AIB online banking code card

robinph

Maybe I'm missing something obvious but how exactly does the AIB code card that they give you provide any increase to the security of your online banking transactions?

In order to access your online or telephone banking you need several numbers already, some of these are supposed to be known only to yourself, others are freely available to anyone that knows you and other bits are just slightly more tricky to guess as they are based on personal information that people could easily find and then guess the random numbers part of it. Some of those codes are admitedly a bit insecure but how then does having a card with a set of numbers printed on it and provided by the bank add an extra level of security. If I loose my wallet then all but the online banking pin number has then been lost to whoever took it if I also have their code card on me. All that their code card then provides is a totally false sense that someone is me if they then happen to access my telephone banking.

The only thing I can see this card with the numbers on providing is an annoyance to me as I keep throwing the thing out after they send me a new one becasue I need to perform one of the actions that they deem these codes needed for so I have to keep waiting for them to send me a new one.

You are told never to write down your atm pin numbers, but then the bank goes and effectively gives out a list of pin type numbers for you to carry around on you for accesing the online banking.

Thomas_S_Hunterson

If you lose your wallet, what ever information is in it should be useless.

The code card is useless on its own. To log in you need an online login number, a PIN and the piece of personal data. All of these should not be in your wallet. And if you do lose your wallet, report it to the bank, and theywillsend you a new keycard, renderin the old one useless.

The purpose of the key card is to reduce any damage that may be caused by a compromised machine (eg by keylogger). The key card has ~100 codes on it I think, so the chances of a keylogger being of any use is minimal, as the bank will ask for a different one each time, and will generally lock out in the event of repeated incorrect entries. Therefore, someone who manages to geet your login ID and piece together your PIN with a keylogger will still be unable to access your account.

All in all, it's a lot more secure, as verification takes numerous forms

ircoha

robinph: The code card is NOT part of what is required in accessing the account, it is an extra layer provided when you want to do certain transactions, most notably send money to another account, once you are logged on.
You seem to understand that from the body of the post, and then you write

You are told never to write down your atm pin numbers, but then the bank goes and effectively gives out a list of pin type numbers for you to carry around on you for accessing the online banking.

I think you are being a bit disengenious/narcissistic.
For example

In order to access your online or telephone banking you need several numbers already, some of these are supposed to be known only to yourself, others are freely available to anyone that knows you and other bits are just slightly more tricky to guess as they are based on personal information that people could easily find and then guess the random numbers part of it.

There are 3 parts to the login procedure.
1 the 8 digit account code
next 3 out of 5 digits, chosen randomly in random order.
next 4 digits out of one of 3 or four numbers.

Which is which as per your paragraph above?



The codes on the card only work once so even if the rest of the transaction is key logged the keycode is nfg as the next trans will require a new one and as S_K says, if you try an invalid one or 2 the account locks.

robinph

I hadn't considered the possibility of key logging so I think I might just let them off in this case. But if the standard log in procedure for the on line banking is considered secure then why do they then ask for an additional check only on some rare occasions. My problem with it though being that by the time those rare occasions come round I've lost the code card so then have to wait several days for them to send me a new one each time. Yes I should keep the codes in a safe place etc, but I do keep all of the other codes for accessing my account in a safe place, that being my memory, and don't write any of them down so keeping the code card about just seems wrong in this case.

As for the general login the account code is based on relatively easily obtainable personal information, with a couple of "random" numbers stuck on the end for good measure, and the last sequence of four numbers is also from one of several easily discovered bits of personal information. Only the middle three digits that they ask for are actually secret in any way.

I do actually think that their login system is very good though and don't have a problem with it, I do remember seeing their website get recognised several years ago as being one of the best and most secure online banking sites anywhere. It's just the awkwardness of needing the code card for one set of tasks that you rarely do and the waiting around for the numbers so I can do what really needed to be done immediately.

ircoha wrote:

I think you are being a bit disengenious/narcissistic.

OK then, just a little bit. But I'm getting annoyed waiting on the postman.

fletch

The code card is an excellent idea. Even if someone does manage to obtain your login details through whatever means, they still can't transfer money to their account unless they guess the code correctly which I think is a 1 in 10,000 possibility.
Only problem I have with mine is that the numbers keep rubbing off it.