Yes, that is a complete yikes and a complete oversight by Curve. Lose your phone and card, you’re basically screwed!
Thank you Marie for the monthly update.
Is 3DS also in the pipe? With DSP2, which takes effect in September, 3DS will be required on most EU websites. My Curve card risks being useless.
It will leave us with a card we can use online
Hope not. The slogan will have to change from “The only card you need to carry” to “The only card you shouldn’t carry”. (Based on I do my online shopping at home and therefore have access to all my cards).
Hoping we’ve all got it wrong and the card will continue to work out and about without having to receive SMS messages left, right and centre to authorise the underlying card.
Edit: Ignore this post. Post below states that September’s deadline for stronger verification has been delayed.
That’s been delayed (at least in the UK) for a further 18 months:
I would love to see 3DS in Curve though.
Thank you for the info.
I’ll double check if it is the same in France…
Wow quite surprised at that - all my various cards have been bombarding me to check/update mobile numbers so thought everything was on track!
I can’t really see any advantage to the user from having the phone number instead of email being used. The main issue is probably that when someone loses their wallet/cards, quite often the phone/SIM card is also lost/stolen.
One would get a new SIM card and probably a new number and have to update that info with Curve immediately before being able to use the service again.
What’s the advantage for Curve by going with this? Preventing people from creating multiple accounts? If so, the bad news is that anyone can go to a store and grab a new free SIM card with a new number. Most people, at least here in Portugal, also have at least two SIM cards to begin with, so there’s also that.
Ugh, always the same. There was enough time for all banks and payment providers to be PSD2 ready but of course they start last minute and then complain that they don’t have enough time. Same exact thing happened with GDPR.
- Not quite yet, but we might be able to let you know in the next update.
- It would be great if it’s possible to bring your friends into the Beta to test it out. We’ll also create a thread here on the community where you could find someone to test it out with.
- We are hashing the phone numbers, not storing them. They will be recognised from your contact list.
- Haven’t planned on it, but it’s not impossible.
Yes, there will be a 2-factor authentication. You’ll need both the SMS and your passcode. Android users can choose whether they would like to use SMS or Google authentication.
We will ensure that the solution is robust enough to access abroad.
There’s a 2-factor authentication in place.
If your phone is stolen/lost you will have to download the app on a different device and go through a recovery procedure (as most other services). Nobody can access your Curve app because you need your passcode and SIM card. The recovery procedure will also require your email access.
Yes, that is a requirement for Curve as well and 3DS will be provided.
During the recovery process, does Curve send an SMS with a code to verify? If so, then my point still stands.
If they know your passcode that you set up (which should be longer than 4 digits, please implement that) then yeah they’ll be able to access it. Maybe don’t set your passcode to your birth year/1234/0000 as precautions?
I’m assuming you are not talking to me about this, but just to make sure…are you?
What about if you have set up a complex password. Would that be enough to get you back into your account?
There are some nice features coming, it seems. I do agree, I think email addresses should be the main contact detail. And two factor authentication is a great idea security wise!
Are we going to be able to have curve on apple/android/gpay?
With the virtual card how would that work in terms of being able to use it in store?
Why can only new customers be able to choose their pins?
All the features sound nice. And about login by phone number, it doesn’t matter for me tbh. BUT, there should be an easy way to change phone number. Like using special question-answer, authentication token or whatever else is safe enough. That would be the best compromise between Curve Team plans and people that aren’t happy about this change because of problems with transferring current phone number to other carrier in some countries.
One of the cases for using the recovery process is if you’ve forgotten your password. Having a complex password will not affect the process.
Yes. You’ll find other topics on that within the community.
The card will show the details, but you can’t use it in the store.
It will be possible to set the PIN code, not change it. That’s why new customers will be able to choose, but current customers cannot change it.
As the article posted by @Pawel also mentions, hashing could be a wrong choice (because of collision). Have you thought about that?
The first instinct is often just to hash the contact information before sending it to the server. If the server has the SHA256 hash of every registered user, it can just check to see if those match any of the SHA256 hashes of contacts transmitted by a client.
Unfortunately, this doesn’t work because the “preimage space” (the set of all possible hash inputs) is small enough to easily calculate a map of all possible hash inputs to hash outputs. There are only roughly 10^10 phone numbers, and while the set of all possible email addresses is less finite, it’s still not terribly great. Inverting these hashes is basically a straightforward dictionary attack. It’s not possible to “salt” the hashes, either (they always have to match), which makes building rainbow tables possible.
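The quoted argument can be checked at small scale when reviewing a hashed-identifier design. The sketch below is an added example, not part of the thread or of Curve's code; it assumes unsalted SHA-256 over E.164 strings, uses a constructed contact list drawn from the UK range reserved for TV drama, and its function names are hypothetical.

```python
import hashlib
import os
import time

def h(number: str, salt: bytes = b"") -> str:
    """SHA-256 of an E.164 phone number; unsalted unless a salt is given."""
    return hashlib.sha256(salt + number.encode()).hexdigest()

def build_table(prefix: str, digits: int) -> dict:
    """Hash every number of the form prefix + `digits` digits: hash -> number."""
    numbers = (f"{prefix}{n:0{digits}d}" for n in range(10 ** digits))
    return {h(num): num for num in numbers}

def invert(hashes, table):
    """Look each uploaded hash up in the precomputed table."""
    return [table.get(x) for x in hashes]

def seconds_for_space(space: int = 10 ** 10, sample: int = 50_000) -> float:
    """Time `sample` hashes on this machine and extrapolate to `space` inputs."""
    start = time.perf_counter()
    for n in range(sample):
        h(f"+{n:012d}")
    return (time.perf_counter() - start) / sample * space

# Constructed sample: the UK range reserved for TV drama, +44 7700 900000-900999.
PREFIX, DIGITS = "+447700900", 3
CONTACTS = ["+447700900123", "+447700900456"]   # constructed contact list

if __name__ == "__main__":
    table = build_table(PREFIX, DIGITS)
    uploaded = [h(c) for c in CONTACTS]           # what a client would send
    print("recovered:", invert(uploaded, table))
    # A per-client salt defeats the table, but then two clients hashing the
    # same number no longer agree, so the server cannot match them either.
    a, b = h(CONTACTS[0], os.urandom(16)), h(CONTACTS[0], os.urandom(16))
    print("salted hashes match:", a == b)
    hours = seconds_for_space() / 3600
    print(f"single-core estimate for 10^10 inputs: {hours:.1f} hours")
```

The estimate is for one unoptimised Python process, so it is an upper bound on the effort the quote calls a straightforward dictionary attack.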