Card verification risks due to sloppy system design by Irish banks

BlinkingLights wrote: »

The verification starts as you get a message saying it's connecting to your bank much like the usual verified by Visa stuff, then you're just approved without entering anything.

It's like the verified by Visa is just setup to pass you through without checking anything.

I have an AmEx platinum and it does the same thing - sort of goes through a verification process, then moves on and approves the transaction without entry of extra authentication codes. I suspect AmEx have far a far better software algo to analyze patterns of usage and detect fruad than your typical Visa or MC bank. AmEx limit your liability to EUR 50 in the event of fraud. And they answer within 1 second if you need to call them.

Unlike Visa or MasterCard, if you are in a hotel or other predicament and have a problem or your card has been stolen, you can speak to AmEx directly (not like with some bank using the Visa brand), and once you have answered ID questions, they will give the hotel authorization to charge your AmEx card - even if you don't have the card to showdue to theft etc. It also gives travel insurance, and points for expenditure which can be used for goodies or to pay the annual fee.

Large Irish retailers like Dunnes Stores and similar take Amex - but smaller ones don't and when you complain, they claim AmEx charge them more. Which is untrue, because these charges are limited by EU regulation and they charge the same as Visa and MC in most countries. When AmEx see you are a good payer (I have given them a SEPA DD on a bank account in another European country), they do not limit your spending. The chip on the AmEx card uses DDA (unlike Irish Visa and MasterCards) which is copying British low standards, use SDA. DDA chips randomly vary the card's electronic signature every time. DDA cards cost about 50c more to buy. Most banks in Europe use DDA for all cards.

AmEx have to work with dumb Americans many of whom one suspects couldn't remember a PIN, not to mention a verified by visa code. As a result they have had to adapt to the issue by making their transaction validation process extremely intelligent.

Alun wrote: »

AIB at least supposedly replaced the old Verified by Visa functionality (for debit cards only at the moment) a good while ago by a system that sends you a text message with a code. It's apparently not done for every transaction (why not?), but just "occasionally" although I've yet to see one on a site/app I use regularly (justeat) that uses it. Until then it always asked me for 3 random letters from my password. Whether it just doesn't work, or if their definition of "occasionally" is a bit broader than mine. I don't know.

Why not every time? There are a few reasons - if you are an established Amazon customer, and just order something for the usual address why bother? In my case, my Visa Debit card was getting grubby, and I went into the bank website on Thursday and ordered a new card. It arrived on Saturday (we, like 98% of the rest of Europe have post on Saturday), and I used the card to pay my mobile phone bill and fiber optic bill online on two different websites within five minutes. Their computer algo said to itself (my guess) we sent him a new card - did he really get it? Two charges in quick succession. My first charge did not require the SMS, only the second. So it was 'suspicion driven' in my view. There is no difference in risk between me and my mobile phone co and fiber optic service - I pay them with the card every month. Which highlights the repeat nature of the risk assessment for the second payment.

In this country at least it is cheap for companies to send large volumes of text messages. You just need contracts with all mobile phone networks and to send textos via the direct connections to each these networks. if I was in Ireland they might have to pay 3c or so to send the text message - which is far cheaper than eating a fraudulent card charge.

It is dumb in my view to use selected characters from a password. These could potentially be turned into the full password by a patient keystroke logger that monitored multiple transactions. Most British banks do not use multi-factor authentication calculators - except for corporate/big customers. Instead asking for the 3rd, 4th and 6th characters of some secret word. This involves the same patient keystroke logger risk.

With the big continental banks you can transfer any sum of money, or even say 20kg of gold (if you had it in your account) (eg to pay for a house) online with multi factor authentication, (which involves login authentication and transfer authentication separately - the second code being based on part of the IBAN of the recipient and the amount - both of which have to be entered into the multi-factor authenticator - which uses a smart card which you probably keep separately and securely). 1kg of gold is worth EUR 37'820 at the moment.Your bank account can also hold shares and investment funds (unlike Irish bank accounts). As well as foreign currencies - all in one account. The absence of this facility from Irish banks has been a big contributor of the property crash. In Ireland, the banks are focused on lending for property and little else.

Irish investment is limited to property and anglo-saxon/Irish shares - for the majority. Asia is growing rapidly. This is a huge financial risk for the country by focusing on a single asset type. We are in the Eurozone. There are zillions of funds and shares denominated in EUR involving world class companies - better than anything America or Asia has to offer for Irish people to invest in. The absence of them on a typical Irish online bank account menu is perhaps not an IT security risk, but is a massive savings / pension risk for the country. Online bank accounts should also provide lots of investment research guidance to their customers and allow them to view/download funds into a spreadsheet to assess performance. You can only offer these services with serious multi-factor authentication security. Reducing/eliminating the need for a time wasting call-back etc. Ireland's government seems to me to want to keep people as dumb as possible in the education system. The plot seems to be 'let's breed ejits'. The banking system needs to create a bullet proof customer relationship that educates customers on how to invest in a wide range of soundly engineered financial products - mainly theme and other funds. And to enable them to transfer money and other assets in specie to other IBANS of entities and people who customers want to do business with. Securely.