404 posts

Ultimate Geek
+1 received by user: 73


  Reply # 966452 13-Jan-2014 21:15

blakamin: All the banks *might* have 2-factor authentication, but how many regular (non-geek) people know about it?
How many know how to use it?
How many have actually set it up?
How many people (that know it exists) don't use it because they find it annoying?
Why is it not mandatory?


I'm quite sure (don't take my word on it) that 2 factor authentication is now mandatory for most if not all banks, maybe old accounts that were set up before they brought it in may not have it.




Regards
Stefan Andres Charsley

1199 posts

Uber Geek
+1 received by user: 73


  Reply # 966453 13-Jan-2014 21:16

Haha, it does seem like we ARE doing most of the dirty work for the criminals now.. :P




2021 posts

Uber Geek
+1 received by user: 300

Trusted
Subscriber

  Reply # 966455 13-Jan-2014 21:20

My HSBC account has a random number thing that creates a number and you have to enter that after name and assword.

Seems fairly secure. My ASB accounts - both business and personal - are just login and assword.

Given how complex this all sounds, surely no one would bother unless the amounts are significant?








1199 posts

Uber Geek
+1 received by user: 73


  Reply # 966457 13-Jan-2014 21:22

Geektastic: My HSBC account has a random number thing that creates a number and you have to enter that after name and assword.

Seems fairly secure. My ASB accounts - both business and personal - are just login and assword.

Given how complex this all sounds, surely no one would bother unless the amounts are significant?


Another guy (could be the same one) that wrote "assword".. lol

ASB does have 2FA and it is called Netcode. You have to click on "Personal Details", then "Set Netcode at Sign on".




Aussie
2179 posts

Uber Geek
+1 received by user: 197

Trusted
Subscriber

  Reply # 966482 13-Jan-2014 21:43

charsleysa:
blakamin: All the banks *might* have 2-factor authentication, but how many regular (non-geek) people know about it?
How many know how to use it?
How many have actually set it up?
How many people (that know it exists) don't use it because they find it annoying?
Why is it not mandatory?


I'm quite sure (don't take my word on it) that 2 factor authentication is now mandatory for most if not all banks, maybe old accounts that were set up before they brought it in may not have it.


But Westpac never ask the questions, ANZ haven't informed me, with ASB you have to know where to enable it... that's 3....
Mind you, I don't even use my NZ ANZ account anymore, so they might have changed in the last month.
See the above post (from sonyxperiageek) about ASB.

BDFL
49512 posts

Uber Geek
+1 received by user: 4367

Administrator
Trusted
Geekzone
Subscriber

  Reply # 966507 13-Jan-2014 22:33 One person supports this post

Geektastic: My HSBC account has a random number thing that creates a number and you have to enter that after name and assword.

Seems fairly secure. My ASB accounts - both business and personal - are just login and assword.


Not so fast. Those generators can be and are defeated.

Geektastic: Given how complex this all sounds, surely no one would bother unless the amounts are significant?


It's not complex at all. Once it is automated it's easy to reproduce. That's why there are botnets with millions of infected PCs.

People don't realise the amount of money involved in this. For example the story of Egor Shevelev who made US$ 5 million from 95,000 stolen bank card numbers. Or even better read about Max Butler who stole two million card numbers and charged more than US$ 85 million. Credit card fraud (a.k.a. Carding) is a big business.

Read Wired's article "One Hacker's Audacious Plan to Rule the Black Market in Stolen Credit Cards", which tells part of Max Butler's story, then read the book "Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground" by Kevin Poulsen, the guy who wrote the Wired article.

The numbers are not small. Every now and then I have a lunch with someone from Symantec, AVG and other security companies. The numbers they show are incredible. With more than 2.6 billion PCs around the world there are plenty of systems where bad people can dip their toes.

When security firms issue press releases pointing this out, a lot of "technical people" come out saying they are just spreading FUD to sell their software. Nope, they're out there to prevent the criminals getting your money.





28 posts

Geek
+1 received by user: 5


  Reply # 966508 13-Jan-2014 22:38

blakamin: All the banks *might* have 2-factor authentication, but how many regular (non-geek) people know about it?
How many know how to use it?
How many have actually set it up?
How many people (that know it exists) don't use it because they find it annoying?
Why is it not mandatory?


With regard to ANZ, as I posted earlier, it is mandatory for transactions >$10,000 and for sending money overseas (>$100 for direct transfers?). It was promoted to bank clients when introduced, and is still promoted if clients choose to read the information/suggestions about enhanced security.

Some bank clients may feel they don't need 2FA, and whether that is an informed choice may be hard to ascertain. 2FA is available, and there may be good reasons why some clients don't want it for their routine bank use. It's a readily-available choice.

BDFL
49512 posts

Uber Geek
+1 received by user: 4367

Administrator
Trusted
Geekzone
Subscriber

  Reply # 966510 13-Jan-2014 22:42

People should also treat their passwords with care - use different passwords for different services, use 2FA where available (I use 2FA on Twitter, Facebook, Google, Dropbox, LastPass, Microsoft account and more).

Read How Apple and Amazon Security Flaws Led to My Epic Hacking to find out how one security flaw in one system (Amazon) can lead to a string of social engineering hacks.

What is secure for one company is not to another and that's one big problem.

I am always surprised how in this age of "I don't care about privacy and post everything on Facebook" people don't realise how thin the protection they have is...





BTR

438 posts

Ultimate Geek
+1 received by user: 91


  Reply # 966552 14-Jan-2014 08:14

Did he use his card at an ATM? It may have been skimmed...

Watchmaker Wizard
2403 posts

Uber Geek
+1 received by user: 57

Subscriber

  Reply # 966572 14-Jan-2014 08:44

charsleysa:
blakamin: All the banks *might* have 2-factor authentication, but how many regular (non-geek) people know about it?
How many know how to use it?
How many have actually set it up?
How many people (that know it exists) don't use it because they find it annoying?
Why is it not mandatory?


I'm quite sure (don't take my word on it) that 2 factor authentication is now mandatory for most if not all banks, maybe old accounts that were set up before they brought it in may not have it.


Not mandatory for ANZ or Westpac at least.





406 posts

Ultimate Geek
+1 received by user: 62

Trusted
Subscriber

  Reply # 966602 14-Jan-2014 09:34

I started using this a few weeks back for some other financial sites. I've only seen hardware tokens on some banks and would be interested to know if any banks support these types of apps?

http://www.windowsphone.com/en-us/store/app/authenticator/021dd79f-0598-e011-986b-78e7d1fa76f8

BDFL
49512 posts

Uber Geek
+1 received by user: 4367

Administrator
Trusted
Geekzone
Subscriber

  Reply # 966610 14-Jan-2014 09:46

AFAIK local banks do not support Authenticator but most of the online industry does, seeing it is a standard being pushed by Google.




36 posts

Geek
+1 received by user: 30


  Reply # 966675 14-Jan-2014 10:58

i just wanted to point out that kyanar is technically correct when he said banks with 2FA login are in the minority. the banks either use 2FA with transactions, or it's not 2FA at all (re kiwibank). only BNZ have 2FA & login, and even then i understand it can be turned off as an option.

1) as i understand 2FA, it comprises something you know, and something you have. kiwibank's login is actually something you know, and something you know. hence not true 2FA.

2) ANZ and ASB both have 2FA. just to note, banks don't consider logins as a risky concern. the 3 main concerns are
a) when a payment leaves an account
b) when personal details are changed (or requested)
c) when pre-set payees details are changed (stops people paying away without realising bank account numbers have changed)

3) banks have to balance cost with security, and with many people logging in multiple times a day just to check their balance it is impractical to expect lots of netcode/onlinecode notifications to be sent

4) for every person that asks for more security, there are multiple others that ask for convenience. a very hard issue to balance.

hope this info is useful and dispels myths about the online banking system.

28 posts

Geek
+1 received by user: 5


  Reply # 966728 14-Jan-2014 11:49

tilde: i just wanted to point out that kyanar is technically correct when he said banks with 2FA login are in the minority. the banks either use 2FA with transactions, or it's not 2FA at all (re kiwibank). only BNZ have 2FA & login, and even then i understand it can be turned off as an option.

1) as i understand 2FA, it comprises something you know, and something you have. kiwibank's login is actually something you know, and something you know. hence not true 2FA.

2) ANZ and ASB both have 2FA. just to note, banks don't consider logins as a risky concern. the 3 main concerns are ...



As noted above, ANZ applies 2FA to your login, and it's mandatory if you wish to perform transactions >$10,000, or send money overseas.
It's not applied specifically to those transactions, but at the account login. You can choose to use it for all logins, as it's fairly easy, but some people may have good reasons not to routinely use it for transactions where 2FA is not mandated by ANZ.

I can't comment on whether other banks only apply it to specific transactions, but to me that would seem to be a secondary login required for the transaction to occur. Semantics perhaps. But the original claim was that ANZ ( and other banks ) do not have 2FA login.

XKCD's Duty Calls cartoon is probably appropriate for this post, and perhaps thread.

Awesome
3946 posts

Uber Geek
+1 received by user: 475

Trusted
Subscriber

  Reply # 966855 14-Jan-2014 14:57

ASB has (IMO) by far the best 2FA offering. You can choose between receiving a unique code by text message, or a hardware token (RSA SecurID), and you can choose to require it at login or only at high risk points.

As someone mentioned above, a login in itself isn't a risky event, it's money leaving the account that is, so it makes sense to require 2FA at that point, rather than at login which gets highly annoying.

BNZ used to require NetGuard at login for many years, only recently making it optional after much feedback (including from me). Also, neither BNZ nor Kiwibank solutions are very good. Kiwibank don't use true 2FA as pointed out above, and BNZ's NetGuard is flawed as it is static (e.g., you only have to gain physical access to it once to compromise it for the life of the card). With screen/key logging, it would also be possible to obtain the whole card over time, something that expiring tokens are not susceptible to.

I don't have accounts with ANZ or Westpac, so can't comment on their tech.





Twitter: ajobbins
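
An added illustration of the static-card versus expiring-token point made in the post above (not part of the thread and not any bank's implementation): it compares an RFC 6238 time-based code with a static grid card. The 70-cell card and 3 cells per login are assumed figures, not NetGuard's real layout, and the secret is the published RFC test key.

```python
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"  # published RFC 4226/6238 test key


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1): changes every `step` seconds."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp_accepts(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Server-side check with no clock-drift window, constant-time compare."""
    return hmac.compare_digest(code, totp(secret, now, step))


def grid_exposure(cells: int, asked: int, logins: int) -> float:
    """Expected fraction of a static card's cells revealed after `logins`
    observed sign-ins, each asking for `asked` distinct random cells."""
    return 1.0 - (1.0 - asked / cells) ** logins


def compare() -> dict:
    captured = totp(RFC_TEST_SECRET, 59)  # code observed once, at t=59
    return {
        "totp_ok_same_step": totp_accepts(RFC_TEST_SECRET, captured, 59),
        "totp_ok_2min_later": totp_accepts(RFC_TEST_SECRET, captured, 179),
        # Assumed card: 70 cells, 3 requested per login (not real figures).
        "card_exposed_after_10": round(grid_exposure(70, 3, 10), 2),
        "card_exposed_after_50": round(grid_exposure(70, 3, 50), 2),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The observed time-based code stops verifying once its 30-second step has passed, while each cell read from the static card stays valid for the life of the card, so exposure only accumulates.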
