# Verified by Visa (AIB) - mandatory mobile phone



## happypat (26 Aug 2016)

I use my Visa Debit to purchase a lot of things online.  Normally, for merchants that use "Verified by Visa", I have to enter a couple of digits of a personal password to continue with purchases.  That's been the case for years.

But now, AIB, from this October, are removing the password facility and instead you get a text to your mobile with a passcode.  You therefore have to have your valid mobile number stored with AIB and if you don't have your phone on you, you can't purchase online with your debit card.

(If you have no mobile phone they say to ring customer services, presumably on a case by case basis for a passcode?)

Views?  I'm not happy.  I don't want to have to interact with my mobile when purchasing stuff online, the password was more efficient.


----------



## ppmeath (26 Aug 2016)

Have to say that I hope they roll it out with all banks. This to me is an enhanced security measure. I think this makes much more sense than the system in operation now.

Personally, as someone who does a lot of shopping on-line, I much prefer the idea of having a code sent to my phone for each purchase. It makes more sense. 

For me personally I hate the current system, it's just a matter of opinion, but to me a phone code per purchase is a great idea.


----------



## vandriver (26 Aug 2016)

If a lady had her bag containing her phone and card stolen, doesn't this make it easier to order stuff fraudulently?
Or am I missing something?


----------



## ppmeath (26 Aug 2016)

Great point, I have my phone on an automatic lock after a couple of minutes, so in order to get to the code, they would have to get into the phone, now that's in my case.


----------



## T McGibney (27 Aug 2016)

ppmeath said:


> Great point, I have my phone on an automatic lock after a couple of minutes, so in order to get to the code, they would have to get into the phone, now that's in my case.


The type of criminal who habitually steals phones can easily bypass all those automatic lock programs on any common phone.

The OP needs a new card provider.


----------



## odyssey06 (27 Aug 2016)

This is contemptible stuff from AIB. As noted earlier, if bag and card stolen together, what do AIB advise?
Anyone who says banks are serious about security is either a fool or a tool.


----------



## Sue Ellen (27 Aug 2016)

With the present system it is too easy to reset the password and as most people have already provided their phone number to their bank I don't see it as a problem.  I prefer for them to be able to ring me if there is an attempted use of one of my cards and they have done this in the past.


----------



## Jim2007 (27 Aug 2016)

T McGibney said:


> The type of criminal who habitually steals phones can easily bypass all those automatic lock programs on any common phone.



The typical criminal simply does a physical factory reset, actually breaking a code is beyond most of them.



T McGibney said:


> The OP needs a new card provider.



This is the latest standard, so you can expect to see it introduced by all providers going forward.

It's actually a three way process to validate the transaction, so even cloning a chip is difficult.  Phones bought before about 2014 may need a new chip.


----------



## happypat (30 Aug 2016)

Sue Ellen said:


> With the present system it is too easy to reset the password



How is it "too easy" to reset the password?  How would the "robber" of my phone easily reset my password?



Jim2007 said:


> actually breaking a code is beyond most of them.



But not beyond _all_ of them.  However, getting my password would be beyond all of them.

Either way, even if I am the only one with the view, I just know that there will come a time when I need to purchase something online and I won't have my phone handy.  That will be a nuisance.  There should be a password option, even if they supplement it with an extra pin or something - just not enforce a requirement to have your physical phone with you.

Already with doing international transfers I need a card reader.  So if I don't carry that around I can't do transfers until I get home.  It's getting more difficult to be efficient!


----------



## Sue Ellen (30 Aug 2016)

happypat said:


> How is it "too easy" to reset the password?  How would the "robber" of my phone easily reset my password?




I was referring to resetting the password on 'Verified by Visa' and not resetting the password on your phone.


----------



## PGF2016 (31 Aug 2016)

KBC mastercard has required this since last year.


----------



## Brendan Burgess (31 Aug 2016)

OK, if an IT savvy thief robs my handbag with my credit card and my mobile in it, they may be able to access my phone before I have reported the loss to the credit card company.  

If someone steals my card I might not notice it. I would notice the loss of my handbag immediately. I would notice the loss of my mobile immediately. 

If someone clones my card, I wouldn't know until I get a phone call on my mobile giving me a code. 

It sounds like a brilliant idea to me.  But then maybe I am "a fool or a tool".   

Brendan


----------



## trasneoir (31 Aug 2016)

T McGibney said:


> The type of criminal who habitually steals phones can easily bypass all those automatic lock programs on any common phone.


Stolen phones have the sim card removed immediately, and get erased promptly (before the owner can get the network or apple/google to remotely locate/disable them).



happypat said:


> Views?  I'm not happy.  I don't want to have to interact with my mobile when purchasing stuff online, the password was more efficient.


I'm happy. Humans are not well suited to passwords - we can't be bothered remembering a long unique password for every different application, which is the only way to make them secure. Verified by visa was horrendously insecure. All you needed to reset the password was information written on the card, plus the owner's date of birth.

The best alternative we've come up with is to use a physical token (card reader, number wheel, mobile phone) to generate one-time passes as needed. The text message has the added bonus of alerting you if/when a malicious third party is trying to use your card.


----------



## PGF2016 (31 Aug 2016)

trasneoir said:


> The text message has the added bonus of alerting you if/when a malicious third party is trying to use your card.


It also alerts when your spouse is using the card.


----------



## Seagull (1 Sep 2016)

In my case, I am the credit card holder, and my wife is added as a second card holder. What happens in this case? She goes shopping, and encounters verified by visa, and I then get a text with the passcode and have to phone her?

I'm sure I posted this reply yesterday, but it's vanished.


----------



## PGF2016 (1 Sep 2016)

Seagull said:


> In my case, I am the credit card holder, and my wife is added as a second card holder. What happens in this case? She goes shopping, and encounters verified by visa, and I then get a text with the passcode and have to phone her?
> 
> I'm sure I posted this reply yesterday, but it's vanished.


It's only for online purchases.

I would forward the passcode text to my wife if and when she uses it when I'm not there.


----------



## Brendan Burgess (1 Sep 2016)

Seagull said:


> In my case, I am the credit card holder, and my wife is added as a second card holder. What happens in this case? She goes shopping, and encounters verified by visa, and I then get a text with the passcode and have to phone her?
> 
> I'm sure I posted this reply yesterday, but it's vanished.



Maybe your wife is using your Askaboutmoney log in and deleted the post?


----------



## Jim2007 (1 Sep 2016)

Seagull said:


> In my case, I am the credit card holder, and my wife is added as a second card holder. What happens in this case? She goes shopping, and encounters verified by visa, and I then get a text with the passcode and have to phone her?
> 
> I'm sure I posted this reply yesterday, but it's vanished.



From what I remember it is the card being verified not the account holder.  Therefore the second card will also be mapped to a phone, your wife's in this case.


----------



## odyssey06 (7 Sep 2016)

Having just seen a TV3 documentary on how easy it is to spoof a text message's point of origin... I am even more wary of it being part of verified by visa.


----------



## Jim2007 (7 Sep 2016)

odyssey06 said:


> Having just seen a TV3 documentary on how easy it is to spoof a text message's point of origin... I am even more wary of it being part of verified by visa.



How exactly would being able to spoof a text message help you break the validation?  The original request that sends the text does not originate from a mobile device???


----------



## odyssey06 (8 Sep 2016)

Jim2007 said:


> How exactly would being able to spoof a text message help you break the validation?  The original request that sends the text does not originate from a mobile device???



AIB are sending passcodes by SMS ... very easy to insert a fake re-authenticate passcode and a new URL to capture your verified by visa details. I don't think major financial institutions should be relying on an unauthenticated protocol.
When you get an SMS you have absolutely no way to know for sure that it is authentic, and you are now reliant on the bank sending you a passcode via such means.


----------



## trasneoir (8 Sep 2016)

odyssey06 said:


> I don't think major financial institutions should be relying on an unauthenticated protocol.


Neither email, sms, or post provides any assurance that the sender is who they say they are. Unfortunately, these are the only practical ways for companies to send us 2 factor authentication keys. 
Given that people are whinging about the inconvenience of a text message, how do you think the public would react if verified by visa required a dedicated android/ios app?



odyssey06 said:


> AIB are sending passcodes by SMS ... very easy to insert a fake re-authenticate passcode and a new URL to capture your verified by visa details.


This falls back to the advice that everybody has been hearing about email phishing forever - never trust a url that's been sent to you. 

For a legitimate transaction, it will never be necessary to send a url by sms:
1. I enter my card details on my laptop at (say) tesco.ie 
2. I am redirected to the verified by visa gateway, I enter my password, and then I'm prompted to enter an auth code.
3. I receive a text message "Your verified by visa auth code is 1234. If you didn't authorize a transaction please call your cc provider."
4. I transcribe the code from the sms to the laptop.


----------
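The rule in the post above, that a legitimate passcode text never needs to carry a URL, can be written as a message filter. This is an added example, not part of any post in the thread and not something AIB or Visa is stated to run; the keyword list, the TLD sample and every sample message except the first (quoted from the post above) are constructed assumptions.

```python
import re

# Keywords that mark a text as a passcode notification (constructed list).
OTP_HINT = re.compile(
    r"\b(?:pass\s?code|otp|one[- ]time|(?:auth\w*|verification|security)\s+code)\b",
    re.I)
# Small sample of TLDs for spotting bare domains (assumption, not exhaustive).
SAMPLE_TLDS = "com|net|org|ie|info|io|co|ly|link|xyz"
LINK = re.compile(
    r"https?://\S+|\bwww\.\S+|\b(?:[a-z0-9-]+\.)+(?:%s)\b(?:/\S*)?" % SAMPLE_TLDS,
    re.I)


def refang(text):
    """Undo common link obfuscation (hxxp, [.] and (dot)) before matching."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return re.sub(r"\s*[\[(]\s*(?:\.|dot)\s*[\])]\s*", ".", text, flags=re.I)


def classify(sms):
    """Return (verdict, links) for one SMS body.

    not-otp       : does not look like a passcode message, out of scope here
    otp-clean     : passcode message with no link, the shape described above
    otp-with-link : passcode message that also carries a link, treat as phishing
    """
    if not OTP_HINT.search(sms):
        return ("not-otp", [])
    links = [m.group(0).rstrip(".,;:)!?") for m in LINK.finditer(refang(sms))]
    return ("otp-with-link", links) if links else ("otp-clean", [])


SAMPLES = [
    # Quoted from the post above.
    "Your verified by visa auth code is 1234. If you didn't authorize a "
    "transaction please call your cc provider.",
    # Constructed: obfuscated scheme, reserved .example domain.
    "Your passcode has expired. Re-authenticate at hxxp://vbv-secure.example/login",
    # Constructed: bare domain with bracketed dots.
    "Verified by Visa: passcode 482913 expired, confirm card at "
    "secure-visa[.]example[.]com/r",
    # Constructed: a link, but not a passcode message.
    "Your parcel is at the depot, see www.example.org",
    # Constructed: missing space after the code and a decimal amount, no link.
    "Your passcode is 1234.If this wasn't you, call us. Amount 41.50 EUR",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(classify(sms), "<-", sms)
```
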



## Jim2007 (8 Sep 2016)

odyssey06 said:


> AIB are sending passcodes by SMS ... very easy to insert a fake re-authenticate passcode and a new URL to capture your verified by visa details. I don't think major financial institutions should be relying on an unauthenticated protocol.
> When you get an SMS you have absolutely no way to know for sure that it is authentic, and you are now reliant on the bank sending you a passcode via such means.



In order for your 'theory' to work your hacker would have to have access to the primary device requesting the authentication which is situated within the credit card company, a merchant account to which he can divert the funds and the ability to generate dual transactions on both the original merchant account and their account.  In addition to having the ability to intercept the original message from the bank.  In other words it is not going to happen any time soon and even if it did the credit card company would be responsible as they would have allowed access to the primary device.

On top of this the card company's normal fraud checks would cause both merchant accounts to be frozen once a dual transaction is detected, it is a standard check.  So even after all this the hacker has to figure out how to get their hands on the cash.


----------



## Jim2007 (8 Sep 2016)

I might add that the newer version of this technology, which I'm a trial user on, involves the phone company issuing you with a new chip that encrypts the messages.  While this is even more secure, the down side is that you have to go back to the phone company for a new chip when you change phone etc.  Even taking the chip out and putting it back in causes it to throw a wobble, as I have discovered this week!


----------



## mathepac (10 Sep 2016)

Disabling a phone (by the manufacturer or by the network provider) can be achieved by two methods primarily:

1. Remove / disable services from the SIM card
2. Remove / disable services from the device using the IMEI number

In scenario 1, inserting a new SIM card MAY get the phone working again, in scenario 2 a new SIM will not re-enable the device.

Contrary to urban myth, removing the SIM card or powering the device off before the manufacturer/ network operator takes action to deny access to services will not prevent either 1 or 2 working.

I just had an interesting interaction with AIB's servers in relation to my debit card.

I initiated two transactions with the same merchant using the same card within a few minutes of each other today. This seems to have been recognised as "unusual activity" and I got a txt asking me to transmit "Y" to authorise the transaction or "N" to cancel it. Card details were exchanged with the merchant over the phone. AIB named the merchant, the amount, date & time, last 4 digits of card in the initial txt. I sent "Y" as a message response and got back confirmation of the transaction with the merchant and a message saying it was OK to continue using the card.

My first time experiencing this. I reckon it was a good spot and a nice simple, sensible and secure way to handle it. This is one of the reasons you need a mobile phone for a card account. I know ApplePay and loyalty card use are the other reasons, getting rid of plastic card entirely.


----------



## amtc (10 Sep 2016)

I just got this from BOI. Two M and S transactions within minutes, both online, and got a text message to say reply Y or N, and then once replied an OK.


----------



## mathepac (10 Sep 2016)

Neither of my transactions would bail out a kid's piggy-bank, 18 & 41 euro, but re-assuring nonetheless.


----------



## ScottSF (15 Nov 2016)

I hadn't heard this from AIB so thanks very much for letting us know. They are not good about informing customers from my experience. 

What concerns me greatly is that *AIB (correct me if I'm wrong) only accepts an Irish mobile number. So if you travel a lot and use local SIM cards and phone numbers in other countries, there is no way to receive the text message to complete an online purchase.* Any advice for that? There really needs to be a secondary way to confirm an online purchase either by email or allowing international numbers as well. It's interesting how in Europe the banks are making it harder to shop online (for good reasons of course) and in the USA they are fighting to keep it as easy as possible.

Now my biggest problem with AIB and the need to prevent fraud is their lack of transactional email alerts. Every US credit card company offers instant email alerts for every purchase. That would let me be notified about potential fraudulent transactions as quickly as possible. Does AIB really expect me to log in every few days to make sure all my purchases are valid since they can't catch everything? Several months ago I luckily caught a fraud purchase but it could have taken me weeks longer to notice and report it.


----------



## mathepac (15 Nov 2016)

I don't understand the scenario. Are there other people who would be using the card while you are out of the country? Why would you shop in Ireland when you are elsewhere? What about a dual SIM phone that covers all the wave-bands - insert local SIM in foreign country, keep Irish SIM active on roaming for text messages to confirm purchases?


----------



## newirishman (15 Nov 2016)

ScottSF said:


> I hadn't heard this from AIB so thanks very much for letting us know. They are not good about informing customers from my experience.
> 
> What concerns me greatly is that *AIB (correct me if I'm wrong) only accepts an Irish mobile number. So if you travel a lot and use local SIM cards and phone numbers in other countries, there is no way to receive the text message to complete an online purchase.* Any advice for that? There really needs to be a secondary way to confirm an online purchase either by email or allowing international numbers as well. It's interesting how in Europe the banks are making it harder to shop online (for good reasons of course) and in the USA they are fighting to keep it as easy as possible.
> 
> Now my biggest problem with AIB and the need to prevent fraud is their lack of transactional email alerts. Every US credit card company offers instant email alerts for every purchase. That would let me be notified about potential fraudulent transactions as quickly as possible. Does AIB really expect me to log in every few days to make sure all my purchases are valid since they can't catch everything? Several months ago I luckily caught a fraud purchase but it could have taken me weeks longer to notice and report it.



It isn't offered, simple as. I make it a habit to very regularly check my account online - there's no real excuse for not checking "every few days" given it is quick and easy with things like the mobile app. As you might be aware, email is not a reliable (or secure) way of communicating. Don't think it is too onerous to keep an eye on one's account especially when travelling and using your card abroad. Pushing all the responsibility to the bank is a bit harsh I think.
And as always, if you don't like what AIB offers: it is very easy to switch banks these days.


----------

