36 posts

Geek
+1 received by user: 30


  Reply # 966856 14-Jan-2014 14:59

i stand corrected on ANZ not having 2FA login, i did get that wrong.

However since we are being snide about other people's reply when all i was doing was trying to provide more information

BruceHamilton: ...Semantics perhaps. But the original claim was that ANZ ( and other banks ) do not have 2FA login.

XKCD's Duty Calls cartoon is probably appropriate for this post, and perhaps thread.


the original claim which i was addressing was "banks with 2FA login are in the minority". that still holds true, given that 2 out of the 7 banks do not implement 2FA login. Sounds very much like a minority to me...

BDFL
49992 posts

Uber Geek
+1 received by user: 4645

Administrator
Trusted
Geekzone
Subscriber

  Reply # 966861 14-Jan-2014 15:06

BNZ Netguard is optional for login and online payments to existing payees but if you want to send money to a new account or create/modify a payee then you must enter the Netguard credentials.

also note that with the amount of problems our telcos have delivering service SMS I don't trust this method not a bit...




2509 posts

Uber Geek
+1 received by user: 245

Trusted
Subscriber

  Reply # 966892 14-Jan-2014 15:31 One person supports this post

BruceHamilton: As noted above, ANZ applies 2FA to your login, and it's mandatory if you wish to perform transactions >$10,000, or send money overseas.
It's not applied specifically to those transactions, but at the account login. You can choose to use it for all logins, as it's fairly easy, but some people may have good reasons not to routinely use it for transactions where 2FA is not mandated by ANZ.

I can't comment on whether other banks only apply it to specific transactions, but to me that would seem to be a secondary login required for the transaction to occur. Semantics perhaps. But the original claim was that ANZ ( and other banks ) do not have 2FA login.

XKCD's Duty Calls cartoon is probably appropriate for this post, and perhaps thread.


So long as it's not mandatory, it might as well not exist. My mother has an ANZ account. Does she have 2FA set up? Nope. Has she ever been asked by ANZ to set it up? Again, nope. I have a TSB account. Does it have 2FA? Nope. Have I ever been asked to set it up? Nope. I have a BNZ account. This does have 2FA in the form of that annoying card. Though if I use my phone, it considers that the second factor and lets me do anything without it. I also have an ASB account which has 2FA for transactions over $800, but they never mentioned to me that I could use it at login. Amusingly, 2FA is not required to transact in ASB Securities, despite the fact that the values involved are far, far larger. Last but not least, I have a Westpac account. Does it have 2FA? Nope. It has "Something you know, and something everyone with access to the BDM registry, electoral roll, or Facebook knows".

1137 posts

Uber Geek
+1 received by user: 73


  Reply # 966927 14-Jan-2014 15:59

blakamin:
charsleysa:
blakamin: All the banks *might* have 2-factor authentication, but how many regular (non-geek) people know about it?
How many know how to use it?
How many have actually set it up?
How many people (that know it exists) don't use it because they find it annoying?
Why is it not mandatory?


I'm quite sure (don't take my word on it) that 2 factor authentication is now mandatory for most if not all banks, maybe old accounts that were set up before they brought it in may not have it.


But Westpac never ask the questions, ANZ haven't informed me, with ASB you have to know where to enable it... that's 3....
Mind you, I don't even use my NZ ANZ account anymore, so they might have changed in the last month.
See the above post (from sonyxperiageek) about ASB.


When the BNZ started using Netguard and I tried to log in it automatically sent me to the sign up for netguard page which I now use religiously

now to sign in I have to provide a 9 digit number and a Password and a 3 digit random pick from a netguard card. This card is renewed every few months so anyone trying to use an old card won't be given access. Also, if I'm out of range of a mobile phone network I don't have to rely on a TxT to log in




Asus Crosshair V Formula AMD FX8320, 8GB Corsair Vengence LP, 2X Sapphire Radeon HD7850 2GB 1000/1300, 1x WesternDigital WD2500AAJS 7200rpm 8MB cache SATAII , 1x Samsung spinpoin F1 HD502IJ 1x storage mode, 2x Samsung Spinpoint F1 HD502IJ RAID0 Boot, 1x Pioneer DVR212s 18x DVDRW, SilverStone ST75F-P (750W) Full Modular PSU, OS WIN7 x64 ultimate SP1 (7601), SilverStone RaVeN RV02B-W (with USB3.0 upgrade)

Awesome
4021 posts

Uber Geek
+1 received by user: 584

Trusted
Subscriber

  Reply # 966938 14-Jan-2014 16:15

Athlonite: now to sign in I have to provide a 9 digit number and a Password and a 3 digit random pick from a netguard card. This card is renewed every few months so anyone trying to use an old card won't be given access. Also, if I'm out of range of a mobile phone network I don't have to rely on a TxT to log in


Netguard cards are valid for at least a year. It might even be two. Certainly not months.

This is very different from one use codes either on a hardware/software token or sent by SMS which are good for a single use, or expire if unused in seconds or minutes at most.

Also means yet another card you have to carry in your wallet, and I already have way more than I want.

Netguard is the worst in terms of both usability and security.

For me, the best solution would be for the banks to let me use Google Authenticator, or another soft token like Symantec VIP. Works offline, is random and expires every 30 seconds, requires me to have my phone (which I always have), but isn't reliant on having a network connection.




Twitter: ajobbins

36 posts

Geek
+1 received by user: 30


  Reply # 966956 14-Jan-2014 16:49

i just want to provide more context to newer posts, if i may just to explain the reasoning behind the netguard card and internet banking app not requiring further 2FA.

1) a netguard card is considered personal property, not to be left lying around. if one loses it, you are expected to report it to BNZ so that they can cancel the current one and re-issue a new card. also note that losing a netguard card still requires a PW to get in, so 2FA works as expected.

2) a phone is also considered personal property, as per point 1.

at the end of the day, nothing is 100% foolproof to stop banking fraud. however it is hoped that with 2FA/netguard it provides enough protection long enough to report missing personal items to the bank to cancel & re-issue whatever is necessary

if a user is silly enough to provide (inadvertently) the PW and the 2FA auth code/token there is nothing the bank can do to stop the transaction going through.

Awesome
4021 posts

Uber Geek
+1 received by user: 584

Trusted
Subscriber

  Reply # 966978 14-Jan-2014 17:12

tilde:
1) a netguard card is considered personal property, not to be left lying around. if one loses it, you are expected to report it to BNZ so that they can cancel the current one and re-issue a new card. also note that losing a netguard card still requires a PW to get in, so 2FA works as expected.


Both a password, username and netguard credentials can be obtained over time via key logging/screen capture. If the user used it once a day, it could be compromised in as little as a few days, but the credentials would be valid for months or more.

On the other hand, an OTP by SMS or via a token or soft token is good for minutes at most and can be used one time at most, so no amount of key logging could compromise it.




Twitter: ajobbins

Aussie
2226 posts

Uber Geek
+1 received by user: 223

Trusted
Subscriber

  Reply # 967018 14-Jan-2014 18:12

BruceHamilton:
blakamin: All the banks *might* have 2-factor authentication, but how many regular (non-geek) people know about it?
How many know how to use it?
How many have actually set it up?
How many people (that know it exists) don't use it because they find it annoying?
Why is it not mandatory?


With regard to ANZ, as I posted earlier, it is mandatory for transactions >$10,000 and for sending money overseas (>$100 for direct transfers?). It was promoted to bank clients when introduced, and is still promoted if clients choose to read the information/suggestions about enhanced security.

Some bank clients may feel they don't need 2FA, and whether that is an informed choice may be hard to ascertain. 2FA is available, and there may be good reasons why some clients don't want it for their routine bank use. It's a readily-available choice.


In a lot of cases I could clean out somebody's bank account without going anywhere near $10k.

And I just logged in and still know nothing about it. Lucky I don't use that account and will close it next time I'm in NZ.

367 posts

Ultimate Geek
+1 received by user: 69


  Reply # 967374 15-Jan-2014 09:52

I like Kiwibank's 2F login (even if it isn't strictly 2F) as I don't want to carry additional cards or random # generators with me. When I had a BNZ account it was a pain to have to pull out my Netguard card and with Rabobank it was worse as I had to carry around their random number gadget.

And remember, as long as you have complied with your bank's terms and conditions re not sharing your password etc, in the unlikely event you have money stolen, the bank will refund you. An inconvenience, yes, but not the end of the world. So relax, let the bank worry about their security, you don't have to! (-;

(Happy to be shown otherwise re bank not refunding, but I have never heard of anyone who kept their PIN/password secure remaining out of pocket).


36 posts

Geek
+1 received by user: 30


  Reply # 967419 15-Jan-2014 10:41 2 people support this post

@ ajobbins
completely agree re: netguard card logging but i'll address that concern below

@ blakamin
yes, you probably could, but you probably wouldn't be able to either keep the money for long or transfer it out of NZ. there are many behind the scenes bank alerts/fraud systems that are not advertised to the public that deal with the hypothetical scenarios raised.

there is no 100% truly foolproof system, and banks work on the risk vs reward system. for every geekzone user (remembering that you are not typical of the population) that wants a 2FA/OTP/retina capture system/finger scan, there are dozens of users who question the need for even a PW to get into their account to check their balance because they are after speed and convenience.

as dafman pointed out, banks will refund your money if fraud occurs and you have not contributed to it. if 10 cases of $10k happen a year (total cost of $100k) and the cost of implementing a solution (technical & training & business) = $4mil, you can see why banks will take the risk that on the odd occasion fraud happens and pay out.

Awesome
4021 posts

Uber Geek
+1 received by user: 584

Trusted
Subscriber

  Reply # 967727 15-Jan-2014 19:08

Most of the decision making in the banking industry comes back to risk




Twitter: ajobbins

689 posts

Ultimate Geek
+1 received by user: 23

Subscriber

  Reply # 968883 17-Jan-2014 13:43

Kyanar: So long as it's not mandatory, it might as well not exist. My mother has an ANZ account. Does she have 2FA set up? Nope. Has she ever been asked by ANZ to set it up? Again, nope. I have a TSB account. Does it have 2FA? Nope. Have I ever been asked to set it up? Nope. I have a BNZ account. This does have 2FA in the form of that annoying card. Though if I use my phone, it considers that the second factor and lets me do anything without it. I also have an ASB account which has 2FA for transactions over $800, but they never mentioned to me that I could use it at login. Amusingly, 2FA is not required to transact in ASB Securities, despite the fact that the values involved are far, far larger. Last but not least, I have a Westpac account. Does it have 2FA? Nope. It has "Something you know, and something everyone with access to the BDM registry, electoral roll, or Facebook knows".


I think you will find that with TSB, by default, any attempt to create a Payee will require 2FA and there is also a dollar limit on outgoing payments, over which 2FA is required.

On the other hand I'm somewhat appalled at ANZ's Android GoMoney app, that can be set up to access all of your account details, process payments etc, with no more than a 4 digit PIN code to log in. This can be disabled to revert to a more conventional login, but who is going to bother?

2604 posts

Uber Geek
+1 received by user: 438

Trusted
Subscriber

  Reply # 969302 18-Jan-2014 11:15

freitasm:
Geektastic: My HSBC account has a random number thing that creates a number and you have to enter that after name and assword.

Seems fairly secure. My ASB accounts - both business and personal - are just login and assword.


Not so fast. Those generators can be and are defeated.

Geektastic: Given how complex this all sounds, surely no one would bother unless the amounts are significant?


It's not complex at all. Once it is automated it's easy to reproduce. That's why there are botnets with millions of infected PCs.

People don't realise the amount of money involved in this. For example the story of Egor Shevelev who made US$ 5 million from 95,000 stolen bank card numbers. Or even better read about Max Butler who stole two million card numbers and charged more than US$ 85 million. Credit card fraud (a.k.a. Carding) is a big business.

Read Wired's article "One Hacker's Audacious Plan to Rule the Black Market in Stolen Credit Cards", which tells part of Max Butler's story, then read the book "Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground" by Kevin Poulsen, the guy who wrote the Wired article.

The numbers are not small. Every now and then I have a lunch with someone from Symantec, AVG and other security companies. The numbers they show are incredible. With more than 2.6 billion PCs around the world there are plenty of systems where bad people can dip their toes.

When security firms issue press releases pointing this out, a lot of "technical people" come out saying they are just spreading FUD to sell their software. Nope, they're out there to prevent the criminals getting your money.



That's why even my generally safe Mac has Eset Cyber Security Pro running.

I have also seen apps on Mac etc that can run virtual keyboards to help defeat keystroke logging - and ASB make you add the PIN to your cards after they arrive by using a virtual number pad in Fastnet, you have to enter it twice and the position of the numbers on the 'square' changes each time which can be confusing....!!

Should have been born later into the computer age, rather than straddling the no computer/computer worlds! Maybe I would have understood programming and been able to retire to my private island by now.







