AIB, Ireland’s largest bank, locks thousands of users out of their accounts during botched last-minute PSD2 update

Brian Edwards
Sep 22, 2019


Edit: This is being discussed extensively on Reddit

On the 14th of September 2019, the deadline for EU banks to implement the so-called PSD2 requirements passed. As the Irish Central Bank will explain, “Strong Customer Authentication”, or two-factor authentication (the term used by the rest of the world), is one of these requirements.

Unfortunately, AIB did not do a good job.


Canned Twitter responses are usually a sign of a company on the defensive. A Twitter search for “AIB rooted” brings up many more responses…


And lest we forget Reddit:

Let’s look at one example of this failure in some detail. About a week prior, my father, a lifelong customer of theirs, received this email.

I, along with hundreds of other technically inclined children, then found myself unexpectedly asked the question “What is a rooted device?”.

I proceeded to assure him that it was nothing to worry about. I had purchased this device for him myself, new, from a Vodafone official store, and it certainly was not rooted. This was simply bad messaging on AIB’s part.

Until a week later, when he tells me that he can no longer access his accounts. Please forgive the photograph of this error, but the AIB app forbids screenshots (unless you have a rooted device, I imagine).

My father relies on the app to put credit on his pre-pay mobile phone account. Without access to the app he will soon lose access to his phone.

As we have seen from other users on Twitter, AIB will not acknowledge any fault.

But it gets even worse. Simultaneously, AIB required that any user of the desktop interface first authenticate via the app. Which of course they cannot. They are now completely locked out.

This so-called security, it should be noted, is a sham, as it relies on SMS, which has been shown time and time again to be vulnerable to SIM-swap or other carrier-level attacks. In addition, to be permitted to use two-factor authentication on my mobile device, AIB insisted on posting a letter with a secret code to my house. A backwards-facing company is being dragged into modernity by these EU regulations.

But, if you can believe it, it gets even worse. Upon receiving this vaunted letter, and using my lucky device, which does not trigger their block, I still cannot activate two-factor authentication.

AIB have positioned themselves above scrutiny. Twitter is not a substitute for public discourse or regulatory oversight. In our brave new world, it is possible for a company to completely disrupt the lives of thousands of its customers in a fully automated way, yet we humans (consumers) find ourselves holding the bag at the end, with no ability to communicate problems upstream. The disruption to our lives in this process is merely a technical support issue.

We should not allow ourselves to be treated like this.
