
Allow users to secure their accounts with 2-Factor Authentication (2FA)

By: minimike86 | 31-07-2018 01:33

Problem Statement

Currently you log into giffgaff via your username (member name or mobile number) and your password.

Attackers can very easily enumerate member names using giffgaff's own affiliate links. For example, when you browse to https://www.giffgaff.com/orders/affiliate/minimike86 you will see that I am offering a joining bonus. However, when you browse to https://www.giffgaff.com/orders/affiliate/ijustmadethismembernameup, which is an invalid member name, you are redirected to https://www.giffgaff.com/orders/mgm. The site therefore answers differently for valid and invalid names, and with a few lines of code that difference can be used to discover every valid member name on the site.

What is your idea?

"2-Factor Authentication (2FA)" is a security control whereby a physical device (something you have) in the possession of the user produces single-use codes that are supplied with, or after, the username/password (something you know) combination. Example: a mobile phone running the Google Authenticator application <- Most Secure

"Two-step verification" is a security control whereby you receive a text message or email containing a code, which you then enter after a successful username/password login to complete authentication. This security control is not currently activated. <- Somewhat Secure

How will this benefit giffgaff and its members? Why should giffgaff implement your idea?

Currently the ONLY thing protecting any giffgaff customer from account compromise is their password.
It should therefore be fairly obvious what the benefits of adding one or both of the above ideas are...

  • Customer data will be more secure from account compromise (guessing username/password)!
  • GiffGaff will boost its customer reputation!
  • GiffGaff will reduce its operating costs when informing customers about suspicious activity on their accounts!


Comments

by: blue1212
on: 08-09-2018 10:04

Sounds good to me.

by: frommoon
on: 07-01-2019 11:43

Yes I like it.

by: ijustcantdoit
on: 27-08-2018 15:57

Yes, as long as it's an opt-in or opt-out for those who prefer the existing login.

by: adventure17
on: 25-08-2018 15:55

I agree, security does seem a little lax here, but not sure if this is the best way to improve it.

by: johnsmith140289
on: 21-08-2018 23:57

No thanks, I'd like to make the login as easy as possible, and bear in mind when you keep on getting logged out every 5 minutes.

by: stellamobile
on: 21-08-2018 21:03

The safer the better.

by: timwilliams25
on: 19-08-2018 00:35

Two-factor ID would be good, but it really needs to be another memorable word, phrase or number code, and you need to input certain characters from it (like most online banks).

I once had one of the machines you refer to, for the Nationwide; it was very frustrating and not user friendly at all. I couldn't see people being happy trying to log onto their account with their phone in one hand and another machine to generate a unique code in the other. Times have moved on to better things. I like the idea of another level of security though.

by: starkey93
on: 19-08-2018 00:02

The safer the better, I'd say.

by: koshka
on: 18-08-2018 12:59

I don't mind the idea of 2-step verification, but I don't agree with it being by physical device. They cause too many problems. Still, supported.

by: o7sagittarius
on: 17-08-2018 19:42

If it makes it safer, then why not?

by: sana_j19
on: 17-08-2018 16:04

Good idea.