Sunday 24 February 2019

Bank of Ireland aware of browser security issue – but say use it anyway

Adrian Weckler

Adrian Weckler

Big Irish companies have often been laggards with their web strategy. But Bank of Ireland's refusal to acknowledge a problem with the security of its nominated online banking web browser is very disappointing.

To recap: Bank of Ireland is continuing to insist that its thousands of Business On Line banking customers use the newly-insecure, unpatched Internet Explorer for all sensitive transactions.

The bank has reiterated its stance days after countless IT security experts, the US and UK governments and even Microsoft itself warned that there is an unfixed security problem with the internet browser in question.

This security flaw, according to Microsoft, could lead to theft of data or "the complete compromise" of a user's PC. And the warning is not just theoretical. Microsoft says that "targeted attacks" using the exploit have already occurred. Security firm FireEye has gone further, referring to an "active campaign" by hackers targeting the security flaw.

Until the problem is fixed, virtually all IT security experts now recommend scaling back use of Internet Explorer for sensitive transactions or switching to a rival browser.

But Bank of Ireland is still insisting that its business customers use the threatened web browser in their day-to-day banking.

The Business On Line service remains "only compatible with browser Internet Explorer" according to the bank and "using any web browser other than Internet Explorer . . . will prevent Business On Line from working correctly".

The result is confusion among Bank of Ireland business banking customers. Should they continue with their daily online banking via Internet Explorer or not?

To be fair to the bank, a lenient interpretation of the bank's thinking could be that the flaw mostly requires a user to click on a malicious link from an email or instant message or on a dodgy ad. Hence, it should not affect users who only use their browser to visit non-dodgy sites, such as the bank's Business On Line service.

If this is the bank's thinking – it will not answer questions on the matter, for some reason – it might buttress its theory that a problem with Internet Explorer is not necessarily a problem for Bank of Ireland. After all, how can it be held responsible for Microsoft and Internet Explorer and international hackers?

Unfortunately, this logic breaks down at the bank's insistence that only Internet Explorer may be used for its service. In other words, if Bank of Ireland customers want business online banking, they must use the condemned Internet Explorer.

This is the bank's choice – it could easily allow its customers to use any of the other modern, mainstream web browsers that do not currently carry security risks. So by chaining itself to an ageing, vulnerable internet browser, Bank of Ireland can not be surprised if customers worry that their sole means of accessing their money is via a browser that currently carries severe security concerns.

The entire situation is an unhappy place for Bank of Ireland, and its customers, to be in. Ironically, Internet Explorer is only used by a minority of Irish internet users (though its penetration among large businesses is higher than among consumers).

So why can't the bank provide a modern, widespread means of accessing its business banking?

Unfortunately, the company is not in a mood to discuss the issue. When I asked about this, the bank replied with a non-specific holding answer, devoid of specifics.

"Bank of Ireland is aware of issues in the media in relation to Microsoft Internet Explorer browser and we are in close liaison with our service providers and Microsoft to resolve the matter.

"In the interim, access to Business On Line is not impacted and full service is available."

Is this just a media issue? I'm not sure the bank's business customers think so.

Indo Business

Also in Business