Changes for using BoI Visa debit card for online purchases

coylemj

I downloaded my BoI quarterly current account statement last week and spotted this at the foot of each page......

On a phased basis from 5 July 2017 we are introducing one-time passcodes for online debit card purchases. Instead of needing a Verified by Visa password to complete the purchase, a unique one-time passcode will be sent to your mobile.

See www.boi.com/3DSecureFAQs

So when the rollout is complete, each time you use your BoI Visa debit card to make an online purchase, a code will be sent to your mobile which you will enter instead of the 'Verified by Visa' password.

What is a one-time passcode?

A one-time passcode is a random number. When you use 3D Secure, a passcode is automatically sent to the mobile phone number you have provided to us. The passcode will only be valid for the online purchase you have received it for. You do not need to remember this passcode. Each time you make a purchase online with a participating retailer, and authentication is required, a new passcode will be sent by SMS text message to the mobile phone number you have provided to us.

ED E

SS7 is not secure.

Really this is a step backwards by the banks. If you want OTP use time based keying like Google Authenticator.

coylemj

ED E wrote: »

SS7 is not secure.

Really this is a step backwards by the banks. If you want OTP use time based keying like Google Authenticator.

OP here. Could you give us that in plain English please, this is not a technical forum.

Are you suggesting that a Visa debit customer has a choice when making an online purchase?

ED E

Imagine a system from 1975. Was security a big deal then? So is it very security conscious? Nope.

Now realize that's how you receive text messages. And Visa/BOI are now using it to send a secret for a security system. Its kinda like putting a wad of cash in an envelope and posting it.


No choice, other than move to a smarter bank.

Spocker

coylemj wrote: »

OP here. Could you give us that in plain English please, this is not a technical forum.

Are you suggesting that a Visa debit customer has a choice when making an online purchase?

A lot of people have had issues in the past with the 3D Secure functionality (for Mastercard and Visas equivalent 'Verified by Visa') due to the intermittent implementation by sellers - some times you'd be asked, and sometimes you wouldn't

I had seen something recently were this was being phased out, and this is obviously Bank of Irelands replacement. Instead of you having to remember a password, the bank will now text you a one-time code instead. This will require you to register your phone with your account. This would apply to online purchases only.


The SS7 that ED E refers to is a communication standard for telephone networks; yes it has some flaws, but IMO the average person (such as you coylemj) being the victim of an attack is unlikely - the one-time code will likely be tied to the merchant and amount you're buying from at that day/time and will probably expire if not used.

I don't know of any Irish bank (or Revolut or N26) that uses OTP (Google Authenticator and the like) so asking the OP to move is not really very practical

ED E

It was more a rant against a backwards step than an instruction to the OP. Nothing he can do until some of the banks make the move in the right direction.