gjm
808 posts

Ultimate Geek


  #836261 13-Jun-2013 12:13

You're right...wtf is that?




gjm
808 posts

Ultimate Geek


  #836268 13-Jun-2013 12:24

Friend just tried ANZ and it is case sensitive but ASB isn't at all






1080p
1332 posts

Uber Geek
Inactive user


  #836307 13-Jun-2013 13:26

ajobbins:
1080p: I think Kiwibank's system is the best. You can set it to ask you a question only you know the answer to and it will request a couple of letters from each answer every time you log in.

It really is an ingenious method of extra security without requiring you to carry a piece of plastic about or a dongle.

Obviously, if you answer their questions with information that others already know about you then it is not effective but that would be on you rather than Kiwibank.


It's just a bit cumbersome, and isn't true 2FA. 2FA is supposed to be something you know (a password) and something you have (A token). Kiwibank's is a something you know and something you know - or possibly a something you know and something others might know too.

And the fact you need it even to log in and check a balance or move money between your own accounts is just painful.


Given that two factor authentication was broken before it was even used widely does not inspire me with confidence.

What is more cumbersome is having to fish out a card/dongle every time you want to log in or receiving an SMS/e-mail. Kiwibank's security schema is much more intuitive, secure (keyloggers), and convenient (simply a password and two letters from a phrase only you know) than any other system in New Zealand.


Kyanar: Could be worse - Westpac's security is something you know (your password), something WE know (blackbox analysis of login to determine if trustworthy or not) and something everyone knows (your birthplace or one of 7 other stupid questions 5 seconds of searching on Google or Facebook can tell you - and even then only if Westpac determined that your login didn't match their pattern analysis).

Random factoid you probably didn't know - your password is case insensitive if you are with ASB, Westpac, and I believe Kiwibank and ANZ. TSB and BNZ your password is definitely case sensitive. Try it yourself sometime - enter the case of your password incorrectly and marvel as your bank happily logs you into your accounts!


I've just confirmed this with a Kiwibank and Westpac account. ANZ are case sensitive. An interesting find! I wonder who thought this was a good idea?



nickb800
2719 posts

Uber Geek

Trusted

  #836313 13-Jun-2013 13:38

I can see the other side of the case sensitive issue:
- Internet banking is used by normal people, not geeks, so complications in password entry will lead to more calls to customer service (which are expensive for the bank). IMHO phrases like 'case sensitive' or even 'is your cap lock on?' would confuse plenty of people (whether those sorts of people should be using internet banking is a different story...)
- I presume that with most banks, repeated attempts to login would be blocked, so brute force and educated guesses aren't as big a problem

Doesn't necessarily make it okay, but just other things to consider. Banks aren't stupid, so presumably this passed an internal cost/benefit, and they do cover the direct cost of fraud

Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #836438 13-Jun-2013 16:37

But the question that has to be asked is - is this because the bank normalises your password to a specific case prior to checking it against the stored hash in the database, or is that password stored in plain text instead? Good luck getting an answer to this question, of course.

(Note, I and a friend have already challenged Westpac and ASB about this already. ASB responded by pointing out that your communications with them are protected by "128 bit encrypitation" - yes spelt like that - and Westpac responded by mumbling something about Online Guardian and Zero Liability).

To those pointing out that banks cover the direct cost of fraud... well, no, they don't. In the case of credit cards they claw the money back from the merchants (meaning you the customer cover the cost of fraud) and in the case of online banking they bake these costs into their margins (meaning you the customer cover the cost of fraud).
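
The first possibility raised in the post above, as an added example (not code from the thread or from any bank): a server that folds case before hashing accepts a wrong-case password while storing only a salted hash, so case-insensitive login on its own does not show plain-text storage. The PBKDF2 parameters, the sample password and the letters-and-digits alphabet used for the search-space figure are assumptions.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000  # assumed work factor for this illustration

def _prepare(password: str, fold_case: bool) -> bytes:
    # A case-insensitive login folds case BEFORE hashing, at enrolment and at login.
    return (password.casefold() if fold_case else password).encode("utf-8")

def enroll(password: str, fold_case: bool) -> dict:
    """Return the stored record: salt and digest only, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _prepare(password, fold_case), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "fold_case": fold_case}

def verify(candidate: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", _prepare(candidate, record["fold_case"]), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["digest"])

def keyspace_bits(length: int, fold_case: bool) -> float:
    # Letters and digits only: 62 symbols when case counts, 36 when it is folded.
    return length * math.log2(36 if fold_case else 62)

def bits_lost(length: int) -> float:
    """Search-space reduction caused by folding case, in bits."""
    return keyspace_bits(length, False) - keyspace_bits(length, True)

if __name__ == "__main__":
    folded = enroll("Tr0ub4dor", fold_case=True)    # constructed sample password
    strict = enroll("Tr0ub4dor", fold_case=False)
    print("folded store, wrong case accepted:", verify("tr0ub4dor", folded))
    print("strict store, wrong case accepted:", verify("tr0ub4dor", strict))
    print("bits lost on an 8-character password: %.2f" % bits_lost(8))
```

From the outside the two cases look identical, which is why the question in the post can only be answered by the bank; what folding does cost is roughly 0.78 bits of search space per character.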

ajobbins
5052 posts

Uber Geek

Trusted

  #836449 13-Jun-2013 16:54

1080p:
Given that two factor authentication was broken before it was even used widely does not inspire me with confidence.


Ummm, substantiate please? There may be particular implementations that have been compromised - but as far as I am aware the vast majority of proper 2FA implementations in use are not broken.

What is more cumbersome is having to fish out a card/dongle every time you want to log in or receiving an SMS/e-mail. Kiwibank's security schema is much more intuitive, secure (keyloggers), and convenient (simply a password and two letters from a phrase only you know) than any other system in New Zealand.


Two parts to this. Firstly, you shouldn't need to use any kind of secondary authentication just to log in. This is my biggest beef with the Kiwibank system. Secondly, I absolutely disagree that it's more secure - it is easily the least secure of the bunch.

With most 2FA systems, keylogging is not an issue. The secondary authentication credential is forever changing. They generally expire after a number of seconds regardless of use, and usually are only good for one use. Even if you did log it, it would be useless. The Kiwibank challenge questions are not only static, but often easily guessed. Someone could obtain the answers covertly through a number of mechanisms (VNC/Remote screen access, hidden cameras with a view of your screen etc). If that was done with other 2FA methods it wouldn't matter as the credential would be expired.

In balancing intuitiveness and convenience with security, the other banks' solutions are far superior in terms of security but only a tiny bit less convenient or intuitive. Being that the point of 2FA is enhanced security, I feel that the Kiwibank solution is both inferior and inadequate.
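
The difference between an expiring one-time code and a static challenge answer described in the post above, as an added example (not code from the thread or from any bank): an RFC 6238 TOTP verifier that rejects an observed code on replay and after its time step, next to a toy letters-of-your-answer check that accepts an observed response at any later login. The verifier classes, the answer "marmalade" and the requested positions are assumptions; the secret is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6  # RFC 6238 defaults: 30-second steps, 6-digit codes

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class TotpVerifier:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1  # highest time step already consumed

    def check(self, code: str, now: int) -> bool:
        step = now // STEP
        if step <= self.last_step:
            return False  # single use: a replay inside the same step fails
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False  # expired or wrong code
        self.last_step = step
        return True

class StaticLetterChallenge:
    """Toy 'letters N and M of your answer' check; nothing depends on time."""
    def __init__(self, answer: str):
        self.answer = answer.casefold()

    def check(self, positions, letters: str) -> bool:
        expected = "".join(self.answer[p - 1] for p in positions)  # 1-based
        return hmac.compare_digest(letters.casefold(), expected)

if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC 6238 test secret
    observed = totp(secret, 59)             # code seen by an observer at t=59
    bank = TotpVerifier(secret)
    print("first use:", bank.check(observed, 59))
    print("replay, same step:", bank.check(observed, 59))
    print("replay, later:", TotpVerifier(secret).check(observed, 1111111109))
    pets = StaticLetterChallenge("marmalade")  # constructed answer
    print("observed letters, any later login:", pets.check((3, 8), "rd"))
```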






ajobbins
5052 posts

Uber Geek

Trusted

  #836454 13-Jun-2013 16:58

Kyanar: To those pointing out that banks cover the direct cost of fraud... well, no, they don't. In the case of credit cards they claw the money back from the merchants (meaning you the customer cover the cost of fraud) and in the case of online banking they bake these costs into their margins (meaning you the customer cover the cost of fraud).


Not quite true. Banks and merchants each have agreed responsibilities when it comes to protecting against fraud. In cases where the merchant did nothing wrong, they are not liable. If they didn't take reasonable steps to ensure that the card use was genuine and authorised however, they could be hit with a charge back.




Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #836643 14-Jun-2013 07:12

ajobbins: Not quite true. Banks and merchants each have agreed responsibilities when it comes to protecting against fraud. In cases where the merchant did nothing wrong, they are not liable. If they didn't take reasonable steps to ensure that the card use was genuine and authorised however, they could be hit with a charge back.


That's for a card present transaction.  For a card not present transaction, you are pretty much boned unless you attempted 3DS authentication.  Then and only then are you insulated against "it wasn't me" chargebacks.  (It's in the merchant agreement.  And yes I have one).
