ASB online banking passwords not case sensitive!

Please note this sub-forum does not provide professional finance advice. You should seek advice from a licensed financial advisor. If investing please consider our affiliate links for new accounts: Sharesies or Hatch. To post in this sub-forum you must have made 100 posts or have Trust status or have completed our ID Verification

Forums › Finance and wealth management › ASB online banking passwords not case sensitive!

1 | 2 | 3 | 4 | 5 | 6 | 7

250 posts

Master Geek

#988567 16-Feb-2014 22:15

insane: Well as the title suggests, ASB online banking passwords don't seem to be case sensitive. I first noticed it when I tried to add complexity to my password, however was told I can't reuse my existing password. So I tried logging on using an incorrect password (adding upper case letters where there shouldn't be) and can happily login.

Can any other ASB customers try replicate this?

Their website says they should be... but clearly not.

"Note: Passwords must be eight to ten characters in length, are case sensitive and must contain at least two letters and two numbers."

Westpac is the same, I can type my password all caps, all lower case or random, it lets me in. Raised with their phone support, also in person when I was doing some other things in the bank, they had no clue what I was talking about, they even not escalated it to higher level.

MCSE+M/S, MCITP

Mighty Ape

Affiliate link

Affiliate link: Shop Mighty Ape for electronics, games, computers books and more.

billgates

4399 posts

Uber Geek

Trusted

#988573 16-Feb-2014 22:36

I bank with both ASB and ANZ. I have setup 2FA via SMS code sent to my 021 number ported on Telecom few years ago without issues since setup. I understand that SMS can go unreliable anytime but it's the better security system out there at least with these 2 banks. Also have netcode limit set with ASB.

Do whatever you want to do man.

nakedmolerat

4589 posts

Uber Geek

Trusted

Lifetime subscriber

#988576 16-Feb-2014 22:41

engedib:
insane: Well as the title suggests, ASB online banking passwords don't seem to be case sensitive. I first noticed it when I tried to add complexity to my password, however was told I can't reuse my existing password. So I tried logging on using an incorrect password (adding upper case letters where there shouldn't be) and can happily login.

Can any other ASB customers try replicate this?

Their website says they should be... but clearly not.

"Note: Passwords must be eight to ten characters in length, are case sensitive and must contain at least two letters and two numbers."

Westpac is the same, I can type my password all caps, all lower case or random, it lets me in. Raised with their phone support, also in person when I was doing some other things in the bank, they had no clue what I was talking about, they even not escalated it to higher level.

Yeah, Westpac needs lots of improvement with their banking account. They are however, very good at monitoring your account and calls you whenever they think something is 'suspicious'.

tardtasticx

3032 posts

Uber Geek

#988603 17-Feb-2014 01:53

Definitely surprised to see this. Especially since ASBs whole image screams modern and up to date. I've had netcode or whatever it is on for the last 6 months and was considering turning it off as it does get annoying, but seeing this I think it might be a better idea to leave it on for now.

How long do you think this has been the case? Surely a lot of people at ASB know about it.

Bachelor of Computing Systems (2015)

Late 2013 MacBook Pro with Retina Display (4GB/2.4GHz i5/128GB SSD) - HP DV6 (8GB/2.8GHz i7/120GB SSD + 750GB HDD)
iPhone 6S + (64GB/Gold/Vodafone NZ) - Xperia Z C6603 (16GB/White/Spark NZ)

Sam, Auckland

tripp

3671 posts

Uber Geek

Trusted

Lifetime subscriber

#988613 17-Feb-2014 07:38

tardtasticx: Definitely surprised to see this. Especially since ASBs whole image screams modern and up to date. I've had netcode or whatever it is on for the last 6 months and was considering turning it off as it does get annoying, but seeing this I think it might be a better idea to leave it on for now.

How long do you think this has been the case? Surely a lot of people at ASB know about it.

Ha don't forget bankdirect which is the bast**d child of the ASB group.
Ended up moving away most things from them to another bank, I don't even think bankdirect has an mobile banking site (they do have a wap one however).

I asked ASB about 2 years ago if there will ever be a bankdirect app or give customer access to the ASB one, they said no, I asked them why don't they kill the brand off then, never got a reply.

Bankdirect was the same, no lower/upper case, limit of 8 chars etc.
I still have the account but that is where my direct debts come out of, I would not trust it for anything else these days.

tripp

3671 posts

Uber Geek

Trusted

Lifetime subscriber

#988614 17-Feb-2014 07:43

Just had a look at the bankdirect site it still even has this on their login page

"© ASB Bank Limited 2013"

So we are almost in march and it still shows 2013.

johnr

19282 posts

Uber Geek
Inactive user

#988615 17-Feb-2014 07:53

mrtoken: Just had a look at the bankdirect site it still even has this on their login page

"© ASB Bank Limited 2013"

So we are almost in march and it still shows 2013.

That is not related to what year it is

AidanS

458 posts

Ultimate Geek

#988616 17-Feb-2014 07:55

Just tested the same issue with my Kiwibank internet banking and sure enough all caps passwords work too.

-A.

jaymz

1132 posts

Uber Geek

#988652 17-Feb-2014 09:14

Tested with mine, and i can confirm it.

I have a netcode token device, any transfer's out of my account require the random pin. Works well :)

Talkiet

4573 posts

Uber Geek

Trusted

#988657 17-Feb-2014 09:24

I raised the issue with Westpac a while ago and didn't let go... Their "security people" ended up staunchly defending the case insensitivity of their online banking passwords saying that it was "entirely secure"

I know all about how legacy systems can cause unbelievable password constraints, but I would have thought a bank might have the funds to sort it... After all, it's not like they are that poor.

Cheers - N

Please note all comments are the product of my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.

TinyTim

981 posts

Ultimate Geek

Trusted

#988666 17-Feb-2014 09:50

BNZ *is* case sensitive. And it also warned me that my caps lock was on.

johnr

19282 posts

Uber Geek
Inactive user

#988668 17-Feb-2014 09:52

TinyTim: BNZ *is* case sensitive. And it also warned me that my caps lock was on.

I am just in the process of moving to BNZ

tardtasticx

3032 posts

Uber Geek

#988678 17-Feb-2014 10:08

johnr:
TinyTim: BNZ *is* case sensitive. And it also warned me that my caps lock was on.

I am just in the process of moving to BNZ

that's funny because so did the ASB site, warning me of caps lock on. Then it accepted my password anyway.

Bachelor of Computing Systems (2015)

TinyTim

981 posts

Ultimate Geek

Trusted

#988681 17-Feb-2014 10:15

johnr:
TinyTim: BNZ *is* case sensitive. And it also warned me that my caps lock was on.

I am just in the process of moving to BNZ

It doesn't get talked about much, but I really like the BNZ internet banking. (Though I can only compare to ASB.) I prefer the Netcard for 2 factor over having a text messages sent to a mobile.

gundar

488 posts

Ultimate Geek

Trusted

#988720 17-Feb-2014 11:12

Gosh, I hope this thread doesn't turn into a "my bank is better than yours" rant.

JamesL: Not a fan text message 2fa though, also that large sum netcode is pointless as they could just drain your account using small amounts :p

I also realised by accident that ASB don't have case sensitivity and I activated 2fa - as mentioned in another thread here at GZ before - 2fa is something you have and something you know and I think txt messaging meets this criteria (if your phone has a pin lock and does not display incoming txt messages on the lock screen, this is better). I've heard of people who get txt messages a long time after they are sent etc, but I've never had that experience with ASB, so I guess it's not an ASB thing.

To my knowledge, the txt message netcode for log in is one time use and tied to the session in progress.

ASB has other mechanisms in place to lock down your account, but as mentioned before on other threads, these seem to be inactive by default and likely becasue the perception is that a majority of customers don't care, can't be bothered or are too tech illiterate to work them out; I have found out by accident that there is a lock out in place using ASB Internet banking, so a weak password could easily be protected from brute force or guess-ware.

PS. I don't work for ASB (I also don't have any reasonable amount of cash in the bank at any time).

I have been ripped off before though, but that was through PayPal having access to my VISA card, which in my ignorance, defeated all the banking security anyway.

1 | 2 | 3 | 4 | 5 | 6 | 7