# PTSB Open 24 - Security Gone Mad



## DublinTexas (11 Dec 2006)

So I decide I need to transfer money to a "3rd party account" I do not have registered in open24. Usualy a quick call to Open24 fixes that but here is what I got today:

"I can not do that for you, we have new security procedures. I will take down your details and someone will call you back within 1 hour to confirm this. Can I have a number please."

50 minutes later a call from "withheld number" telling me that she calls about my setup and needs to verify open 24 number, 3 digits of the code, landline, office number, date of birth, job title, employer and mother maiden name.

After verifying that she had what I told the other agent before (sort of to ensure she was from PTSB) I went through the whole proccess.

I asked if this is now going to happen every time or this is a once off and she tells me "this is a new security policy we have here at PTSB and this is needed everyt time you set somebody up".

Now other banks allow you to set up new receivers online but with PTSB it's now 2 phone calls and the feeling that "unless you proof with a strip search that you are who you claim you are we think you are a liar".

I think it's really time to swap to a modern bank.


----------



## conor_mc (11 Dec 2006)

Happened to me on Friday also. Funnily enough, had to do another payment today and they did it on the spot - but then again, there was an existing SO to that account so maybe that was why they did the once-off payment immediately.

Personally, I'm not too bothered by the extra measures. There's been so much talk of phishing etc going on recently, that they're obviously concerned that I may not be who I say I am.

At least they're doing something to counter-act it, I suppose.


----------



## exile (11 Dec 2006)

It's not just PTSB.  Bank of Ireland have introduced new procedures too ... you call up and ask for the new 3rd party account to be added, they send you a letter through the post to confirm (the idea being that if you unexpectedly get one of these letters you'll call them and say "I never asked for that?"), then after 5 working days you can use the account.  Relatively speaking, PTSB's system sounds better (you don't have to wait a whole week to transfer some money!)

Clearly they are extremely scared of what can be achieved with a phishing attack now.  It's pretty inconvenient, but a bit paranoid to suggest the bank are calling you a 'liar' - their fear is that "you" are not you.

The real solution is to have a website that's truly secure (or as close as technologically possible).  An ID number, a pin number and your phone number/birth date just isn't security anymore.


----------



## DublinTexas (11 Dec 2006)

Only in Ireland banks could be scared of phishing attacks and implement letters to combat that.

In any other european countries there are digipass (like rabo had the sense to do here) or even electronic certificates on your chip card or less technical Transaction Number Lists in addition to other credentionals.

Maybe investing some of the billions of profit into modern technology would stop fraud instead of me giving my whole life story to some person in a call center.

Most fraud with banks these days is comming from people in underpaid positions in call centers selling personal information than from some person falling for some spoof website.


----------



## CCOVICH (11 Dec 2006)

DublinTexas said:


> Most fraud with banks these days is comming from people in underpaid positions in call centers selling personal information than from some person falling for some spoof website.



Is this just speculation, or do you know it for a fact-i.e. how the majority of bank fraud is committed?


----------



## DublinTexas (11 Dec 2006)

CCOVICH said:


> Is this just speculation, or do you know it for a fact-i.e. how the majority of bank fraud is committed?



I should have said MORE than most.

And from personal experience: I never got problems because of fishing only because someone in some contact center sold my information last year. It took month to recover the funds from checking accounts/credit card. Sure, it was a US based bank, but still. Or the problems because someone in some credit reference bureau sold my data to a fraudaulent company who went out missue it.

The more data I have to provide to organisations the less controll I have over what is done with my information and the more exposed my data becomes.

They claim they call back to verify that I am who I am but they call from a withheld number and they don't give you the ability to verify that they are who they are. Is that safer than me giving the information to a person on the phone who I only got after their phone system identified me with my open24 number and PIN and connected me? Certainly not.

In addition the most of the info they requested they did not even have in their system because I never provided them with it. (Work Number, Mobile Number).

The process is flaw and an inconvience to the myself, give me a digipass or load a cert/password on my Lasercard that I can use to identify myself and allow me to do it online.

Phishing is not new, anybody who still falls for it, has been under a rock or two.


----------



## CCOVICH (11 Dec 2006)

DublinTexas said:
			
		

> I should have said MORE than most.



So you have data that proves that more bank fraud is committed by call centre employees selling confidential data than by phishing?  I don't dispute that you may have been the victim of such fraud, but one swallow does not a summer make etc.

I'd genuinely be interested in seeing any stats you have on bank fraud.


----------



## exile (12 Dec 2006)

DublinTexas said:


> Only in Ireland banks could be scared of phishing attacks and implement letters to combat that.
> 
> In any other european countries there are digipass (like rabo had the sense to do here) or even electronic certificates on your chip card or less technical Transaction Number Lists in addition to other credentionals.



I believe NIB use Digipass too, and AIB give out some list of one-time codes.  I did write to BOI and told them I was moving bank due to their poor online offering.  Maybe a few more like that and they'll give it some thought!


----------



## MugsGame (12 Dec 2006)

Yes, NIB have an ActiveCard option, and AIB use a one-time list of codes for verifying once-off transfers and setting up new third party accounts.


----------



## tiger (12 Dec 2006)

I seem to remember a report on BBC a few months ago about fraud in Indian call centres.  A quick search for bbc news on  throws lots of such stories!


----------



## polo9n (12 Dec 2006)

Originally Posted by *DublinTexas* 
_I should have said MORE than most._

I totally agreed with DublinTexas, theres always flaw and criminals always has a way to get around it, i think the point is to get the message across to the majority people visitng this place. can't really understand why so rigid to statement made by poser, say no more, people knows exactly what and why!
the fraud avoidance procedure is a norm here in Ireland, 
personally my opinion public's fraud awareness are so low. 
so all that Q&A suits the majority public, 
as far as i concern, one can stay away from this 24 hr banking stuff if they not happy with the bank fraud procedures and go back to the old way queuing in the bank. vice versa, theres a pros & cons to everything.


----------



## theresa1 (16 Oct 2010)

Mother is in Hospital so she asked me to top up her mobile from her open24 online service. It wanted me to fill out details etc no problem but it would then text a security code to the mobile. I was not with my Mother at the time so that was not good and would delay things - my Mother wanted credit asap. I went over to my BOI 365 online service and after 10 minutes or so my Mother had her credit.

PTSB need to review it's online service -could make it much better with a few simple improvements.


----------

