Had to cancel a credit card that got hacked and entered the wondrous world of Westpac Security, the good and bad.
The good is short and should have been sweet… The hacked card was cancelled, the fraudulent charges flagged (all at Apple, transactions at 01:30 when the card holder is probably sleeping) and within minutes a new ‘card’ was issued that could be downloaded to the Westpac App, used online, and used in google pay. New physical cards will come when Auspost is willing. End of the good news.
The rest of the story.
Hours later I tried an online charge and the Westpac system declined it because ‘[we] do not have enough information on the account to send an OTP’ even though Westpac was sending me OTPs as I attempted to do certain actions on my account. A call to Westpac supposedly fixed it with advice to wait at least 2 hours before trying again; still have not tried it again but hopefully they fixed it.
While waiting I used my partner’s Westpac card (I am an authorised user with my own card on her account). Westpac sent her an OTP to validate the charge! Since we were sitting side by side it was not a worry, but the mentality is pretty special. Some systems, including Westpac, do not differentiate the card holders on an account so OTPs all go to the account holder. If the account holder is otherwise occupied, driving, not near, or just wondering if that card was hacked too? There are a few ways to ID different card users on one account so an OTP could be sent to the one making a charge.
My partner’s 4 year old phone is stuck at Android 6 and incompatible with Westpac’s App requiring at least 8. In contrast ING, Rabo, and Maquarie are happy to serve customers with apps that work on older Android. Westpac seems to serve their security experts rather than their customers.
A browser proved to be a significantly inferior substitute - myriad security warnings and messages - and far fewer ‘services’ being available.
The object of the post is an introduction into the brave new world of security with intended as well as unintended consequences for customers. This experience also has ramifications for a cashless society where planned obsolescence becomes accepted as the norm.
Nice post. I have learnt from experience that if you use a mobile phone number as a method of receiving one time passwords for two factor authentication, NEVER EVER lose access to that number.
New phone? Get that number ported over. And keep the old one until the porting process has been completed.
Apps that do not run on older versions of OS is a big bugbear of mine.
It is just lazy application development and testing. No other reason.
At the moment I find checkin staff at places I go are puzzled when I say I cannot checkin using my smart phone because the app doesn’t work, but I can easily display my fully vaxed certificate. Well done Vic Gov IT. Not.
It can be because it is dependent on an API that only became available with a certain version of the OS.
If the manufacturer itself has dropped support for a certain older version then the organisation’s security policy, and other reasons, may prevent the continued use of that operating system version on a phone. (I believe that Apple is better about this than Google.)
Suggested alternative: Use a TOTP security device.
Such a device, not being connected to the internet, realistically can’t be remotely exploited - and by reason of obscurity is probably less likely to be exploited at all.
By contrast, there are numerous successful exploits against mobile phones so, while using a mobile phone for 2FA is better than no 2FA at all, a mobile phone is hardly the paragon of security.
In addition, any organisation relying on their own app for 2FA runs the risk of “home-brew security”. Good security practice says “don’t invent your own security algorithms etc.”. Leave it to the experts.
Of course you have no way of knowing what the app is doing. It may be completely broken, or not. It is unlikely that you can lay your hands on an independent security audit.
Our credit cards are just about to expire, and we have been receiving notifications from direct debit accounts that our card details need updating.
Luckily we just received new cards two weeks before expiry, with the new expiry date and new three digit code on the back. Relief. There was a sticker on the cards to say that they did not need to be activated, but we needed to do a PIN transaction before we could swipe the card. That sounded fine.
I updated my card details immediately online to all the accounts I could think of off-hand. I even made on-line purchases and with my phone at various food stores. I completely forgot to do a transaction with my PIN because I don’t carry the credit card. Never mind. All good so far.
Then I went to pay my electricity bill at the retailer’s website, and the new card details were rejected. I put in the old card details (expiry and 3 digit code) and it went through.
Now I am perplexed. Is the new card working or not? If it is, why couldn’t I use it to pay for my electricity. If it’s not, why did all the other systems accept it?
For a period of time, you have an old card that is still valid until it expires, and a new card that is good until it expires in a few years time.
I had just your issue a few months ago. A telco would not accept the new card as it had stored details from the old card, like expiry date. I had to delete ALL the details of the old card and enter the new card details before the new card could be used.
Thanks for the response. In my case, there were no stored details. Same as always, I had to enter everything from scratch into the electricity provider’s website payment system. Perhaps when the old card expires, they may accept the new one?