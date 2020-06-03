Geekzone: technology news, blogs, forums
Devastation by stupidity
#271948 3-Jun-2020 09:25
I don't have a cell phone and until the lockdown, I didn't have Internet banking. Now that I do, I wonder how secure it really is without 2FA. It seems pretty secure to me, but of course I could be missing something.

With Kiwibank, you have to log in with account number and password. You are then presented with a randomly-selected security question from ones you have previously created. The answer to the question is displayed as blank spaces, and you have to correctly type in two randomly-selected blanks. This is done to prevent key loggers. 

So how secure is this, really? The only way I can think of offhand to defeat it would be something in memory that copies the screen until the same answer has appeared enough times to fill in all the blanks, then keeps trying to log in until that question comes up again. Is there a better way to get around this?
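
Added example, not part of the original post and not Kiwibank's code: a Python calculation of how quickly the partial-answer challenge described above stops helping once something can see both the on-screen prompts and the typed characters. It assumes the two positions are picked uniformly at random at every login and that every observed login uses the same question; the function names and the answer length of 8 are illustrative.

```python
from fractions import Fraction
from math import comb


def known_distribution(n, k, r=2):
    """Exact distribution of how many of the n answer positions have been
    exposed after k observed logins, each revealing r distinct positions."""
    dist = {0: Fraction(1)}
    for _ in range(k):
        nxt = {}
        for seen, p in dist.items():
            for new in range(r + 1):
                # Hypergeometric: `new` unseen positions and r-new seen ones.
                ways = comb(n - seen, new) * comb(seen, r - new)
                if ways:
                    step = p * Fraction(ways, comb(n, r))
                    nxt[seen + new] = nxt.get(seen + new, 0) + step
        dist = nxt
    return dist


def replay_probability(n, k, r=2):
    """Chance that a fresh challenge asks only for already-exposed positions."""
    return sum(p * Fraction(comb(seen, r), comb(n, r))
               for seen, p in known_distribution(n, k, r).items())


def logins_until(n, threshold, r=2):
    """Smallest number of observed logins at which the replay chance
    reaches threshold (threshold must be below 1 unless n == r)."""
    k = 0
    while replay_probability(n, k, r) < threshold:
        k += 1
    return k


if __name__ == "__main__":
    n = 8  # assumed answer length, constructed for illustration
    for k in (1, 2, 5, 10, 20):
        print(f"{k:>2} observed logins: {float(replay_probability(n, k)):.3f}")
    print("logins until 50% replay chance:", logins_until(n, Fraction(1, 2)))
```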

  #2497218 3-Jun-2020 09:33
Westpac is pretty bad. No 2FA and password doesn't differentiate between upper case and lowercase

  #2497219 3-Jun-2020 09:34
Lightbulb:

Westpac is pretty bad. No 2FA and password doesn't differentiate between upper case and lowercase

Yeah, they are absolutely hopeless with that password policy; it was one of the reasons I switched banks 2 years ago.

  #2497224 3-Jun-2020 09:40
So how secure is this, really? The only way I can think of offhand to defeat it would be something in memory that copies the screen until the same answer has appeared enough times to fill in all the blanks, then keeps trying to log in until that question comes up again. Is there a better way to get around this?

The "standard" scammer approach is usually to fool you into loading TeamViewer or some other remote access software and then get you to log in "so they can check that the security changes they made are working".

Kiwibank do have 2FA for authorising online payments to accounts that are new to you (i.e. not bill pay accounts Kiwibank already know). How do you do this if you have no mobile? Or is it not enabled?

  #2497226 3-Jun-2020 09:42
I think Kiwibank is likely to be sufficiently secure. Anything can be defeated given enough time and effort. Run a virus / malware scan of your computer occasionally and you should be fine.

#2497227 3-Jun-2020 09:44
Lightbulb:

Westpac is pretty bad. No 2FA and password doesn't differentiate between upper case and lowercase

@Lightbulb No way, that is mental

  #2497238 3-Jun-2020 09:55
A handy overview from Ryan Kurte on NZ banking two factor use 

  #2497262 3-Jun-2020 10:10
With BNZ you have three options as far as I am aware: (1) login with username and password, (2) username, password, and authenticate with BNZ mobile app, (3) username, password, 2FA with NetGuard card.

Password is case sensitive and must include both letters & numbers. 

With NetGuard, it will prompt you to enter the letter/number given for, for example, C4 = M. You have to do this three times, and if one is wrong, start again.

(Image is from Google).

  #2497265 3-Jun-2020 10:17
As a Kiwibank customer it's infuriating that they don't have app-based 2FA for their payment confirmation and their password/passphrase thing isn't great either. They are aware and have an app-based auth being worked on, but that was some months ago.

The SMS text message payment confirmation thing is super annoying, especially if you are overseas, and because oftentimes it can take a few minutes to come through.
