AIB Card Security: FAIL

Following on from Active Growth’s post on Bank of Ireland security, I didn’t want AIB to feel left out.

They’ve an even worse card security procedure, which they continue to use despite my repeated complaints.


Picture the scene, if you will.  Something fishy is going on on your credit card (normally it’s small value internet transactions).  The transactions are flagged up to the credit card fraud department, and they call you.

The Withheld Number

They call you from a withheld number.  You answer the phone, and the caller claims to be AIB Credit Card services, and asks you to prove to them that you’re actually the card holder!

At this stage on one call (and I get many from them – often over the same repeated transaction…another fail) I pointed out that as I was in possession of a “known good” phone number (i.e. the one that was attached to the credit card), and they were in possession of nothing more than a claim to be AIB, I was the one who should be asking the verification questions.  They didn’t like that.

Anyway, if you’re not as security aware as I am, you give them your credit card number, expiry date and full billing address (having already confirmed your name at the start of the conversation), and they then proceed to query some transactions.

How to scam an AIB customer

All the would-be scammer needs to do to get an AIB customer’s credit card details is dial #31#<target’s phone number>.  The call will come up on the target’s phone as “Number Withheld” or “Anonymous” or similar.

90% of customers will then give the credit card number, expiry date, billing address and probably even the CVV2 number from the back of the card without question.

If the person refuses to give the details, the scammer can even refer them to the phone number on the back of the card, where AIB’s real credit card services will confirm that yes, that is how the calls come.  But no, there’s no flag on their account at the moment – it must have all been cleared up.

What AIB should be doing

The correct way to handle this, in so far as there is one, is to call from a verifiable number (i.e. the one that appears on the back of the card), and to ask people to call back on the number that appears on the back of the card (not “call 01 654….”, but “call us on the number on the back of your credit card”), or even better, a well known freephone telephone banking number (along the lines of the 1890 242424 number).

Bruce Schneier would have a heart attack if he heard this was coming from the two largest banks in the country.  Although, given what those two banks have been up to, it shouldn’t be too much of a surprise…

Comments (1)

Brian, November 7th, 2009 at 14:45

I agree wholeheartedly with this. I have had several interactions by phone and mail with AIB Credit Card Services in the last year or so concerning suspected ‘fraudulent’ activity on my credit card.

On the last occasion they actually informed me that a previous card I thought had expired had actually remained open due to another of these ‘security’ checks remaining pending. On that occasion apparently they could not contact me by phone or mail so I now have to incur a €30 Stamp Duty charge in having the account closed. There was no mention when I contacted them by phone of actually verifying the ‘questionable’ transactions.

In addition to the obvious dangers of the method by which AIB conduct these ‘checks’, I would be very interested to find out exactly how a supposed suspicious or fraudulent transaction is flagged by their system. On the past two occasions when speaking to them over the phone, I have had to orally approve virtually identical transactions I have genuinely made online over different time periods; to me it seems unnecessary and stupid.

In one sense, I suppose it is good to know that AIB take this seriously (the checking at least, if not the methodology) but I was always of the opinion that the onus was on me, the customer, to regularly check the transactions on my account, and then to report any suspicions or concerns to them, not vice versa, particularly when the process just picks the same transaction type on each occasion and thus the cycle begins all over again.
