AIB Card Security: FAIL

Following on from Active Growth’s post on Bank of Ireland security, I didn’t want AIB to feel left out.

They’ve an even worse card security procedure, which they continue to use despite my repeated complaints.

Picture the scene, if you will.  Something fishy is going on on your credit card (normally it’s small value internet transactions).  The transactions are flagged up to the credit card fraud department, and they call you.

The Withheld Number

They call you from a withheld number.  You answer the phone, and the caller claims to be AIB Credit Card services, and asks you to prove to them that you’re actually the card holder!

At this stage on one call (and I get many from them – often over the same repeated transaction…another fail) I pointed out that as I was in possession of a “known good” phone number (i.e. the one that was attached to the credit card), and they were in possession of nothing more than a claim to be AIB, I was the one who should be asking the verification questions.  They didn’t like that.

Anyway, if you’re not as security aware as I am, you give them your credit card number, expiry date and full billing address (having already confirmed your name at the start of the conversation), and they then proceed to query some transactions.

How to scam an AIB customer

All the would-be scammer needs to do to get an AIB customer’s credit card details is dial #31#<target’s phone number>.  The call will come up on the target’s phone as “Number Withheld” or “Anonymous” or similar.

90% of customers will then give the credit card number, expiry date, billing address and probably even the CVV2 number from the back of the card without question.

If the person refuses to give the details, the scammer can even refer them to the phone number on the back of the card, where AIB’s real credit card services will confirm that yes, that is how the calls come.  But no, there’s no flags on their account at the moment – it must have all been cleared up.

What AIB should be doing

The correct way to handle this, in so far as there is one, is to call from a verifiable number (i.e. the one that appears on the back of the card), and ask people to call back to the number that appears on the back of the card (not “call 01 654….”, but “call us on the number on the back of your credit card”), or even better, a well known freephone telephone banking number (along the lines of the 1890 242424 number).

Bruce Schneier would have a heart attack if he heard this was coming from the two largest banks in the country.  Although, given what those two banks have been up to, it shouldn’t be too much of a surprise…

