Online Payments Blog

Industry News and discussions relating to Online Payments and Application Security.
Feb 19
2011

O2 offer new prepay Visa card

Posted by sharkey in Visa PayWave , Visa , ruby money , ruby card , online payments , MBNA , Mastercard PayPass , MasterCard , ireland , 3V voucher

Telefónica O2 Ireland Ltd. have recently announced their O2 Money Card, a prepaid Visa (debit) card which customers can purchase at O2 shops nationwide for €4.99. We have reported on similar products in this space on the Irish market, in particular Rubycard, MoneyBookers and the Dublin City Gift Card, both prepaid Mastercards.

The important factors for these products are always the ease of access to top-up facilities, the costs, and how widespread the acceptance of the cards is as a payment mechanism. Being backed by credit card companies, the prepaid Visa card is accepted wherever you see the Visa sign, and similarly the Mastercard-endorsed cards are accepted wherever you see the Mastercard logo. The costs, however, tend to vary widely; see our other posts about prepaid Mastercards from Dublin City Business Association and Tuxedo Money.

To buy an O2 Money card for €4.99, you need to be 18 years or older and have an Irish registered mobile phone, and you need to place a minimum of €20 on the card (maximum €150).

Checking your balance

The balance on the card can be checked by:

  • Texting the word 'BALANCE XXXX' to 50280 where XXXX is replaced by the last four digits of the 13-digit customer number imprinted on the back of every O2 money card; or

Topping up the card

Transferring funds from your bank account appears to be the most cost-effective method offered. As with any bank transfer, it may take 3-5 days to process. The cost of the transfer is deducted from the amount transferred and the maximum you can transfer in one day is €350. These transaction costs apply:

€20.00 - €59.99 charge €0.80
€60.00 - €99.99 charge €1.25
€100.00 - €159.99 charge €1.70
€160.00 - €350.00 charge €2.55


Two other methods are available, both subject to the same top-up costs. Topping up in an O2 store or at a Payzone outlet should make the new balance available on the card ten minutes later; however, O2 do recommend retaining the receipt for up to 24 hours just in case. These transaction charges apply:

€20 - €50 charge €0.99
€60 - €90 charge €1.49
€100 - €150 charge €1.99
€160 - €350 charge €2.99

There are other charges and limits that apply. For example, ATM withdrawals and moving money to another O2 card are charged at €1 per transaction; replacing a lost or stolen card or moving money back to a bank account is charged at €5; if you use the card as a credit card, Government stamp duty (€2.50, once per 12 month period) will be charged, and if you use the card in an ATM a second stamp duty applies (again €2.50, once per 12 month period).

Do you use a prepaid Visa or Mastercard? We'd love to hear your comments below!

Ultan.


Apr 11
2010

Changes to the MBNA login process

Posted by Dave in MBNA , ireland , Chip and PIN , Application Security

Those of you who read my blog post about MBNA and 3D Secure will know I am an MBNA Visa card customer. MBNA provide their cardholders with a comprehensive online banking solution. You can review your recent transactions, recent statements, transfer balances and even view your PIN online. Recently, MBNA made some updates to their site, modifying the login process so it is now a two-step process.

 

 

This change appears to be an attempt to improve usability on the site by simplifying the log-in process. The website provides a "Where do I enter my password?" link giving MBNA's reasons for a two-step login process, reasons which I believe are misguided.



 

MBNA say the new two-step login process will better safeguard the privacy and security of their customers' personal information. These changes in fact compromise the security of their customers and provide scope for denial of service attacks. Here, I'm going to show you why.

The first step in the log-in process is where you enter your username. Here we encounter the first problem: if you enter an incorrect username, you get a message saying that the username does not match their records. Unfortunately, this means that the system can be used to find valid usernames of MBNA customers.



 

After entering a valid username you are presented with the password entry screen.

 

 

If an incorrect password is entered then this is indicated to the user.

 

 

 

Now we encounter problem number two: MBNA implement an invalid login attempts policy by which accounts are locked after 3 invalid login attempts. This in itself is not the problem, but combined with the ability to determine valid usernames it becomes a problem.

The invalid login attempts policy will prevent an attacker from carrying out a brute force attack to find the password for a cardholder's username, but it does leave MBNA open to a type of denial of service attack. For example, an attacker could determine a list of valid usernames for MBNA cardholders and then proceed to make three invalid login attempts for each username, locking out the accounts in the process.

The lesson is simple: when securing these systems, think about the malicious mind. It is good usability practice to return useful error messages; however, the error message need only be useful to the point of correcting the user's error. In the MBNA example there is no logic in having a second step. It does not provide any benefit to the customer in terms of security or data protection. I would also argue that it does not provide any benefits in terms of usability, as the user now has to deal with two screens, two page loads and has an extra click to submit each form.

The username and password should be entered in the same form, i.e. a single-step sign-in process. An informative error message such as "The username or password is incorrect." can then be displayed when an invalid username or password is entered. In this way the user benefits from the usability practices behind returning useful error messages; however, an attacker gains no extra knowledge to help compromise the system.

Dave
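
The contrast drawn in the post above, as an added example that is not part of the original post and is not MBNA's code: a username step that confirms which accounts exist, beside a single-step check where every failure returns the same message. The account store, username, password and iteration count are constructed; hashing against a dummy record for unknown usernames goes slightly beyond the post's point about messages, so that response time does not reveal what the message hides.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "The username or password is incorrect."
MAX_FAILURES = 3      # lockout threshold described in the post
ITERATIONS = 50_000   # constructed value, kept low so the demo runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "failures": 0}


# Constructed sample account store (hypothetical username and password).
USERS = {"alice": make_user("correct horse battery")}

# Dummy record: unknown usernames cost the same hashing work as real ones.
_DUMMY = make_user("placeholder-never-matches")


def two_step_check_username(username: str) -> str:
    """Behaviour the post criticises: step one confirms whether a username exists."""
    if username not in USERS:
        return "The username does not match our records."
    return "Enter your password."


def single_step_login(username: str, password: str) -> tuple[bool, str]:
    """Single form: unknown user, wrong password and locked account look identical."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    candidate = _hash(password, record["salt"])
    matches = hmac.compare_digest(candidate, record["hash"])
    locked = user is not None and user["failures"] >= MAX_FAILURES
    if user is not None and matches and not locked:
        user["failures"] = 0
        return True, "Welcome."
    if user is not None and not locked:
        user["failures"] += 1   # counted only for real, unlocked accounts
    return False, GENERIC_ERROR
```

A locked account also receives the generic message here, since a distinct "account locked" response would confirm that the username exists.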
