Bank of Ireland 365online “upgrade”

The login procedure for BOI’s 365online changed recently. I am not sure why they did it, but they’ve made it less secure.

Previously, the login was something like this:

Please enter your six digit User ID
Please enter the last four digits of your contact number
Please enter the first, second and fourth numbers of your pin
* * *

They separated the form in the upgrade. The first two inputs are on the first page, and the PIN input is on the second page.

Notice that the User ID and contact number fields above are not password inputs – when something is typed into them, you can see what was typed. The only security with the above form is in the PIN input. Each input there is a password field, and only random bits of the PIN are requested. Someone would need to watch your fingers to know what you typed.

Contrast that with the new PIN input system:

Please enter the first, second and fourth numbers of your pin
01234
56789
01234
56789
* 01234
56789
* *

In the actual BOI form, when you select a number from the above, it is masked immediately after selection by changing it to a ‘*’ symbol. But that makes no bloody difference at all because everyone in the room can see me choose the numbers in the first damn place.

And if they miss it the first time around, all they need to do is wait for me to transfer some money to an account, because they ask for the PIN to be inputted again, using the same stupid insecure form!
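To put numbers on the repeated-prompt problem, the following is an added example (not part of the original post and not BOI's code) that computes how quickly a partial-PIN scheme loses its value once each prompt is visible on screen. The six-digit PIN length, the three positions drawn uniformly at random per prompt, and the function names are assumptions made for illustration.

```python
from fractions import Fraction
from math import comb


def seen_distribution(pin_len, asked, prompts):
    """Exact distribution of how many distinct PIN positions have been
    shown on screen after `prompts` visible challenges."""
    total = comb(pin_len, asked)          # number of possible challenges
    dist = {0: Fraction(1)}               # nothing exposed before the first prompt
    for _ in range(prompts):
        nxt = {}
        for seen, p in dist.items():
            # A challenge exposes `new` fresh positions and repeats
            # `asked - new` positions that were already exposed.
            for new in range(asked + 1):
                ways = comb(pin_len - seen, new) * comb(seen, asked - new)
                if ways:
                    key = seen + new
                    nxt[key] = nxt.get(key, 0) + p * Fraction(ways, total)
        dist = nxt
    return dist


def p_next_challenge_covered(pin_len, asked, prompts):
    """Probability that a fresh challenge asks only for positions that
    were already exposed, i.e. the partial-PIN rotation adds nothing."""
    total = comb(pin_len, asked)
    dist = seen_distribution(pin_len, asked, prompts)
    return sum(p * Fraction(comb(seen, asked), total) for seen, p in dist.items())


def p_whole_pin_seen(pin_len, asked, prompts):
    """Probability that every position of the PIN has been exposed."""
    return seen_distribution(pin_len, asked, prompts).get(pin_len, Fraction(0))


if __name__ == "__main__":
    # Assumed parameters: 6-digit PIN, 3 positions requested per prompt.
    print("prompts  next-challenge-covered  whole-PIN-exposed")
    for m in range(1, 7):
        print(f"{m:7d}  {float(p_next_challenge_covered(6, 3, m)):22.3f}"
              f"  {float(p_whole_pin_seen(6, 3, m)):17.3f}")
```

Under these assumptions, one visible prompt leaves a 1-in-20 chance that the next challenge is already fully exposed, and a second visible prompt (such as the one shown before a transfer) raises that to 147 in 400.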

Please, BOI, when you decide to change a login form, make it more secure – not less.