Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

AIB - 48 hour restriction after SIM card change

  • 26-01-2021 11:37am
    #1
    Registered Users, Registered Users 2 Posts: 30,293 ✭✭✭✭


    I changed my mobile phone contract last month.

    When I tried to login to my AIB online account this month, at the point where they normally send out the access code by text message, I got this error message instead.

    540997.jpg

    Some questions arise:

    1) How the hell do they know that I changed my phone provider?
    2) What security benefit arises from this 48 delay? Are they checking something in the meantime?

    All ideas welcome.


Comments

  • Registered Users, Registered Users 2 Posts: 4,257 ✭✭✭smuggler.ie


    Don't know specifics how they operate so wild guess, and yeah...it shows they know more than you think and than they tell you.
    1. you have app installed - they can see same device(trusted, by MAC, IMEI, app ID, etc), but different number/provider/IP range(unknown, not verified)
    2. monitoring for unexpected/suspicious behavior - you block phone by IMEI, multiple/big fund transfers to unknown accounts, expensive purchases, etc


    While ago was abroad and had to purchase item for €XXX - transaction was suspended until i called bank to confirm to release funds - roaming=suspicious network ID .They said: "you should notify us to your plans to go abroad and spend money".
    Joke isn't it, on other side - more secure...


  • Registered Users, Registered Users 2 Posts: 30,293 ✭✭✭✭AndrewJRenko


    Thanks, but definitely know app installed, so they didn't get that information locally. They must have got that information from the mobile phone network in some way. Interestingly, I can't see how they would know that I changed SIM unless they were storing details of my old SIM, though there is no mention of storing SIM or network details in their Privacy Statement.

    So do phone networks provide details of SIM or network to large organisations like this?


  • Registered Users, Registered Users 2 Posts: 4,257 ✭✭✭smuggler.ie


    Thanks, but definitely know app installed, so they didn't get that information locally. They must have got that information from the mobile phone network in some way. Interestingly, I can't see how they would know that I changed SIM unless they were storing details of my old SIM, though there is no mention of storing SIM or network details in their Privacy Statement.

    So do phone networks provide details of SIM or network to large organisations like this?
    OK, different approach - code have to be sent to same number , but its showing under different provider now.


  • Registered Users, Registered Users 2 Posts: 4,257 ✭✭✭smuggler.ie




  • Registered Users, Registered Users 2 Posts: 121 ✭✭Paranoid Bob


    This is a defence against 'SIM swap' fraud.
    The bank is using your phone number as a part of multi-factor authentication on the assumption that the phone number identifies your phone and your phone is in your possession. As long as that assumption holds then a message to your phone number can count as a possession check in a 2-factor login.

    The problem is that this is not really true. The phone number is associated with your SIM, not your phone; and even that association is not very strong. The phone company can change the SIM associated with the number at any time.
    There is a very successful 'hack' where a bad guy goes into a shop saying they have not been able to receive calls. The give your number and charm the shop assistant into issuing a new SIM associated with that number. They leave the shop with a phone that receives all texts and calls sent to your number. They then use that to log in to any system that uses SMS passwords for authentication. (banks, twitter, facebook, etc.)

    To protect against that AIB (and other banks) use a SIM swap detection service. A company regularly asks the mobile networks for the SIM card identifier associated with all the mobile numbers. If the mobile number is associated with a new SIM card then the bank will take steps to reduce the risk that change is a SIM swap attack by a bad guy looking to take over your account.

    The relationship between SIM and mobile number is readily available on the mobile network as part of the technical operation of the network. It is basically not possible to keep it secret and still be able to connect phone calls or deliver text messages.

    This is A Good Thing! The bank is doing work to protect your money from bad guys who can charm shop assistants.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 30,293 ✭✭✭✭AndrewJRenko



    Thanks, never knew that kind of information was available to all.
    This is a defence against 'SIM swap' fraud.
    The bank is using your phone number as a part of multi-factor authentication on the assumption that the phone number identifies your phone and your phone is in your possession. As long as that assumption holds then a message to your phone number can count as a possession check in a 2-factor login.

    The problem is that this is not really true. The phone number is associated with your SIM, not your phone; and even that association is not very strong. The phone company can change the SIM associated with the number at any time.
    There is a very successful 'hack' where a bad guy goes into a shop saying they have not been able to receive calls. The give your number and charm the shop assistant into issuing a new SIM associated with that number. They leave the shop with a phone that receives all texts and calls sent to your number. They then use that to log in to any system that uses SMS passwords for authentication. (banks, twitter, facebook, etc.)

    To protect against that AIB (and other banks) use a SIM swap detection service. A company regularly asks the mobile networks for the SIM card identifier associated with all the mobile numbers. If the mobile number is associated with a new SIM card then the bank will take steps to reduce the risk that change is a SIM swap attack by a bad guy looking to take over your account.

    The relationship between SIM and mobile number is readily available on the mobile network as part of the technical operation of the network. It is basically not possible to keep it secret and still be able to connect phone calls or deliver text messages.

    This is A Good Thing! The bank is doing work to protect your money from bad guys who can charm shop assistants.

    Great explanation, and that's probably it.

    Except - what benefit comes from the 48 hour restriction? If I was a bad guy on Tuesday, I'm still a bad guy on Thursday. What's the point - unless they're going to reach out and confirm identity by other means, which they haven't done?

    Also, if they are recording details of my SIM card/phone network, they should be showing this in their privacy policy, which they're not.


  • Registered Users, Registered Users 2 Posts: 121 ✭✭Paranoid Bob


    Great explanation, and that's probably it.

    Except - what benefit comes from the 48 hour restriction? If I was a bad guy on Tuesday, I'm still a bad guy on Thursday. What's the point - unless they're going to reach out and confirm identity by other means, which they haven't done?

    Also, if they are recording details of my SIM card/phone network, they should be showing this in their privacy policy, which they're not.

    The idea is that you are very likely to notice if your phone stops working for 48 hours and contact the phone company to fix it.

    If the bad guy gets a SIM with your number on Monday, you will probably notice it and get it fixed before Wednesday. If you do not try to use the banking app in that time then this check by the bank has no effect on you. It prevents the fraud without any downside to you.

    Even better; this check reduces SIM swap fraud just by existing. The bad guys know they need to wait two days before getting any value from the fraud, and they are likely to be detected during those two days, so they don't bother to even try.


    In terms of data protection / disclosure. I don't know what phone company you are with but there are disclosures deep in the details of policies.
    For example from Vodafone (https://n.vodafone.ie/privacy/privacy-and-you.html):
    We may share information about you with ... Companies who are engaged to perform services for, or on behalf of, Vodafone Limited, or Vodafone Group;
    Credit reference, fraud-prevention or business-scoring agencies, or other credit scoring agencies; ...

    Like I said; it is basically impossible to keep the relationship between SIM and mobile number a secret if you want a functioning mobile phone network, so they are permitted to process that data as it is essential to provide the contract with you.


  • Registered Users, Registered Users 2 Posts: 30,293 ✭✭✭✭AndrewJRenko


    The idea is that you are very likely to notice if your phone stops working for 48 hours and contact the phone company to fix it.

    If the bad guy gets a SIM with your number on Monday, you will probably notice it and get it fixed before Wednesday. If you do not try to use the banking app in that time then this check by the bank has no effect on you. It prevents the fraud without any downside to you.

    Even better; this check reduces SIM swap fraud just by existing. The bad guys know they need to wait two days before getting any value from the fraud, and they are likely to be detected during those two days, so they don't bother to even try.


    In terms of data protection / disclosure. I don't know what phone company you are with but there are disclosures deep in the details of policies.
    For example from Vodafone (https://n.vodafone.ie/privacy/privacy-and-you.html):
    We may share information about you with ... Companies who are engaged to perform services for, or on behalf of, Vodafone Limited, or Vodafone Group;
    Credit reference, fraud-prevention or business-scoring agencies, or other credit scoring agencies; ...

    Like I said; it is basically impossible to keep the relationship between SIM and mobile number a secret if you want a functioning mobile phone network, so they are permitted to process that data as it is essential to provide the contract with you.

    Thanks, but this isn't about the phone company, it's about AIB, my bank. It is the bank that is checking for a change in phone provider, and the bank that is implementing a 48 hour restriction on my online access.

    Which just seems pointless in this scenario - I don't get what is achieved by the 48 hour restriction in online access to my bank account after detecting the 48 hour online access?

    And AIB's Privacy Statement makes no mention of collecting details of mobile phone network.


  • Registered Users, Registered Users 2 Posts: 9,391 ✭✭✭markpb


    Thanks, but this isn't about the phone company, it's about AIB, my bank. It is the bank that is checking for a change in phone provider, and the bank that is implementing a 48 hour restriction on my online access.

    Which just seems pointless in this scenario - I don't get what is achieved by the 48 hour restriction in online access to my bank account after detecting the 48 hour online access?

    They answered that question already. If your SIM is swapped out, you are likely to notice quite quickly and report it to your mobile operator. During that time, your attacker won’t have access to your bank account online.


  • Registered Users, Registered Users 2 Posts: 30,293 ✭✭✭✭AndrewJRenko


    markpb wrote: »
    They answered that question already. If your SIM is swapped out, you are likely to notice quite quickly and report it to your mobile operator. During that time, your attacker won’t have access to your bank account online.

    OK, I see that now, thanks - the 48 hour thing just seems a bit random, if they don't reach out and notify the account holder in the meantime.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 9,391 ✭✭✭markpb


    OK, I see that now, thanks - the 48 hour thing just seems a bit random, if they don't reach out and notify the account holder in the meantime.

    I guess most of the time, the SIM change will be legitimate so notifying account holders would be unnecessary and would just draw attention to this security measure.


  • Registered Users, Registered Users 2 Posts: 4,257 ✭✭✭smuggler.ie


    OK, I see that now, thanks - the 48 hour thing just seems a bit random, if they don't reach out and notify the account holder in the meantime.
    I'd say its targeted that you reach out and notify them


  • Registered Users, Registered Users 2 Posts: 4,792 ✭✭✭cython



    I really hope they don't use that, I checked 3 numbers I know (my own included), and all were wrong!


  • Registered Users, Registered Users 2 Posts: 333 ✭✭TK Lemon


    Out of curiosity, I opened the app and I went to the part where you add a travel note and they don’t accept them anymore.

    The pop up message said ‘we’ll send you a text for suspicious purchases instead.’

    That’s useless for people who purchase a temporary foreign SIM, as we did in NY and Kiev.


  • Registered Users, Registered Users 2 Posts: 4,257 ✭✭✭smuggler.ie


    cython wrote: »
    I really hope they don't use that, I checked 3 numbers I know (my own included), and all were wrong!
    Did not claimed it is accurate and their database all up to date.

    Course they dont use this, just the fact that such data could be available


  • Closed Accounts Posts: 15 observanto


    I have found a company (phonovation.com/fraud-prevention/sim-take-over-protection/?cn-reloaded=1) which offers product, which helps banks to minimize risk of sim swap.

    4. How to combat it?
    Phonovation’s anti SIM swap attack software prevents this kind of attack using data only available to Phonovation. Phonovation’s service (PhonoSecure STOP) checks if the current SIM card of the customer’s mobile phone can be trusted. If the number has been ported within a certain time period, our service will flag the interaction as a possible fraud and direct the user to the banks care lines to confirm certain details that only the customer and bank should know i.e previous transactions etc.

    BENEFITS OF SIM SWAP PROTECTION (STOP)
    - Will maintain a record of all customers’ SIM information
    - Initial baselining of customer’s SIM information & continuous refresh of SIM information at regular periods
    - SIM Swaps that are older than 12 to 24 hours can be assumed genuine and messages can be released to them on request
    - When a password reset or account payee is added shortly after a SIM has been changed, the system assumes that the SIM has been compromised and refers the password reset to the call centre agent to verify the customer identity before the passwords are released
    phonovation.com/fraud-prevention/sim-take-over-protection/?cn-reloaded=1


  • Registered Users, Registered Users 2 Posts: 30,293 ✭✭✭✭AndrewJRenko


    observanto wrote: »
    I have found a company (phonovation.com/fraud-prevention/sim-take-over-protection/?cn-reloaded=1) which offers product, which helps banks to minimize risk of sim swap.

    4. How to combat it?
    Phonovation’s anti SIM swap attack software prevents this kind of attack using data only available to Phonovation. Phonovation’s service (PhonoSecure STOP) checks if the current SIM card of the customer’s mobile phone can be trusted. If the number has been ported within a certain time period, our service will flag the interaction as a possible fraud and direct the user to the banks care lines to confirm certain details that only the customer and bank should know i.e previous transactions etc.

    BENEFITS OF SIM SWAP PROTECTION (STOP)
    - Will maintain a record of all customers’ SIM information
    - Initial baselining of customer’s SIM information & continuous refresh of SIM information at regular periods
    - SIM Swaps that are older than 12 to 24 hours can be assumed genuine and messages can be released to them on request
    - When a password reset or account payee is added shortly after a SIM has been changed, the system assumes that the SIM has been compromised and refers the password reset to the call centre agent to verify the customer identity before the passwords are released
    phonovation.com/fraud-prevention/sim-take-over-protection/?cn-reloaded=1

    Interesting, so if that's what is going on here with AIB, they are contracting a company to track details of my SIM - but no mention of that in AIB's privacy statement.


  • Registered Users, Registered Users 2 Posts: 1,548 ✭✭✭KildareP


    Interesting, so if that's what is going on here with AIB, they are contracting a company to track details of my SIM - but no mention of that in AIB's privacy statement.

    What are you looking to get out of this as a resolution?

    At the end of the day this is to protect you - the alternative is that when your account is compromised there's no 100% guarantee you'll get all or any of any money lost back.

    You then need to have your online banking completely reset, which typically takes a week or more since your details will now have to be sent by post as they can't SMS them to you (and they usually send your username first followed by your PIN several days later so they do not arrive together).

    You may also have to cancel all of your cards if they ordered replacement or additional cards while they had access to your online bank. Your current cards cancel down immediately and it will be several days before new ones arrive. Then you need to remember everywhere you've set up those cards as recurring payments - Netflix, Amazon, Sky, Vodafone, Eir, 3, car insurance, etc.

    Frankly, the inconvenience of losing access to online for 48 hours because you swapped SIMs pales in significance to the potential hassle of having your accounts compromised.

    But if you want to argue the legal/data protection side of it...

    Their data protection policy is quite comprehensive in this regard, for example:
    https://aib.ie/dataprotection#false
    "What information do we collect about you?"
    Phone number is listed there

    "Lawful basis for processing"
    [...]
    "Prevent financial crime and cyber attacks
    We continually monitor and analyse transactions, financial behaviour and electronic devices to detect and prevent financial crime and cyber-attacks. This enables us to protect and secure our customers information, our networks and our financial interests.

    We share information with third parties to prevent financial crime, report fraud, manage our risks and protect both our interests."
    [...]
    "Sharing information to protect you

    In some instances where we are concerned about your health and safety, we may share information to protect you and others. This may include where we suspect that you, or others, may become a victim of financial crime. In these cases, we may share information with third parties to help ensure your safety and the safety of others. "


  • Registered Users, Registered Users 2 Posts: 4,257 ✭✭✭smuggler.ie


    but no mention of that in AIB's privacy statement.
    Ah c'mon here, as any T&C's with any company/service, they wont list EVERY single means of info they collect or share. It's always in broad terms for end user, and can be interpret as needed when needed.


  • Closed Accounts Posts: 15 observanto


    For me it is very surprising that AIB blocks access to account because client has changed sim card. I can understand that banks, which use sms codes as two factor authentication would do this, but not AIB which uses mobile app and card readers. 

    What do you think?


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 30,293 ✭✭✭✭AndrewJRenko


    Ah c'mon here, as any T&C's with any company/service, they wont list EVERY single means of info they collect or share. It's always in broad terms for end user, and can be interpret as needed when needed.

    I don't think that's necessarily true, but there aren't really 'broad terms' on te AIB Privacy Statement.

    "Information (e.g. phone location) from your mobile to verify you are a resident in the Republic of Ireland when opening a new current account remotely;"

    In this case, they've gone beyond phone location to track phone provider, and not for the reason stated (when opening a new account remotely).

    So they're definitely not covered here.
    KildareP wrote: »
    What are you looking to get out of this as a resolution?

    At the end of the day this is to protect you - the alternative is that when your account is compromised there's no 100% guarantee you'll get all or any of any money lost back.

    You then need to have your online banking completely reset, which typically takes a week or more since your details will now have to be sent by post as they can't SMS them to you (and they usually send your username first followed by your PIN several days later so they do not arrive together).

    You may also have to cancel all of your cards if they ordered replacement or additional cards while they had access to your online bank. Your current cards cancel down immediately and it will be several days before new ones arrive. Then you need to remember everywhere you've set up those cards as recurring payments - Netflix, Amazon, Sky, Vodafone, Eir, 3, car insurance, etc.

    Frankly, the inconvenience of losing access to online for 48 hours because you swapped SIMs pales in significance to the potential hassle of having your accounts compromised.
    Fair question.

    The first thing I want to get out of it is to fully understand what's going on and how it improves security - professional curiosity from an IT head with an interest in security. The 48 hour delay seemed fairly arbitrary, and not something I had seen elsewhere.

    I get the logic about protecting from SIM swap attacks, but I'm not 100% convinced that the 48 hour delay is the appropriate response - some kind of offline validation step to confirm that the new SIM is valid would make more sense to me. Not everyone would notice if their phone went offline for calls/texts for two days, especially in the WFH environment where we are generally connected to home wifi permanently.

    The second thing I want to get out of it is to keep AIB honest in terms of their privacy statement and processes - more below.
    KildareP wrote: »
    But if you want to argue the legal/data protection side of it...

    Their data protection policy is quite comprehensive in this regard, for example:
    https://aib.ie/dataprotection#false
    "What information do we collect about you?"
    Phone number is listed there

    "Lawful basis for processing"
    [...]
    "Prevent financial crime and cyber attacks
    We continually monitor and analyse transactions, financial behaviour and electronic devices to detect and prevent financial crime and cyber-attacks. This enables us to protect and secure our customers information, our networks and our financial interests.

    We share information with third parties to prevent financial crime, report fraud, manage our risks and protect both our interests."
    [...]
    "Sharing information to protect you

    In some instances where we are concerned about your health and safety, we may share information to protect you and others. This may include where we suspect that you, or others, may become a victim of financial crime. In these cases, we may share information with third parties to help ensure your safety and the safety of others. "
    Phone number is indeed listed there, but this isn't about phone number. They're not just tracking phone number, they are tracking my phone service provider, which is a fairly different thing, and is definitely additional to phone number.

    And there is a good chance they are doing it through an external provider, such as Phonovation - so they are presumably giving my phone number to the external provider, who are getting details of my phone service provider, and either holding these details themselves or passing them back to AIB who are retaining them.

    They would probably claim that this is covered under; "We share information with third parties to prevent financial crime, report fraud, manage our risks and protect both our interests." but there is no reason why their privacy statement shouldn't be as clear about their gathering and retention of phone service provider as they are about remote location of phone.

    The Phonovation privacy policy isn't great either, in terms of detail and specificity.


  • Registered Users, Registered Users 2 Posts: 4,257 ✭✭✭smuggler.ie


    I don't think that's necessarily true, but there aren't really 'broad terms' on te AIB Privacy Statement.
    Isn't there?

    "Broad term" in sense that they wont list point-by-point, like "Lawful basis" - unless end user know(and understand) law down to detail its broad term. Don't be expecting that they will reprint every related paragraph from legislation. Your "SIM issue" might or might not fall under any paragraph there.
    "Information (e.g. phone location) from your mobile to verify you are a resident in the Republic of Ireland when opening a new current account remotely;"
    In this case, they've gone beyond phone location to track phone provider, and not for the reason stated (when opening a new account remotely).
    It clearly states e.g. = for example, but nowhere does it state limited to.

    Information - isn't it another broad term, not strictly defined what it should or should not include? "might, could, some" most of the time


  • Registered Users, Registered Users 2 Posts: 3,292 ✭✭✭0lddog


    Question 1 : Who owns the phone number that is associated with my mobile ?

    Question 2 : Would Phonovation ( or a similar service provider ) need to know the name that is associated with a particular SIM ?


  • Registered Users, Registered Users 2 Posts: 1,932 ✭✭✭huskerdu


    0lddog wrote: »
    Question 1 : Who owns the phone number that is associated with my mobile ?

    Question 2 : Would Phonovation ( or a similar service provider ) need to know the name that is associated with a particular SIM ?

    Phonovation do not have your name just the number


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Mobile phones are not very secure for banking. For one there is no firewall and the average phone has dozens of apps, many of which probably contain malware of some form or another.

    The only 'secure device for online banking is a dedicated bank only computer that it not used for email or general surfing. Especially for business or high net worth accounts. Using multi-factor authentication (MFA) that does not involve text messages etc. The MFA device should take into account the last n digits of the payee IBAN, together with the amount of the payment. In that way you can lock down the transmission of a specific sum of money to a specific bank account at time x, on a one time basis.

    The UE/EU has stupidly allowed the use of mobile phone devices as a factor in multi-factor authentication. The mobile phone platforms are not secure. Text messages are sent in cleartext. Apps and malware abound. Belgium, for one, only accepts multi factor calculators for online shopping credentials. Listen to TechMeme Ridehome today (last item) on how they can forward SMS messages to another number, which can be used to run rings around the victim.

    https://art19.com/shows/techmeme-ridehome/episodes/4c6e784b-b5c4-4ecd-9a08-92e3c2c6bccf


  • Closed Accounts Posts: 15 observanto


    Impetus wrote: »
    Mobile phones are not very secure for banking.

    1) I agree with you that it is good to have a dedicated computer for online banking. In my opinion a device (even an old computer) with Chrome OS may be a good choice.


    2) I also agree that hardware challenge-response tokens (like AIB card readers) where you have to input the last digits of beneficiary account and the transfer amount to get one time password are the safest method of 2FA.

    Btw have you heard about any case where  AIB card reader (or other hardware challenge-response token) was bypassed and bank account was hacked?


    3) Thank you for the below information:
    "Listen to TechMeme Ridehome today (last item) on how they can forward SMS messages to another number, which can be used to run rings around the victim."
    I have read the below article which very well explains how you can forward messages to another number.
    A Hacker Got All My Texts for $16
    https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber
    A gaping flaw in SMS lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages.

    I wonder if rerouting text messages is possible in Europe?


Advertisement