SCA to be effective as of September 14th - CC/PP to require 2FA - Page 2

Comments

  • MichaelCee Barred
    edited August 2019

    Ympker said: Maybe some Blesta module needs an update?

    For reference from blesta forums:

    https://dev.blesta.com/browse/CORE-3068


    Thanked by 1: Ympker
  • SpryServers_Tab Member, Host Rep

    We've offered 2fa for years, but with this law do we need to REQUIRE 2fa? Like is offering it enough, or do we have to enforce it?

  • Hxxx Member

    Answered those below for you. Dev perspective.

    @raindog308 said:

    Hxxx said: Apps easier for the majority of users. Less work on their part.

    How so?

    • have to download app

    Like Facebook, Instagram, WhatsApp, etc. It is natural to use the app market.

    • have to hope it integrates with your password manager

    A properly done app would integrate with your fingerprint / phone lock ability.

    • have to keep it up to date

    It auto-updates. It's normal for these to be kept up to date automatically, unless you have disabled it.

    • have to learn any quirks because the interface is different than the web

    Actually, app development follows UX & UI best practices. It usually ends up being familiar. For example, hybrid frameworks like Ionic automatically apply a different behaviour to the UI depending on which platform the user is running. Good developers follow standards.

    • have to reload the app if you move to a different device

    That is done automatically by your device if you haven't disabled it.

    Etc.

    :)

  • jsg Member, Resident Benchmarker

    @raindog308 said:
    There are other forms of 2FA though - my employer requires it for most logins and we use an authenticator. Previous employer used RSA fobs. I'm not sure why a Google Authenticator, et al is hard to use, though SMS codes are more popular, probably due to familiarity.

    Trust me, you don't want to go down that rabbithole because there is a lot of noise but no rabbits in it.
    Hint: "RSA fobs" as in "products that use a paid-for 'random' (prng) algo from the NSA".
    One problem is evident: NSA, GCHQ, etc. A less evident problem is that almost all major players (e.g. Google) have (a) a selective view because their interest isn't security but "security for our needs/use cases" and (b) usually a context that is very much different from yours (e.g. thousands and thousands of servers and billions of $).
    Other problems that are rarely seen and understood include poor random choices (which looks unimpressive but actually is by far the most important element in most IT security), cruft (the OpenBSD guys ripped out lots of cruft from OpenSSL for good reasons), and more.

    I don't know if I'd call AV pure snake oil...it can be helpful, though it's purely reactive and of course, provides the illusion of complete protection when at best it's piecemeal.

    I came from another angle, the fact that pretty much all AVs have become security risks themselves. There are quite a few attack vectors out there due to considerable vulnerabilities in AVs.

    Absolutely...democracy is the demented idea that idiots can identify and select good leaders. But then, I've always assumed Sturgeon's Law applies to human intelligence.

    If that ever came into public view the 90% would be united in voting for controlling (or locking away) the "dangerous intelligent ones". So, psshhh

  • jsg Member, Resident Benchmarker

    @Hxxx said:
    Like Facebook, Instagram, WhatsApp, etc. It is natural to use the app market.

    Which - thank God for that! - are not part of the OS and must be "downloaded"

    A properly done app would integrate with your fingerprint / phone lock ability.

    Definitely not. A properly done app would always let the user have some choice and the last word. Anything that boils down to a black box for the user is not a good solution.

    • have to keep it up to date

    It auto-updates. It's normal for these to be kept up to date automatically, unless you have disabled it.

    Auto-updating solved some problems ... and created others and sometimes worse ones.

    Actually app development follow UX & UI best practices ...

    Please kindly call yourself "web dev" and not "dev". The latter are usually engineers (or tick like engineers) while the former often are [self-redacted] and have next to nothing in common with engineers.

    Thanked by 2: Hxxx, AlwaysSkint
  • MikePT Moderator, Patron Provider, Veteran

    @SpartanHost said:

    @MikeA said:

    @MikePT said:
    I guess WHMCS will handle this for us, we're using PayPal, Stripe and GoCardLess, all officially supported by WHMCS.

    Have no fear, WHMCS charges $1.50/month for account 2FA access! I am sure payment 2FA will cost $3.00/month!

    They don't charge anymore for two factor auth (time-based tokens) in WHMCS 7.8 :smile:

    Source: https://preview.whmcs.com (Free Two-Factor Authentication)

    That's nice actually!

  • Clouvider Member, Patron Provider

    @MikePT said:

    @Clouvider said:

    @MikePT said:

    @Clouvider said:

    @MikePT said:
    I guess WHMCS will handle this for us, we're using PayPal, Stripe and GoCardLess, all officially supported by WHMCS.

    Guess again. Especially if you are auto-charging cards on file.

    What do you mean?

    You need to indicate through API that you intend to use card for recurring payments and that needs to go through 3DS2, otherwise when it's rolled in - your recurring transactions will decline automagically.

    And won't WHMCS be able to do that?

    I don’t know - ask them - surely not retrospectively though, so cards on file will need to be re-entered with Customer on site again through 3DS(2) before you’ll be able to continue using them.

    We have been adding this API call for the past month already to all payments on site. We aren’t quite sure if all banks are registering it yet - cuz no one seems to be prepared for this. It’s a joke.

    Thanked by 1: MikePT
  • Hxxx Member
    edited August 2019

    You are right, I should have said Software Engineer :) . I don't know who you are minimizing here lol. Just saying... All I can gather from your responses is:

    - You assume without experience.

    - UX & UI is not limited to web, so... I feel sad already for your response.

    - You forgot we are talking about normal users and not engineers. For engineers apps are useless. But for normal users who like to one-touch things and be done with it, apps are the way. Actually, if I'm wrong, why do app stores exist ... and why are they so alive with new apps joining every day?

    I'll give you a 6/10 for effort.

    Remember that not all apps run on web tech. There are advantages for apps that run native code in terms of performance, API access, integration...etc.

    @jsg said:

    @Hxxx said:
    Like Facebook, Instagram, WhatsApp, etc. It is natural to use the app market.

    Which - thank God for that! - are not part of the OS and must be "downloaded"

    A properly done app would integrate with your fingerprint / phone lock ability.

    Definitely not. A properly done app would always let the user have some choice and the last word. Anything that boils down to a black box for the user is not a good solution.

    • have to keep it up to date

    It auto-updates. It's normal for these to be kept up to date automatically, unless you have disabled it.

    Auto-updating solved some problems ... and created others and sometimes worse ones.

    Actually app development follow UX & UI best practices ...

    Please kindly call yourself "web dev" and not "dev". The latter are usually engineers (or tick like engineers) while the former often are [self-redacted] and have next to nothing in common with engineers.

  • jsg Member, Resident Benchmarker

    @Hxxx

    Well that's roughly what was to be expected from a "UX" and "UI" focussed "developer".

    But hey, satisfy my curiosity: what libraries or frameworks are you using when developing, say for Linux, xBSD, Windows, Apple (the desktop OS), Android, and iOS?

  • MikePT Moderator, Patron Provider, Veteran

    @Clouvider said:

    @MikePT said:

    @Clouvider said:

    @MikePT said:

    @Clouvider said:

    @MikePT said:
    I guess WHMCS will handle this for us, we're using PayPal, Stripe and GoCardLess, all officially supported by WHMCS.

    Guess again. Especially if you are auto-charging cards on file.

    What do you mean?

    You need to indicate through API that you intend to use card for recurring payments and that needs to go through 3DS2, otherwise when it's rolled in - your recurring transactions will decline automagically.

    And won't WHMCS be able to do that?

    I don’t know - ask them - surely not retrospectively though, so cards on file will need to be re-entered with Customer on site again through 3DS(2) before you’ll be able to continue using them.

    We have been adding this API call for the past month already to all payments on site. We aren’t quite sure if all banks are registering it yet - cuz no one seems to be prepared for this. It’s a joke.

    Well let's see what will happen I guess!!! :)

  • Zerpy

    @Clouvider said:
    I don’t know - ask them - surely not retrospectively though, so cards on file will need to be re-entered with Customer on site again through 3DS(2) before you’ll be able to continue using them.

    If you already had 3D-Secure enabled for all payments, you won't have to re-enter on the site, because you've already done the SCA - at least that's how it works with Braintree and quite some other Payment Providers.

    @SpryServers_Tab said:
    We've offered 2fa for years, but with this law do we need to REQUIRE 2fa? Like is offering it enough, or do we have to enforce it?

    No, SCA has to happen on the payment itself - if using an external hosted payment window, you'll likely not have to do anything (but confirm with your payment provider); if you're using Drop-In UIs or Hosted Fields from Braintree, Stripe or similar, you'll have to update the code to do 3D-Secure 2.0 (relatively easy for the drop-in UI in Braintree at least).

  • Clouvider Member, Patron Provider
    edited August 2019

    Zerpy said:
    If you already had 3D-Secure enabled for all payments, you won't have to re-enter on the site, because you've already done the SCA - at least that's how it works with Braintree and quite some other Payment Providers.

    Not really. In case you intend to re-use Customer details offline, so for example, for the purpose of automated billing, you need to pass an additional parameter when creating the charge, informing the bank that you intend to do so. The bank can then apply different authentication to the Customer to comply with their own risk assessment under SCA.

    Thanked by 1: Ympker
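    The "additional parameter" Clouvider describes, as an added example that is not code from this thread, from WHMCS or from any gateway's SDK: the parameter names (`setup_future_usage`, `off_session`, the decline code `authentication_required`) mirror Stripe's PaymentIntents API, and the gateway/issuer is a constructed in-memory stand-in so the block runs offline. It shows why a card stored before SCA without that flag gets declined on the next automated charge and must be re-entered with the customer on site.

```python
from dataclasses import dataclass


@dataclass
class CardOnFile:
    token: str
    # Set only after the customer authenticated (3DS2) an on-session
    # charge that was flagged for future off-session use.
    recurring_mandate: bool = False


def initial_charge_params(card, amount, currency="eur"):
    """Customer present: declare that the card will be charged later
    without them, so the issuer runs SCA now and records that intent.
    Parameter names mirror Stripe's PaymentIntents API (assumption)."""
    return {"amount": amount, "currency": currency,
            "payment_method": card.token, "confirm": True,
            "setup_future_usage": "off_session"}


def recurring_charge_params(card, amount, currency="eur"):
    """Automated billing run: customer absent, so declare off_session."""
    return {"amount": amount, "currency": currency,
            "payment_method": card.token, "confirm": True,
            "off_session": True}


class FakeGateway:
    """Constructed stand-in for gateway + issuing bank: an off-session
    charge is honoured only for cards whose authenticated first charge
    declared future off-session use; otherwise the issuer demands SCA."""

    def charge(self, card, params):
        if params.get("off_session") and not card.recurring_mandate:
            return {"status": "requires_action",
                    "decline_code": "authentication_required"}
        if params.get("setup_future_usage") == "off_session":
            card.recurring_mandate = True  # customer completed 3DS2 here
        return {"status": "succeeded"}


def run_billing(gateway, card, amount):
    """Invoice job outcome: 'paid', or 'needs_customer' when the card must
    be re-authenticated on site before recurring billing can resume."""
    result = gateway.charge(card, recurring_charge_params(card, amount))
    if result["status"] == "succeeded":
        return "paid"
    if result.get("decline_code") == "authentication_required":
        return "needs_customer"
    return "failed"
```

    A billing system should treat `needs_customer` as a queue of accounts to e-mail for on-site re-authentication rather than as a hard payment failure.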
  • Zerpy

    @Clouvider said:
    Not really. In case you intend to re-use Customer details offline, so for example, for the purpose of automated billing, you need to pass an additional parameter when creating the charge, informing the bank that you intend to do so. The bank can then apply different authentication to the Customer to comply with their own risk assessment under SCA.

    Better inform Braintree about that then ;)

    And I can see you have to inform Adyen as well then - since they'll only require SCA if the first transaction was made on or after 14 September 2019: https://docs.adyen.com/payments-essentials/psd2-sca-compliance-and-implementation-guide/

    So two major gateways are then doing it illegally or?

  • Clouvider Member, Patron Provider
    edited August 2019

    Zerpy said: So two major gateways are then doing it illegally or?

    It's not about legality - I agree that 3DS suffices legally, but it's about whether the issuing bank will say yes or no during the authorisation in this case, and I guess we'll find out in September or later how this works out in practice.

  • SpryServers_Tab Member, Host Rep

    @Zerpy said:

    @Clouvider said:
    I don’t know - ask them - surely not retrospectively though, so cards on file will need to be re-entered with Customer on site again through 3DS(2) before you’ll be able to continue using them.

    If you already had 3D-Secure enabled for all payments, you won't have to re-enter on the site, because you've already done the SCA - at least that's how it works with Braintree and quite some other Payment Providers.

    @SpryServers_Tab said:
    We've offered 2fa for years, but with this law do we need to REQUIRE 2fa? Like is offering it enough, or do we have to enforce it?

    No, SCA has to happen on the payment itself - if using an external hosted payment window, you'll likely not have to do anything (but confirm with your payment provider); if you're using Drop-In UIs or Hosted Fields from Braintree, Stripe or similar, you'll have to update the code to do 3D-Secure 2.0 (relatively easy for the drop-in UI in Braintree at least).

    Ahh, good to know. We transmit the data directly (non-tokenized Authorize.net), with the exception of PayPal payments of course.

  • doghouch

    @jsg said:
    @Hxxx

    Well that's roughly what was to be expected from a "UX" and "UI" focussed "developer".

    But hey, satisfy my curiosity: what libraries or frameworks are you using when developing, say for Linux, xBSD, Windows, Apple (the desktop OS), Android, and iOS?

    React <3

    /s

    Thanked by 1: Hxxx
  • Hxxx Member

    Angular <3

    @doghouch said:

    @jsg said:
    @Hxxx

    Well that's roughly what was to be expected from a "UX" and "UI" focussed "developer".

    But hey, satisfy my curiosity: what libraries or frameworks are you using when developing, say for Linux, xBSD, Windows, Apple (the desktop OS), Android, and iOS?

    React <3

    /s

  • doghouch

    @Hxxx

    I was being sarcastic — real men write iOS apps in Objective-C as opposed to Swift :I

  • Hxxx Member

    I differ ... real men write apps with pure C, not even ++. Objective-C is for pussies.

    @doghouch said:
    @Hxxx

    I was being sarcastic — real men write iOS apps in Objective-C as opposed to Swift :I
