Leave a legacy.

Allow users to secure their accounts with 2-Factor Authentication (2FA)

By: minimike86 | 31-07-2018 01:33

Problem Statement

Currently you log into giffgaff via your username (member name or mobile number) and your password.

Attackers can very easily enumerate member names using giffgaff's own affiliate links. For example: When you browse to https://www.giffgaff.com/orders/affiliate/minimike86 you will see that I am offering a joining bonus. However when you browse to https://www.giffgaff.com/orders/affiliate/ijustmadethismembernameup which is an invalid member name you are redirected to https://www.giffgaff.com/orders/mgm and with a few lines of code you can find all of the possible member names on the site.

What is your idea?

"2-Factor Authentication (2FA)" is a security control whereby a physical device (something you have) in the possession of the user produces random one-time use codes that are supplied with or after the username/password (something you know) combination. Example: a mobile phone running the google authenticator application <- Most Secure

"two-step verification" is a security control whereby you would receive a text message or email with a code that you would then enter after a successful login using a username/password combination, which would then authenticate you. This security control is not currently activated. <- Somewhat Secure

How will this benefit giffgaff and it’s members? Why should giffgaff implement your idea?

Currently the ONLY thing protecting any giffgaff customer from account compromise is their password.
It should therefore be fairly obvious what the benefits of adding one or both of the above ideas are...

  • Customer data will be more secure from account compromise (guessing username/password)!
  • GiffGaff will boost its customer reputation!
  • GiffGaff will reduce its operating costs - when informing customers about suspicious activity on their user accounts!



by: nickyheywood
on: 10-10-2018 14:19

great idea

by: muddycalhoun
on: 09-10-2018 17:49

good idea as is any that will improve security, has this or something like it come up before? Still supported

by: jason1973tess
on: 30-09-2018 22:34

I agree with that if you sign up you sign up with so use your mobile phone or I don't know Samsung laptop if someone else has used to sign into your account the let you know that's a good idea

by: shakira8
on: 30-09-2018 12:10


by: jmccarthy2912_2
on: 22-09-2018 16:19

But PLEASE don't make it compulsory...... available for those that want, sure - but I stopped using whatever it was that last made 2fa compulsory, coz it was too much hassle for me.

by: tids44
on: 18-09-2018 13:22

security is always best at all times

by: chinsndips
on: 17-09-2018 10:54

That would make sense. Increased security always in demand.

by: kathleen414
on: 10-09-2018 17:05

Yes i agrre but i feel it should be an option and not forced on all the members

by: alex920
on: 10-09-2018 15:05

Security is always a good idea