ASB online banking passwords not case sensitive!

Please note this sub-forum does not provide professional finance advice. You should seek advice from a licensed financial advisor.

To post in this sub-forum you must have made 100 posts or have Trust status or have completed our ID Verification.

If investing please consider our affiliate link for new accounts: Sharesies.

Forums › Finance and wealth management › ASB online banking passwords not case sensitive!

1 | 2 | 3 | 4 | 5 | 6 | 7

254 posts

Ultimate Geek
+1 received by user: 93

#988567 16-Feb-2014 22:15

insane: Well as the title suggests, ASB online banking passwords don't seem to be case sensitive. I first noticed it when I tried to add complexity to my password, however was told I can't reuse my existing password. So I tried logging on using an incorrect password (adding upper case letters where there shouldn't be) and can happily login.

Can any other ASB customers try replicate this?

Their website says they should be... but clearly not.

"Note: Passwords must be eight to ten characters in length, are case sensitive and must contain at least two letters and two numbers."

Westpac is the same, I can type my password all caps, all lower case or random, it lets me in. Raised with their phone support, also in person when I was doing some other things in the bank, they had no clue what I was talking about, they even not escalated it to higher level.

MCSE+M/S, MCITP

billgates

4706 posts

Uber Geek
+1 received by user: 672

Trusted

#988573 16-Feb-2014 22:36

I bank with both ASB and ANZ. I have setup 2FA via SMS code sent to my 021 number ported on Telecom few years ago without issues since setup. I understand that SMS can go unreliable anytime but it's the better security system out there at least with these 2 banks. Also have netcode limit set with ASB.

Do whatever you want to do man.

nakedmolerat

4631 posts

Uber Geek
+1 received by user: 874

Trusted

Lifetime subscriber

#988576 16-Feb-2014 22:41

engedib:
insane: Well as the title suggests, ASB online banking passwords don't seem to be case sensitive. I first noticed it when I tried to add complexity to my password, however was told I can't reuse my existing password. So I tried logging on using an incorrect password (adding upper case letters where there shouldn't be) and can happily login.

Can any other ASB customers try replicate this?

Their website says they should be... but clearly not.

"Note: Passwords must be eight to ten characters in length, are case sensitive and must contain at least two letters and two numbers."

Westpac is the same, I can type my password all caps, all lower case or random, it lets me in. Raised with their phone support, also in person when I was doing some other things in the bank, they had no clue what I was talking about, they even not escalated it to higher level.

Yeah, Westpac needs lots of improvement with their banking account. They are however, very good at monitoring your account and calls you whenever they think something is 'suspicious'.

tardtasticx

3084 posts

Uber Geek
+1 received by user: 483

#988603 17-Feb-2014 01:53

Definitely surprised to see this. Especially since ASBs whole image screams modern and up to date. I've had netcode or whatever it is on for the last 6 months and was considering turning it off as it does get annoying, but seeing this I think it might be a better idea to leave it on for now.

How long do you think this has been the case? Surely a lot of people at ASB know about it.

tripp

3848 posts

Uber Geek
+1 received by user: 1220

Trusted

Lifetime subscriber

#988613 17-Feb-2014 07:38

tardtasticx: Definitely surprised to see this. Especially since ASBs whole image screams modern and up to date. I've had netcode or whatever it is on for the last 6 months and was considering turning it off as it does get annoying, but seeing this I think it might be a better idea to leave it on for now.

How long do you think this has been the case? Surely a lot of people at ASB know about it.

Ha don't forget bankdirect which is the bast**d child of the ASB group.
Ended up moving away most things from them to another bank, I don't even think bankdirect has an mobile banking site (they do have a wap one however).

I asked ASB about 2 years ago if there will ever be a bankdirect app or give customer access to the ASB one, they said no, I asked them why don't they kill the brand off then, never got a reply.

Bankdirect was the same, no lower/upper case, limit of 8 chars etc.
I still have the account but that is where my direct debts come out of, I would not trust it for anything else these days.

tripp

3848 posts

Uber Geek
+1 received by user: 1220

Trusted

Lifetime subscriber

#988614 17-Feb-2014 07:43

Just had a look at the bankdirect site it still even has this on their login page

"© ASB Bank Limited 2013"

So we are almost in march and it still shows 2013.

Lego

Shop now for Lego sets and other gifts (affiliate link).

johnr

19282 posts

Uber Geek
+1 received by user: 2526
Inactive user

#988615 17-Feb-2014 07:53

mrtoken: Just had a look at the bankdirect site it still even has this on their login page

"© ASB Bank Limited 2013"

So we are almost in march and it still shows 2013.

That is not related to what year it is

AidanS

458 posts

Ultimate Geek
+1 received by user: 135

#988616 17-Feb-2014 07:55

Just tested the same issue with my Kiwibank internet banking and sure enough all caps passwords work too.

-A.

jaymz

1136 posts

Uber Geek
+1 received by user: 76

#988652 17-Feb-2014 09:14

Tested with mine, and i can confirm it.

I have a netcode token device, any transfer's out of my account require the random pin. Works well :)

Talkiet

4819 posts

Uber Geek
+1 received by user: 3935

Trusted

#988657 17-Feb-2014 09:24

I raised the issue with Westpac a while ago and didn't let go... Their "security people" ended up staunchly defending the case insensitivity of their online banking passwords saying that it was "entirely secure"

I know all about how legacy systems can cause unbelievable password constraints, but I would have thought a bank might have the funds to sort it... After all, it's not like they are that poor.

Cheers - N

Please note all comments are from my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

TinyTim

1058 posts

Uber Geek
+1 received by user: 167

Trusted

#988666 17-Feb-2014 09:50

BNZ *is* case sensitive. And it also warned me that my caps lock was on.

Mighty Ape

Shop now at Mighty Ape (affiliate link).

johnr

19282 posts

Uber Geek
+1 received by user: 2526
Inactive user

#988668 17-Feb-2014 09:52

TinyTim: BNZ *is* case sensitive. And it also warned me that my caps lock was on.

I am just in the process of moving to BNZ

tardtasticx

3084 posts

Uber Geek
+1 received by user: 483

#988678 17-Feb-2014 10:08

johnr:
TinyTim: BNZ *is* case sensitive. And it also warned me that my caps lock was on.

I am just in the process of moving to BNZ

that's funny because so did the ASB site, warning me of caps lock on. Then it accepted my password anyway.

TinyTim

1058 posts

Uber Geek
+1 received by user: 167

Trusted

#988681 17-Feb-2014 10:15

johnr:
TinyTim: BNZ *is* case sensitive. And it also warned me that my caps lock was on.

I am just in the process of moving to BNZ

It doesn't get talked about much, but I really like the BNZ internet banking. (Though I can only compare to ASB.) I prefer the Netcard for 2 factor over having a text messages sent to a mobile.

gundar

488 posts

Ultimate Geek
+1 received by user: 80

Trusted

#988720 17-Feb-2014 11:12

Gosh, I hope this thread doesn't turn into a "my bank is better than yours" rant.

JamesL: Not a fan text message 2fa though, also that large sum netcode is pointless as they could just drain your account using small amounts :p

I also realised by accident that ASB don't have case sensitivity and I activated 2fa - as mentioned in another thread here at GZ before - 2fa is something you have and something you know and I think txt messaging meets this criteria (if your phone has a pin lock and does not display incoming txt messages on the lock screen, this is better). I've heard of people who get txt messages a long time after they are sent etc, but I've never had that experience with ASB, so I guess it's not an ASB thing.

To my knowledge, the txt message netcode for log in is one time use and tied to the session in progress.

ASB has other mechanisms in place to lock down your account, but as mentioned before on other threads, these seem to be inactive by default and likely becasue the perception is that a majority of customers don't care, can't be bothered or are too tech illiterate to work them out; I have found out by accident that there is a lock out in place using ASB Internet banking, so a weak password could easily be protected from brute force or guess-ware.

PS. I don't work for ASB (I also don't have any reasonable amount of cash in the bank at any time).

I have been ripped off before though, but that was through PayPal having access to my VISA card, which in my ignorance, defeated all the banking security anyway.

1 | 2 | 3 | 4 | 5 | 6 | 7