The new selfie check, however, aims to make such processes easier and faster, while maintaining adequate levels of anti-fraud security.
It involves customers taking a photo of themselves that is safely stored by AIB.
When they wish to make a secure payment of up to €10,000, the app will request that they take a selfie on their mobile phone via the AIB mobile app, which will then verify their identity.
The future selfies will be measured against the existing photo.
> Unfortunately many people banking online have both their online banking and their authenticator on a single device, their phone, thus depriving themselves of 2FA. A physically separate device is better protection against the human tendency to cut corners.

The world is with 2FA moving to authenticators on a second device, usually a phone. Gonna be hard swimming upstream against that.
> thus depriving themselves of 2FA

But the second factor is usually something separate like a fingerprint, face scan, passkey, PIN/code etc. rather than the device per se.
> But the second factor is usually something separate like a fingerprint, face scan, PIN/code etc. rather than the device per se.

I think we are about to have a philosophical difference. If I go to an ATM with a debit card, my PIN number is not a second factor. Card+PIN is a single mode of authentication.
The authentication factors of a multi-factor authentication scheme may include:[4]
- Something the user has: Any physical object in the possession of the user, such as a security token (USB stick), a bank card, a key, a phone that can be reached at a certain number, etc.
- Something the user knows: Certain knowledge only known to the user, such as a password, PIN, PUK, etc.
- Something the user is: Some physical characteristic of the user (biometrics), such as a fingerprint, eye iris, voice, typing speed, pattern in key press intervals, etc.
> A physically separate device is better protection against the human tendency to cut corners.

This is a very good point. The Card Reader definitely has a place in the armoury of security solutions. The problem is AIB's rather stupid utilisation of it for low risk transactions. For example, AIB blocked you from setting up SEPA Payees using non-IE IBANs, thus requiring the use of the Card Reader for every transaction involving a non-IE IBAN entered on the fly. A good security implementation might have required you to use the card reader to set up the non-IE IBAN as a payee, but allowed re-use of that payee without the card reader subsequently. Ulster Bank's implementation involved the Card Reader this way. A further refinement could have allowed either risk-based use of the card reader taking into account a mix of predetermined limits, perceived risk and precedent, or even a configurable implementation where the customer determined which transactions and limits required the use of the card reader. Instead it was used inappropriately to cover for gaps in AIB's system security and integrity. Personally I would very much like to retain it for a narrow band of transactions/actions, but not for routine use.
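As an added illustration of the step-up policy proposed in the post above (card reader once to add a non-IE payee, cheaper factor for reuse, card reader again above a limit), here is example code that is not AIB's, Ulster Bank's or any bank's implementation; the factor names, the €10,000 selfie limit taken from the article, the IE-prefix check and the sample IBANs are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed limit: the article says the selfie check covers payments up to €10,000.
SELFIE_LIMIT_EUR = 10_000

# Relative strength of the step-up factors in this constructed policy.
FACTOR_STRENGTH = {"selfie": 1, "card_reader": 2}


@dataclass
class Customer:
    # Payees already set up, keyed by normalised IBAN -> factor used to add them.
    payees: dict = field(default_factory=dict)


def normalise(iban: str) -> str:
    return iban.replace(" ", "").upper()


def is_domestic(iban: str) -> bool:
    """An IBAN's first two characters are its country code; IE = Ireland."""
    return normalise(iban).startswith("IE")


def required_factor(customer: Customer, iban: str, amount_eur: float) -> str:
    """Decide which factor a payment must present under the constructed policy:
    - above the selfie limit: card reader, whoever the payee is
    - a non-IE IBAN entered on the fly (not yet a payee): card reader
    - everything else, including reuse of a payee added via card reader: selfie
    """
    if amount_eur > SELFIE_LIMIT_EUR:
        return "card_reader"
    if normalise(iban) not in customer.payees and not is_domestic(iban):
        return "card_reader"
    return "selfie"


def complete_payment(customer: Customer, iban: str, amount_eur: float,
                     factor_presented: str) -> bool:
    """Accept the payment if the presented factor is at least as strong as the
    required one; on success record the payee so later reuse needs no card reader."""
    needed = required_factor(customer, iban, amount_eur)
    if FACTOR_STRENGTH.get(factor_presented, 0) < FACTOR_STRENGTH[needed]:
        return False
    customer.payees.setdefault(normalise(iban), factor_presented)
    return True
```

Running the same non-IE IBAN through `complete_payment` twice shows the effect: the first payment needs the card reader, the second only the selfie.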