Security Vulnerability Bank of Ireland

When using bank of ireland payment cards online sometimes you will be asked to enter a one time passcode in addition to your payment card details.

This is what is known as two factor authentication or 2FA.

2FA is widely used online nowadays for various online services.

The purpose behind 2FA is to add an additional layer of security in validating that it is actually you using the bank of ireland payment card online.

Even if someone criminally obtains your bank of ireland payment card details, they should not be able to use the card online for making large payments unless they physically have your 2FA device i.e. mobile phone.

The criminal will enter your bank of ireland payment card details online and then they will be asked to enter a one time passcode which bank of ireland will text message to your mobile phone number. As the criminal does not have your physical mobile phone they can not complete payment online.

The issue I have is with the way bank of ireland have implemented two factor authentication.

The only method of two factor authentication that bank of ireland offer is by sending SMS text messages to your mobile phone number.

This method of two factor authentication is inferior in comparison with two factor authentication applications that you install such as Google Authenticator, Bitwarden, andOTP, etc.

Two factor authentication applications generate the one time passcode without the need for any SMS text messages.

The reason SMS text messages are not secure is because they are not encrypted. When bank of ireland sends the two factor authentication one time passcode by SMS text message to your mobile phone, it is sent in plain text, anyone that intercepts the text message can read and use your one time passcode and use it to make payments with your bank of ireland account.

However this is not the biggest issue.

The biggest vulnerability with the the bank of ireland system is that it is vulnerable to SIM swap attacks.

A SIM swap attack is where someone who knows your mobile phone number transfers it to another SIM card that they are in control of.

Think about all the people and companies and websites that know your mobile phone number.

All it takes is for one of those people to telephone your mobile phone carrier, speak to some inexperienced or careless employee working for your mobile phone company and convince them they they lost their phone, bought a new SIM card and need to transfer their old mobile phone number to their new SIM card.

SIM swap attacks happen frequently and you have no way to prevent them. You are completely reliant on the employee of your mobile phone company.

So the criminal has your bank of ireland payment card details and now they have also taken over your SIM card. Bank of ireland are SMS text messaging your one time passcodes to the criminal and the criminal is spending your money.

The solution is for bank of ireland to offer the option to use two factor authentication applications such as Google Authenticator, Bitwarden, andOTP, etc.

Two factor authentication applications are considered far more secure than SMS text messages.

Bank of ireland should also be using 2FA for login on bank356. The current login system justs asks you for 3 digits to login to bank365. That means a criminal just has to guess a number between 0-9 three times correctly which means they would only have to enter 1000 different combinations before they would guess correctly and access your bank365 account.

Considering bank of ireland is responsible for protecting your money they should have higher security standards.