What’s Your Birthday?

Are you with AIB?

A mathematician writes:

The principal danger with AIB’s online banking portal stems from the fact that there exist a great many accounts for which the first 6 digits of the ‘secret’ 8-digit registration number are simply the account holder’s birthday in DDMMYY format.

Oh.

Allied Irish Banks’s web and mobile banking portals are ‘protected’ by a level of security that is twice as easy to crack as would be provided by a single password containing only two lowercase letters.

Eek.

A person of malicious intent could easily gain access to hundreds, possibly thousands, of accounts as well as completely overwhelm the branch network by locking an estimated several 100,000s of people out of their online banking

Both AIB and the Irish Financial Services Ombudsman have refused to respond meaningfully to multiple communications each in which these concerns were raised privately [see link below]….

Mathematician and software engineer Oliver Nash

Anyone?

Read on: Security Theatre At AIB (Oliver Nash)

(Photocall Ireland)

61 thoughts on “What’s Your Birthday?”

  1. BenTen

    AIB’s system is actually really good, it’s two factor authentication and requires a real person to enter the numbers in the correct sequence, or a really smart robot, or a highly trained banana, whatever.

    They cannot help it that morons are choosing their birthday as a passcode, so yeah, this is a non story really.

    B

    1. Tony

      Customers aren’t choosing their passwords. AIB allocates the passwords. The question is do they let you change it? If so change it. THEN it’s a non story

      1. Kevin Finnerty

        Yep. The registration is a random selection of digits allocated to the customer and one of 2 levels of authentication required to access your account.

        1. BenTen

          The first set is picked randomly, i.e. your access code, the second set is chosen by the customer, it’s not automatically set to your birthday.

    2. Peter

      The issue is not with the passcode, but with the registration number. When you register for online banking, you are sent a registration number that is determined by AIB and which you cannot change.

      For many people (but not everyone) this registration number is their date of birth, followed by two digits; probably sequential based on when someone with that date of birth signed up (e.g. 21118500 would be assigned to the first person who signed up and whose birthday is the 21st November 1985, 21118501 to the second etc).

      The passcode is random and can be changed, but no matter what you set it to, it doesn’t mitigate this attack as you have the same chance of guessing your passcode no matter what it is.

  2. JohnJoe

    My 8 digit registration is nothing like my birthday.
    The first two digits are over 31 for a start!

    1. lolly

      mine is not my birthday but is closely related to my bank a/c number (same first five numbers). My password is a random five digit number also given to them by me (although I could change it if I wanted to)

  3. LookingOn

    Ulster Bank are similar – except that they have four additional numbers, instead of two

  4. Malta

    Is the registration number meant to be secret?

    There’s a password and other confirmation info required. Those are the secret steps.

  5. donthaveanafro

    They allocate the reg number. It’s random and has no link to a person’s date of birth. What’s he pissing his pants over?

      1. donthaveanafro

        I have mine a few years and it’s not like this. Don’t know what’s going on there.

        1. Someone

          Mine uses my birthday, but the passcode is made up by me.

          I think the older accounts use the birthday. I’m sure that if you are uncomfortable with the story above then you can create a new account with numbers.

          However, it is much easier to hack an account or several accounts using just numbers. Any serious password protected site should use an alphanumeric string for the password.
          And a bank is about as serious as it gets when it comes to private information.

  6. squidlimerick

    Ulster Bank anytime has a 10 digit login and is the same in that the first 6 digits are the birthdate

  7. Dave

    Perhaps this would be a story if there weren’t several other layers of authentication on top of entering the registration number. I’d also assume banks are regularly audited by independent security experts who would have flagged this if it really was a weakness.

  8. Margaret

    I’ve been using AIB’s online banking for around 12 or 13 years and the log on number is as reported here for me. There is a second authentication number required when logging on and that one is random.

  9. McMacalot

    The first 6 digits of my reg number used to be my birthday, but I got my codes changed a few years ago due to a malware scare and my current code doesn’t have any discernible pattern. I suspect they started out using DOB, but changed at some point.

    1. Anne

      That doesn’t matter according to the maths guy.

      Looks like none of ye read the article.

      AIB’s online login protocol
      An AIB account holder’s online credentials consist of two secrets:

      An 8-decimal-digit registration number
      A 5-decimal-digit personal access code

      Each login requires the full 8-digit registration number and 3 digits from the 5-digit personal access code.

      The web (though never the mobile) portal used to have a third step in which a third semi-secret 4-decimal-digit code was also requested but this step was removed several months ago.

      1. Starina

        i hate that they removed the third step. what kind of bank makes logging in less secure?!

        1. Lu

          Both my AIB account in Ireland and HSBC account in the UK are less secure than they used to be. Huzzah!

  10. Anne

    And –

    The dangers of AIB’s online banking portal
    The principal danger with AIB’s online banking portal stems from the fact that there exist a great many accounts for which the first 6 digits of the ‘secret’ 8-digit registration number are simply the account holder’s birthday in DDMMYY format. Seriously!

    Given the large number (estimated at several 100,000s) of extant accounts with such registration numbers, the following procedure can be expected to gain access to many hundreds of accounts (possibly thousands) at a rate of perhaps one account per hour without parallelism:

    1. Pick a random birthdate DDMMYY for somebody aged 18 – 60 (say).
    2. Pick a random number NN between 0 and 99.
    3. Attempt to login using registration number DDMMYYNN.
    4. Pick three random digits between 0 and 9 and submit these for the requested digits of the personal access code.
    5. Repeat step 4 until either the account is locked or access is gained.
    6. Go to step 1.
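As an added example (not from the post, the comments, or Oliver Nash’s article), the numbers behind the scheme Anne quotes, worked from the defender’s side: how much per-account strength a 3-of-5-digit check gives under a 3-attempt lockout, the article’s two-lowercase-letters benchmark, and how densely birthday-derived registration numbers fill the DDMMYYNN space. The 3-attempt lockout (a commenters’ figure), independent attempts, the 18–60 age range and the reference date are assumptions.

```python
# Added example, not AIB's or the article's code. Assumptions: uniform random
# guesses, lockout after ATTEMPTS_BEFORE_LOCK failures, PAC positions vary per try.
from datetime import date
from fractions import Fraction

PAC_DIGITS_REQUESTED = 3   # digits of the 5-digit PAC asked for per login
ATTEMPTS_BEFORE_LOCK = 3   # failed logins before the PAC locks (commenters' figure)
SUFFIX_SPACE = 100         # the two digits NN that follow DDMMYY
REFERENCE_DATE = date(2015, 3, 1)   # assumed "today" for the age range

def pac_guess_success_probability(digits=PAC_DIGITS_REQUESTED,
                                  attempts=ATTEMPTS_BEFORE_LOCK):
    """Chance that random guesses at the requested PAC digits succeed before
    lockout; attempts are treated as independent (positions change each time)."""
    per_try = Fraction(1, 10 ** digits)
    return 1 - (1 - per_try) ** attempts

def expected_lockouts_per_compromise(digits=PAC_DIGITS_REQUESTED,
                                     attempts=ATTEMPTS_BEFORE_LOCK):
    """Mean number of accounts tried (each failure locks one) per account
    actually opened: 1/p. This is the lockout-DoS cost, not a defence."""
    return 1 / pac_guess_success_probability(digits, attempts)

def expected_guesses_two_lowercase_letters():
    """Mean guesses against a uniformly random two-letter password, the
    benchmark the article compares against: (26*26 + 1) / 2."""
    return Fraction(26 * 26 + 1, 2)

def _years_before(d, years):
    try:
        return d.replace(year=d.year - years)
    except ValueError:                    # 29 February: use 28 February
        return d.replace(year=d.year - years, day=28)

def birthday_registration_space(min_age=18, max_age=60, today=REFERENCE_DATE):
    """Count of DDMMYYNN values consistent with a birthday of someone aged
    min_age..max_age on `today`: days in that range times 100 suffixes."""
    latest = _years_before(today, min_age)
    earliest = _years_before(today, max_age + 1)
    return (latest - earliest).days * SUFFIX_SPACE

def registration_hit_rate(accounts, min_age=18, max_age=60, today=REFERENCE_DATE):
    """Fraction of random DDMMYYNN guesses that land on one of `accounts`
    existing birthday-derived registration numbers."""
    return Fraction(accounts, birthday_registration_space(min_age, max_age, today))
```

With the page’s parameters the lockout leaves roughly 334 account-lockouts per compromise, against about 338 guesses for a two-letter password, which is where the article’s “twice as easy to crack” (relative to 676 possibilities) comes from.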

    1. java

      What evidence is there that “there exist a great many accounts for which the first 6 digits of the ‘secret’ 8-digit registration number are simply the account holder’s birthday in DDMMYY format.”

      Show me that the blog post isn’t based on assumptions and I’ll listen.

      1. Anne

        Well if you think about it for about 2.5 seconds, if there’s even a few people here saying the registration code given to them includes their birthday, then it would have been used for a significant number of people.

    2. Gobster

      So basically a brute force attack. Except it takes a lot less time since you have the potential to know the first 6 digits of the registration number.

      Mine isn’t my DOB, so I should be safer, but still potentially vulnerable.

    3. Weldoninhio

      You have 3 attempts before your PAC is automatically locked and a new one is posted out to you. You then have to ring up and authenticate this to make it active. It’s a safe system.

    4. Gers

      The flaw in that step by step procedure is that you can only attempt the 3 random digits of passcode 3 times before it locks. System is safe, go home everyone, nothing to see here.

  11. Anne

    They’ve been well warned… they’ll be liable surely if thousands of accounts get hacked.

    1. Anne

      That’s in relation to –

      The sequence of communications was:

      Email to AIB. No response.
      Physical letter to AIB. Response failed to engage with substance; largely platitudes such as: “we take security seriously at AIB and aim to protect our customers against the threats associated with Internet fraud”.
      Follow-up email to AIB. Response prevaricated in similar manner: “AIB has a multi layered approach including many processed[sic] and systems”.
      Email to FSO. Response asserted: “such expertise is beyond the remit of this Office”.
      Follow-up email to FSO. Response suggested: “you may wish to approach the Data Protection Commissioner”.

  12. Colin

    I don’t have AIB myself, but I do have Ulster Bank, you only have a set number of times you can attempt before your login is suspended for a period. 30 mins I believe? So it’s going to take you a huge amount of time to break one, let alone thousands of accounts. You have to get a DOB sequence correct (assuming the system tells you it’s correct) and then begin to crack the next code sequence. In hacking terms, that’s wayyyy too many requests to be making. Brute force is the equivalent of battering down a door, someone is going to notice.

    Add to that, your IP or swarm of IPs is going to get tagged fairly sharpish for making a huge amount of requests that are nearly always failing. So you’ll either be blocked or immensely throttled. Any, even an office based, firewall or IDS is going to detect this.

    Is this a concern? Yes. Is it going to cause AIB to be hacked? No.

  13. DarraghNoob

    The majority of early users were given registration codes and they contained the user’s DOB plus 2 other random numbers. All new accounts since 2003 (approx) were given random 8 digit registration codes

  14. Conski

    that pretty much explains all the mystery late night weekend withdrawals in me account I reckons.

    1. Tannoy

      Finally, someone sticking up for the banks. After all they’ve done for us these past ten… Nay thirty years!

  15. Bazler

    My codes are 302108467 and 221198. Is that secure enough?

    That Nigerian Prince who emailed me seemed to think so anyway.

  16. csm

    Whatever about how many accounts still have this it sounds very insecure. All you have to do is guess 5 digits correctly. Posting the code to do it though is very irresponsible.

    1. 21secondstogo

      Which is more irresponsible; posting the code to highlight how easy it is? (it’s really easy), or for AIB to repeatedly ignore concerns raised?

  17. Trouble

    Ulster bank do this but with 4 digits at the end but then they have both a pin and an alphanumeric password so it’s not quite the same.

  18. Cloud9

    The usual security “experts” making waves. The facts are the vast majority of security failures concerning online personal details stem from wholesale hacking of the companies themselves, not individual random attempts. Online banking has proved very secure worldwide. Credit card details far less so. Meantime we’ll all mindlessly be forced to change our passwords.. Again!

  19. pissedasanewt

    Passwords are useless, every tv program I’ve ever watched they guess the password by just looking around the room. If somebody got in front of my computer I can’t see how I can keep them out as they would just know my password. Then 5 clicks later all my money has been transferred to a secret account in Zurich and the next time I log in a big laughing skeleton head would appear on my screen and it would seem as if all my files are scrambling in some nice little graphical way that would make it easy for me to understand what is happening..


Broadsheet.ie