Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Prevent fraudulent enrolment in 3DSecure

Options
  • 02-06-2014 3:57pm
    #1
    Silent Bob
    Registered Users Posts: 491 ✭✭


    Hi,

    I'm not going to be enrolling my credit card in the 3DSecure scheme, the authentication techniques chosen by Bank of Ireland are far too weak for me to accept the additional legal liabilities that enrolling requires me to accept.

    If and when the Bank of Ireland enables out-of-band enrolment and two-factor authentication I will be happy to enrol, until that time, it's not going to happen.

    However, this leaves a serious vulnerability open. Nothing prevents a criminal from fraudulently enrolling my card in 3DSecure and forcing those legal liabilities onto me. At which point I will be entirely liable for any fraudulent payments since they will have authenticated properly with 3DSecure.

    Before you say this isn't plausible bear in mind that the only piece of information required for enrollment, beyond my credit card details, is my mother's maiden name, which is hardly a secret. We have to assume that my credit card details are known to criminals since that's exactly the problem that 3DSecure attempts to address.

    So, how can you guys prevent my card from being enrolled in 3DSecure against my will? Will you ever be switching to a strong form of authentication that actually protects consumers?

    Thanks


Comments

  • Options
    #2
    Bank of Ireland: Tara
    Closed Accounts Posts: 2,346 ✭✭✭Bank of Ireland: Tara


    Hi Silent Bob,

    Thanks for getting in touch and apologies for the delay with responding to you.

    We've referred your post to our Security Team and we will post a reply as soon as possible.

    Thanks
    Tara


  • Options
    #3
    Bank of Ireland: Tara
    Closed Accounts Posts: 2,346 ✭✭✭Bank of Ireland: Tara


    Hi Silent Bob,
     
    Thanks for your patience.


    Verified by Visa and MasterCard SecureCode are services offered by Bank of Ireland in partnership with Visa and MasterCard to bring you 3D Secure. 
       
    Bank of Ireland will investigate all reports of card fraud and deal with them on a case by case basis. We will always try to get the best outcome for our customers with all factors taken into account.
     
    We understand this is not the precise answer you were looking for however, please be assured we have passed on your comments and feedback regarding this facility.
     

    Thanks again,
    Tara


  • Options
    #4
    Silent Bob
    Registered Users Posts: 491 ✭✭Silent Bob


    Hi Tara,

    thanks for the update


  • Options
    #5
    birchtree
    Registered Users Posts: 121 ✭✭birchtree


    Silent Bob wrote: »
    Hi,

    I'm not going to be enrolling my credit card in the 3DSecure scheme, the authentication techniques chosen by Bank of Ireland are far too weak for me to accept the additional legal liabilities that enrolling requires me to accept.

    If and when the Bank of Ireland enables out-of-band enrolment and two-factor authentication I will be happy to enrol, until that time, it's not going to happen.

    However, this leaves a serious vulnerability open. Nothing prevents a criminal from fraudulently enrolling my card in 3DSecure and forcing those legal liabilities onto me. At which point I will be entirely liable for any fraudulent payments since they will have authenticated properly with 3DSecure.

    Before you say this isn't plausible bear in mind that the only piece of information required for enrollment, beyond my credit card details, is my mother's maiden name, which is hardly a secret. We have to assume that my credit card details are known to criminals since that's exactly the problem that 3DSecure attempts to address.

    So, how can you guys prevent my card from being enrolled in 3DSecure against my will? Will you ever be switching to a strong form of authentication that actually protects consumers?

    Thanks
    Brilliant post, I haven't thought of this aspect!
    As someone said, it is not about security, it is about passing liability.
    I wrote this to BOI today:

    While MasterCard SecureCode and Verified by Visa add a layer of protection for sellers, it is reducing protection for buyers. By forcing customers to provide such personal data as date of birth and mother's maiden name leaves me completely exposed if such details were stolen during the transaction. Nobody can raise a hand and say - my computer and network are 100% secure. The last bit of data that only you and the bank knows are now available for trojans, keyloggers and wifi scanners. Not to mention the inconvenience of remembering yet another password and 'personal greeting'. Speaking of password - I can't even use special characters in the password for added protection. Not very securecode, is it?
    What steps can we take to change this?


Advertisement