AIB - 48 hour restriction after SIM card change

  • 26-01-2021 12:37pm
    #1
    Registered Users Posts: 28,364 ✭✭✭✭AndrewJRenko


    I changed my mobile phone contract last month.

    When I tried to login to my AIB online account this month, at the point where they normally send out the access code by text message, I got this error message instead.

    [screenshot of the AIB error message]

    Some questions arise:

    1) How the hell do they know that I changed my phone provider?
    2) What security benefit arises from this 48 hour delay? Are they checking something in the meantime?

    All ideas welcome.


Comments

  • Registered Users Posts: 4,083 ✭✭✭smuggler.ie


    I don't know the specifics of how they operate, so this is a wild guess, and yeah... it shows they know more than you think and more than they tell you.
    1. You have the app installed - they can see the same device (trusted, by MAC, IMEI, app ID, etc.), but a different number/provider/IP range (unknown, not verified)
    2. Monitoring for unexpected/suspicious behaviour - you block the phone by IMEI, multiple/big fund transfers to unknown accounts, expensive purchases, etc.


    A while ago I was abroad and had to purchase an item for €XXX - the transaction was suspended until I called the bank to confirm and release the funds - roaming = suspicious network ID. They said: "you should notify us of your plans to go abroad and spend money".
    A joke, isn't it? On the other side - more secure...


  • Registered Users Posts: 28,364 ✭✭✭✭AndrewJRenko


    Thanks, but there is definitely no app installed, so they didn't get that information locally. They must have got that information from the mobile phone network in some way. Interestingly, I can't see how they would know that I changed SIM unless they were storing details of my old SIM, though there is no mention of storing SIM or network details in their Privacy Statement.

    So do phone networks provide details of SIM or network to large organisations like this?


  • Registered Users Posts: 4,083 ✭✭✭smuggler.ie


    OK, different approach - the code has to be sent to the same number, but it's showing under a different provider now.



  • Registered Users Posts: 121 ✭✭Paranoid Bob


    This is a defence against 'SIM swap' fraud.
    The bank is using your phone number as a part of multi-factor authentication on the assumption that the phone number identifies your phone and your phone is in your possession. As long as that assumption holds then a message to your phone number can count as a possession check in a 2-factor login.

    The problem is that this is not really true. The phone number is associated with your SIM, not your phone; and even that association is not very strong. The phone company can change the SIM associated with the number at any time.
    There is a very successful 'hack' where a bad guy goes into a shop saying they have not been able to receive calls. They give your number and charm the shop assistant into issuing a new SIM associated with that number. They leave the shop with a phone that receives all texts and calls sent to your number. They then use that to log in to any system that uses SMS passwords for authentication (banks, Twitter, Facebook, etc.).

    To protect against that AIB (and other banks) use a SIM swap detection service. A company regularly asks the mobile networks for the SIM card identifier associated with all the mobile numbers. If the mobile number is associated with a new SIM card then the bank will take steps to reduce the risk that change is a SIM swap attack by a bad guy looking to take over your account.

    The relationship between SIM and mobile number is readily available on the mobile network as part of the technical operation of the network. It is basically not possible to keep it secret and still be able to connect phone calls or deliver text messages.

    This is A Good Thing! The bank is doing work to protect your money from bad guys who can charm shop assistants.


  • Registered Users Posts: 28,364 ✭✭✭✭AndrewJRenko



    Thanks, never knew that kind of information was available to all.

    Great explanation, and that's probably it.

    Except - what benefit comes from the 48 hour restriction? If I was a bad guy on Tuesday, I'm still a bad guy on Thursday. What's the point - unless they're going to reach out and confirm identity by other means, which they haven't done?

    Also, if they are recording details of my SIM card/phone network, they should be showing this in their privacy policy, which they're not.


  • Registered Users Posts: 121 ✭✭Paranoid Bob


    The idea is that you are very likely to notice if your phone stops working for 48 hours and contact the phone company to fix it.

    If the bad guy gets a SIM with your number on Monday, you will probably notice it and get it fixed before Wednesday. If you do not try to use the banking app in that time then this check by the bank has no effect on you. It prevents the fraud without any downside to you.

    Even better; this check reduces SIM swap fraud just by existing. The bad guys know they need to wait two days before getting any value from the fraud, and they are likely to be detected during those two days, so they don't bother to even try.


    In terms of data protection / disclosure. I don't know what phone company you are with but there are disclosures deep in the details of policies.
    For example from Vodafone (https://n.vodafone.ie/privacy/privacy-and-you.html):
    We may share information about you with ... Companies who are engaged to perform services for, or on behalf of, Vodafone Limited, or Vodafone Group;
    Credit reference, fraud-prevention or business-scoring agencies, or other credit scoring agencies; ...

    Like I said; it is basically impossible to keep the relationship between SIM and mobile number a secret if you want a functioning mobile phone network, so they are permitted to process that data as it is essential to provide the contract with you.


  • Registered Users Posts: 28,364 ✭✭✭✭AndrewJRenko


    Thanks, but this isn't about the phone company, it's about AIB, my bank. It is the bank that is checking for a change in phone provider, and the bank that is implementing a 48 hour restriction on my online access.

    Which just seems pointless in this scenario - I don't get what is achieved by the 48 hour restriction in online access to my bank account after detecting the 48 hour online access?

    And AIB's Privacy Statement makes no mention of collecting details of mobile phone network.


  • Registered Users Posts: 9,250 ✭✭✭markpb


    They answered that question already. If your SIM is swapped out, you are likely to notice quite quickly and report it to your mobile operator. During that time, your attacker won’t have access to your bank account online.


  • Registered Users Posts: 28,364 ✭✭✭✭AndrewJRenko


    markpb wrote: »
    They answered that question already. If your SIM is swapped out, you are likely to notice quite quickly and report it to your mobile operator. During that time, your attacker won’t have access to your bank account online.

    OK, I see that now, thanks - the 48 hour thing just seems a bit random, if they don't reach out and notify the account holder in the meantime.


  • Registered Users Posts: 9,250 ✭✭✭markpb


    I guess most of the time, the SIM change will be legitimate so notifying account holders would be unnecessary and would just draw attention to this security measure.


  • Registered Users Posts: 4,083 ✭✭✭smuggler.ie


    I'd say it's targeted at getting you to reach out and notify them.


  • Registered Users Posts: 4,757 ✭✭✭cython



    I really hope they don't use that, I checked 3 numbers I know (my own included), and all were wrong!


  • Registered Users Posts: 332 ✭✭TK Lemon


    Out of curiosity, I opened the app and I went to the part where you add a travel note and they don’t accept them anymore.

    The pop up message said ‘we’ll send you a text for suspicious purchases instead.’

    That’s useless for people who purchase a temporary foreign SIM, as we did in NY and Kiev.


  • Registered Users Posts: 4,083 ✭✭✭smuggler.ie


    cython wrote: »
    I really hope they don't use that, I checked 3 numbers I know (my own included), and all were wrong!
    I did not claim it is accurate or that their database is all up to date.

    Of course they don't use this; it's just the fact that such data could be available.


  • Closed Accounts Posts: 15 observanto


    I have found a company (phonovation.com/fraud-prevention/sim-take-over-protection/?cn-reloaded=1) which offers a product that helps banks minimise the risk of SIM swap.

    4. How to combat it?
    Phonovation’s anti SIM swap attack software prevents this kind of attack using data only available to Phonovation. Phonovation’s service (PhonoSecure STOP) checks if the current SIM card of the customer’s mobile phone can be trusted. If the number has been ported within a certain time period, our service will flag the interaction as a possible fraud and direct the user to the banks care lines to confirm certain details that only the customer and bank should know i.e previous transactions etc.

    BENEFITS OF SIM SWAP PROTECTION (STOP)
    - Will maintain a record of all customers’ SIM information
    - Initial baselining of customer’s SIM information & continuous refresh of SIM information at regular periods
    - SIM Swaps that are older than 12 to 24 hours can be assumed genuine and messages can be released to them on request
    - When a password reset or account payee is added shortly after a SIM has been changed, the system assumes that the SIM has been compromised and refers the password reset to the call centre agent to verify the customer identity before the passwords are released

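The mechanism Paranoid Bob describes earlier in the thread (baseline the SIM behind each number, flag a change, hold sensitive actions for a while so the real owner has time to notice) and the vendor wording quoted in this post (baseline plus periodic refresh, swaps older than a set period assumed genuine, password resets and new payees shortly after a swap referred to an agent) can be sketched in a few dozen lines. The following is an added illustration written for this page, not AIB's, Phonovation's or any operator's code. The phone numbers, SIM identifiers and timestamps are constructed, the lookup is assumed to return an opaque per-number SIM identifier, and the 48 hour window is the figure from the thread rather than any vendor's setting.

```python
"""SIM-swap detection with a grace window, modelled on the thread's description:
baseline the SIM identifier behind each number, flag a change, and gate
sensitive actions until the change is old enough to be presumed genuine.
Added illustration; not AIB's, Phonovation's or any operator's code.
Assumptions: the lookup returns an opaque SIM identifier per number (here
constructed strings), and the window is the 48 hours quoted in the thread."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

GRACE_WINDOW = timedelta(hours=48)                     # assumption, per the thread
GATED_ACTIONS = {"login_otp", "password_reset", "add_payee", "payment"}


@dataclass
class SimRecord:
    sim_id: str                     # opaque identifier (an ICCID or a hash of it)
    observed_at: datetime           # when this SIM was first seen behind the number
    previous_sim_id: Optional[str] = None   # set only once a change has been observed


@dataclass
class SimSwapDetector:
    """Per-number baseline that a bank, or a vendor acting for it, would keep."""
    baseline: Dict[str, SimRecord] = field(default_factory=dict)

    def refresh(self, msisdn: str, current_sim_id: str, now: datetime) -> bool:
        """Record the SIM currently behind msisdn; return True only on a change."""
        rec = self.baseline.get(msisdn)
        if rec is None:                                  # first sighting: baseline, not a swap
            self.baseline[msisdn] = SimRecord(current_sim_id, now)
            return False
        if rec.sim_id == current_sim_id:                 # unchanged: do NOT reset the clock
            return False
        self.baseline[msisdn] = SimRecord(current_sim_id, now, previous_sim_id=rec.sim_id)
        return True

    def time_since_swap(self, msisdn: str, now: datetime) -> Optional[timedelta]:
        """None if the number has never been seen to change SIM."""
        rec = self.baseline.get(msisdn)
        if rec is None or rec.previous_sim_id is None:
            return None
        return now - rec.observed_at


def decide(detector: SimSwapDetector, msisdn: str, action: str, now: datetime) -> str:
    """Return 'allow', 'step_up' (refer to another channel such as the call centre)
    or 'unknown_number' (no baseline yet, so the SIM cannot be trusted either way)."""
    if msisdn not in detector.baseline:
        return "unknown_number"
    if action not in GATED_ACTIONS:
        return "allow"
    age = detector.time_since_swap(msisdn, now)
    if age is None or age >= GRACE_WINDOW:
        return "allow"
    return "step_up"


def run_scenario() -> Dict[str, object]:
    """Constructed timeline: number baselined a month earlier, SIM changes on a
    Monday at 09:00, then various actions are attempted over the next two days."""
    number, other = "+353870000001", "+353870000009"     # constructed numbers
    swap_time = datetime(2021, 1, 25, 9, 0, tzinfo=timezone.utc)
    det = SimSwapDetector()
    baseline_flagged = det.refresh(number, "sim-A", swap_time - timedelta(days=30))
    swap_flagged = det.refresh(number, "sim-B", swap_time)
    same_again = det.refresh(number, "sim-B", swap_time + timedelta(hours=6))  # periodic refresh
    return {
        "baseline_flagged": baseline_flagged,          # False: first sighting is not a swap
        "swap_flagged": swap_flagged,                  # True
        "refresh_same_sim_flagged": same_again,        # False: unchanged SIM is not re-flagged
        "card_purchase_monday": decide(det, number, "card_purchase", swap_time + timedelta(hours=1)),
        "login_otp_monday": decide(det, number, "login_otp", swap_time + timedelta(hours=1)),
        "add_payee_tuesday": decide(det, number, "add_payee", swap_time + timedelta(hours=30)),
        "login_otp_wednesday": decide(det, number, "login_otp", swap_time + timedelta(hours=48)),
        "never_seen_number": decide(det, other, "login_otp", swap_time),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two details matter in practice: a periodic refresh that sees the same SIM must not reset the clock (otherwise every refresh restarts the window), and a number with no baseline at all is neither trusted nor flagged, which is the state a brand-new customer is in until the first lookup completes.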

  • Registered Users Posts: 28,364 ✭✭✭✭AndrewJRenko


    observanto wrote: »
    I have found a company (phonovation.com/fraud-prevention/sim-take-over-protection/?cn-reloaded=1) which offers a product that helps banks minimise the risk of SIM swap.
    [...]

    Interesting, so if that's what is going on here with AIB, they are contracting a company to track details of my SIM - but no mention of that in AIB's privacy statement.


  • Registered Users Posts: 1,441 ✭✭✭KildareP


    What are you looking to get out of this as a resolution?

    At the end of the day this is to protect you - the alternative is that when your account is compromised there's no 100% guarantee you'll get all or any of any money lost back.

    You then need to have your online banking completely reset, which typically takes a week or more since your details will now have to be sent by post as they can't SMS them to you (and they usually send your username first followed by your PIN several days later so they do not arrive together).

    You may also have to cancel all of your cards if they ordered replacement or additional cards while they had access to your online bank. Your current cards cancel down immediately and it will be several days before new ones arrive. Then you need to remember everywhere you've set up those cards as recurring payments - Netflix, Amazon, Sky, Vodafone, Eir, 3, car insurance, etc.

    Frankly, the inconvenience of losing access to online for 48 hours because you swapped SIMs pales in significance to the potential hassle of having your accounts compromised.

    But if you want to argue the legal/data protection side of it...

    Their data protection policy is quite comprehensive in this regard, for example:
    https://aib.ie/dataprotection#false
    "What information do we collect about you?"
    Phone number is listed there

    "Lawful basis for processing"
    [...]
    "Prevent financial crime and cyber attacks
    We continually monitor and analyse transactions, financial behaviour and electronic devices to detect and prevent financial crime and cyber-attacks. This enables us to protect and secure our customers information, our networks and our financial interests.

    We share information with third parties to prevent financial crime, report fraud, manage our risks and protect both our interests."
    [...]
    "Sharing information to protect you

    In some instances where we are concerned about your health and safety, we may share information to protect you and others. This may include where we suspect that you, or others, may become a victim of financial crime. In these cases, we may share information with third parties to help ensure your safety and the safety of others. "


  • Registered Users Posts: 4,083 ✭✭✭smuggler.ie


    AndrewJRenko wrote: »
    [...] but no mention of that in AIB's privacy statement.

    Ah c'mon, as with any T&Cs with any company/service, they won't list EVERY single means of info they collect or share. It's always in broad terms for the end user, and can be interpreted as needed when needed.


  • Closed Accounts Posts: 15 observanto


    For me it is very surprising that AIB blocks access to account because client has changed sim card. I can understand that banks, which use sms codes as two factor authentication would do this, but not AIB which uses mobile app and card readers. 

    What do you think?


  • Registered Users Posts: 28,364 ✭✭✭✭AndrewJRenko


    smuggler.ie wrote: »
    Ah c'mon, as with any T&Cs with any company/service, they won't list EVERY single means of info they collect or share. It's always in broad terms for the end user, and can be interpreted as needed when needed.

    I don't think that's necessarily true, but there aren't really 'broad terms' on the AIB Privacy Statement.

    "Information (e.g. phone location) from your mobile to verify you are a resident in the Republic of Ireland when opening a new current account remotely;"

    In this case, they've gone beyond phone location to track phone provider, and not for the reason stated (when opening a new account remotely).

    So they're definitely not covered here.
    KildareP wrote: »
    What are you looking to get out of this as a resolution?
    [...]
    Frankly, the inconvenience of losing access to online for 48 hours because you swapped SIMs pales in significance to the potential hassle of having your accounts compromised.
    Fair question.

    The first thing I want to get out of it is to fully understand what's going on and how it improves security - professional curiosity from an IT head with an interest in security. The 48 hour delay seemed fairly arbitrary, and not something I had seen elsewhere.

    I get the logic about protecting from SIM swap attacks, but I'm not 100% convinced that the 48 hour delay is the appropriate response - some kind of offline validation step to confirm that the new SIM is valid would make more sense to me. Not everyone would notice if their phone went offline for calls/texts for two days, especially in the WFH environment where we are generally connected to home wifi permanently.

    The second thing I want to get out of it is to keep AIB honest in terms of their privacy statement and processes - more below.
    KildareP wrote: »
    But if you want to argue the legal/data protection side of it...

    Their data protection policy is quite comprehensive in this regard, for example:
    https://aib.ie/dataprotection#false
    "What information do we collect about you?"
    Phone number is listed there
    [...]
    Phone number is indeed listed there, but this isn't about phone number. They're not just tracking phone number, they are tracking my phone service provider, which is a fairly different thing, and is definitely additional to phone number.

    And there is a good chance they are doing it through an external provider, such as Phonovation - so they are presumably giving my phone number to the external provider, who are getting details of my phone service provider, and either holding these details themselves or passing them back to AIB who are retaining them.

    They would probably claim that this is covered under; "We share information with third parties to prevent financial crime, report fraud, manage our risks and protect both our interests." but there is no reason why their privacy statement shouldn't be as clear about their gathering and retention of phone service provider as they are about remote location of phone.

    The Phonovation privacy policy isn't great either, in terms of detail and specificity.


  • Registered Users Posts: 4,083 ✭✭✭smuggler.ie


    AndrewJRenko wrote: »
    I don't think that's necessarily true, but there aren't really 'broad terms' on the AIB Privacy Statement.

    Isn't there?

    "Broad term" in the sense that they won't list point-by-point, like "Lawful basis" - unless the end user knows (and understands) the law down to the detail, it's a broad term. Don't expect that they will reprint every related paragraph from legislation. Your "SIM issue" might or might not fall under any paragraph there.

    AndrewJRenko wrote: »
    "Information (e.g. phone location) from your mobile to verify you are a resident in the Republic of Ireland when opening a new current account remotely;"
    In this case, they've gone beyond phone location to track phone provider, and not for the reason stated (when opening a new account remotely).

    It clearly states e.g. = for example, but nowhere does it state "limited to".

    Information - isn't it another broad term, not strictly defined as to what it should or should not include? "Might, could, some" most of the time.


  • Registered Users Posts: 3,292 ✭✭✭0lddog


    Question 1 : Who owns the phone number that is associated with my mobile ?

    Question 2 : Would Phonovation ( or a similar service provider ) need to know the name that is associated with a particular SIM ?


  • Registered Users Posts: 1,931 ✭✭✭huskerdu


    0lddog wrote: »
    Question 1 : Who owns the phone number that is associated with my mobile ?

    Question 2 : Would Phonovation ( or a similar service provider ) need to know the name that is associated with a particular SIM ?

    Phonovation do not have your name just the number


  • Registered Users Posts: 1,667 ✭✭✭Impetus


    Mobile phones are not very secure for banking. For one there is no firewall and the average phone has dozens of apps, many of which probably contain malware of some form or another.

    The only 'secure' device for online banking is a dedicated bank-only computer that is not used for email or general surfing. Especially for business or high net worth accounts. Using multi-factor authentication (MFA) that does not involve text messages etc. The MFA device should take into account the last n digits of the payee IBAN, together with the amount of the payment. In that way you can lock down the transmission of a specific sum of money to a specific bank account at time x, on a one time basis.

    The EU has stupidly allowed the use of mobile phone devices as a factor in multi-factor authentication. The mobile phone platforms are not secure. Text messages are sent in cleartext. Apps and malware abound. Belgium, for one, only accepts multi-factor calculators for online shopping credentials. Listen to TechMeme Ridehome today (last item) on how they can forward SMS messages to another number, which can be used to run rings around the victim.

    https://art19.com/shows/techmeme-ridehome/episodes/4c6e784b-b5c4-4ecd-9a08-92e3c2c6bccf


  • Closed Accounts Posts: 15 observanto


    Impetus wrote: »
    Mobile phones are not very secure for banking.

    1) I agree with you that it is good to have a dedicated computer for online banking. In my opinion a device (even an old computer) with Chrome OS may be a good choice.


    2) I also agree that hardware challenge-response tokens (like AIB card readers) where you have to input the last digits of beneficiary account and the transfer amount to get one time password are the safest method of 2FA.

    Btw, have you heard of any case where an AIB card reader (or other hardware challenge-response token) was bypassed and a bank account was hacked?


    3) Thank you for the below information:
    "Listen to TechMeme Ridehome today (last item) on how they can forward SMS messages to another number, which can be used to run rings around the victim."
    I have read the article below, which explains very well how you can forward messages to another number.
    A Hacker Got All My Texts for $16
    https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber
    A gaping flaw in SMS lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages.

    I wonder if rerouting text messages is possible in Europe?
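Impetus's point earlier in the thread, which observanto agrees with in the post above, is that a code worth accepting for a payment should be bound to the payee IBAN tail and the amount, so a code obtained for one transfer cannot authorise another. The following is an added illustration of that binding, written for this page; it is not AIB's card-reader protocol (the thread does not describe it) nor any vendor's code. It assumes a per-customer secret shared with the token, a server-side counter with a small look-ahead window, and that the reader takes the last 8 digits of the payee IBAN; the secret and both IBANs are constructed.

```python
"""Transaction-bound one-time code of the kind a bank card reader produces: the
code is an HMAC over the payee IBAN tail, the amount and a counter, so a code
obtained for one payment (phished, relayed, or captured by malware on the phone)
does not authorise a different payee or amount and cannot be replayed.
Added illustration; not AIB's reader protocol nor any vendor's code.
Assumptions: a per-customer secret shared with the token, a server-side counter
with a small look-ahead window, and an 8-digit IBAN tail."""
import hashlib
import hmac
import struct
from decimal import Decimal
from typing import Dict

IBAN_TAIL_DIGITS = 8        # assumption: the reader asks for the last 8 digits
CODE_DIGITS = 8


def challenge(payee_iban: str, amount: str, counter: int) -> bytes:
    """Canonical bytes the token signs: IBAN tail | amount in cents | counter."""
    tail = payee_iban.replace(" ", "").upper()[-IBAN_TAIL_DIGITS:]
    cents = int((Decimal(amount) * 100).to_integral_value())   # no float rounding
    return tail.encode("ascii") + struct.pack(">QQ", cents, counter)


def generate_code(secret: bytes, payee_iban: str, amount: str, counter: int) -> str:
    """HOTP-style dynamic truncation (RFC 4226) of an HMAC-SHA256 over the challenge."""
    mac = hmac.new(secret, challenge(payee_iban, amount, counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class Verifier:
    """Bank side: checks a submitted code against the payee/amount it is about to
    execute, with a look-ahead window for codes the customer generated but never sent."""

    def __init__(self, secret: bytes, window: int = 3) -> None:
        self.secret = secret
        self.counter = 0            # highest counter accepted so far
        self.window = window

    def verify(self, payee_iban: str, amount: str, code: str) -> bool:
        for c in range(self.counter + 1, self.counter + 1 + self.window):
            expected = generate_code(self.secret, payee_iban, amount, c)
            if hmac.compare_digest(expected, code):
                self.counter = c    # burn this counter: the code is single use
                return True
        return False


def run_scenario() -> Dict[str, bool]:
    """Constructed data: one customer secret, a genuine payee and an attacker's."""
    secret = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)      # constructed
    genuine = "IE29 AIBK 9311 5212 3456 78"                              # constructed IBAN
    mule = "IE64 IRCE 9205 0112 3456 79"                                 # constructed IBAN
    bank = Verifier(secret)
    code = generate_code(secret, genuine, "250.00", counter=1)          # customer's reader
    results = {
        "genuine_payment_accepted": bank.verify(genuine, "250.00", code),
        "same_code_other_payee": bank.verify(mule, "250.00", code),      # malware swapped the payee
        "same_code_other_amount": bank.verify(genuine, "2500.00", code), # amount tampered
        "replay_of_used_code": bank.verify(genuine, "250.00", code),     # counter already burnt
    }
    next_code = generate_code(secret, genuine, "250.00", counter=2)     # next genuine payment
    results["next_counter_accepted"] = bank.verify(genuine, "250.00", next_code)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the scenario is the three False results: the same code is rejected once the payee, the amount or the counter differs, which is what separates a transaction-signing token from a plain login OTP that a SIM swap or an SMS reroute would capture.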

