Westpac rides the Security Short Bus

sleemanj, posted: 5-Oct-2010 14:40

So, logging into the online banking for a club's bank account at Westpac today, I'm now required to set "security questions".

Anybody who has read my blog about the Kiwibank security questions knows I'm not a fan of this idea, but Westpac is even worse!

My biggest gripe here is, YOU CAN'T ENTER YOUR OWN QUESTION!

You have to select from a number of pre-defined questions. This has two primary issues:
  1. The questions are stupid. In this day and age of "social networking", where people seem to put up their every detail for the world to view on Facebook etc, and where a bit of careful Googling can reveal considerable information about almost anybody, finding the answers to many of these questions is FAR too easy.

  2. The questions are in no way suitable for companies or organisations where multiple people may use the same login to access the internet banking.

Here is a sample of the questions I am forced to choose from:

"What was the model of your first car?"
"What is your grandmother's first name on your mothers side?"
"What is your oldest sister's birthday, month and year?"
"What is the last name of your favourite author?"
"In what city/town was your mother born?"
"What is the first name of your maid of honor at your wedding?"
"What is your favourite food?"

You are required to choose three questions (there are a few more than the above to choose from, but you get the idea of the retardedness of this all).

From a security point of view, this is little more than theater in my opinion, particularly if people choose some of the more "googleable" questions. I'm not one of these social networkers, or twitterers or whatever, but I know people for whom finding out a lot of this stuff would be easy (this alone is a good reason NOT to be a social networker or twitterer).

From a usage point of view, this is atrocious for organisations, as already pointed out. If one of my fellow committee members wants to have access to the accounts to check on my work, AS THEY SHOULD, why should I have to give them these personal answers so that they can? And if I were to choose "fake" answers, I'm SURE to either forget what I answered or have to write them down. Total security failing!

Dammit Westpac, I like your internet banking for the most part, but this is damned retarded!
Comment by NonprayingMantis, on 5-Oct-2010 15:51

I could be wrong, but I believe the challenge questions are not for the typical reason of giving you a new login if you forget your password (as would be the case with things like email accounts), but rather *in addition* to the password. This means that even if the answers are easily googleable, the person googling them still needs to know your password before they can use them.

I believe that they do not come up all the time either; they only come up when unusual transactions are detected or if you login from an unusual IP address or something.


Comment by graemeh, on 5-Oct-2010 15:54

Multiple people should NOT be using the same login for internet banking.

This might be acceptable if the login only has enquiry access but even then each person should have their own ID.


Author's note by sleemanj, on 5-Oct-2010 16:28

@graemeh

Yes, in an ideal world. However, we are talking about a club committee here, where a member may (or more likely may not; this is somewhat hypothetical when it comes to most committees, who only really care how much money they have to spend every month) want one-time access, or backup access in case the treasurer keels over.

I don't think Westpac exactly makes it easy to create a second login; the only mention I've seen of the capability is in the FAQ to this new security thing.


@nonpraying

The questions are used, amongst other times, when you need a password reset apparently, but ONLY if you also give them your mobile number. It's not actually clear when these questions are going to be used; I'd assumed every time you log in, but seemingly not.

The FAQ does mention something about a change in 2011 that sounds like it means you will need to have a mobile phone and answer a question when you want to make a payment (transfer) in your internet banking, but it's not very clear, so maybe I'm reading it wrong.

Quoting: "In 2011 the Westpac Online Guardian system will incorporate two new security services (challenge questions and challenge code txts delivered to a mobile phone) into the payment sections in Online Banking. In preparation for this we are requesting the set up of the challenge services now."


Comment by nickb800, on 5-Oct-2010 16:34

Yup, it's a pain in the rear for little benefit. Just got it popping up when I logged in to check the flat account; I think I'll just avoid it as long as I can.


Comment by graemeh, on 5-Oct-2010 16:39

It is not hard to get a second login. You just need to be a little creative.

Just get one of the other committee members set up at the bank to have enquiry-only access on the account. This will usually be done by a mandate or signing authority. Once this is in place the person can go into a branch and get printouts etc.

The next step is for that person to get internet banking access. Committee members can share this login, and since it can't do anything but look, you are reasonably safe.

I am making one assumption here, which is that the Westpac internet banking supports enquiry-only access, but I can't believe it doesn't.


Comment by Linuxluver, on 5-Oct-2010 20:04

You can make up your answers. They do not have to be truthful answers.

Grandmother's first name on my mother's side? "Butch".

What city or town was my mother born in? "Sin City".

What was the model of my first car? "Claudia Schiffer".

Go got it. Have fun.


Comment by JasonDarwin, on 5-Oct-2010 22:16

The Companies Office has a similar system.


Comment by Foo, on 6-Oct-2010 13:53

You raise a very good point and one that we have been discussing in our household.

I have to do this too, but haven't yet done so... next time I log in I will need to set my questions up.

As one way around it, could you not decide on a single secure answer to all three questions? Stick with the same answer for each question and use this for all these types of questions?


Comment by traderstu, on 6-Oct-2010 14:10

Yes, and they have a major fail regarding mobile phones. To set up the mobile phone part it will not accept a number used on another account. It seems that nobody thought that a person operating 2 accounts would only have 1 phone.


Comment by TinyTim, on 6-Oct-2010 20:50

I had to sign up for something at the start of the year that required *6 questions*. (Victoria University email hosted by Microsoft I think it was.)

Where was your mother born?

Gore

Sorry, answer must have more than 4 characters.

So, the new answer is either "Gorrrre" (Southland accent) or "New Zealand" (really secret!)??

What a ridiculous waste of time.


Comment by wmoore, on 7-Oct-2010 08:20

I have a Lloyds TSB account here in the UK.

It has a User ID number, a password, then memorable information, which can be anything you like. When you log on it will ask you for random characters from your memorable information, up to four random characters.


Comment by oxnsox, on 7-Oct-2010 10:13

I dislike most of these 'security question' requirements for their inflexibility, whether verbal or computer generated.

Especially when some bloke in another part of the world wants to know my birthdate, full name, and address... so that I can then provide my credit card details to pay a bill for an account number I have already provided. There is something fundamentally wrong with that sort of system.


Comment by Foo, on 11-Oct-2010 07:13

I note that the security questions have been "postponed due to a technical issue experienced on Wednesday. We plan to resume this requirement soon."


Comment by Dratsab, on 11-Oct-2010 20:15

Yes - the technical issue where no one could actually get past the security screens and see their account details... :-)


sleemanj's profile

James Sleeman
Christchurch
New Zealand