Security Vulnerability Bank of Ireland

  • 25-02-2022 7:48am
    #1
    Posts: 0


    When using Bank of Ireland payment cards online, sometimes you will be asked to enter a one-time passcode in addition to your payment card details.

    This is what is known as two factor authentication or 2FA.

    2FA is widely used online nowadays for various online services.

    The purpose behind 2FA is to add an additional layer of security in validating that it is actually you using the Bank of Ireland payment card online.

    Even if someone criminally obtains your Bank of Ireland payment card details, they should not be able to use the card online for making large payments unless they physically have your 2FA device, i.e. your mobile phone.

    The criminal will enter your Bank of Ireland payment card details online and then they will be asked to enter a one-time passcode which Bank of Ireland will text message to your mobile phone number. As the criminal does not have your physical mobile phone, they cannot complete the payment online.

    The issue I have is with the way Bank of Ireland have implemented two-factor authentication.

    The only method of two-factor authentication that Bank of Ireland offer is by sending SMS text messages to your mobile phone number.

    This method of two factor authentication is inferior in comparison with two factor authentication applications that you install such as Google Authenticator, Bitwarden, andOTP, etc.

    Two factor authentication applications generate the one time passcode without the need for any SMS text messages.

    The reason SMS text messages are not secure is because they are not encrypted. When Bank of Ireland sends the two-factor authentication one-time passcode by SMS text message to your mobile phone, it is sent in plain text; anyone that intercepts the text message can read your one-time passcode and use it to make payments with your Bank of Ireland account.

    However this is not the biggest issue.

    The biggest vulnerability with the Bank of Ireland system is that it is vulnerable to SIM swap attacks.

    A SIM swap attack is where someone who knows your mobile phone number transfers it to another SIM card that they are in control of.

    Think about all the people and companies and websites that know your mobile phone number.

    All it takes is for one of those people to telephone your mobile phone carrier, speak to some inexperienced or careless employee working for your mobile phone company and convince them that they lost their phone, bought a new SIM card and need to transfer their old mobile phone number to their new SIM card.

    SIM swap attacks happen frequently and you have no way to prevent them. You are completely reliant on the employee of your mobile phone company.

    So the criminal has your Bank of Ireland payment card details and now they have also taken over your SIM card. Bank of Ireland are SMS text messaging your one-time passcodes to the criminal and the criminal is spending your money.

    The solution is for Bank of Ireland to offer the option to use two-factor authentication applications such as Google Authenticator, Bitwarden, andOTP, etc.

    Two factor authentication applications are considered far more secure than SMS text messages.

    Bank of Ireland should also be using 2FA for login on bank365. The current login system just asks you for 3 digits to log in to bank365. That means a criminal just has to guess a number between 0-9 three times correctly, which means they would only have to enter 1000 different combinations before they would guess correctly and access your bank365 account.

    Considering Bank of Ireland is responsible for protecting your money, they should have higher security standards.

    Post edited by [Deleted User] on


Comments

  • Registered Users, Registered Users 2 Posts: 18,989 ✭✭✭✭kippy


    Cost benefit analysis required.



  • Closed Accounts Posts: 2,346 ✭✭✭Bank of Ireland: Tara


    Hi there,

    Thanks for your post and welcome to Boards.ie.

    We're unsure of your post as Strong Customer Authentication is in place since last year. When customers are making a payment online using a debit or credit card they do not receive a one time passcode by text. Card payments are approved using a registered security device. This is also in place for when customers are logging on to their account or transferring funds. You can find more information on this at www.bankofireland.com/sca

    Thanks

    Tara



  • Registered Users, Registered Users 2 Posts: 278 ✭✭newirishman


    SIM swap attacks are literally a non issue in Ireland. They do not happen frequently. (Where do you get that idea from? Any data to support this?), and they are easily discovered (given your original SIM stops working)

    Your scenario of an “inexperienced mobile phone company employee” is pretty ludicrous as well.

    There are good reasons to use authenticator apps over TxT messages, absolutely, but compared to other attack vectors your scenario is a non-issue.

    Also, BOI has in fact a mobile phone app that handles 2FA.



  • Posts: 0 [Deleted User]


    Hi Tara,


    Thank you for responding, it was about 5 months ago when I made a payment online and received a one time passcode by SMS text message.

    Do you think Bank of Ireland will be implementing two-factor authentication for bank365 login instead of the current system which asks for three digits between 0-9?



  • Closed Accounts Posts: 2,346 ✭✭✭Bank of Ireland: Tara


    Thanks for getting back to us. Strong Customer Authentication is already in place for logging on to 365 and you can find more information on this on the link provided in my previous reply.

    Thanks

    Tara



  • Registered Users, Registered Users 2 Posts: 1,446 ✭✭✭dublin49


    A very plausible text just received in my Bank of Ireland text thread. It is from a scammer. Until the banks can guarantee the text thread is secure, all texts are worthless. What's the point when you cannot trust them?



  • Closed Accounts Posts: 490 ✭✭Bank of Ireland: Jennifer


    Hi there,

    Thanks for getting in touch with us here. Please be advised that Bank of Ireland will never send any email or text asking customers to click on a link to log into their account or disclose personal or account password information. We always recommend that you keep this safe and secure and do not disclose this to a third party.

    We understand your concern with the text appearing beside a genuine Bank of Ireland text but unfortunately it is quite easy for the fraudsters to do this. If they use a sender ID as BOI your phone assumes that the text is coming from the same place that the ID was used before. The fraudsters do this obviously to make their message appear genuine.

    We hope this helps.

    Thanks Jen



  • Registered Users, Registered Users 2 Posts: 911 ✭✭✭steve-o


    And once again, Bank of Ireland can stop the BOI sender id from being spoofed, yet you do not. Why not?



  • Registered Users, Registered Users 2 Posts: 9,226 ✭✭✭Tow


    It is up to the phone company to stop the ID being spoofed. But what BOI can do is move back to using .ie domains. This would help customers identify spoof sites. It is harder to register a fake .ie domain. BOI changed from .ie to .com back in the boom days, when they had visions of being a world player!

    When is the money (including lost growth) Michael Noonan took in the Pension Levy going to be paid back?


