
The written list of one-time passwords (not a "pad"; the One Time Pad is a specific crypto design that largely exists to compare things to rather than as a practical gizmo) fails the requirement in 2018/389 because it doesn't end up verifying the specific transaction.

Suppose you have password '47BF-38AP-3M99' on the list. You get a plausible email from your friend Barry saying he needs €40 urgently. You send €40 using that password and instructions Barry gave about some web site for transferring money.

Oops. That wasn't Barry: crooks used Barry's email account to send the message, and the €40 transfer turns out to have been a transaction to empty your account of €5830.26, but '47BF-38AP-3M99' was correct so the bank OK'd it.

The regulation aims to arrange that the second factor involves the transaction value 5830.26, which is weird for you because you are trying to send Barry €40. You would probably realise something is wrong when typing 5830.26 into an authenticator, or else the crooks only get €40, which is a bad pay-off for such a sophisticated attack.

My good bank gave me a weird chiclet keypad device years ago that I have to type stuff into while doing online transactions. So I'd have to type the amount into that device. It whitelists certain actions, so if I keep sending Barry money, I think I don't have to type the amount in every time or something.

The EU rules definitely don't forbid your bank doing something better here, but I can see that the way that bank chose to implement them hasn't helped you which sucks.
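As an added illustration of the point made in the comment above (this is example code written for this page, not anything the commenter, the bank or Vasco published), the sketch below contrasts a paper-list TAN, which verifies regardless of what transaction it is attached to, with a transaction-bound code in the style of the "dynamic linking" the regulation asks for. The device key, the TAN values, the payee identifiers and the nonce are all constructed for the demo; real hardware tokens use their vendor's own algorithm, and a real bank would issue the nonce as a challenge rather than fixing it.

```python
import hmac
import hashlib

# Hypothetical shared secret between the bank and the customer's signing device.
DEVICE_KEY = b"constructed-device-key-for-demo-only"

# Constructed paper list of one-time passwords (values are made up).
TAN_LIST = {"47BF-38AP-3M99", "8KQ2-0ZZ1-PL7C", "Q1X7-9RRD-02LA"}


def verify_list_tan(tan: str, amount_cents: int, payee: str) -> bool:
    """Paper-list style: the code is valid for *any* transaction.

    amount_cents and payee are accepted but deliberately ignored, which is
    exactly the weakness: the second factor says nothing about what is
    being authorised.
    """
    return tan in TAN_LIST


def transaction_code(key: bytes, amount_cents: int, payee: str, nonce: bytes) -> str:
    """Dynamic-linking style: the code commits to amount and payee.

    HMAC-SHA256 over (amount, payee, nonce), truncated to 8 decimal digits
    so it looks like something a keypad token could display. The
    truncation choice is ours; it is not any vendor's scheme.
    """
    msg = b"|".join([str(amount_cents).encode(), payee.encode("utf-8"), nonce])
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def verify_transaction_code(code: str, key: bytes, amount_cents: int,
                            payee: str, nonce: bytes) -> bool:
    """The bank recomputes the code over the transaction it actually received."""
    expected = transaction_code(key, amount_cents, payee, nonce)
    return hmac.compare_digest(code, expected)


def simulate_attack() -> dict:
    """Replay the Barry scenario against both designs.

    The customer believes they are sending EUR 40.00 to Barry and enters
    that into their device; the crooks submit EUR 5830.26 to a mule account.
    """
    nonce = bytes(8)  # fixed only so the demo is reproducible
    customer_amount, customer_payee = 4000, "IBAN-OF-BARRY"      # what the user approves
    real_amount, real_payee = 583026, "IBAN-OF-MULE"             # what is actually submitted

    # Paper list: the crooks simply relay the TAN the victim typed in.
    list_tan_accepted = verify_list_tan("47BF-38AP-3M99", real_amount, real_payee)

    # Bound code: the victim's device signs what the victim *saw*.
    code = transaction_code(DEVICE_KEY, customer_amount, customer_payee, nonce)
    linked_accepted = verify_transaction_code(code, DEVICE_KEY, real_amount, real_payee, nonce)
    honest_accepted = verify_transaction_code(code, DEVICE_KEY, customer_amount, customer_payee, nonce)

    return {
        "list_tan_accepted": list_tan_accepted,   # True: the list cannot tell the difference
        "linked_code_accepted": linked_accepted,  # False: amount/payee mismatch
        "honest_accepted": honest_accepted,       # True: the EUR 40 to Barry still goes through
    }


if __name__ == "__main__":
    print(simulate_attack())
```

The nonce is what stops a captured code from being replayed against a second transaction with the same amount and payee; without it the "whitelisted payee" convenience the commenter mentions would turn into a replay problem rather than a binding problem.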




Thanks for the in-depth explanation. My reaction has maybe been a bit knee-jerk, it's not like this is a major annoyance. The attack scenario is quite convoluted with needing both access to the account and a phishing attack for the one-time key, but I suppose it is plausible. At the same time this does open users to new attack vectors though, especially with SMS.


Any idea what the keypad device is called? Are you expected to carry it with you at all times? Is that feasible? Is there some sort of threshold for its use? For example, transactions under $X, even if fraudulent, might not be worth the inconvenience to the customer of having to go through the extra steps.

If you don’t mind my asking, is your banking institution geared towards HNW clients? The amount verification sounds very similar to what most banks in the US do for inter-bank transactions but I’ve never heard of something like that implemented on a bank account from the consumer’s side.


The device claims to be a "Vasco DigiPass". It has lots of other identifying marks, but those might be secret (even if they weren't supposed to be, disclosing them might inadvertently reveal a secret).

I am not required to carry it, but my understanding is that most features of my online banking don't work if I tell the system I don't have it with me. I store it with other valuable identity items like my birth certificate in my home; I do not take it with me when I travel.

This bank offers excellent 24/7 phone service, if I was away from home I would call them if I needed anything. All conceivable transactions can be concluded by phone, indeed I've mentioned to HN before that it turns out very high value financial transactions (literally buying a home in my case) can't be done online at all. The web site just tells me to call them instead to complete the transaction.

The institution is not especially geared to High Net Worth individuals, but it doesn't offer any products geared to people focused on being thrifty/economical. It doesn't offer zero-fee current account banking, it doesn't pay great interest on savings, it doesn't have "cash back" features on credit cards; it's just a very well run bank. If I needed £10 more than I need a bank I can rely on, I would leave.

