What’s Your Birthday?

at

AIBinternet

Are you with AIB?

A mathematician writes:

The principal danger with AIB’s online banking portal stems from the fact that there exist a great many accounts for which the first 6 digits of the ‘secret’ 8-digit registration number are simply the account holder’s birthday in DDMMYY format.

Oh.

Allied Irish Banks’s web and mobile banking portals are ‘protected’ by a level of security that is twice as easy to crack as would be provided by a single password containing only two lowercase letters.

Eek.

A person of malicious intent could easily gain access to hundreds, possibly thousands, of accounts as well as completely overwhelm the branch network by locking an estimated several 100,000s of people out of their online banking

Both AIB and the Irish Financial Services Ombudsman have refused to respond meaningfully to multiple communications each in which these concerns were raised privately [see link below]….

Mathematician and software engineer Oliver Nash

Anyone?

Read on: Security Theatre At AIB (Oliver Nash)

(Photocall Ireland)

61 thoughts on “What’s Your Birthday?

  1. BenTen

    AIB’s system is actually really good, it’s two factor authentication and requires a real person to enter the numbers in the correct sequence, or a really smart robot, or a highly trained banana, whatever.

    They cannot help it that moron’s are choosing their birthday as a passcode, so yeah, this is a non story really.

    B

    1. Tony

      Customers aren’t choosing their passwords. AIB allocates the passwords. The question is do they let you change it? If so change it. THEN it’s a non story

      1. Kevin Finnerty

        Yep. The registration is a random selection of digits allocated to the customer and one of 2 levels of authentication required to access your account.

        1. BenTen

          The first set is picked randomly, i.e. you’re access code, the second set is chosen by the customer, it’s nopt automatically set to your birthday.

    2. Peter

      The issue is not with the passcode, but with the registration number. When you register for online banking, you are sent a registration number that is determined by AIB and which you cannot change.

      For many people (but not everyone) this registration number is their date of birth, followed by two digits; probably sequential based on when someone with that date of birth signed up (e.g. 21118500 would be assigned to the first person who signed up and whose birthday is the 21st November 1985, 21118501 to the second etc).

      The passcode is random and can be changed, but no matter what you set it to, it doesn’t mitigate this attack as you have the same chance of guessing your passcode no matter what it is.

  2. JohnJoe

    My 8 digit registration is nothing like my birthday.
    The first two digits are over 31 for a start!

    1. lolly

      mine is not my birthday but is closely related to my bank a/c number (same first five numbers). My password is a random five digit number also give to them by me (although I could change it if I wanted to)

  3. LookingOn

    Ulster Bank are similar – except that they have four additional numbers, instead of two

  4. Malta

    Is the registration number meant to be secret?

    There’s a password and other confirmation info required. Those are the secret steps.

  5. donthaveanafro

    They allocate the reg number. It’s random and has no link to a person’s date of birth. What’s he pissing his pants over?

      1. donthaveanafro

        I have mine a few years and it’s not like this. Don’t know what’s going on there.

        1. Someone

          Mine uses my birthday, but the passcode is made up by me.

          I think the older accounts use the birthday. I’m sure that if you are uncomfortable with the story above then you can create a new account with numbers.

          However, it is much easier to hack an account or several accounts using just numbers. Any serious password protected site should use an alphanumeric string for the password.
          And a bank is about as serious as it gets when it comes to private information.

  6. squidlimerick

    Ulster Bank anytime has a 10 digit login and is the same in that the first 6 digits are the birthdate

  7. Dave

    Perhaps this would be a story if there wasn’t several other layers of authentication on top of entering registration number. I’d also assume banks are regularly audited by indpenent security experts which would have flagged this if it really was a weakness.

  8. Margaret

    I’ve been using AIB’s online banking for around 12 or 13 years and the log on number is as reported here for me. There is a second authentication number required when logging on and that one is random.

  9. McMacalot

    The first 6 digits of my reg number used to be my birthday, but I got my codes changed a few years ago due to a malware scare and my current code doesn’t have any discernible pattern. I suspect they started out using DOB, but changed at some point.

    1. Anne

      That doesn’t matter according to the maths guy.

      Looks like none of ye read the article.

      AIB’s online login protocol
      An AIB account holder’s online credentials consist of two secrets:

      An 8-decimal-digit restistration number
      A 5-decimal-digit personal access code

      Each login requires the full 8-digit registration number and 3 digits from the 5-digit personal access code.

      The web (though never the mobile) portal used to the have a third step in which a third semi-secret 4-decimal-digit code was also requested but this step was removed several months ago.

      1. Starina

        i hate that they removed the third step. what kind of bank makes logging in less secure?!

        1. Lu

          Both my AIB account in Ireland and HSBC account in the UK are less secure than they used to be. Huzzah!

  10. Anne

    And –

    The dangers of AIB’s online banking portal
    The principal danger with AIB’s online banking portal stems from the fact that there exist a great many accounts for which the first 6 digits of the ‘secret’ 8-digit registration number are simply the account holder’s birthday in DDMMYY format. Seriously!

    Given the large number (estimated at several 100,000s) of extant accounts with such registration numbers, the following procedure can be expected to gain access to many hundreds of accounts (possibly thousands) at a rate of perhaps one account per hour without parallelism:

    Pick a random birthdate DDMMYY for somebody aged 18 – 60 (say).
    Pick a random number NN between 0 and 99.
    Attempt to login using registration number DDMMYYNN.
    Pick three random digits between 0 and 9 and submit these for the requested digits of the personal access code.
    Repeat step 4 until either the account is locked or access is gained.
    Go to step 1.

    1. java

      What evidence is there that “there exist a great many accounts for which the first 6 digits of the ‘secret’ 8-digit registration number are simply the account holder’s birthday in DDMMYY format.”

      Show me that the blog post isn’t based on assumptions and I’ll listen.

      1. Anne

        Well if you think about it for about 2.5 seconds, if there’s even a few people here saying the registration code given to them includes their birthday, then it would have been used for a significant number of people.

    2. Gobster

      So basically a brute force attack. Except it take a lot less time since you have the potential to know the first 6 digits of the registration number.

      Mine isn’t my DOB, so I should be safer, but still potentially vulnerable.

    3. Weldoninhio

      You have 3 attempts before your PAC is automatically locked and a new one is posted out to you. You then have to ring up and authenticate this to make it active. Its a safe system.

    4. Gers

      The flaw in that step by step procedure is that you can only attempt the 3 random digits of passcode 3 times before it locks. System is safe, go home everyone, nothing to see here.

  11. Anne

    They’ve been well warned… they’ll be liable surely if thousands of accounts get hacked.

    1. Anne

      That’s in relation to –

      The sequence of communciations was:

      Email to AIB. No response.
      Physical letter to AIB. Response failed to engage with substance; largely platitudes such as: “we take security seriously at AIB and aim to protect our customers against the threats associated with Internet fraud”.
      Follow-up email to AIB. Response prevaricated in similar manner: “AIB has a multi layered approach including many processed[sic] and systems”.
      Email to FSO. Response asserted: “such expertise is beyond the remit of this Office”.
      Follow-up email to FSO. Response suggested: “you may wish to approach the Data Protection Commissioner”.

  12. Colin

    I don’t have AIB myself, but I do have Ulster Bank, you only have a set number of times you can attempt before your logged in is suspended for a period. 30 mins I believe? So its going to take you a huge amount of time to break one, let alone thousands of accounts. You have to get a DOB sequence correct (Assuming the system tells you its correct) and then begin to crack the next code sequence. In hacking terms, that’s wayyyy too many requests to be making. Brute force is the equivalent of battering down a door, someone is going to notice.

    Add to that, your IP or swarm of IPs is going to get tagged fairly sharpish for making a huge amount of requests that are nearly always failing. So you’ll either be blocked or immensely throttled. Any, even an office based, firewall or IDS is going to detect this.

    Is this a concern? Yes. Is it going to cause AIB to be hacked? No.

  13. DarraghNoob

    The majority of early users were given registration codes and they contained the users DOB plus 2 other random numbers. All new accounts since 2003 (approx) were given random 8 digit registration codes

  14. Conski

    that pretty much explain all the mystery late night weekend withdrawls in me account I reckons.

    1. Tannoy

      Finally, someone sticking up for the banks. After all they’ve done for us these past ten… Nay thirty years!

  15. Bazler

    My codes are 302108467 and 221198. Is that secure enough?

    That Nigerian Prince who emailed me seemed to think so anyway.

  16. csm

    Whatever about how many accounts still have this it sounds very insecure. All you have to do is guess 5 digits correctly. Posting the code to do it though is very irresponsible.

    1. 21secondstogo

      Which is more irresponsible; posting the code to highlight how easy it is? (its really easy) ,or for AIB to repeatedly ignore concerns raised?

  17. Trouble

    Ulster bank do this but with 4 digits at the end but then they have both a pin and an alphanumeric password so it’s not quite the same.

  18. Cloud9

    The usual security “experts” making waves. The facts are the vast majority of security failures concerning online personal details stem from wholesale hacking if the companies themselves not individual random attempts. Online banking has proved very secure worldwide. Credit card details far less so. Meantime we’ll all mindlessly be forced to change our passwords.. Again!

  19. pissedasanewt

    Passwords are useless, every tv program i’ve ever watched they guess the password by just looking around the room. If somebody got in front of my computer i can’t see how I can keep them out as they would just know my password. Then 5 clicks later all my money has been transferred to a secret account in Zurick and the next time I log in a big laughing skeleton head would appear on my screen and it would seem as if all my files are scrambling in some nice little graphical way that would make it easy for me to understand what is happening..

Comments are closed.

Do NOT follow this link or you will be banned from the site!