SMS Login Verification - Argh

[nlagalle]

Seriously who came up with the idea of SMS verification for login?

• Nobody wants to pay for receiving SMS while outside of Australia
• What % of Qantas members travel overseas and pick-up local sim cards?
• SMS are not free - Qantas is paying for each MT SMS. Even higher costs to some non-AU destinations
• Australia is one of the last remaining countries in the world still hanging on to SMS.

I may never login to my Qantas on the web, ever again.

Does anyone else find SMS log-in super annoying?

None of the Australian phone plans charge for receiving an SMS.. but many people swap sims overseas so you won't get the sms.

I like MFA but using SMS isn't that secure (number can be ported out for example). whereas using one of the push authentication apps is far easier and works around the world.

 

[Chicken]

Very odd, because I am of late, up to yesterday, still able to log into my QFF account, and not QTMC (that one does need the 2fa), but logging into my QFF account, still no sms needed.

Just tried, I didn't need SMS, until I tried to go into security questions section, that's when I needed SMS.

As a point of interest, the log in at the top always has my name there already, so maybe I didn't click log out all the way.
Probably if I close the QFF page, totally close, it would just be a generic "log into your account" at the top without my name being there.

I get this even after I haven't logged in for days or week. It just means a cookie was left hehind.

I don't remember the last time an AU bank sent me an SMS.

Citi in Australia uses SMS when you add a new payer, you cannot use Citi app keygen for this purpose.

Verified by Visa and MasterCard SecureCode still use SMS.

As for the verify by other methods:
- No way to return to SMS verification once clicking verify via another method

Didn't you just complaine and don't want to use SMS?

There are other versions of the same concept. Basically, it tags your computer so airlines (and the companies that airlines sell your data to) can track you around the internet. It was designed and is useful for fraud detection, but the commercial application (aka data sales economy) is where it's most prevalent.

Microsoft, Google, PayPal, all use similar concepts, which is determined by multiple factors, like your IP address, locations, then make a risk assessment, then ask you to verify by SMS if your activity is considered unusual.

The whole SMS verification thing is a MASSIVE backwards step for Qantas and it destroys the customer experience significantly.

How can you saying moving from a 4 digit PIN to SMS verification be backward? Are you suggesting that a 4 digit PIN is more secure than SMS verification?

SMS verification is easy to be impersonated (porting the victim's mobile number), but it is better than 4 digit PIN.

If I am a dictator, I would force the whole world to use password managers like LastPass or KeePass. However, if people resist as simple as SMS, then what hope do we have?

 

[sudoer]

- Who the heck knows what date they joined QFF? I can't even find out where to see it once logged in.

It's on your membership card.

 

[andye]

Coles credit cards uses SMS to access statements. My NAB account uses SMS to verify transfers. Not a big problem for me as always have same phone

 

[Cool Cat Phil]

Coles credit cards uses SMS to access statements. My NAB account uses SMS to verify transfers. Not a big problem for me as always have same phone

Exactly- the technology works tremendously well and has done for quite sometime.

 

[Pushka]

None of the Australian phone plans charge for receiving an SMS.. but many people swap sims overseas so you won't get the sms.

I like MFA but using SMS isn't that secure (number can be ported out for example). whereas using one of the push authentication apps is far easier and works around the world.

They may or may not charge for the sms but I’ve found it’s hit or miss as to whether or receive them. If you want to preserve mobile data and stop apps pinging you when not in use, it’s easier to turn off mobile data. And use wifi where available. So it’s a pain to remember to turn on data just to receive these texts, assuming they are sent in a timely fashion and over the last 2 years that’s hit and miss.

Coles credit cards uses SMS to access statements. My NAB account uses SMS to verify transfers. Not a big problem for me as always have same phone

I have limited data and only receive sms when I’m on roaming. It’s annoying that they won’t send an email with a link as wifi is available readily these days. MYOB sends an email, other log in providers like Amazon offer an option of text or email for verification. We never rely on SMS when overseas as it’s inconsistent.

Most people I know buy an overseas SIM card.

It's on your membership card.

The issue with this release this week is that there was no warning. So third party people making bookings on someone else’s behalf could not do so. And Qantas provided little information that the info was on your card if trying to enter the site yourself. That obviously will resolve as more people realise that something has changed.

Why didn’t they just tell everyone that they were about to do this? I shouldn’t be surprised, I wasn’t told I was in the pilot study and had no option to opt out prior.

 

[ALH]

Encountered this problem yesterday with hubby's QFF account. Was updating awardwallet, first time saw it asked for a secret question, answered it however account was not updated by AW. Then later in the evening hubby said there was a strange text from QF giving him a code, he thought someone had hacked this account. So, I logged into his account, and provided the code, but it refused to accept it and LOCKED his account Now, have to figure out how to unlock it etc

Same thing here. Hubby phoned QF as per instructions on SMS and the random code was just a glitch.

Like @Pushka, I’ve had to deal with SMS for the past 2 years, and it’s been hugely annoying. I’ve given my feedback to Qantas, but must have missed the previous threads here.

....but now it’s been added to everyone’s accounts, this is the biggest PITA. I manage a dozen family accounts, both from my office PC and my laptop & Apps while travelling. A number of accounts that I manage are for family now living overseas

As for the security questions, it seems that some glitch in the system has changed our mothers maiden names so that isn’t working either.

 

[AustraliaPoochie]

Thanks Chicken, as in referring to the colleague above.

 

[drron]

commbank still use SMS.
On the last trip I had a disaster.After a windows update was logged out of everything.didn't have my phone.secondary security was to send an email.however logged out of my 3 accounts so no way to get an email.Finally a work around got me into my Hotmail account so I could then get into my gmail account so finally into my yahoo account so I could finally get into my Medical defence so I could pay for the coming year on my policy.
We do take mrsdrron's phone so an app for security would be far easier.

 

[Pushka]

Same thing here. Hubby phoned QF as per instructions on SMS and the random code was just a glitch.

Like @Pushka, I’ve had to deal with SMS for the past 2 years, and it’s been hugely annoying. I’ve given my feedback to Qantas, but must have missed the previous threads here.

....but now it’s been added to everyone’s accounts, this is the biggest PITA. I manage a dozen family accounts, both from my office PC and my laptop & Apps while travelling. A number of accounts that I manage are for family now living overseas

As for the security questions, it seems that some glitch in the system has changed our mothers maiden names so that isn’t working either.

The Qantas social media rep who called me said that he was part of the pilot as well. He disliked it immensely and said that a lot of feedback they were fielding was saying the same but Qantas were pushing it through anyway. This was about a year ago.

 

[jb747]

I’ve been dealing with this since April 2 years ago (2017) as I was one of the ones ‘selected’ for a pilot study. My feedback told them it was awful and should be stopped. Where were you then when I posted here about this?

I consistently tweeted and messaged Qantas social team about it. A year ago the Qantas team stated that despite the negative feedback it was going to be rolled out.

The problem is that whilst the people who run the frequent flyer side of things would be well aware that the the system is poor and unpopular, the IT people are a world unto themselves, and they do not care how much they inconvenience users, be they the public or employees. They will have achieved their goal of perfect security when nobody can actually log in at all.

 

[Chicken]

They may or may not charge for the sms

Stop spreading fake news. No phone company here charges for receiving SMS while overseas.

If you want to preserve mobile data and stop apps pinging you when not in use, it’s easier to turn off mobile data.

Yes, this is what should be done to the phone before having Australian SIM inserted into the phone while overseas, to prevent data usage.

So it’s a pain to remember to turn on data just to receive these texts

Incorrect. You do not need mobile data for SMS service (that is send and receive). SMS are not transmitted over data network.

Most people I know buy an overseas SIM card.

So you swap SIM when you need SMS verification. Yes, it is a pain, but you don't do this just for Qantas, you need this for other things, including when paying with your credit card on the internet and the transaction is to be challenged by Verified by Visa or MasterCard SecureCode.

The issue with this release this week is that there was no warning.

I agree with your comment, there should have been comm about this. This is poor form.

but now it’s been added to everyone’s accounts, this is the biggest PITA. I manage a dozen family accounts, both from my office PC and my laptop & Apps while travelling. A number of accounts that I manage are for family now living overseas

This is exact what this SMS is trying to prevent, you going into your relo's accounts without their authority. On top of breaking whatever T&C on log in / security, it is to ensure that, the account owner is aware what you are doing to their account, whenever you log in. This is a big problem with divorced, and also a big problem with kids doing fraud to their older parents.

How enduring power of attorney documents enable children to rip off the elderly (16DEC2018 ABC)

 

[Chicken]

IT people are a world unto themselves, and they do not care how much they inconvenience users

Yes, then when someone's ex goes into their account and empty their money, frequent flyer miles, port the mobile phone number to another company in order to commit more fraud, then the victim points their finger straight to IT.

And no, I'm not even in IT field.

They will have achieved their goal of perfect security when nobody can actually log in at all.

I have said in my last post, that there are other options, like password manager or keygen (hardware or software), which I consider easier to use, and they are a lot more secure than SMS; but just look at the whinging here for a little SMS, then imagine WW3 breaking out if people were actually made to use password managers

 

[nlagalle]

hey may or may not charge for the sms but I’ve found it’s hit or miss as to whether or receive them. If you want to preserve mobile data and stop apps pinging you when not in use, it’s easier to turn off mobile data. And use wifi where available. So it’s a pain to remember to turn on data just to receive these texts, assuming they are sent in a timely fashion and over the last 2 years that’s hit and miss.

SMS doesn't use the Mobile data on your phone.. services like iMessage do, but SMS doesn't.

 

[nlagalle]

The problem is that whilst the people who run the frequent flyer side of things would be well aware that the the system is poor and unpopular, the IT people are a world unto themselves, and they do not care how much they inconvenience users, be they the public or employees. They will have achieved their goal of perfect security when nobody can actually log in at all.

Whilst the Security boffins within IT can often go well over the top with security (I often have disagreements with them). something like MFA I think sohuld be on any account that contains data/value like you have in your FF accounts. Heck even securing GMAIL is a must. whereever I can run MFA (using something like Google Authenticator) I turn it on. Means even if they do hack my password they won't get any further.

 

[Chicken]

See, this is why I personally avoid things like Facebook or Google log in. As if they don't know enough about us just by looking at your internet habit.

And no, you don't need to click on that ad. If you want an easier way to manage your security, use something like KeePass and keepass2android , free and open source, and you have just made yourself very difficult to hack and lower in the pecking order.

 

[Berlin]

The security questions are just uber stupid, most of those I don't even know or remember. Why not just let me select my own question and answer as some other companies do?

As a whole, this is just another nuisance in the name of "security" and will be a particular pain in backside for anyone looking after the account of their better half, family members etc. Annoying, annoying.

 

[JohnPhelan]

This is exact what this SMS is trying to prevent, you going into your relo's accounts without their authority. On top of breaking whatever T&C on log in / security, it is to ensure that, the account owner is aware what you are doing to their account, whenever you log in. This is a big problem with divorced, and also a big problem with kids doing fraud to their older parents.

The vast majority of us who manage other people's FF accounts do so with their full authority. Often it's for elderly parents, brothers/sisters/partners who don't want to be bothered with it themselves, young adult children who outsource the responsibility to their "mum/dad travel agent", etc. The solution, under the new system, is that I will just list my phone number as the primary contact for the person - just as I already list my email address as their email contact.

 

[Chicken]

The vast majority of us who manage other people's FF accounts do so with their full authority.

If I were working in Qantas, how would I know that you won't steal points from your kids / parents for your own benefit? Every thief tells the police that they took the item with the owner's permission.

1: Majority of us here on AFF are freaks. 99% of Qantas FF members are not. They just redeem gift cards, let alone 'manage' their accounts.
2: Did you read the ABC article I posted, on fraud by kids to elderly parents?

We need to remember that, we are just 0.5% of the Qantas FF membership, we are living in a bubble. If I work at Qantas, I would not have a job if I were to design process and controls at my work based on 0.5% of the users, because QFF member JohnPhelan told me he won't steal points from his parents, so it's all good!

 

[Flying mermaid]

The vast majority of us who manage other people's FF accounts do so with their full authority. Often it's for elderly parents, brothers/sisters/partners who don't want to be bothered with it themselves, young adult children who outsource the responsibility to their "mum/dad travel agent", etc. The solution, under the new system, is that I will just list my phone number as the primary contact for the person - just as I already list my email address as their email contact.

It’s a solution and one I will suggest to Ms FM and Dr FM, but I can see that there will be a lot of swapping of phone numbers as there will be times when they want their own in there