Surface Ripples

Phones, Phone Numbers and Security

Many websites, particularly bank websites, now require what is known as “Two Factor Authentication” (TFA) to complete transactions access the website or to authorise activities.

This idea behind this is sound: with the increase in fraudulent online activity by felons who have managed to acquire innocent victims’ details, banks, merchants and other service providers need to take action.

The problem can be that, when users set up TFA, they are asked to give a phone number. On the face of it, this is a good idea.  The problem is that the system then relies on that phone number for authorisation. This is great when users are accessible on that phone number. I have encountered situations, though, when I’ve been travelling and have replaced my (we’ll call it “local SIM card“ from the country in which I’m based) with a SIM card registered in the country I’m visiting.

This turns the TFA system upside down. If I need to access sites which rely on a telephone number to authenticate the transaction, my only choice is to replace one SIM with another for the duration of that transaction.

On the face of it, this is not a major effort. It is though, if the SIM card of the country in which I am based is from a provider who has no arrangement with a local mobile service operator in the country which I’m visiting.  It’s also likely to cost me more to receive that call. 

A better system which more suppliers and providers have identified is to have TFA based on a randomly generate security number which is done online via the internet, or to send an authentication code via email. In this case, it doesn’t matter where I am or which provider’s SIM card I have in my phone. As long as I can access the internet, I can obtain my random security number.

As more providers realise the benefits of TFA, through random security number generation online, dependence on a phone call will hopefully become a thing of the past.

There are, surprisingly, a number of large institutions, which have the time and resources (both financial and in terms of personnel and expertise) to implement such systems but haven’t. The only way to get them to get them to change will be through pressure from their customers.

Luckily, things are looking good on this front, and I believe that, in time, randomly generated security codes will become a norm as opposed to the return phone call for TFA.

I’ve spent more than half my life delivering change in different world markets from the most developed to “emerging” economies. With a wealth of international experience in international financial services around the world running different operations and lending businesses, I started my own Consultancy to provide solutions for improving performance, productivity and risk management.  I work with individuals, small businesses, charities, quoted companies and academic institutions across the world. An international speaker, trainer, author and fund-raiser, I can be contacted by email. My website provides a full picture of my portfolio of services.    

Labels: Customer Care, Risk

posted by William Martin @ 08:55