SMS Login Verification - Argh

[jenib]

Ok, so I'm trying to work out what all the fuss here is. Out of curiosity, I clicked the button that said 'verify another way' (or similar) and was presented with the following:

View attachment 177219

Now if you can't answer:
- the DOB of the person
- the postcode per the users details
- date of joining (it's found on your FF card)
- the security question (which can be updated in your profile: My Account > Personal Information > Security Questions)

Then I daresay that you shouldn't be accessing said person's account. Don't get me wrong, it's certainly not user friendly, but there is an alternative way to access without needing to receive an SMS.

I am a fan of 2 factor authentication.
However, my mother is in Alaska on a cruise and sent me a rather cryptic email about missing points and asking me to check her QFF account. Yes - I am her travel "EA". Tried the 'verify another way' option, answered the questions and the system told me that her account was missing information. Annoying. Not earth shattering but inconvenient. When she gets back we will have to change the phone numbers or add some more info into her account for future access.

 

[Chicken]

The Fake news is that was not what he said. You need to pay to enable roaming in many cases, which is needed to get the SMS. I don't activate roaming when I'm travelling

Are you sure?

Even Boost mobile doesn't, and they only charge like $12.5 per month for 6.6 GB download and it is operated by Telstra with full Telstra coverage in the middle of whoop whoop (different from Aldi / TeleChoice / Woolworths etc). Free roaming.

Though they're unfortunately another bank which has recently introduced onerous token restrictions on transactions as well.

Aren't they using the Suncorp app as keygen? (I have been using Suncorp for nearly 20 years, so I have some astronomical external bank transfer daily limit, without the need for using token)

HSBC, Citi both use app keygen.

Telstra most definitely do charge you for unanswered calls (that divert to messagebank) once they know you are roaming.

People always misunderstood this bit. You get charged if the call needed to exit Australia.

If you answer the call, the call goes A party > your service > overseas phone network > your phone, so you need to pay for this calls, in order to cover the cost of overseas network bit.

If you decide not to take the call, and divert it. it becomes A party > your service > overseas phone network > your phone > divert back to Australia > your voicemail / any AU phone number. This is even more expensive, because you are paying for 2 connections.

If you enable Call Foward All Calls (Telstra instructions) , then the call goes A party > your voicemail, never left Australia, so no charge.

Hence, the 100% safe way to manage this, is just to enable call forward all calls. Takes 10 seconds to key a code into your phone.

 

[Daver6]

Telstra most definitely do charge you for unanswered calls (that divert to messagebank) once they know you are roaming.

You really need to change providors then. That's ridiculous.

 

[NM]

So has anyone figured out how to get AwardWallet to get past the 2 factor authentication? Can it be done?

 

[Pushka]

Telstra most definitely do charge you for unanswered calls (that divert to messagebank) once they know you are roaming.

As does Optus. Well, it used to but we changed plans and added overseas calls a couple of months ago. Definitely were charged as soon as someone calls your number if you are overseas.

I don’t use iMessage.

 

[PineappleSkip]

Useful discussion. I work about 1/3 of the year in Somalia, and there now. This is where no Aus provider roams, and no Som provider roams to Au. But then not many Aussies roam around here anyway.

This setup gives SMS authentication #epicfail status and I avoid SMS 2FA like the plague. But thanks for the workaround upthread, opusman, I might give that a try.

I seem to have opted in to QFF’s 2FA without asking as I’d been getting these messages periodically for a few months. Horror when I first got a login response that they had sent me an SMS (i.e. flushed it down the toilet), but relief when I read the fine print ‘I need to verify another way’. Email authentication no problem. With the questions, the ‘what’s your postcode’ always a challenge when you have different residential and mailing postcodes and they don’t specify which one they want. Thanks for the sage advice about where to find the date of joining,.

Different story with Qantas Money, I am completely locked out here, as they offer no alternative to SMS 2FA , unlike NAB and AMEX which both have mobile apps with fingerprint verification. For this reason alone I’m looking to ditch Qantas Money.

There is an upside though, here I am freed of telemarketers who don’t have international calling; sooo annoying when you get a 3 am call that disconnects when you answer it.

Cheers skip

 

[Mrmaxwell]

Qantas are not alone in this caper.

Many companies are only as good as their IT budget and security advisors.

SMS 2FA is basic and has been around for years. The better setups give you options to receive a text or an email....very easy for QF to setup they are being lazy. Those work experience IT kids are becoming annoying again.

 

[Kremmen]

IMO it would also make sense to build TOTP functionality into the Qantas app itself, like Facebook, Steam and others have done. No network required and most active FFs would have the app already installed.

That's a wild assumption. I have logins on over 500 web sites. I have no desire to download hundreds of apps in order to be able to use them. You get issues with updates, whether they work on your particular phone, whether they drain the battery by being badly behaved, the tracking done by Facebook via most apps, etc. SMS is universal. If you have a phone, SMS works. Even on a non-smartphone, SMS works.

Both my Hong Kong and Malaysian accounts are charged to receive SMS while outside the country.

Qantas has more than just Australian mobile numbers.

Given that the Qantas scheme is one of the worst value ones in the world, I would never have thought of that and I guess Qantas didn't either.

Which is why SQ asks if you want your messages via SMS or WhatsApp.

This, however, would make sense. There are banks in America which use SMS or email. A really smart move might be to allow SMS or WhatsApp or email!

Really? I'm surprised anyone who travels OS would be on a plan that requires you to pay to enable roaming. Even the most basic Vodafone plans don't cost a cent extra to enable OS roaming.

I doubt it's a cost issue. Some people just disable roaming altogether instead of bothering to just disable data. (Also, some dodgy prepaid systems didn't/don't allow roaming at all. That was actually the main reason I went with Amaysim years ago, when Lebara, etc, had no international roaming at all. It was purely to be able to receive 2FA SMS from banks and such!)

 

[nlagalle]

Telstra most definitely do charge you for unanswered calls (that divert to messagebank) once they know you are roaming.

Telstra most definitely don’t charge.. I’ve travelled for years with roaming on and was never charged for not answering an incoming call

 

[Deleted member]

I no like !

 

[Cool Cat Phil]

Though they're unfortunately another bank which has recently introduced onerous token restrictions on transactions as well.

As you appear to be against SMS security, I’m curious to know what in your view is the most secure method to proceed with online transactions for Banking or Qantas Frequent Flyer ?

 

[Pushka]

As you appear to be against SMS security, I’m curious to know what in your view is the most secure method to proceed with online transactions for Banking or Qantas Frequent Flyer ?

Email works for me. MYOB accounting software does this.

 

[Cool Cat Phil]

Email works for me. MYOB accounting software does this.

Do you mean an email with secret code?

 

[Pushka]

Do you mean an email with secret code?

Yes, I just had to do it right now. Email access is much easier than sms when overseas.

 

[Chicken]

So I just read AFF newsletter, and you can op out of SMS by switching to security questions instead. So all the boo ha ha here for nothing? Is the AFF article correct?

 

[Daver6]

That's a wild assumption. I have logins on over 500 web sites. I have no desire to download hundreds of apps in order to be able to use them. You get issues with updates, whether they work on your particular phone, whether they drain the battery by being badly behaved, the tracking done by Facebook via most apps, etc. SMS is universal. If you have a phone, SMS works. Even on a non-smartphone, SMS works.

I doubt it's a cost issue. Some people just disable roaming altogether instead of bothering to just disable data. (Also, some dodgy prepaid systems didn't/don't allow roaming at all. That was actually the main reason I went with Amaysim years ago, when Lebara, etc, had no international roaming at all. It was purely to be able to receive 2FA SMS from banks and such!)

You don't need an app for each website. Just use one single authenticator app, like Google Authenticator or Authy (there are a bunch more and free). No network connection required on your phone.

As for disabling data. Again, at least the last three version of Android and iOS for iPhone you can set your phone to allow roaming but disable roaming data (in fact, I believe it's the default setting). So nothing needs to be done when heading OS to have data disabled yet be able to receive SMS or calls.

As you appear to be against SMS security, I’m curious to know what in your view is the most secure method to proceed with online transactions for Banking or Qantas Frequent Flyer ?

TOTP, ie authenticator codes is more secure and less hassle as no requirement to be connected to any network.

While, I'm very much in the camp that SMS as the second factor is a poor choice, I'm all for more security. It really sounds like some people are just against it for the sake of it. People need to take more responsbility for their online security. The QF option of SMS is super easy if you can't receive a SMS. Just select the option to fill out a few more details. It isn't a big deal.

 

[serfty]

So has anyone figured out how to get AwardWallet to get past the 2 factor authentication? Can it be done?

Qantas sent out emails last year notifiying members about the pending introduction of 2FA.

At that time I set up the challenge words on all the accounts I have attached to my award wallet and their 'phone numbers to mine and then set up award wallet with information.

I now receive 2 to 3 SMS's a day from QFF giving me a PIN to use.

 

[Himeno]

What sort of "security questions" does this nonsense have?

When ANZ started using security questions for their online banking, I became unable to access my account and ended up cancelling the card. They only had preset security questions to pick from. Not a single one of those questions had an answer that could be provided. An answer either did not exist or the question was better off not even thought about for mental health reasons.

 

[Berlin]

Different story with Qantas Money, I am completely locked out here, as they offer no alternative to SMS 2FA , unlike NAB and AMEX which both have mobile apps with fingerprint verification. For this reason alone I’m looking to ditch Qantas Money.

Just ditched my Qantasmoney card last week and it has given me a great feeling of relief

 

[Chicken]

What sort of "security questions" does this nonsense have?

When ANZ started using security questions for their online banking, I became unable to access my account and ended up cancelling the card. They only had preset security questions to pick from. Not a single one of those questions had an answer that could be provided. An answer either did not exist or the question was better off not even thought about for mental health reasons.

You don't have to strictly follow the questions.

If the question is mother's maiden name, no one says you can't use the person in the office you hate most.

This thread is really now a thread of complaining just for the sake of complaining