SMS Login Verification - Argh

[Mr_Orange]

Seriously who came up with the idea of SMS verification for login?

• Nobody wants to pay for receiving SMS while outside of Australia
• What % of Qantas members travel overseas and pick-up local sim cards?
• SMS are not free - Qantas is paying for each MT SMS. Even higher costs to some non-AU destinations
• Australia is one of the last remaining countries in the world still hanging on to SMS.

I may never login to my Qantas on the web, ever again.

Does anyone else find SMS log-in super annoying?

Paypal uses SMS too which amazes me. Again, either Microsoft's or Google's MFA app would be better.

 

[moa999]

Assume I also had an awsrdwallet Iogin so just cleared it.
Personally think QF has gone a bit too far. Really only need the second step for transfers or detail changes

 

[Kremmen]

You don't need an app for each website. Just use one single authenticator app, like Google Authenticator or Authy (there are a bunch more and free). No network connection required on your phone.

I know. The comment I was replying to was talking about "build TOTP functionality into the Qantas app itself".

 

[davidj]

Since when does it cost money to receive sms? Pretty much all financial linked sites will sms a code when either logging on or pushing through a transaction. Not sure what the problem is.

Fake news? Trolling?

 

[Pushka]

So I just read AFF newsletter, and you can op out of SMS by switching to security questions instead. So all the boo ha ha here for nothing? Is the AFF article correct?

That’s the bit where we discussed dob and year of joining upthread . As there was no notification that dual log in was to be launched this week then legitimate others might not know these details.

 

[Pushka]

Since when does it cost money to receive sms? Pretty much all financial linked sites will sms a code when either logging on or pushing through a transaction. Not sure what the problem is.

Fake news? Trolling?

My experience over the last 2 years of this with Qantas is that sms are not always received when os and in Australia they aren’t always sent in a timely manner.

Trolling? Check the identity of people commenting.

 

[ayebee]

Haven't read every post, so sorry if this is a repeat... there are a couple of angles from our perspective.
First - Mobiles
Then - Qantas

In the past I have experimented with various techniques for managing international roaming costs, but these days we don't bother with local SIMs etc but use our mobiles as little as possible, and mostly use wifi.
For connectivity we just used (note past tense) PAYG charges as needed the occasional call for coordinating local accommodation, taxis etc and if someone from home called they would leave a voicemail, and I called them back via VOIP on wifi for next to nothing.

So in May we headed off to USA and Europe for 6 weeks thinking we had our usual phone service arrangements.
Arrived in US and wondered why phone was not roaming ... contacted Mynetfone support and informed, Oh yes we cancelled your PAYG roaming and if you want to connect you need to buy a "pack" and pay $10 for each day when you send 1 SMS, or make 1 call, or receive a call. And you get 200MB of data.
Reason ? too many of their customers were having "bill shock" from data roaming.
Apart from the annoyance of the commercial proposition, the fact they cancelled the roaming service without informing me I found shocking.

OK, fair reason to have the "pack" as a commercial offering, but why penalise customers like us who don't use mobile data roaming, and actually understand the system. I have been roaming on international trips ever since GSM made it possible and never had "bill shock".

Our previous trip over a month in Europe and our total roaming charges were around $15, so ....
No Thanks !

Anyway, we muddled through 6 weeks with just wifi / VOIP / emails etc. There were a couple of occasions where I really would have liked mobile voice connectivity and would probably have spent $10-20 quite happily. Never mind as I have switched phone providers to one where they still have PAYG at acceptable rates.

So, Qantas...
That Qantas money website ONLY works via SMS authentication is hopeless.
Due to the issue above we could not receive an SMS, and found it impossible to access my wife's account even though we had perfectly good wifi internet access.

I have recollection (but not sure) that it previously also worked with an email verification, but maybe I am confusing with the QFF site.

While in NYC we tried calling the QF money support line simply to find out how much was owing for the payment we knew would be due.
As a separate issue, we were continually disconnected when trying to get through the menu - I suspect there may have been an incompatibility between the phone tones from the phone we were using and the QF IVR receivers.

The only good thing ...
Using the Qantas Money app on your phone, you don't need the SMS as for some reason they accept the access from your phone with the passcode.
I had the app on my phone and could access my account, but we could not access my wife's credit card account as she did not have the app on a separate device.

The moral of story ...

Instal the app.

 

[odysseus]

Yes, I just had to do it right now. Email access is much easier than sms when overseas.

And I would add locally.

 

[odysseus]

As you appear to be against SMS security, I’m curious to know what in your view is the most secure method to proceed with online transactions for Banking or Qantas Frequent Flyer ?

Actually, I'm not against SMS security, per se.

I'm against enforcement of only one type of security, without allowing for other circumstances.

 

[downgraded]

That’s the bit where we discussed dob and year of joining upthread . As there was no notification that dual log in was to be launched this week then legitimate others might not know these details.

I know you have to get in first, potentially with SMS, but then you can change your alternative security questions yourself to a number of choices you hopefully know the answer to (or as pointed out earlier, provide random words for the questions so you're not giving away those personal details.

 

[Daver6]

Actually, I'm not against SMS security, per se.

I'm against enforcement of only one type of security, without allowing for other circumstances.

Except they ARE allowing other options. You (and others) seem to just be ignoring that fact.



Click I need to verify in another way and you get...

 

[moa999]

Not a big fan of the alternate questions - even more of your info released into the public domain when the next hack occurs - also a report above that even when they were set, still wasn't allowing awardwallet to login.

Got no issues with SMS per se (but just use it for transactions or detail changes only)

 

[Steamrollersam]

Not a big fan of the alternate questions - even more of your info released into the public domain when the next hack occurs - also a report above that even when they were set, still wasn't allowing awardwallet to login.

Got no issues with SMS per se (but just use it for transactions or detail changes only)

I don’t know what most other people do, but you can give “false” answers to these security questions that mean something to you. Mother’s maiden name? Starfish. Favourite subject in school? Cool bananas. You don’t have to put the real answers to the security questions as long as you’re consistent?!?

 

[moa999]

You don’t have to put the real answers to the security questions as long as you’re consistent?!?

But that's the problem. Whether or not they are real answers, the fact that they are consistent is a security risk on other sites if there is a breach.

 

[mattm199]

I've had several SMS with verification codes when I haven't accessed the website of been using the app. No points activity when I've checked the site.
I wonder if AwardWallet is triggering this if trying to background update the points balance?
Anyone else had these mystery SMS codes?

 

[AustraliaPoochie]

I've had several SMS with verification codes when I haven't accessed the website of been using the app. No points activity when I've checked the site.
I wonder if AwardWallet is triggering this if trying to background update the points balance?
Anyone else had these mystery SMS codes?

Maybe someone knows your QFF number, surname and 4 digit number?
Only speculating/guessing.

 

[Chicken]

But that's the problem. Whether or not they are real answers, the fact that they are consistent is a security risk on other sites if there is a breach.

So you use a different random password, changed regularly, for each different site, with a password manager?

 

[pauly7]

But that's the problem. Whether or not they are real answers, the fact that they are consistent is a security risk on other sites if there is a breach.

They just have to be consistent with whatever you have logged with QF, not other sites.

—

Yes it’s not perfect. What is in life? But honestly it seems like everyone has lost all their brain cells over this one! (Not directed at you @moa999)

 

[Mrmaxwell]

Apple iCloud gives you three options for verification; SMS, code via email and code via phone call.

Much easier does not take a rocket scientist to implement.

Giving people the option to hand over all their personal info for 'secret' questions is insulting.

 

[Steamrollersam]

Do people really record 100% truthful personal info when answering these personal security questions?

Mind blown.