The curse of two-factor authentication
I am all for security protocols. If an account became compromised, I would be the first to throw my toys out of the pram. Over the last three weeks, I have experienced several ridiculous situations which have severely impacted on me. These incidents have led me to ask the question; at what point does a platform or business go beyond helping you, and end up working against you?
I would argue that the point of stepping beyond the line of help, starts with Two-Factor Authentication, and here is why:
What is two-factor authentication?
When you log into an account of any type, you enter your user name and password. Username and password is the first factor of authentication. It is becoming increasingly more common for platforms and financial services to use a second factor of authentication.
Two-factor authentication could be an email. In this instance, you will go to log in to the platform or service you wish to use, and an email is automatically generated. This email arrives into the email account you registered for that platform, and you click a link to say; “yes, I am trying to get into my account”. Email authentication is a moderate inconvenience, but it is bearable.
The other type is SMS text authentication. In the case of SMS authentication, the platform or service immediately send a text to you if you try to log in to your account. You then enter the code that they send you into the pop-up window. Again, this seems like a mild inconvenience. Unless of course, you are travelling.
Many Digital Nomads, backpackers and holidaymakers use a tourist SIM. This SIM has a temporary number and may be necessary due to limitations in service, or even better value phone and data deals. We now have a severe problem. The service provider who is restricting access to your account is sending an access code to a SIM you cant access — in many cases, not being able to enter the code results in an account restriction.
Is two-factor authentication an issue if you are not travelling?
Yes, it is. If you find yourself out of phone signal, or unable to access the internet to respond to an email, then two-factor authentication is going to be an issue wherever you are. You will experience fewer issues in your home country, but you are not entirely free from potential problems.
Why am I so frustrated with two-factor authentication?
I want to share with you the severity of the problem. I will keep details to a minimum, and concentrate on the bare facts. I hope that you will benefit from the lessons I have learned. Each of the organizations concerned has shown zero concern, offered unsatisfactory resolutions, or has yet to solve the issue. I am going to name them individually, and give you details on what went wrong in the worst case.
TSB Bank-Two Factor Authentication issues
TSB has been the worst offender. I have now had this issue three times. The latest situation they put me in is entirely ridiculous. What happened demonstrates a total lack of understanding of customer needs. Let me explain;
TSB has implemented a new system of two-factor authentication based on SMS text. According to their customer service, there is no option to opt-out. Cue the following absurd situation:
I am in Indonesia on a travel SIM and attempt to use a cash point as I am out of money.
TSB decline my card despite funds being present.
I transfer funds from my current account to my Revolut card. TSB decline my card despite funds being present.
I assume my account is compromised. I try to reach someone at the bank unsuccessfully. (It is 5 am on Sunday UK time).
I have to borrow some cash from a stranger to get water and some food as I am in need of both.
I put my UK SIM back into my phone, which has no credit. I attempt to top up the SIM. TSB decline the top-up from two separate cards despite funds being present. I am now very anxious.
I borrow the same traveller’s debit card to top up my phone, which is both embarrassing and highly inconvenient for us both. On topping up I discover that I have no signal and have to walk 2 miles in the blinding heat to reach a point where the phone works. My phone comes alive with a barrage of texts. All are from TSB asking if I have tried to use my cards in Indonesia. They instruct me to reply “yes” to unblock the cards.
Let’s just take a moment to see the absurdity of this situation.
TSB has seen me trying to use my cards, using the correct PIN and arbitrarily blocked the cards concerned. This block leaves me with no access to cash, no way to transfer funds out of my account to Revolut, and no third layer of protocol for me to respond to.
I am now stood in 36-degree heat trying to phone TSB customer service line. Why have my cards been shut down? I have used my cards for their intended purpose, while in a foreign country and the computer has said no because it perceives me (the account owner) as a risk.
What was the result of the conversation with TSB?
I am not going to go into detail. Suffice to say, after 40 minutes on the phone; I was unable to find anyone who could switch off the protocol. SMS texts will keep happening because that is how the software works. There is no option for me to switch it off. There is no option for the fraud department to note that I am abroad and make allowances. (Customer service response).
The whole situation became worse when transferred to complaints. The computer then threw up more challenges that I would have to pass before the girl at the end of the phone could do anything. There were three challenges in total. Could I tell her the 4th and 8th characters from my memorable information – Could I remember the exact amount of a deposit on a specific date last month, and could I tell her the exact amount of a withdrawal ten days previously.
The simple answer is no. I do not have a photographic memory.
The Verbatim response was;
“I am afraid you have failed to provide the correct information, and I am unable to continue the call. You can put a complaint in writing, or I can take your claim now, which will take around 20 minutes”.
- TSB has a security system which locks you out of your account when using your card, with the correct PIN.
- They then have further security protocols that demand that you memorize your entire bank statement for the previous month, both deposits and withdrawals before they can do anything about it.
- The complaints system then requires that you either write in with your issue, (which is not an option while stranded in a country without cash), or that you go through a further 20 minutes of pain and expense on the phone. Starting a complaint was pointless as I would not be able to switch off the two-factor authentication.
Is TSB the only culprit when applying unwanted security protocols?
Sadly not. And TSB customer service was not the worst. That medal belongs to MailChimp. I only featured TSB as I feel that the SMS protocol presents a significant threat to a vulnerable person.
In the last three weeks, Mailchimp, Google, Revolut, Paypal and Upwork have all caused the same issue. Some of those brands offered email recovery as the third line of authentication. I have since deleted my Mailchimp because they were unresponsive, and my Paypal, because they are completely arrogant in their position, making communication deliberately hard.
From where I am standing this signifies an issue. We no longer have control over how companies apply security protocols.
What have I learned from this?
Always carry a spare emergency cash fund.
Have an emergency virtual card, charged with credit.
If you are using a travellers SIM, you should really update every single account you have with the new number, even if it is just for a short period. (I think this demonstrates how unworkable SMS authentication is for Digital Nomads)
In our new age, we are extremely vulnerable, and at the mercy of a piece of software.
What can organizations learn from this?
Let your customers choose what security protocols they want.
Stop arbitrarily setting up SMS authentication. It is highly inconvenient and potentially dangerous. Thankfully I was just a pissed off and extremely sweaty customer trapped in Bali. Had I have been a more vulnerable person, without the balls to ask a stranger for cash (and succeed), things could have been a lot worse.
In every case, the fact that I was abroad seemed to have triggered a security protocol. Organizations are here to provide a service to us. As your customer, there is NO WAY we should be inconvenienced this much for simply trying to use a cash card, or log into a subscribed service! (I would understand if I had incorrectly entered my PIN, or even if I was spending a large amount of money).
DON’T LET A MACHINE SWITCH OUR ACCOUNTS OFF, and then provide no simple and clear route to get it switched back on. If you want to block an account, freeze a card or any take any other serious step, get a person to ring us first. If you can’t get through, then email as a backup. Do not take such a drastic step just because you don’t get a text back, or see a security pin entered.
I am not against security protocols. I appreciate that my situation was a little more unique than some, but I maintain that if you are in the UK and out of signal, you will have the same problem. Most of all, I am appalled at TSB’s attitude, the lack of foresight when it comes to SMS authentication in particular, and the lack of control I have over my own accounts. This is not the kind of article I relish writing, but I hope it helps you avoid a potentially awkward, or even dangerous situation when travelling.
Have fun out there.