Speaking of N26, I’ve just reinstalled the app and tried to make a transfer. It’s asking me to confirm it (why? I made it on the same device to begin with, and it did ask for a confirmation PIN when making the transfer) and errors out with a “device not paired” and asks me to pair it… why is “pairing” even separate from login to begin with?
The pairing process first involves unpairing any old device, which sends a link via email to the web app which asks for the confirmation PIN (or was it just the card PIN? I don’t know but my card PIN worked), the card token (which is used as a reference on the UPS envelopes, so not really secret), and an OTP by text.
After that, pairing a new device only involves logging in and receiving an OTP by text; not even the card PIN.
This is convoluted and completely backwards. Seems like all the security is in unpairing an old device and not pairing a new one (which only requires account login & text OTP). You’re screwed if your device is compromised and you need to revoke its access quickly.
It should be the opposite: revoking trust should be easy, gaining trust should be hard (although even in this case this amount of “security” is overkill and looks more like security theatre than real security, since all the items they ask for are relatively low-security, especially the card token - not the card number, which is commonly understood to need to be kept secret, but an opaque number in the card’s corner that also happens to be used as the shipping reference).
Seems like someone in the dev team was just like “we need more security”, but without actually thinking about the threat model and UX.
Also if you make a transfer and don’t specify a reference, they silently set one by default as “Sent from N26”. Meh.