Cashrewards without Mobile?

I've been using Cashrewards for many years now, but this time, when I tried to have it cashed out, it refuses to do so unless you surrender a mobile number.
This obviously wasn't the case in the past.

Is there any way to get around this security pedantry?

If not, how tied down to the number are you? I'm thinking about sticking in a disposable SMS number, but if it forces you to, for example, use it every time you log in, then that's not particularly practical. I'm assuming you can't just remove (not change) the number after it's added.

(and before anyone suggests purchasing a $2 SIM + cheap phone, no I don't want to do this, and yes, I'm crazy in that way)

Thanks for reading!

Comments

  • +1

    Use your current mobile number.

    You could change it at CashRewards for a fictitious number later if you wanted to.

    • Thanks for the suggestion!

      From the sounds of that, a disposable/temporary number should work, though this does go against the typical nature of 2FA.

      If you put a phone number down, do you need it to log in? When does Cashrewards actually use the number?

  • +5

    Is there any way to get around this security pedantry?

    Would you rather they did not have this and simply allowed anyone who got your password to withdraw your funds?

    • +2

      Call me crazy, but yes, I would indeed rather that.
      People who don't agree can set up 2FA and be happy with it. The problem is being forced to use it against one's will.

      That's the basic gist of it, but read on if you're interested in my breakdown.

      anyone who got your password

      Firstly, if I leave my house with the door open, and it gets robbed, it's entirely my fault for being foolish enough to do this. Similarly, if I allow someone else to get my password, it's entirely my fault for not being able to keep it secret.

      Of course, I trust my ability to keep my password safe (if I didn't, perhaps 2FA would be more appealing). My passwords are all unique with the equivalent of 160 bits of random entropy, and should be considered quite secure by any standard - I wish anyone luck with trying to break through. Perhaps you might argue that most people aren't so sophisticated, which is fine - they can use 2FA, but I don't need it nor want it.

      And does SMS really help with security? Unfortunately, there have been multiple examples demonstrating that security offered via SMS is questionable at best. Personally, I wouldn't rely on it - I have much more control over the security of a password than I have over a public phone network.

      But more importantly:

      anyone who got your password to withdraw your funds?

      The core problem is that, despite this supposed security-improving feature, this is still possible. If we assume someone did get my password, they could just simply log in, set up 2FA using their number and withdraw all the funds, just as easily.
      Also take note that you can close an account without any 2FA, which effectively forfeits all funds. Perhaps they won't earn much out of it, but to me, I lose the balance either way.

      In other words, this is just security pedantry which does not actually improve security.

      Agree? Disagree? Feel free to leave your thoughts below. I'm quite confident with my ability in regards to maintaining digital security, but perhaps others may just see me as being full of myself.

      • +3

        The most annoying thing is to get an SMS when you are traveling overseas - I don't want to pay for roaming just to do my banking!

        • Receipt of SMS is free even if you're roaming.

        • I get particularly annoyed with services which completely block you because you're 'accessing from an unusual location'. I've actually gone to the effort of configuring my own proxy server to access these pedantic services, so that it always appears to them that I'm accessing from the same location, regardless of where I'm actually at.

      • +1

        You're not even thinking about 2FA correctly. Use some imagination, you're just trying to convince yourself.

        • Please do enlighten me! How should I be thinking about it correctly, and what imagination should I be applying?

  • +1

    I set it up just then just because of this thread and 2FA does not bother me. It does not ask me to enter in SMS to log in. It did ask me to enter SMS to submit the withdrawal.

    When you set it up there is a dot point that says: "Enabling 2FA ensures that only you can update your email address, password, bank details and withdraw your rewards."

    So I imagine it is only for updating details and withdrawing. Additionally it seems that you cannot change the number by yourself and must contact customer service to do so.

    Setting up this 2FA feels like it required extra steps compared to others:
    1. Enter in mobile and get SMS verification code.
    2. It also sends an email to your current registered email address for verification.
    3. Then another SMS again for some reason, probably to test or make sure it is linked correctly?

    Because of these annoying extra steps I imagine that if someone were to get your CR password they would also have to have access to your email account to successfully execute the scenario in your other comment: "If we assume someone did get my password, they could just simply log in, set up 2FA using their number and withdraw all the funds, just as easily."
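The flow described in the comment above, as an added model that is not part of the thread and not Cashrewards' code: enrolling a number needs both the SMS code and a code sent to the email already on file, and only the listed sensitive actions ask for an SMS code afterwards. The `Account` and `Service` classes, the `outbox` stand-in for SMS/email delivery and the six-digit codes are all assumptions.

```python
import hmac
import secrets

# Actions the quoted notice lists as protected; logging in is not one of them.
SENSITIVE = {"update_email", "update_password", "update_bank", "withdraw"}

class Account:
    def __init__(self, password, email):
        self.password, self.email = password, email  # model only: real systems store a hash
        self.mobile = None      # number bound for 2FA, None until enrolment completes
        self.pending = None     # (number, sms_code, email_code) during enrolment
        self.challenge = None   # code outstanding for a sensitive action

class Service:
    def __init__(self):
        self.outbox = {}        # destination -> last code delivered (stands in for SMS/email)

    def _send(self, dest):
        code = f"{secrets.randbelow(10**6):06d}"
        self.outbox[dest] = code
        return code

    def start_enrol(self, acct, password, number):
        if not hmac.compare_digest(password, acct.password):
            return False
        # One code to the new number, one to the address already on file.
        acct.pending = (number, self._send(number), self._send(acct.email))
        return True

    def finish_enrol(self, acct, sms_code, email_code):
        if acct.pending is None:
            return False
        number, want_sms, want_email = acct.pending
        acct.pending = None     # one attempt per enrolment
        ok = (hmac.compare_digest(sms_code, want_sms)
              and hmac.compare_digest(email_code, want_email))
        if ok:
            acct.mobile = number
        return ok

    def send_challenge(self, acct):
        if acct.mobile is not None:
            acct.challenge = self._send(acct.mobile)

    def perform(self, acct, action, code=None):
        # Assumes the session is already logged in with the password.
        if action not in SENSITIVE:
            return True         # e.g. browsing after login needs no code
        want, acct.challenge = acct.challenge, None   # codes are single use
        return want is not None and code is not None and hmac.compare_digest(code, want)
```

In this model someone holding only the password can start enrolment with their own number and read its SMS code, but `finish_enrol` fails without the code delivered to the owner's mailbox, so no number is bound and `perform` refuses the withdrawal.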

    • Thanks a lot for the info - that's very helpful!

      From the sounds of it, I should be fine with putting in a disposable number (until they change their policies and require you use it for logging in). Once the number vanishes, I'll bug their customer support.

      I imagine that if someone were to get your CR password they would also have to have access to your email account to successfully execute the scenario in your other comment

      Yeah, that makes sense, but then, if they trust your email, why the need for a mobile number? The verification code/link could just be sent via email, and it'd be just as useful for 2FA purposes, no mobile necessary. They've already gone to the effort of implementing an email verification system as well, so it's not like it would've required much extra effort.

      • +1

        No worries, happy to help.

        Just a note, part of 2FA is about splitting up the "something you know" which is your password/access to emails and "something you have" which generally is a physical token or in this case, your mobile that can receive SMS.

        Having two things of "something you know" isn't really multi factor authentication hence sending an email verification link on login doesn't really protect you.

        Personally I also find things like this jarring, but I also work in IT and have seen when things go bad in a corporate environment so can appreciate the need for it.

        • Thanks for the explanation!

          Yeah, it really depends on how one logs into email - if it's just a password (possibly even the same one), then yes, but if the user uses MFA on the email, then no. Regardless, they're still relying on it, and a system is only as secure as its weakest link, so it's still just as bad.

          Fortunately, I don't work in IT, however, I have seen the security (or lack thereof) implemented on many corporate systems. As such, I generally try to minimize the amount of personal information I enter into them. I have never had an account breach due to a password being stolen, but I've had multiple instances of info breach due to websites being hacked and databases exposed to the public. Having to trust third party systems is unfortunate, but one can at least minimize the risk by limiting information entered into them.

          Like you, I do appreciate having a 2FA system. I do not, however, appreciate their attempts to force users into using it.
          Oh well, I hope they'll reconsider - it's not like any of us can do anything otherwise.

          Thanks again for your help!

      • Hope @tightarse is not keeping a blacklist hahaha

  • I thought about signing up to Cashrewards today but the MANDATORY MOBILE NUMBER requirement (which only pops up after they ask for your e-mail address) is a deal breaker. It's also a massive red flag.

    Why does any company NEED a MOBILE number? It's not for security purposes. For a start they can verify your security by sending you a code to your e-mail. And they can always let you do two factor authentication using a Google Authy (or alternative open-source TOTP) app. There is just no reason for any company to REQUIRE a MOBILE number.

    • -2

      In short, higher level of security
      See what happened to shopback

      Afaik, they're dealing with money. And they have access to sensitive customer information, including financial information. Moreover, the new legislation (not sure if that has been passed yet) pushes the onus to the corporate by having set minimum standards.

      Not sure if you have heard about OTP in other countries, we are far behind here Downunder. They have banking, social security and identification, etc. all linked to mobile numbers.

      Pretty standard going forward.

      • Banks did 2FA for years without requiring a mobile number. It is ignorant and completely unprofessional to think that's the only way or even a good way to do it.

      • -1

        See what happened to shopback

        Getting hacked = more reason to not trust them with identifying info.
        It's a perfect example of why I refuse to just give out my mobile to anyone who asks (unlike most of society these days, it seems).
