VIP (Validation ID Protection)

  • 1.  Able to change my credential before providing the code

    Posted Jul 18, 2017 03:06 PM

    Hello

    I am a customer of a broker/bank, which uses Symantec VIP on their website for 2FA. The problem I've been reporting to them for a long time is that after login, I can click a link to "change my credential ID", register a new credential, and then use it to authenticate myself. I tried this with my second smartphone and it worked. I think this completely defeats the purpose of 2FA, as there is an easy bypass.

    Am I missing something? How can I lock my credential to my account, so that it is not so easy to change it? In my opinion, changing the credential should only be possible after further verification, that it's me and not somebody that stole my password. Could you let me know if I'm right? I really cannot get this message through to the support of my bank.



  • 2.  RE: Able to change my credential before providing the code

    Posted Aug 07, 2017 02:45 PM

    Hi Mike,

    This is a self-service feature so that you can update your credential in the event you lose or replace your current one. It sounds like when you login to the bank, you have to supply your 2FA credentials. So effectively, an attacker would still need your password and 2FA in order to change your credential ID.

    If you are concerned about how many credentials can be added to your account, that is a Symantec back end feature where the admin can decide how many devices are allowed.

    Since you are required to use 2FA on the initial login before you can change your credential ID, I would not consider this a "bypass".

    Hope that helps.

    Thanks,

    Jon



  • 3.  RE: Able to change my credential before providing the code

    Posted Aug 07, 2017 04:09 PM

    Hi Jon, thanks for your reply!

    The thing is, I can change the credential before providing the VIP code. I just provide my login and password, and the prompt for the VIP code comes on the second screen. On the same screen I can change the credential. So I only need the password to log in; this is a bypass then, right?

    Also, I don't believe the self-service that you describe works in the case of my bank. After I change the credential, the old one does not work. Also, I do not have any screen where I can manage and deactivate my credentials. The bank app itself has no menus controlling the VIP service; it only appears during the login.

    Mike
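The flow Mike describes, modelled as an added example (not code from the thread, from the bank, or from Symantec VIP): a session that has passed only the password step can rebind the account to a new credential ID in the first version of the change function, and cannot in the second, which requires the existing second factor to have been verified in that same session first. The Account and Session types, the user, the password, and the credential IDs are constructed for illustration.

```python
import hmac
from dataclasses import dataclass

@dataclass
class Account:
    password: str       # clear text only to keep the model short; real systems store a hash
    credential_id: str  # the VIP credential ID currently bound to the account

@dataclass
class Session:
    user: str
    password_verified: bool = False
    second_factor_verified: bool = False

def make_accounts():
    # Constructed sample data, not real credential IDs.
    return {"mike": Account(password="correct-horse", credential_id="VSMT-OLD-000001")}

def password_step(accounts, session, password):
    session.password_verified = hmac.compare_digest(accounts[session.user].password, password)
    return session.password_verified

def second_factor_step(session, code, expected_code):
    # In the real flow the VIP service validates the code against the bound credential.
    if not session.password_verified:
        raise PermissionError("password step not completed")
    session.second_factor_verified = hmac.compare_digest(code, expected_code)
    return session.second_factor_verified

def change_credential_vulnerable(accounts, session, new_id):
    # As in the thread: reachable from the OTP prompt, so only the password was checked.
    if not session.password_verified:
        raise PermissionError("password required")
    accounts[session.user].credential_id = new_id

def change_credential_hardened(accounts, session, new_id):
    # Re-enrollment requires the current second factor to have been proven in this session.
    if not (session.password_verified and session.second_factor_verified):
        raise PermissionError("second factor must be verified before re-enrollment")
    accounts[session.user].credential_id = new_id

def password_only_can_replace_credential(change_fn):
    """True if a session that knows only the password can rebind the account to a new ID."""
    accounts = make_accounts()
    session = Session(user="mike")
    password_step(accounts, session, "correct-horse")
    try:
        change_fn(accounts, session, "VSMT-NEW-000002")
    except PermissionError:
        return False
    return accounts["mike"].credential_id == "VSMT-NEW-000002"
```

A recovery path for a lost device still needs its own step-up verification (out of band, or via an administrator), which this model deliberately leaves out.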