Citibank phasing out security questions in favour of One Time Passwords

This is sort of a follow up to: http://www.ozbargain.com.au/node/74594#comment-943324 but on a different tack so I thought I'd start a new post.

Just got notified by Citibank that they will be phasing out the security questions for the second factor in online login, the what's your first pet's name kind, and instead sending one time passwords to your mobile.

This shouldn't affect withdrawals at ATMs, but if you were hoping to do online queries or transactions overseas, then you'd need your mobile with you and roaming (but won't cost you as it's incoming SMS). Alternatively their smartphone app and Internet access.

Comments

  • I am going overseas and called Citibank re change to OTP. You could mark your account going overseas and it will be no OTP till you overseas.

  • Every time I log in I'm too lazy to check my phone, I click the button that says "I didn't get my OTP" and then it resorts to the security questions, so if that's still available then all should be fine.

  • In the latest statement from Citibank I received a letter stating security questions will be removed soon - so this is not a solution to the problem.

  • From memory, having logged on a few days ago, it gives you a choice of ignoring the OTP and just using secret questions.

    • Yes so did I but that will go away in future.

      • So when it does, so will my Citibank account.

        • I can probably live with it on a per holiday basis since roaming is not hard to get now. It's not often that I need to login to check the account.

          I note that sometimes when I've logged into banking websites from overseas, they've sent me queries about it to double check. Sometimes I use a VPN to prevent that.

  • Rather than implementing their own OTP using SMS, they should probably use something like Google Authenticator, which uses a time-based OTP algorithm so you can use it without network or mobile connection on your phone.

    • But not everybody is comfortable with using mobile Internet, and especially more so in a foreign country, whereas SMS is obtainable everywhere at no cost to the recipient as long as they have roaming. Also Citibank is providing a means of providing/obtaining a second factor through their mobile app for those who prefer mobile Internet to SMS.

      We technophiles sometimes forget how uncomfortable some people are with technology. I imagine that even enabling roaming might cause some users anguish, will I get hit by big bills, what if I lose my phone, etc, etc.

      • Actually, with time-based authentication, the secret token is exchanged only ONCE when the account is set up. Password generation does not need network at all.

        Google Authenticator is also a single app available on multiple platforms that works on sites that implement the protocol. We can have a 2 phase authentication here at OzBargain using Google Authenticator if there's enough demand :)

        The only requirement is that your device has to have correct time, down to the second for example.

        • Yes, but technophobes still have to carry a smartphone around. They are already scared of carrying a mobile phone as it is.

          Actually I'm for more widespread use of 2-factor authentication, but it will take a while for it to spread in the real world.

        • "We can have a 2 phase authentication here at OzBargain using Google authenticator if there's enough demand :)"

          I'd be up for it. I doubt it will see much use though.

          More generally, this sort of system is much better than the security questions, which are pretty pointless as a security measure.

        • "much better than the security questions"

          Indeed, especially in the old days hackers could social engineer the victim to obtain that information. These days it is widely available on Facebook profiles with low privacy settings :(

  • I never really thought about complications with SMS security & going overseas before. Most of the banks I'm with do it. It does make things complicated.

  • +1

    There is another option, if you download their smartphone app, it can generate an offline OTP. Then you don't need to be able to receive SMSes.

    http://www.citibank.com.au/otp/

    They might indeed be using the Google Authenticator algorithm.

  • Citibank OTP works. You just need to set it back to the old time zone.

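The time-based scheme discussed in the comments above, as an added example that is not part of the thread and is not Citibank's or Google Authenticator's own code: an RFC 6238 TOTP generator plus a server-side check that tolerates one 30-second step of clock drift and refuses a code that was already used. The key is the RFC 6238 test key and all function names are this example's own; the page does not establish which algorithm Citibank's app uses.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown to the user

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238: the counter is Unix time (UTC seconds) divided by the step.
    Nothing is sent or received; only the shared secret and a clock are used."""
    return hotp(secret, unix_time // STEP, digits)

def verify(secret: bytes, submitted: str, server_time: int,
           window: int = 1, last_used_step: int = -1):
    """Return the matched time step, or None if the code is rejected.
    Accepts codes up to `window` steps either side of the server clock and
    skips any step at or before `last_used_step` so a code cannot be replayed."""
    now = server_time // STEP
    for step in range(now - window, now + window + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None

def demo() -> dict:
    secret = b"12345678901234567890"   # RFC 6238 test key, exchanged once at enrolment
    t = 1111111109                     # constructed "current" Unix time
    code = totp(secret, t)             # generated offline on the device
    return {
        "code": code,
        # server clock 20 s ahead of the device: within the +/-1 step window
        "small_drift": verify(secret, code, t + 20),
        # device clock wrong by one hour: far outside the window
        "hour_off": verify(secret, totp(secret, t + 3600), t),
        # same code presented again after it was accepted once
        "replay": verify(secret, code, t, last_used_step=t // STEP),
    }

if __name__ == "__main__":
    print(demo())
```

Because the counter comes from UTC seconds, the device's time zone setting does not enter the calculation in this scheme; what breaks verification is the absolute clock being wrong.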