Allow users to secure their accounts with 2-Factor Authentication (2FA)

By: minimike86 | 31-07-2018 01:33

Problem Statement
Currently you log into giffgaff via your username (member name or mobile number) and your password.
Attackers can very easily enumerate member names using giffgaff's own affiliate links. For example: When you browse to https://www.giffgaff.com/orders/affiliate/minimike86 you will see that I am offering a joining bonus. However when you browse to https://www.giffgaff.com/orders/affiliate/ijustmadethismembernameup which is an invalid member name you are redirected to https://www.giffgaff.com/orders/mgm and with a few lines of code you can find all of the possible member names on the site.
What is your idea?
"2-Factor Authentication (2FA)" is a security control whereby a physical device (something you have) in the possession of the user produces random one-time use codes that are supplied with or after the username/password (something you know) combination. Example: a mobile phone running the Google Authenticator application <- Most Secure
"two-step verification" is a security control whereby you would receive a text message or email with a code that you would then enter after a successful login using a username/password combination, which would then authenticate you. This security control is not currently activated. <- Somewhat Secure
How will this benefit giffgaff and its members? Why should giffgaff implement your idea?
Currently the ONLY thing protecting any giffgaff customer from account compromise is their password.
It should therefore be fairly obvious what the benefits of adding one or both of the above ideas are...
- Customer data will be more secure from account compromise (guessing username/password)!
- GiffGaff will boost its customer reputation!
- GiffGaff will reduce its operating costs - when informing customers about suspicious activity on their user accounts!
on: 15-08-2018 10:56
any security is brilliant so happy to back any of these ideas
on: 15-08-2018 09:47
Well thought of, gets my vote.
on: 14-08-2018 20:47
Good idea
on: 14-08-2018 18:22
Seen this one before. Might be better to vote for an existing idea.
on: 10-08-2019 22:48
If you lose your phone, or your phone is nicked and in the hands of someone else, a text to it would not be very helpful! It might even authenticate the thief! If you had to choose an email or text authentication it might work, but that is an extra step and extra complication.
How big a problem is fraud anyway?
on: 30-07-2019 08:12
Another vote in favour, with a strong preference for TOTP OATH as one of the supported protocols (and don't forget the option to pre-generate recovery codes). I agree it should be something users can turn on if they want it, at least initially, rather than something introduced across the board for all users.
on: 07-07-2019 18:03
looking forward to this.
on: 20-06-2019 16:32
I searched 10 minutes in all the Account options to find how to activate 2-factor authentication on my GiffGaff account!
I support this idea!
Bonus point if the 2-factor authentication supports cryptographic keys (like the Yubico ones).
on: 10-09-2018 13:52
If giffgaff thought this was required it would have happened a while back
on: 20-08-2018 15:30
Sounds like overkill.