SMS Login Verification - Argh

Status
Not open for further replies.
The point is that there are much better ways to do MFA than a dumb SMS, like using one of the authenticator apps that work wherever you are, online or offline.
 
That 2FA is used itself isn't the issue. The problem is how that 2FA is set up and when it is used. E.g. my bank has 2FA, but it doesn't make you use it every time you log in. Only when you make a large transaction, change details or make similar transactions repeatedly.

For an airline to use an SMS system, when it can reasonably expect many of its users to not be able to access SMS, is a problem.
Forcing "security questions" from a preset list, and only that preset list, is a problem.

If a given implementation of 2FA makes using the account unreasonably difficult or problematic, the user is going to reduce access, or cancel the account entirely. A 2FA system should not prevent legitimate access to the account; many 2FA systems do.
 
Geez you people are lucky I can barely get an SMS from someone on the same day in my town in Australia...
 
Here is another article, for those people who say we don't need to beef up security for QFF accounts, because who would bother?

Just someone copying and pasting into the wrong CC, without all the PR disasters, still brought the company to a halt; imagine if this was to happen to Qantas. That's why we need to have security (not saying SMS is the best and the be-all and end-all).

When 'CC' should have been 'BCC': How an email gaffe cost one Australian company dearly (Sydney Morning Herald 02 Aug 2019)

The problem began when the employee mistakenly pasted 300 email addresses in the "carbon copy" or "CC" email field, instead of the "blind copy" or "BCC" field, a technological misstep familiar to almost anyone using email in 2019.

While no serious harm eventuated, six-figures later the company had self-reported to the Office of the Australian Information Commissioner, eight employees had worked full-time on the matter for a number of weeks, and costly advice had been sought from both lawyers and a well-known global consulting firm.
 
Here is my 10c worth on this matter and maybe someone at Qantas with a bit of influence or common sense actually reads it.

I live in Perth. I travel regularly to Port Moresby on Business. My trips to PNG are usually 4-6 weeks in duration. I have an AUS mobile and a PNG mobile. Simple reason for that is that when I am in PNG people will not call me on an AUS phone internationally roaming. They will of course call a local number.

I have absolutely nothing against Multi Factor Authentication although I am at a loss as to what is so valuable in my QF FF account. I believe MFA is the way to go especially in this day and age but it needs to be done in a way that is usable. Even more so I would think when you are an international airline.

I have MFA for several other accounts. My two Bank accounts both allow me to log in without MFA although to make certain transfers/transactions I either have to use a bank specific app or a supplied dongle. My online accounting package uses Google Authenticator. None of these MFA devices requires an internet or mobile phone connection.
Did Qantas's IT department decide that these types of MFA would just be too easy for customers of an international airline to use? No, let's use SMS, that will cause them a bit of a hassle if they don't want to use their phone overseas.

So, after talking for 15 minutes with someone at Qantas I find out that I now have to call them each time I switch between countries to change my phone number so I can receive the SMS messages! That's so smart Qantas!
 
If you are not a prisoner of the 'fruit company', get yourself a dual SIM phone (certain Galaxy S10, Galaxy Note 9 and Huawei models for example). Solves the SMS authorisation problem once and for all (for all companies that use it, not just QF) and a host of other issues whilst travelling.

I doubt QF will do anything at this point so it is up to you to make your own life easier. This solution worked fine for me when 2FA kicked in recently whilst I was overseas. Not dealing with QF at all would make things even easier...
 
I am only getting SMS authentication when I log in to Qantas Money. It's not required for the regular login on the booking or frequent flyer web site. To me this is acceptable as the Qantas Money access to credit card information is a lot more sensitive. But I fully agree that something like Google Authenticator for MFA would be ideal.
 
If you are not a prisoner of the 'fruit company', get yourself a dual SIM phone (certain Galaxy S10, Galaxy Note 9 and Huawei models for example). Solves the SMS authorisation problem once and for all (for all companies that use it, not just QF).

I doubt QF will do anything at this point so it is up to you to make your own life easier. This solution worked fine for me when 2FA kicked in recently whilst I was overseas.

Well, yes I am captive to that "fruit company"!
But even a dual sim phone wouldn't really fix the issue would it? If QF had my AUS mobile for the MFA SMS and I was in PNG I would have to have the AUS (Telstra) connection active to receive it wouldn't I? That's $10 a day for roaming or $10 just to receive the SMS.
 
It does not cost anything to receive a text whilst overseas. So no issues there.
 
To all the people about SMS from Qantas, how do you use your credit card on the internet?

The ONLY authentication from Mastercard SecureCode and Verified by Visa is SMS, if you can't receive SMS, you cannot use your credit card.
 
It does not cost anything to receive a text whilst overseas. So no issues there.

I understand that but the Telstra overseas day pass is $10 a day once you hook in to an overseas network whether you do something or do nothing. When I travel to countries other than PNG I am happy with that for the convenience. Not happy to pay, say, $350 for a five week trip. Or $10 just to receive an SMS.
 
To all the people about SMS from Qantas, how do you use your credit card on the internet?

The ONLY authentication from Mastercard SecureCode and Verified by Visa is SMS, if you can't receive SMS, you cannot use your credit card.

Never had that issue but I mostly use AMEX.
 
I understand that but the Telstra overseas day pass is $10 a day once you hook in to an overseas network whether you do something or do nothing. When I travel to countries other than PNG I am happy with that for the convenience. Not happy to pay, say, $350 for a five week trip. Or $10 just to receive an SMS.

You do not need to sign up for the day pass on Telstra to roam. Just change to 'pay as you go' roaming and it will cost you nothing as long as you do not make or receive any calls or send any texts. You can then receive texts for free for months if you wish.

PNG is a zone 1 country on Optus, so on the appropriate plan, you could do anything you want (calls, SMS, data) for no additional cost per month.


Change from QF and Telstra to VA and Optus and you will be set...

Edit: Some Amex purchases require SMS codes as well...
 
The ONLY authentication from Mastercard SecureCode and Verified by Visa is SMS, if you can't receive SMS, you cannot use your credit card.

That's not really true. There are many different ways that merchant banks can process different types of credit card transactions, and they certainly don't need to use Verified by Visa/Mastercard SecureCode in all situations. The online vendors I use most frequently most certainly do not use this - they have their own MFA or other systems to ensure the card use is genuine.

Even as a consumer I believe there is a way to set up a PIN to use in SecureCode in place of the SMS auth, as an alternative if you don't have SMS available. The drawback of this is that you must set it up in advance, it can't be spur of the moment like the SMS auth allows.
 
You do not need to sign up for the day pass on Telstra to roam. Just change to 'pay as you go' roaming and it will cost you nothing as long as you do not make or receive any calls or send any texts. You can then receive texts for free for months if you wish.

PNG is a zone 1 country on Optus, so on the appropriate plan, you could do anything you want (calls, SMS, data) for no additional cost per month.

Change from QF and Telstra to VA and Optus and you will be set...

Edit: Some Amex purchases require SMS codes as well...

Very good point Pleb_Status!

I am almost certainly going to give Telstra the flick in a couple of months when the contract is out. I did it to VA a few years ago and I couldn't contemplate going back!

Getting a bit off topic. I still believe they could have thought this through a bit more and used an authentication app instead of SMS!
 
If you are not a prisoner of the 'fruit company', get yourself a dual SIM phone (certain Galaxy S10, Galaxy Note 9 and Huawei models for example). Solves the SMS authorisation problem once and for all (for all companies that use it, not just QF) and a host of other issues whilst travelling.

I doubt QF will do anything at this point so it is up to you to make your own life easier. This solution worked fine for me when 2FA kicked in recently whilst I was overseas. Not dealing with QF at all would make things even easier...

So we need to buy ourselves a new phone to deal with this as per the poster above?

To all the people about SMS from Qantas, how do you use your credit card on the internet?

The ONLY authentication from Mastercard SecureCode and Verified by Visa is SMS, if you can't receive SMS, you cannot use your credit card.

If you’ve registered that transferee previously then NAB doesn’t send another text.
 
So we need to buy ourselves a new phone to deal with this as per the poster above?

A possible solution to the problem which will work (for all companies, not just QF) and costs little if you are going to buy a new phone anyway. I have been dual SIM since 2015 and I made sure my S10+ was also a dual SIM.

QF were made aware of the problems (by yourself if memory serves correct) and have chosen to ignore all of the suggestions provided. You either work with the hand that has been dealt, complain somewhere where no one important is listening or leave QF...
 
Or we can continue to plug for Qantas to change their method of dual log in by sending emails with codes and not simply SMS. MYOB (accounting software) does this.
 