Verified by Visa (AIB) - mandatory mobile phone

How exactly would being able to spoof a text message help you break the validation? The original request that sends the text does not originate from a mobile device???

AIB are sending passcodes by SMS ... verify easy to insert a fake re-authenticate passcode and a new URL to capture your verified by visa details. I don't think major financial institutions should be relying on an unauthenticated protocol.
When you get an SMS you have absolutely no way to know for sure that it is authentic, and you are now reliant on the bank sending you a passcode via such means.
 
I don't think major financial institutions should be relying on an unauthenticated protocol.
Neither email, sms, or post provides any assurance that the sender is who they say they are. Unfortunately, these are the only practical ways for companies to send us 2 factor authentication keys.
Given that people are whinging about the inconvenience of a text message, how do you think the public would react if verified by visa required a dedicated android/ios app?

AIB are sending passcodes by SMS ... verify easy to insert a fake re-authenticate passcode and a new URL to capture your verified by visa details.
This falls back to the advice that everybody has been hearing about email phishing forever - never trust a url that's been sent to you.

For a legitimate transaction, it will never be necessary to send a url by sms:
1. I enter my card details on my laptop at (say) tesco.ie
2. I am redirected to the verified by visa gateway, I enter my password, and then I'm prompted to enter an auth code.
3. I receive a text message "Your verified by visa auth code is 1234. If you didn't authorize a transaction please call your cc provider."
4. I transcribe the code from the sms to the laptop.
 
AIB are sending passcodes by SMS ... verify easy to insert a fake re-authenticate passcode and a new URL to capture your verified by visa details. I don't think major financial institutions should be relying on an unauthenticated protocol.
When you get an SMS you have absolutely no way to know for sure that it is authentic, and you are now reliant on the bank sending you a passcode via such means.

In order for your 'theory' to work your hacker would have to have access to the primary device requesting the authentication which is situated within the credit card company, a merchant account to which he can divert the funds and the ability to generate dual transactions on both the original merchant account and their account. In addition to having the ability to intercept the original message from the bank. In other words it is not going to happen any time soon and even if it did the credit card company would be responsible as they would have allowed access to the primary device.

On top of this the card company's normal fraud checks would cause both merchant accounts to be frozen once a dual transaction is detected, it is a standard check. So even after all this the hacker has to figure out how to get their hands on the cash.
 
I might add that the newer version of this technology, which I'm a trial user on, involves the phone company issuing you with a new chip that encrypts the messages. While this is even more secure the down side is that you have to go back to the phone company for a new chip when you change phone etc. Even taking the chip out and putting it back in causes it to throw a wobble, as I have discovered this week!
 
Disabling a phone (by the manufacturer or by the network provider) can be achieved by two methods primarily:

1. Remove / disable services from the SIM card
2. Remove / disable services from the device using the IMEI number

In scenario 1, inserting a new SIM card MAY get the phone working again; in scenario 2 a new SIM will not re-enable the device.

Contrary to urban myth, removing the SIM card or powering the device off before the manufacturer/ network operator takes action to deny access to services will not prevent either 1 or 2 working.

I just had an interesting interaction with AIB's servers in relation to my debit card.

I initiated two transactions with the same merchant using the same card within a few minutes of each other today. This seems to have been recognised as "unusual activity" and I got a txt asking me to transmit "Y" to authorise the transaction or "N" to cancel it. Card details were exchanged with the merchant over the phone. AIB named the merchant, the amount, date & time, last 4 digits of card in the initial txt. I sent "Y" as a message response and got back confirmation of the transaction with the merchant and a message saying it was OK to continue using the card.

My first time experiencing this. I reckon it was a good spot and a nice simple, sensible and secure way to handle it. This is one of the reasons you need a mobile phone for a card account. I know ApplePay and loyalty card use are the other reasons, getting rid of plastic card entirely.
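As an added illustration (not code from any poster, nor AIB's), a small Python model of the "dual transaction" check described in the two posts above, together with a confirmation text that, as the earlier step-by-step post notes, never needs to carry a URL. The transactions, window and message wording are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    card_last4: str
    merchant: str
    amount: float   # euro
    at: datetime


# Constructed sample transactions: two with the same card at the same merchant
# a few minutes apart, one unrelated, and one on a different card.
SAMPLE_TXNS = [
    Txn("1234", "M&S Online", 18.00, datetime(2024, 5, 1, 12, 0)),
    Txn("1234", "M&S Online", 41.00, datetime(2024, 5, 1, 12, 4)),
    Txn("1234", "Tesco.ie",   60.00, datetime(2024, 5, 1, 15, 30)),
    Txn("9876", "M&S Online", 18.00, datetime(2024, 5, 1, 12, 6)),
]


def flag_repeat_transactions(txns, window=timedelta(minutes=10)):
    """Return transactions that repeat an earlier one on the same card at the
    same merchant within `window` (the 'unusual activity' pattern in the thread).
    The window value is an assumption, not AIB's rule."""
    flagged = []
    last_seen = {}  # (card, merchant) -> time of the most recent transaction
    for t in sorted(txns, key=lambda x: x.at):
        key = (t.card_last4, t.merchant)
        prev = last_seen.get(key)
        if prev is not None and t.at - prev <= window:
            flagged.append(t)
        last_seen[key] = t.at
    return flagged


def confirmation_sms(t):
    """Compose the challenge text: merchant, amount, date/time and last 4 digits,
    asking for a Y/N reply. It deliberately contains no link."""
    return (f"Unusual activity: {t.merchant} EUR {t.amount:.2f} on "
            f"{t.at:%d/%m/%Y %H:%M}, card ending {t.card_last4}. "
            "Reply Y to authorise or N to cancel.")


def contains_url(text):
    """A legitimate passcode or confirmation text should never carry a link;
    a message that does is the phishing case the thread warns about."""
    return any(tok in text.lower() for tok in ("http://", "https://", "www."))
```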
 
I just got this from boi. Two m and s transactions within minutes, both online, and got text message to say reply y or n, and then once replied an OK.
 
Neither of my transactions would bail out a kid's piggy-bank, 18 & 41 euro, but re-assuring nonetheless.
 
I hadn't heard this from AIB so thanks very much for letting us know. They are not good about informing customers from my experience.

What concerns me greatly is that AIB (correct me if I'm wrong) only accepts an Irish mobile number. So if you travel a lot and use local SIM cards and phone numbers in other countries, there is no way to receive the text message to complete an online purchase. Any advice for that? There really needs to be a secondary way to confirm an online purchase either by email or allowing international numbers as well. It's interesting how in Europe the banks are making it harder to shop online (for good reasons of course) and in the USA they are fighting to keep it as easy as possible.

Now my biggest problem with AIB and the need to prevent fraud is their lack of transactional email alerts. Every US credit card company offers instant email alerts for every purchase. That would let me be notified about potential fraudulent transactions as quickly as possible. Does AIB really expect me to login every few days to make sure all my purchases are valid since they can't catch everything. Several months ago I luckily caught a fraud purchase but it could have taken me weeks longer to notice and report it.
 
I don't understand the scenario. Are there other people who would be using the card while you are out of the country? Why would you shop in Ireland when you are elsewhere? What about a dual SIM phone that covers all the wave-bands - insert local SIM in foreign country, keep Irish SIM active on roaming for text messages to confirm purchases?
 
I hadn't heard this from AIB so thanks very much for letting us know. They are not good about informing customers from my experience.

What concerns me greatly is that AIB (correct me if I'm wrong) only accepts an Irish mobile number. So if you travel a lot and use local SIM cards and phone numbers in other countries, there is no way to receive the text message to complete an online purchase. Any advice for that? There really needs to be a secondary way to confirm an online purchase either by email or allowing international numbers as well. It's interesting how in Europe the banks are making it harder to shop online (for good reasons of course) and in the USA they are fighting to keep it as easy as possible.

Now my biggest problem with AIB and the need to prevent fraud is their lack of transactional email alerts. Every US credit card company offers instant email alerts for every purchase. That would let me be notified about potential fraudulent transactions as quickly as possible. Does AIB really expect me to login every few days to make sure all my purchases are valid since they can't catch everything. Several months ago I luckily caught a fraud purchase but it could have taken me weeks longer to notice and report it.

It isn't offered, simple as. I make it a habit to very regularly check my account online - there's no real excuse for not checking "every few days" given it is quick and easy with things like the mobile app. As you might be aware, email is not a reliable (or secure) way of communicating. Don't think it is too onerous to keep an eye on one's account especially when travelling and using your card abroad. Pushing all the responsibility to the bank is a bit harsh I think.
And as always, if you don't like what AIB offers: it is very easy to switch banks these days.
 