# New Bank Of Ireland security requirement



## cremeegg (19 Jan 2021)

I am trying to log in to Bank of Ireland Banking Online and I am getting a message that I need to set up a security device. Is this genuine? It seems like something that would have been advertised.

Thanks for any info.


----------



## PGF2016 (19 Jan 2021)

cremeegg said:


> I am trying to log in to Bank of Ireland Banking Online and I am getting a message that I need to set up a security device. Is this genuine? It seems like something that would have been advertised.
> 
> Thanks for any info.


Got this email a few weeks back:

"Over the coming weeks, you’ll notice extra security when you bank online. When you log on to 365 online, you’ll be asked to set up a “security device” i.e. your smartphone or tablet. You’ll need this anytime you log in or carry out transactions online, for example, to make a payment.
We will send messages to your phone or tablet so that you, and only you, can confirm that it’s you logging on to and using your account."


----------



## 1dave123 (19 Jan 2021)

Yes, banking 365 are moving to a more secure login process. You should have received an email in the last week or so. Maybe check they have your most up to date email address. It's genuine though.


----------



## Peanuts20 (19 Jan 2021)

It's all part of what is called "dual factor authentication", which is a change banks and other such providers are having to make in line with Payment Services Directive 2 (PSD2).


----------



## LS400 (19 Jan 2021)

Bank of Ireland must be the last bank to apply this security feature. I thought they all had this in place.


----------



## Steven Barrett (19 Jan 2021)

From this week, anytime I want to log in from my laptop, I have to confirm the log in from my phone. The app on my phone updated a couple of months ago. 



LS400 said:


> Bank of Ireland must be the last bank to apply this security feature. I thought they all had this in place.



Their online offering was years behind everyone else. They spent a fortune in just catching up with the others. They only became available on Apple Wallet (and I presume Google Pay) with the upgrade.


----------



## odyssey06 (19 Jan 2021)

I have a family member who has a smartphone, but it's an old version of Android. The app needs at least Android version 6.
There doesn't seem to be any fallback option i.e. via SMS.
For the moment, can still logon via browser, old app is dead.

Not an ideal time to be changing phones.

I don't think there are any reliable app 'emulators' for laptops.


----------



## RichInSpirit (19 Jan 2021)

Phew, I'm not alone. 
I was thinking that everyone else here had all this sussed out already and was a bit embarrassed to ask on askaboutmoney.com. 
I found that you can access the previous site on this link https://original.365online.com/online365/spring/authentication?execution=e1s1


----------



## LS400 (19 Jan 2021)

odyssey06 said:


> Not an ideal time to be changing phones.



Just on that point, I'm sure plenty of folk forget to delete Bank Apps from their phones before changing them. Also, as far as I'm aware, you cannot download the app to your new phone unless the original one is deleted.


----------



## 1dave123 (19 Jan 2021)

@LS400 That's a good point. FYI though... I have the BOI app on two phones - both work no problem. Same with the KBC app. The PTSB app I think only works on one device at a time. If you install and register on say phone B... it will be automatically deactivated on phone A. Not sure about AIB app.


----------



## Cervelo (19 Jan 2021)

I'm surprised that they didn't just go the full hog and ask us to submit a DNA sample for logging into our bank accounts


----------



## Sadim (19 Jan 2021)

SBarrett said:


> From this week, anytime I want to log in from my laptop, I have to confirm the log in from my phone. The app on my phone updated a couple of months ago.
> 
> 
> 
> Their online offering was years behind everyone else. They spent a fortune in just catching up with the others. They only became available on Apple Wallet (and I presume Google Pay) with the upgrade.



I have never been prompted to change my password since I started with BOI Online about 24yrs ago!!


----------



## fizzy (19 Jan 2021)

odyssey06 said:


> I have a family member who has a smartphone, but it's an old version of Android. The app needs at least Android version 6.
> There doesn't seem to be any fallback option i.e. via SMS.
> For the moment, can still logon via browser, old app is dead.
> 
> ...


There is going to be a physical key you can get from Bank of Ireland if you don’t have a compatible smart phone.
You can’t order these yet. When I contacted BOI, they said they would contact those affected down the line (i.e. those who have not switched over to authenticating via the app).


----------



## Peanuts20 (20 Jan 2021)

Cervelo said:


> I'm surprised that they didn't just go the full hog and ask us to submit a DNA sample for logging into our bank accounts



It's mandatory for them to do this and it is there to prevent you being a victim of fraud.


----------



## Cervelo (20 Jan 2021)

Sorry but I don't think "mandatory" is the correct term more like over cautious 
BOI had a 3 step login process, Your unique "User ID", a security question and finally 3 digits from your 6 digit pin
And now we have to have an additional electronic device beside me when I want to check my account on a laptop
It reminds me of our quality control dept, where we had to employ a person to check the checker, then the idea was floated that we really should be employing a checker to check the checker, who was checking the checker who was checking the product, total overkill IMO


----------



## NoRegretsCoyote (20 Jan 2021)

Cervelo said:


> BOI had a 3 step login process, Your unique "User ID", a security question and finally 3 digits from your 6 digit pin



I am not a security expert, but the issue is that these are all just strings of text that people often write down in the one place.

The point of a token, or SMS verification, is that it is a different _type_ of authentication mechanism.

This makes it more secure.


----------



## jpd (20 Jan 2021)

At least, when you log in on your phone, you don't have to verify the login on your PC


----------



## Jim2007 (20 Jan 2021)

Cervelo said:


> I'm surprised that they didn't just go the full hog and ask us to submit a DNA sample for logging into our bank accounts



But you'd be OK with them not following best practice and leaving your account open for hacking? Seriously!!!!!


----------



## RedOnion (20 Jan 2021)

Cervelo said:


> Sorry but I don't think "mandatory" is the correct term more like over cautious


Mandatory is exactly the correct term here.

It's Strong Customer Authentication, part of PSD2.

2 factor authentication is required to be compliant, that is 2 of the following items:

1. Knowledge - something you know (for example personal access code (PAC), password)

2. Possession – something you have (for example a phone / app, code)

3. Inherence – something you are (for example fingerprint, face recognition)


----------



## Cervelo (20 Jan 2021)

I could and most likely be wrong here but I thought that PSD2 only applied to electronic payments and doesn't necessarily apply to just logging into your account to check a balance, 
why as JPD says can I log into my account with only my phone but with my computer I have to have a second electronic device like a phone
Surely if it's "mandatory" it applies to all ways of accessing your bank account??


----------



## EmmDee (20 Jan 2021)

Cervelo said:


> I could and most likely be wrong here but I thought that PSD2 only applied to electronic payments and doesn't necessarily apply to just logging into your account to check a balance,



I would assume that logging into the online portal isn't restricted to "view only" and therefore they have applied the security level for payments to account access as well



Cervelo said:


> why as JPD says can I log into my account with only my phone but with my computer I have to have a second electronic device like a phone
> Surely if it's "mandatory" it applies to all ways of accessing your bank account??



This is, I believe, due to use of app rather than website. If you're using the app, there is already verification of the device. Unlike SMS or email, messaging and interaction with an app is pretty secure. If you're logging in through a website, your device isn't verified and so you get the second factor.

One way to check this - try logging on to the website on your phone browser (as opposed to the app). I'd assume you will get the verification request as you do on a PC


----------



## RedOnion (20 Jan 2021)

Cervelo said:


> I could and most likely be wrong here but I thought that PSD2 only applied to electronic payments and doesn't necessarily apply to just log


Yes. You are wrong.
Unless they separated their website into separate ones for checking balance, Vs doing transactions, they need SCA.



Cervelo said:


> why as JPD says can I log into my account with only my phone but with my computer I have to have a second electronic device like a phone
> Surely if it's "mandatory" it applies to all ways of accessing your bank account??


Nonsense.
Using your phone covers 2 factors.

'something you have' - your phone. When you first set up the App, you go through a series of validations, which creates a unique certificate on your phone.
'something you know' - your password.

Some Apps allow fingerprint authentication - 'something you are'


----------



## Cervelo (20 Jan 2021)

Thanks RedOnion, does that mean that PTSB will be adopting this step to their log in process 
ATM I only need to do this extra step when making a payment or accessing any further data but log in is still the 3 step process??


----------



## RedOnion (20 Jan 2021)

I've no idea. Does the following answer it?


Strong Customer Authentication | permanent tsb

Everything you need to know about Strong Customer Authentication (SCA) and how it further enhances your security when transacting online and reduces the risk of fraud

www.permanenttsb.ie


----------



## Cervelo (20 Jan 2021)

Thanks RedOnion, it kind of does but doesn't specifically mention logging in but would presume if one bank is doing it then the others will follow suit

Also thanks EmmDee, the difference between website and App was not something I had thought about and you are correct about the phone browser


----------



## RedOnion (20 Jan 2021)

Cervelo said:


> Thanks RedOnion, it kind of does but doesn't specifically mention logging in but would presume if one bank is doing it then the others will follow suit


It'll be clearer when they implement it. I've never banked with PTSB, but I took a look at AIB to double check how they implemented. I rarely use the web, as most functionality is available in their App.

When you login, AIB have an option to only have limited access, and bypass the 2nd factor. If I choose that, I can view accounts and transactions, but nothing else.

I don't see this option with any of the others.


----------



## RichInSpirit (20 Jan 2021)

One concern I'd have about the App and phone is if someone robs your phone, they have both the app and your phone. At least until you get to cancel the phone or something.


----------



## Cervelo (20 Jan 2021)

RedOnion said:


> When you login, AIB have an option to only have limited access, and bypass the 2nd factor. If I choose that, I can view accounts and transactions, but nothing else.
> I don't see this option with any of the others.



Sorry Red for dragging this out, It's a slow and painful death for me and probably the rest of youse 

So presumably AIB will have to update their log in process to comply with PSD2 or are they of the same understanding as me ??


----------



## RedOnion (20 Jan 2021)

Cervelo said:


> Sorry Red for dragging this out, It's a slow and painful death for me and probably the rest of youse
> 
> So presumably AIB will have to update their log in process to comply with PSD2 or are they of the same understanding as me ??


They created 2 versions of their website.

I've no idea if they intend to keep it this way. The regulations talk about SCA being required to access a payment account.

You'd really need to ask AIB about what their plans are


----------



## RedOnion (20 Jan 2021)

@Cervelo

Below is what AIB say about the limited access option. 
I was able to use it today because I had already logged in using 2 factor. So, I can only use it because I already did all the setup via App, etc.

"Limited Access gives you the option to log in without two factor authentication (provided you have already set up with SCA) for 90 days. With Limited Access you can make payments between your accounts and to your beneficiaries (people you pay), pay your bills, see your account list and view a limited number of transactions. If you need to access other services, you will need to log in with your chosen SCA method."


----------



## Black Sheep (20 Jan 2021)

Mine is an old iPhone which I inherited from a family member during the first lockdown when my own phone packed up. It's fine for my needs but is too old to take the BOI app, so I popped in to the Bank yesterday to see if there were any other options. I do my online banking from my PC.
He assured me there was no problem and just continue as normal even after February and bypass the app.
Don't think I believed him!


----------



## fizzy (21 Jan 2021)

By the time this does become mandatory you can get a physical security key from BOI if you don’t have a compatible phone. They have now added some info about this here https://www.bankofireland.com/physical-security-key/
I was told by BOI a couple of weeks back that these keys were not available to order yet & that BOI would reach out to those who need them in due course.
I’d say it will be a very slow phase in. I know the new screen and red alert messages look high priority but that’s just to encourage people to act. With AIB you could just ignore it all for ages. A bank can only move as quickly as its customer base.


----------



## NiallSparky (21 Jan 2021)

RichInSpirit said:


> One concern I'd have about the App and phone is if someone robs your phone, they have both the app and your phone. At least until you get to cancel the phone or something.



But they would also need your login and pin in this scenario. The app on the phone is useless without this.


----------

