Joe Duffy, Bank of Ireland and Someone's Missing A Few Grand!
How to confuse the F**K out of all of us
Over a cup of tea after lunch, as we tune into Live Line, we find ourselves amidst tales of dodgy emails and texts and a hell of a lot of mysteriously missing money. And as soon as Joe opens his mouth about yet another scam, out comes the ever-present PR statement from the banks, ever so polite and dripping with concern, assuring us of their unwavering commitment to digital safety.
But let's take a step back and have a look at just one bank, the Bank of Ireland. With just a bit of digging, a completely different story unravels, making one wonder – how much of the 'bank-we-take-security-seriously-speak' can we take at face value?
Where is Bank of Ireland?
One of the most evident issues is the disparate web addresses used by Bank of Ireland. A quick glance shows:
Main Website: https://www.bankofireland.com/
Personal Banking: https://www.365online.com/Digital/servletcontroller
Business Banking: https://www.businessonline-boi.com/WebUI/login-flow.html
For an average user, especially those not well-versed in online banking, such variation can be confusing. One would expect a bank's primary activities - personal and business banking - to be hosted under a common domain, making it intuitive for users.
Imagine a customer named Joan. She usually accesses her BOI 365 banking on her laptop. But she has had a coffee moment and her new laptop is waiting to be set up. So she grabs the kids' laptop while running out for work, to pay a bill quickly. She Googles BOI 365 Banking. Several results pop up, including fake websites set up by fraudsters, and she clicks on boi-365online.com. Click - The Live Line Is Open!
Given the bank's use of multiple, unrelated domains, Joan struggles to differentiate the legitimate business banking domain from a potentially malicious one.
These inconsistencies don't just make navigation harder; they pose a security risk. Fraudsters can easily replicate such disjointed setups, making their phishing sites seem genuine. A unified, consistent domain structure would be more challenging to spoof and easier for users to recognize.
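To make the point concrete, here is an added Python example (not code from the post) that classifies a URL against an allowlist built from the three legitimate hostnames quoted above. The allowlist, the brand tokens and the test URLs are assumptions for illustration, and the registrable-domain helper deliberately ignores the Public Suffix List.

```python
from urllib.parse import urlsplit

# Allowlist constructed from the three legitimate hostnames quoted in the post
# (assumption: these are the only domains the bank uses for these services).
LEGITIMATE_DOMAINS = {"bankofireland.com", "365online.com", "businessonline-boi.com"}

# Brand fragments a fraudster would reuse to make a lookalike feel genuine.
BRAND_TOKENS = ("bankofireland", "boi", "365online")


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: no Public Suffix List, so this is only correct for plain
    second-level .com/.ie style names like the ones discussed here.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, allowlist=LEGITIMATE_DOMAINS) -> str:
    """Classify a URL as 'legitimate', 'lookalike' or 'unrelated'.

    A host whose registrable domain is on the allowlist is legitimate.  A host
    that merely *contains* a brand token (boi-365online.com, or a legitimate
    name used as a subdomain of something else) is the phishing pattern the
    post warns about, so it is flagged as a lookalike.
    """
    host = urlsplit(url).hostname or ""
    if not host:
        return "unrelated"
    if registrable_domain(host) in allowlist:
        return "legitimate"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"
```

Note that every extra legitimate domain is one more entry a user, a mail filter or a browser extension has to know about; a single bankofireland.ie umbrella would shrink the allowlist to one line.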
Links that Lead Astray
Further complicating matters are the support references on all of their pages. Business banking users are directed to https://businessbanking.bankofireland.com/ while personal banking customers are sent to a long, almost cryptic URL full of session or reference parameters.
Disparate support references add another layer of complexity. Typically, support links should redirect to a subdomain of the main website or, at the very least, a URL with a recognizable structure. When different, lengthy, and non-intuitive URLs are introduced, users can easily be redirected to phishing sites that mirror these inconsistencies.
Joan, from our previous example, once on the business banking page, decides to check the support section to understand some features. She finds herself on a completely different domain. The next time she receives an email with a link to a "support page" that's also on a different domain (but this time a phishing site), she recalls the bank's inconsistent domain structure and does not give it a second thought... click, and the "Live Line is now open".
Which 2FA Do You Use?
The 2FA strategy Bank of Ireland employs is confusing. Personal banking uses the bank's own app, while business banking uses HID Approve. This separation might seem efficient from an internal standpoint, but from the perspective of an end user it is just another layer of complexity. Why isn't there a unified 2FA process for both personal and business banking? This inconsistency adds another dimension for potential fraud, as scammers can exploit users' unfamiliarity with these varied processes.
In particular, senior users, who might not be as tech-savvy as younger generations, are at a disadvantage. When faced with multiple domains and varied 2FA processes, the chances of them getting misled or becoming victims of fraud rise exponentially.
To .IE or Not .IE
Top-level domains (TLDs) are more than just the tail end of a website address. They carry a specific significance, signaling the origin or nature of the website. For institutions based in Ireland, the .ie domain acts as a beacon of authenticity, clearly indicating an Irish origin.
It's puzzling that the Bank of Ireland, a name synonymous with the country's financial landscape, opts for a .com domain over the localized .ie for its primary services. The .com TLD, being one of the most widely used, is rife with domain registrations, making it a vast sea where misleading or fraudulent domains can easily hide. In contrast, the .ie domain, with its narrower focus, is better poised to spot and act against suspicious domains, offering a cleaner namespace.
For Irish users, a .ie domain can serve as an added reassurance of dealing with a local, legitimate entity. This psychological trust factor, combined with the tighter control of .ie registrations, would significantly deter phishing attempts. By using a .ie domain, the bank could substantially reduce the risk of users stumbling upon misleading or malicious sites.
While the global appeal of a .com domain is understandable for businesses seeking international reach, the Bank of Ireland's core clientele is primarily local. By not capitalizing on the .ie domain's trust factor and its heightened oversight against fraudulent registrations, the bank seems to be missing out on a strategic and security advantage.
The Basic Failures
Both the personal and the business banking sites fail on something called DNSSEC. The Domain Name System (DNS) is often likened to the phonebook of the internet, translating user-friendly domain names into IP addresses that browsers can understand. But what if someone tampered with that phonebook, redirecting users to malicious sites without them realizing? This is where DNSSEC comes into play. By providing an additional layer of verification, it ensures that the information from the DNS is authentic and hasn't been tampered with, effectively preventing DNS spoofing and poisoning attacks.
Surprisingly, a preliminary review of the Bank of Ireland's domains indicates a lack of DNSSEC support.
Such a basic omission is alarming, especially for an institution that holds sensitive financial data. Without DNSSEC, users like Joan are at a heightened risk of being redirected to fraudulent sites, even if they type in the correct web address. Scammers can exploit DNS vulnerabilities to lead users to fake sites that look identical to the bank's genuine sites. From there, capturing login credentials, personal information, or even deploying malware becomes frighteningly easy.
Implementing DNSSEC is neither costly nor particularly challenging, especially for major institutions with robust IT infrastructures. The Bank of Ireland, and indeed all banks, should consider it non-negotiable in their online security protocols. While no single measure can guarantee complete online safety, layers of defense like DNSSEC are critical in building a fortified digital presence.
I dare not even look at their MX records... SPF anyone? Bueller, Bueller, Bueller, Bueller...
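As an added illustration of the SPF point raised here (not code from the post, and not the bank's real records), the following Python evaluates a sender IP against SPF TXT records. It runs over constructed records instead of live DNS, handles only the ip4, ip6, include and all mechanisms, and the domains and addresses are made up.

```python
import ipaddress
from typing import Optional

# Constructed TXT records standing in for DNS lookups (assumption: sample
# values for illustration only; example-bank.ie is not a real domain).
TXT_RECORDS = {
    "example-bank.ie": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "no-spf.example": "",
}

# SPF qualifier prefix -> result when the mechanism matches (RFC 7208 s.4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str) -> Optional[str]:
    """Return the domain's SPF record, or None if it publishes none."""
    record = TXT_RECORDS.get(domain, "")
    return record if record.startswith("v=spf1") else None


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Simplified SPF check: ip4/ip6/include/all only (no a, mx, ptr, exists,
    redirect or macros).  Returns pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:  # guard against include loops (RFC 7208 caps lookups at 10)
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # no policy at all: nothing stops spoofing this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # An IPv6 sender never matches an ip4 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term was published
```

The difference between the two records is the part a defender cares about: a "-all" policy lets receivers reject a forged sender outright, "~all" only asks them to treat it with suspicion, and no record at all gives them nothing to act on.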
Unraveling the Digital Knots of Bank of Ireland
As the kettle cools after our Live Line session, it's evident that the tales of digital mishaps aren't just the stuff of radio banter. Banks, as cornerstones of our financial landscape, bear a heavy responsibility, not just in keeping our money safe but in ensuring their online presence stands as a bastion of security and clarity. As our dive into the Bank of Ireland's digital realm suggests, there's ample room for improvement.
Recommendations
1. Unified Digital Strategy: To mitigate confusion, the Bank of Ireland should streamline its web addresses. A singular domain for all primary activities – be it personal or business banking – would not only simplify user navigation but also bolster security.
2. Clearer Support Links: Support references must be intuitive and preferably under a main domain or recognizable subdomain. A clearer digital path would reduce the chances of users wandering into the treacherous territories of phishing sites.
3. Unified 2FA Process: A consistent two-factor authentication process for both personal and business banking is essential. Such consistency would shield users, especially the elderly, from potential scams exploiting varied processes.
4. Embrace .IE: Tapping into the trust associated with the .ie domain could be transformative. Given the bank’s primarily local clientele, this shift would not only build confidence but would also offer an added layer of protection against malicious entities.
5. Implement DNSSEC: This can't be emphasized enough. DNSSEC acts as a digital seal of authenticity, ensuring users land where they intend to. For a bank of its stature, the Bank of Ireland must consider this a critical component in its digital safety blueprint.
6. Review MX Records and Implement SPF: It's an old saying for the digital age - a secure mail exchange is worth a thousand secure transactions. The bank should fortify its email communication by ensuring proper MX records and implementing the Sender Policy Framework (SPF) to prevent email spoofing.
In sum, while the Bank of Ireland has made strides in its digital journey, the path ahead requires more than just incremental steps. It's about building an online fortress that is not only impregnable but also intuitive for its users.