AIB beefs up online security


22 Nov 2005

AIB has updated the access measures for its online and telephone banking facility and has begun rolling out a new security feature for certain money transfer functions.

From 6 December, when customers sign on to use AIB’s phone or internet banking services they will be asked for three digits from their five-digit personal access code (PAC) instead of the two that are currently requested. In a statement issued to siliconrepublic.com, the bank said that requesting three rather than two digits would make it “significantly more difficult” to guess the PAC.

In a further development, bank customers who want to avail of newly launched money transfer and self-service options will be required to use a new code card. This list, measuring the size of a credit card, contains 100 codes and is unique to each person’s registration number. AIB said that even if a third party obtained the card, it would be useless without the corresponding registration number and PAC.

Bank customers will be asked to enter a random code from the list in order to complete a transaction. Each code is only used once and when most of the 100 codes have already been entered, AIB will issue that customer with a new card. Customers who don’t plan to use the new services will not be issued with a code card.
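The one-time code check described above, as an added example; it is not AIB's implementation, whose details the article does not give. The six-digit code length, the reissue threshold of 80, the keyed-hash storage and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CARD_SIZE = 100         # from the article: 100 codes per card
REISSUE_THRESHOLD = 80  # assumption for "most of the 100 codes" being used


class CodeCard:
    """Server-side record of one customer's code card (hypothetical design)."""

    def __init__(self, registration_number):
        self.registration_number = registration_number  # card is tied to this
        self.salt = secrets.token_bytes(16)
        # Unique six-digit codes (assumed length). A real issuer would send
        # these to the printer and discard them; kept here to drive the demo.
        picks = secrets.SystemRandom().sample(range(10**6), CARD_SIZE)
        self.printed = [f"{n:06d}" for n in picks]
        # The server keeps only keyed hashes, each bound to its card position.
        self.hashes = [self._h(i, c) for i, c in enumerate(self.printed)]
        self.used = set()
        self.pending = None

    def _h(self, index, code):
        msg = f"{index}:{code}".encode()
        return hmac.new(self.salt, msg, hashlib.sha256).digest()

    def challenge(self):
        """Pick a random position that has never been asked for."""
        unused = [i for i in range(CARD_SIZE) if i not in self.used]
        self.pending = secrets.choice(unused)
        return self.pending

    def verify(self, code):
        """Check the answer to the pending challenge, then retire it."""
        if self.pending is None:
            return False
        index, self.pending = self.pending, None
        # Burn the position whether or not the answer was right, so a
        # position is never asked for twice.
        self.used.add(index)
        return hmac.compare_digest(self._h(index, code), self.hashes[index])

    def needs_reissue(self):
        return len(self.used) >= REISSUE_THRESHOLD
```

Because every challenge names a position that has not been used before, a code captured from one transaction does not answer the next challenge.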

The code card can be ordered online from www.aib.ie/internetbanking. It is being introduced on a phased basis between 6 December and the end of February 2006, to coincide with a staggered introduction of new online banking services. These include the ability to make one-off transfers to other banks in the Republic of Ireland, as well as a self-service facility that allows customers to set up bank and credit card accounts to which they can transfer money.

According to AIB, the code card option is a form of two-factor authentication that is an accepted industry standard for internet banking security and has been used by other financial institutions around the world. The two-factor authentication principle may be introduced for other services as required, the bank said.

Some online banks use electronic ‘tokens’ that generate one-time passwords as a way of authenticating users and AIB confirmed that it considered alternative technologies before deciding on the code card. “It is felt that ‘code card’ is the best option for AIB Phone and Internet Banking and our customers at this time,” the bank said.

The bank has begun notifying its customers about the new developments by post, in a letter that strongly emphasises that its services offer “the highest levels of security”. The letter also contains a warning against phishing scams, by advising customers that AIB will never ask them to provide login information or other personal details via email.

In its statement, the bank said its new security measures were not specifically a response to phishing, but the outcome of a constant review of risks and threats associated with all internet services. “However, ‘one-time use’ code as presented on the AIB Internet Banking Code Card does address the threat of phishing,” the bank added.

On more than one occasion over the past 18 months, scammers have attempted to get Irish people to reveal their banking passwords by sending a faked email that appears to come from AIB and there have been similar attempts using the names of Bank of Ireland and the credit card provider MBNA.

Phishing is one of the key areas of IT security that Irish internet users still need to be educated about, recent research has shown. A survey for this year’s Make IT Secure campaign showed low public awareness of the problem, with just 13pc of internet users saying they understood what the term meant.

By Gordon Smith