
Allow users to secure their accounts with 2-Factor Authentication (2FA)

By: minimike86 | 31-07-2018 01:33

Problem Statement

Currently you log into giffgaff via your username (member name or mobile number) and your password.

Attackers can very easily enumerate member names using giffgaff's own affiliate links. For example: when you browse to https://www.giffgaff.com/orders/affiliate/minimike86 you will see that I am offering a joining bonus. However, when you browse to https://www.giffgaff.com/orders/affiliate/ijustmadethismembernameup, which is an invalid member name, you are redirected to https://www.giffgaff.com/orders/mgm, and with a few lines of code you can find all of the possible member names on the site.

What is your idea?

"2-Factor Authentication (2FA)" is a security control whereby a physical device (something you have) in the possession of the user produces random one-time-use codes that are supplied with or after the username/password (something you know) combination. Example: a mobile phone running the Google Authenticator application <- Most Secure

"two-step verification" is a security control whereby you would receive a text message or email with a code that you would then enter after a successful login using a username/password combination, which would then authenticate you. This security control is not currently activated. <- Somewhat Secure

How will this benefit giffgaff and its members? Why should giffgaff implement your idea?

Currently the ONLY thing protecting any giffgaff customer from account compromise is their password.
It should therefore be fairly obvious what the benefits of adding one or both of the above ideas are...

  • Customer data will be more secure from account compromise (guessing username/password)!
  • GiffGaff will boost its customer reputation!
  • GiffGaff will reduce its operating costs - when informing customers about suspicious activity on their user accounts!
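
The affiliate-link enumeration described in the problem statement is visible in web logs, because every invalid member name ends in a redirect to /orders/mgm. The following detection sketch is an added example, not part of the original post or giffgaff's code; the log line format, sample IPs, sample names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed (constructed) log format: client IP, request line, status, redirect target.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "GET /orders/affiliate/(?P<name>[^/\s"?]+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<location>[^"]*)"$'
)
MISS_TARGET = "/orders/mgm"  # where the post says invalid member names are sent

def find_enumerators(lines, min_names=5, min_miss_ratio=0.5):
    """Return {ip: (distinct_names, miss_ratio)} for clients probing many names."""
    probed = defaultdict(set)  # ip -> distinct member names requested
    missed = defaultdict(set)  # ip -> names that redirected to the miss page
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an affiliate-link request
        ip, name = m["ip"], m["name"].lower()
        probed[ip].add(name)
        if m["status"].startswith("3") and m["location"].endswith(MISS_TARGET):
            missed[ip].add(name)
    flagged = {}
    for ip, names in probed.items():
        ratio = len(missed[ip]) / len(names)
        # Many distinct names, mostly nonexistent, is not normal referral traffic.
        if len(names) >= min_names and ratio >= min_miss_ratio:
            flagged[ip] = (len(names), round(ratio, 2))
    return flagged

# Constructed sample: one ordinary visitor, one mistyped link, one client
# requesting a run of names that mostly do not exist.
MISS = '302 "https://www.giffgaff.com/orders/mgm"'
SAMPLE = [
    '198.51.100.20 "GET /orders/affiliate/minimike86 HTTP/1.1" 200 ""',
    f'192.0.2.50 "GET /orders/affiliate/minimike68 HTTP/1.1" {MISS}',
    '203.0.113.7 "GET /orders/affiliate/minimike86 HTTP/1.1" 200 ""',
] + [
    f'203.0.113.7 "GET /orders/affiliate/guess{i:03d} HTTP/1.1" {MISS}'
    for i in range(5)
]

if __name__ == "__main__":
    for ip, (count, ratio) in find_enumerators(SAMPLE).items():
        print(f"{ip}: {count} distinct names, {ratio:.0%} invalid")
```

Returning the same response for valid and invalid member names would remove the signal this check relies on, and the enumeration oracle with it.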


Comments

by: erisds
on: 10-04-2019 13:21

I keep being told by Giffgaff support that I have to comment here if I want to be heard, so here I am.

It is absolutely imperative that Giffgaff adds second or multi-factor authentication on their online accounts immediately. There are now at least 7 ideas that cover this:

https://labs.giffgaff.com/idea/16713916/2-factor-authentication

https://labs.giffgaff.com/idea/16712158/allow-users-to-secure-their-accounts-with-2-factor-authentication-2fa

https://labs.giffgaff.com/idea/16701487/u2f-to-protect-personal-data-on-my-giffgaff-with-2-step-2-factor-authentication-option-for-my-giffgaff-logins

https://labs.giffgaff.com/idea/16712363/require-2-factor-authentication-to-sign-up-for-payforit-texts

https://labs.giffgaff.com/idea/16707920

https://labs.giffgaff.com/idea/16703325

Many of these are over 4 years old. It's very clear that no one reads or moderates this board.

That's fine - it's up to you to choose whether to moderate the board, but if you're not going to, then your agents need to stop telling people to raise ideas for things that have been open for 4 years already and be honest about the fact that no one cares what's written here.

by: roise05
on: 23-03-2019 20:50

Great idea.

by: helen_starkey
on: 18-03-2019 17:05

great idea

by: iamnew787
on: 12-03-2019 14:18

Good idea

by: emmalouisep93
on: 19-01-2019 20:03

Good idea

by: brkdn16
on: 13-01-2019 17:27

We need this because of scams :/

by: adamtheant
on: 17-02-2019 13:37

Too right

by: onthelash
on: 05-01-2019 19:53

Great idea

by: starkey93
on: 07-12-2018 19:54

This idea is not for me but best of luck mate

by: diamond222
on: 28-11-2018 12:26

I like this idea

by: rozina
on: 27-11-2018 12:03

good