Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Prevent fraudulent enrolment in 3DSecure

  • 02-06-2014 2:57pm
    #1
    Registered Users, Registered Users 2 Posts: 491 ✭✭


    Hi,

    I'm not going to be enrolling my credit card in the 3DSecure scheme, the authentication techniques chosen by Bank of Ireland are far too weak for me to accept the additional legal liabilities that enrolling requires me to accept.

    If and when the Bank of Ireland enables out-of-band enrolment and two-factor authentication I will be happy to enrol, until that time, it's not going to happen.

    However, this leaves a serious vulnerability open. Nothing prevents a criminal from fraudulently enrolling my card in 3DSecure and forcing those legal liabilities onto me. At which point I will be entirely liable for any fraudulent payments since they will have authenticated properly with 3DSecure.

    Before you say this isn't plausible bear in mind that the only piece of information required for enrollment, beyond my credit card details, is my mother's maiden name, which is hardly a secret. We have to assume that my credit card details are known to criminals since that's exactly the problem that 3DSecure attempts to address.

    So, how can you guys prevent my card from being enrolled in 3DSecure against my will? Will you ever be switching to a strong form of authentication that actually protects consumers?

    Thanks


Comments

  • Closed Accounts Posts: 2,346 ✭✭✭Bank of Ireland: Tara


    Hi Silent Bob,

    Thanks for getting in touch and apologies for the delay with responding to you.

    We've referred your post to our Security Team and we will post a reply as soon as possible.

    Thanks
    Tara


  • Closed Accounts Posts: 2,346 ✭✭✭Bank of Ireland: Tara


    Hi Silent Bob,
     
    Thanks for your patience.


    Verified by Visa and MasterCard SecureCode are services offered by Bank of Ireland in partnership with Visa and MasterCard to bring you 3D Secure. 
       
    Bank of Ireland will investigate all reports of card fraud and deal with them on a case by case basis. We will always try to get the best outcome for our customers with all factors taken into account.
     
    We understand this is not the precise answer you were looking for however, please be assured we have passed on your comments and feedback regarding this facility.
     

    Thanks again,
    Tara


  • Registered Users, Registered Users 2 Posts: 491 ✭✭Silent Bob


    Hi Tara,

    thanks for the update


  • Registered Users, Registered Users 2 Posts: 121 ✭✭birchtree


    Silent Bob wrote: »
    Hi,

    I'm not going to be enrolling my credit card in the 3DSecure scheme, the authentication techniques chosen by Bank of Ireland are far too weak for me to accept the additional legal liabilities that enrolling requires me to accept.

    If and when the Bank of Ireland enables out-of-band enrolment and two-factor authentication I will be happy to enrol, until that time, it's not going to happen.

    However, this leaves a serious vulnerability open. Nothing prevents a criminal from fraudulently enrolling my card in 3DSecure and forcing those legal liabilities onto me. At which point I will be entirely liable for any fraudulent payments since they will have authenticated properly with 3DSecure.

    Before you say this isn't plausible bear in mind that the only piece of information required for enrollment, beyond my credit card details, is my mother's maiden name, which is hardly a secret. We have to assume that my credit card details are known to criminals since that's exactly the problem that 3DSecure attempts to address.

    So, how can you guys prevent my card from being enrolled in 3DSecure against my will? Will you ever be switching to a strong form of authentication that actually protects consumers?

    Thanks
    Brilliant post, I haven't thought of this aspect!
    As someone said, it is not about security, it is about passing liability.
    I wrote this to BOI today:

    While MasterCard SecureCode and Verified by Visa add a layer of protection for sellers, it is reducing protection for buyers. By forcing customers to provide such personal data as date of birth and mother's maiden name leaves me completely exposed if such details were stolen during the transaction. Nobody can raise a hand and say - my computer and network are 100% secure. The last bit of data that only you and the bank knows are now available for trojans, keyloggers and wifi scanners. Not to mention the inconvenience of remembering yet another password and 'personal greeting'. Speaking of password - I can't even use special characters in the password for added protection. Not very securecode, is it?
    What steps can we take to change this?


Advertisement