"Bank customers should save themselves from scams"

jpd

Registered User
Messages
2,501
How did the scammers use the bank's text number to send the messages? If they were able to get the bank's details to do so that is a serious breach of BOI security.

Some posters suggest that it is a simple matter to send a text from one number that appears to come from another.



I don't find this convincing; if it were a simple matter that could be done without access to the bank's details, surely it would happen more often.
I didn't say easy to access bank details - that was obviously something deeper. I merely said spoofing the number the text came from - a quick Google search will show you how it is done.
 

joer

Registered User
Messages
527
The bottom line is that the bank have agreed to refund all the money, all because of Liveline. End of story.
 

Sunny

Registered User
Messages
4,179
I agree it is offensive. I actually think the older generation / elderly are less trusting of technology which is confused with not understanding technology. The younger generations (myself included) are far more trusting and accepting of technology.

My view is that Bank customers should save themselves from scams and that Banks should support them in doing so. Banks can take care of the technical aspects of cyber security / fraud. However, many of these scams are just variations of social engineering / phishing and will always require a conscious decision which is hard to systematically protect.

I am also of the opinion that if I get a speeding ticket, I can't say that the car manufacturer is to blame for making a car that lets me speed.

I could also argue that the government should be running campaigns to educate people on cybersecurity.


Banks spend vast amounts of money every single year to ensure that their own employees are educated on IT security and especially around phishing scams and the dangers of social media. There is a regulatory requirement that every single bank employee at every single level of the organisation is told how to identify spoof URLs, dangers of opening links, password security and even putting personal information on social media. And they need to do it EVERY SINGLE YEAR. The banks do that not because they think that their employees are too stupid to understand basic security, it is because people get complacent around these things. They click and open things they shouldn't. They don't check internet site addresses properly. They don't check e-mail addresses properly.
So banks and other financial institutions are forced to spend time and money on making sure they have done all they can to ensure that their employees understand the risks. After that and an employee opens an e-mail from a porn site that infects his PC or acts on an instruction from a dodgy e-mail, then they can't say they weren't told. Every single employee is made to sign off that they have done the course and passed a basic test.

Meanwhile banks are closing physical branches and forcing all customers into other banking channels like online and phone banking. There is nothing wrong with this business model but it does introduce increased risk of fraud. The fact of the matter is that some people of all ages are better with technology than others. Banks have customers that have banked with them for 40-50 years and might barely own an old style Nokia phone. They have younger customers who are uncomfortable with technology for a number of reasons. It is well established that banks have a duty of care to their customers. Online banking and other channels are great but they have a responsibility to ensure that the people who use them understand the risks and how they need to be used. Just like they would with any investment. Sending out text warnings or email warnings or putting warnings on Twitter is useless as they don't reach the people that most need to hear the warnings or help on using the system.

Even BOI have admitted that they have work to do in this regard but people here seem to think it is offensive that a bank would admit that and that all the 'stupid' people should just run off to 'simpler' banking with their savings books and cash lodgements and withdrawals.

If this leads to BOI and the other banks taking a more proactive stance in warning people about these scams and helping them understand the risks, then I certainly don't know why anyone on a so called consumer website would have an issue with it.
 

Early Riser

Registered User
Messages
1,110
Online banking and other channels are great but they have a responsibility to ensure that the people who use them understand the risks and how they need to be used. Just like they would with any investment. Sending out text warnings or email warnings or putting warnings on twitter is useless as they don't reach the people that most need to hear the warnings or help on using the system.

But how?
Do you think people read and absorb more from a generic warning sent to the post? I may be wrong but I believe these are sometimes included with normal correspondence from banks (eg, when getting a new card). I suspect lots of people don't read these and of those who do the details are forgotten after a month or so. People absorb the message "don't fall for scammers on the internet" and "don't give your details" but it does not protect them from very clever scammers who convince them they are legit. Confidence tricksters and fraudsters have always existed but technology gives them a whole new reach. As you say, scammers target everyone they can reach and anyone can be scammed.
 

EmmDee

Registered User
Messages
716
How did the scammers use the bank's text number to send the messages? If they were able to get the bank's details to do so that is a serious breach of BOI security.

It's really quite easy. It's not a breach of BOI security at all. It's a "feature" of SMS and emails - virtually no security about them at all.

Some posters suggest that it is a simple matter to send a text from one number that appears to come from another.

I don't find this convincing; if it were a simple matter that could be done without access to the bank's details, surely it would happen more often.

It happens a lot. And if you don't find it convincing, wait till you hear what else can be done with texts and text traffic - this is actually the most basic straightforward scam.
 

Sunny

Registered User
Messages
4,179
But how?
Do you think people read and absorb more from a generic warning sent to the post? I may be wrong but I believe these are sometimes included with normal correspondence from banks (eg, when getting a new card). I suspect lots of people don't read these and of those who do the details are forgotten after a month or so. People absorb the message "don't fall for scammers on the internet" and "don't give your details" but it does not protect them from very clever scammers who convince them they are legit. Confidence tricksters and fraudsters have always existed but technology gives them a whole new reach. As you say, scammers target everyone they can reach and anyone can be scammed.

Post is a waste of time as well. You have Banks that still suffer from fraud every single year through employees not doing what they should. No system is foolproof. However, if I go on to BOI and decide to join BOI online because the bank wants me to, they tell me I can be set up in 5 minutes which is great but they offer nothing else. They have this great section here in another great section around internet security. I had to go looking for it though which is fine for me. I know where to look. Is it that much trouble for banks to ensure that people are given this information when they sign up? That they are given a security awareness course that they can do once a year if they like. Is it too much trouble to have people in branches to help show people how to use the system? Have a demo version that people can get used to? Especially people that don't feel as comfortable as other people. Banks do a good job in trying to protect people but I think there is always room for improvement.

 

cremeegg

Registered User
Messages
3,567
It's really quite easy. It's not a breach of BOI security at all. It's a "feature" of SMS and emails - virtually no security about them at all.

If SMS and email are really so insecure, and I have no knowledge to the contrary, then it is a serious fault of the banks that they use them for what should be secure communication.

BOI send transaction verification codes via text message.
 

EO2020

Registered User
Messages
27
This idea that huge amounts of education is needed re cybersecurity is insane. It's the exact same advice it has always been, which is constantly repeated, that even my small children and aged relatives can tell you.....you never click on a link in a text, especially from a bank. Ever. It doesn't take a degree in IT, it doesn't need an advertising campaign.
If you don't know this basic thing by now then you will never know it. Some people can't be taught.
 

Sunny

Registered User
Messages
4,179
This idea that huge amounts of education is needed re cybersecurity is insane. It's the exact same advice it has always been, which is constantly repeated, that even my small children and aged relatives can tell you.....you never click on a link in a text, especially from a bank. Ever. It doesn't take a degree in IT, it doesn't need an advertising campaign.
If you don't know this basic thing by now then you will never know it. Some people can't be taught.

Tell that to the financial regulator then..... The banks will be delighted to reduce their compliance burden. They will be especially delighted to know that clicking on a link is the only scam out there.

In the meantime, don't let yourself or your super intelligent small children fall off that moral high ground you are currently occupying....
 

EmmDee

Registered User
Messages
716
If SMS and email are really so insecure, and I have no knowledge to the contrary, then it is a serious fault of the banks that they use them for what should be secure communication.

BOI send transaction verification codes via text message.

Banks (and other services) have historically used SMS as a second factor security but it has long been seen as flawed. Banks are moving away from them and most other services are moving to alternatives - ideally you should remove texts as a second factor for everything and use an alternative second factor.

Banks don't use texts for secure communication (i.e. two way). They don't use them to initiate interaction (i.e. links). They use them for push notifications only. But they are flawed.
 

Dublinbay12

Registered User
Messages
529
Banks (and other services) have historically used SMS as a second factor security but it has long been seen as flawed. Banks are moving away from them and most other services are moving to alternatives - ideally you should remove texts as a second factor for everything and use an alternative second factor.

Banks don't use texts for secure communication (i.e. two way). They don't use them to initiate interaction (i.e. links). They use them for push notifications only. But they are flawed.

EmmDee,

Under SCA (Strong Customer Authentication) I have noticed that banks like KBC are using texts to verify transactions. This is a relatively new introduction to my knowledge. Is this just a case of them lacking a better infrastructure to have implemented something better under SCA?
 

Dublinbay12

Registered User
Messages
529
Banks spend vast amounts of money every single year to ensure that their own employees are educated on IT security and especially around phishing scams and the dangers of social media. There is a regulatory requirement that every single bank employee at every single level of the organisation is told how to identify spoof URLs, dangers of opening links, password security and even putting personal information on social media. And they need to do it EVERY SINGLE YEAR. The banks do that not because they think that their employees are too stupid to understand basic security, it is because people get complacent around these things. They click and open things they shouldn't. They don't check internet site addresses properly. They don't check e-mail addresses properly.
So banks and other financial institutions are forced to spend time and money on making sure they have done all they can to ensure that their employees understand the risks. After that and an employee opens an e-mail from a porn site that infects his PC or acts on an instruction from a dodgy e-mail, then they can't say they weren't told. Every single employee is made to sign off that they have done the course and passed a basic test.

Meanwhile banks are closing physical branches and forcing all customers into other banking channels like online and phone banking. There is nothing wrong with this business model but it does introduce increased risk of fraud. The fact of the matter is that some people of all ages are better with technology than others. Banks have customers that have banked with them for 40-50 years and might barely own an old style Nokia phone. They have younger customers who are uncomfortable with technology for a number of reasons. It is well established that banks have a duty of care to their customers. Online banking and other channels are great but they have a responsibility to ensure that the people who use them understand the risks and how they need to be used. Just like they would with any investment. Sending out text warnings or email warnings or putting warnings on Twitter is useless as they don't reach the people that most need to hear the warnings or help on using the system.

Even BOI have admitted that they have work to do in this regard but people here seem to think it is offensive that a bank would admit that and that all the 'stupid' people should just run off to 'simpler' banking with their savings books and cash lodgements and withdrawals.

If this leads to BOI and the other banks taking a more proactive stance in warning people about these scams and helping them understand the risks, then I certainly don't know why anyone on a so called consumer website would have an issue with it.

I think you need to understand the rapid evolution of these frauds, that comment regarding opening a porn website. Many of those trojan viruses, like the one that impacted the NHS, only started appearing in the 2010s.

In my experience 'phishing and email' fraud training only came in 2 years ago in my employer.
 

EmmDee

Registered User
Messages
716
EmmDee,

Under SCA (Strong Customer Authentication) I have noticed that banks like KBC are using texts to verify transactions. This is a relatively new introduction to my knowledge. Is this just a case of them lacking a better infrastructure to have implemented something better under SCA?

Sending a code by text that you have to input onto the screen is actually quite old - though KBC might have only introduced it recently. Either way, it will be phased out soon and the challenge will be sent a different way - probably using notifications from the app rather than a text message which makes it a lot more secure. App notifications can't be intercepted while text messages can. But there is also likely to be a lot of behind the scenes verification happening - location of purchase being the same as location of phone... that type of thing
 

Jim2007

Registered User
Messages
2,238
By the time a customer has reached their 80s, they have likely paid 6 decades of bank fees.

Companies move to these service models to save money and for no other reason; the least they can do is make their systems easier to use for customers who were children at a time when even TVs were unknown, never mind computers.

This is just total nonsense! Customers paid for a service that they used and just like the newsagents are not obligated to give you free newspapers after you bought your paper from them every day for 20 years, neither are banks nor any other business required to give you stuff for free. Your sense of entitlement is just unbelievable.
 

Brendan Burgess

Founder
Messages
44,678
Your sense of entitlement is just unbelievable.

Jim it's totally believable. It's widespread in this country.

"I paid my taxes for years and now I want a very high pension whether or not we can afford it."

"30 years working for that company and I have nothing to show for it?" To which I always reply: "Were you not paid every week?"

So it's not unusual for someone to say I have paid bank charges for 30 years so they should keep their local branch open for me or compensate me if someone tricks me into parting with my money.

Brendan
 

Thirsty

Registered User
Messages
3,460
My sense of entitlement!?

I'm delighted to tell you that I'm not yet of retirement age, never mind being considered of an older age group, nor yet of a generation for whom, as children, TVs were unknown.

I trust that by the time ye find yourself hard of hearing, with limited mobility, poor eyesight, failing memory and possibly limited means, that you find more human decency from other people than is being shown here.

Or maybe we'll just put ye on a flight to Switzerland and not have the burden of ye any more.
 

roker

Registered User
Messages
1,798
I have heard many times about people who were "persuaded" to give their personal details and I always said "how stupid these people were to give their details" but this came from a recognised BOI number. When they clicked on the link all their details were presented before them. Everyone who I heard speak about this last week, even one person who was trained to watch out for this kind of behavior, got caught by this scam. It was not stupid people at all.
Can I add it is not just online banking, the scams come via the phone as well.
So how much are you willing to pay for this service? Because that is what it comes down to at the end of the day. Say an annual charge of €100 per account for all account holders under 65?
Isn't the whole point of online banking to make the whole process cheaper, but now there are ever more charges.
 