AIB Internet banking authentication change

Chelon

Has anyone noticed they seem to have removed the second level of authentication, ie all they want now is your registration number then selected digits from your passcode. That's it- you're then in.

Before you needed to also input parts of your password.

I rang them and was told this is to bring it into line with their phone banking method.

Anyone else find it very strange and worrying that they seem to be slackening off on security?

Atlantic Dawn

You can change the code you are using.

28064212

Chelon wrote: »

Before you needed to also input parts of your password.

Password? It was parts of your phone number, no?

And if someone already has your Registration No and your PAC, how much difficulty do you think they'll have retrieving the last 4 digits of your phone number? Requiring that to log in wasn't any more secure, so removing it doesn't lessen security

Chelon

28064212 wrote: »

Password? It was parts of your phone number, no?

And if someone already has your Registration No and your PAC, how much difficulty do you think they'll have retrieving the last 4 digits of your phone number? Requiring that to log in wasn't any more secure, so removing it doesn't lessen security

Yes you're correct, it was the phone number or digits from your credit card.

But still not a bit concerning to be removing a level of security? Other internet banking I use has 2 levels to pass after you've entered your reg number.

Plus with AIB, if you have the reg number, all that's left is a 5 digit passcode - digits only, no alpha or special characters etc.

I'm no hacker but surely that has to be less secure than a full password?

28064212

Chelon wrote: »

But still not a bit concerning to be removing a level of security?

But that's missing the point: it's not a level of security. It's an entirely useless step. It's like having a locked door, with a curtain hanging inside it. No-one who gets through the door will be stopped by the curtain. No-one who would be stopped by the curtain would get through the door in the first place. Removing the curtain isn't taking away a level of security, all of the security is provided by the door

Chelon wrote: »

Plus with AIB, if you have the reg number, all that's left is a 5 digit passcode - digits only, no alpha or special characters etc.

The fact that they ask for 3 random digits increases the strength quite a bit. A simple 5-digit passcode is quite easy to crack, you just have 100,000 combinations to try, one after the other. When the digits that are asked for constantly change, it's more difficult.

Also, it's pretty easy to spot suspicious behaviour. If someone puts the wrong passcode in a couple of times in a row, locking them out for a period of time is simple. You can also lock them out permanently, until they verify their identity to a phone operator.

Chelon

28064212 wrote: »

But that's missing the point: it's not a level of security. It's an entirely useless step. It's like having a locked door, with a curtain hanging inside it. No-one who gets through the door will be stopped by the curtain. No-one who would be stopped by the curtain would get through the door in the first place. Removing the curtain isn't taking away a level of security, all of the security is provided by the door


The fact that they ask for 3 random digits increases the strength quite a bit. A simple 5-digit passcode is quite easy to crack, you just have 100,000 combinations to try, one after the other. When the digits that are asked for constantly change, it's more difficult.

Also, it's pretty easy to spot suspicious behaviour. If someone puts the wrong passcode in a couple of times in a row, locking them out for a period of time is simple. You can also lock them out permanently, until they verify their identity to a phone operator.

But before they'd have to know either your phone number or credit card number - ok maybe not as secure as a full password but surely a tiny bit better than what they've replaced this step with (answer- nothing).

Just thinking it's very strange when just about every other system you see is adding more security, asking for complex passwords, etc. AIB seem to be going the other way.

Chelon

28064212 wrote: »

Password? It was parts of your phone number, no?

And if someone already has your Registration No and your PAC, how much difficulty do you think they'll have retrieving the last 4 digits of your phone number? Requiring that to log in wasn't any more secure, so removing it doesn't lessen security

I'm just curious here - imagine you are on holiday and someone breaks into your house and steals your pc, on which you have very foolishly left a note of both your Reg number and passcode.

How would they then be able to discover your mobile phone number?

28064212

Chelon wrote: »

I'm just curious here - imagine you are on holiday and someone breaks into your house and steals your pc, on which you have very foolishly left a note of both your Reg number and passcode.

How would they then be able to discover your mobile phone number?

Really? Someone who's written down their Reg number and passcode, but nowhere in their entire house do they have any reference to their mobile phone number? I find that to be a pretty unlikely scenario. Even if it were true, a mobile number is not a difficult thing to discover. If I had someone's reg number and passcode, targeting their phone number would be trivial

Not to mention that there's not a whole lot you can do with just the reg number and passcode. For any kind of transfer, you'd need your card-reader and PIN

Chelon

I just reckon a smash and grab thief would do just that - he wouldn't spend time scouring the house for stuff like a phone number.

Just aksing because I've tried to find mobile numbers for people online before and it wasn't that easy.