ANZ Bank Internet Banking Security

Forums › Finance and wealth management › ANZ Bank Internet Banking Security

kramgk

16 posts

Geek

#237796 18-Jun-2018 15:41

My wife locked herself out of her Internet Banking account and used the "Forgot Password" facility to reset her account. She gave her customer number, a new password, and then the system sent her a text message with an "online code" to validate the password change. Too easy by far, and pretty typical behavior for lots of web sites. The online code is about providing two-factor authentication, but in this case, you don't authenticate with the bank at all. You are relying on having a PIN on your phone, and having set the phone to not show an incoming text messages. This seems like another example of why it's a bad idea for people to have their phone and wallet together.

Does anyone know of ways in which a customer can make this system better? A CSR at ANZ Bank said there was a setting on the web site to stop the online code for password change, but this still allows password changes.

Oblivian

4304 posts

Uber Geek

#2039859 18-Jun-2018 15:50

When you call up, it usually asks for your ID and a different verification pin.. (or they transfer you to enter it before going further) thats not known to those you think would know it... double check the procedure experienced..

Oblivian

4304 posts

Uber Geek

#2039865 18-Jun-2018 15:57

What I'm getting at..

Previously when I hit the PW reset. As I didn't have online code registered, It gives you a reference number (proves someone hit the request)

Call, enter customer ID *

Enter separate verification Pin*

Or if chosing personal CSR, xferred to the automated system to complete this before CSR is handed back - the 1st security check

Your details come back on screen for them to see. You are then asked to verify DOB etc - the additional security check

Either advised/emailed or txt alternate unlock PW.

Sure the ID and pin wasn't entered via touchtone at some point....

https://help.anz.co.nz/app/answers/detail/a_id/49

If you're not registered for OnlineCode, we'll give you a reference number on the next page. Call us on 0800 368 524 or +64 4 473 0370 if overseas, quote the reference number and we'll confirm your password.

michaelmurfy

/dev/null
9622 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

#2039883 18-Jun-2018 16:18

Doing what you suggest is a 2 edged sword.

You can disable Online Code under Your Settings --> Change Online Code settings however this stops a SMS when you're changing your online code from within ANZ's internet banking itself.

Now for the other part - you're protected from fraudulent activities if you're following ANZ's Electronic Banking Conditions. If your wife is following this and has her phone go missing with somebody deciding to reset her password for her internet banking then she is still covered as long as she didn't contribute to this. There is some somewhat complex fraud checking going on behind the scenes and (without going into too much detail) this kind of activity will more than likely alert on their end anyway. If the system suspects something phishy is going on it'll actually ask to give them a call with a code for manual verification...

Another way to mitigate this is to disable lock screen notification previews - on iPhones this is under Settings --> Notifications --> Show Previews. This doesn't prevent people from just removing the SIM though.

But, keep Online Code enabled - while it is not perfect it is still adds an additional layer of security. I totally get what you're saying around manual verification but quite frankly if they did this then every 2nd call that comes into the contact centre would be a password reset request.

Lastman

286 posts

Ultimate Geek

#2039938 18-Jun-2018 17:41

Any perpetrator would need both the customer number and the person's cellphone which surely makes fraud here quite unlikely. I never write down my customer number and, unlike email addresses, are not something freely available.

rugrat

2197 posts

Uber Geek

Lifetime subscriber

#2039958 18-Jun-2018 18:29

Lastman:
Any perpetrator would need both the customer number and the person's cellphone which surely makes fraud here quite unlikely. I never write down my customer number and, unlike email addresses, are not something freely available.

OP had if you have wallet and phone together. Guessing most people will have cards in wallet, and on those cards is the persons customer number, my ANZ eftpos card has it there.

Maybe BNZ netguard does have some benefits over cell phone 2FA.

Lastman

286 posts

Ultimate Geek

#2039975 18-Jun-2018 19:01

rugrat:
Lastman:
Any perpetrator would need both the customer number and the person's cellphone which surely makes fraud here quite unlikely. I never write down my customer number and, unlike email addresses, are not something freely available.

OP had if you have wallet and phone together. Guessing most people will have cards in wallet, and on those cards is the persons customer number, my ANZ eftpos card has it there.

Maybe BNZ netguard does have some benefits over cell phone 2FA.

I think that’s the crux of it, you should protect your customer number like a password.

michaelmurfy

/dev/null
9622 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

#2039989 18-Jun-2018 19:20

Lastman:

I think that’s the crux of it, you should protect your customer number like a password.

Not really. The customer number is written on cards from ANZ also. People are often stupid and will attempt to paywave these before even thinking of potentially breaking into somebody's internet banking account. Either way, the use of machine learning means this is often picked up very quickly in both cases.

Lastman

286 posts

Ultimate Geek

#2040013 18-Jun-2018 20:16

michaelmurfy:
Lastman:

I think that the crux of it is, you should protect your customer number like a password.

Not really. The customer number is written on cards from ANZ also. People are often stupid and will attempt to paywave these before even thinking of potentially breaking into somebody's internet banking account. Either way, the use of machine learning means this is often picked up very quickly in both cases.

I think the crux of it is, you should protect your customer number like a password.

rugrat

2197 posts

Uber Geek

Lifetime subscriber

#2040015 18-Jun-2018 20:24

Lastman, the bank puts the customer number on the card, anyone that finds your card has that number.

Other then not losing the card, how do you propose to protect it like a password?

Lastman

286 posts

Ultimate Geek

#2040026 18-Jun-2018 20:49

rugrat:
Lastman, the bank puts the customer number on the card, anyone that finds your card has that number.

Other then not losing the card, how do you propose to protect it like a password?

Certainly don’t carry it in your wallet, remember it, it’s only 7 digits long (or mine is.) No harder than remembering a phone number.

The customer number is different from your account number, likely mainly for the reason that account numbers become more public.

michaelmurfy

/dev/null
9622 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

#2040123 19-Jun-2018 00:09

@Lastman I think you're missing the point... You're saying don't carry your card around in your wallet?

Your customer number is printed on your card. Anyway, it doesn't matter at all if somebody knows your customer number. There is many other ways to commit fraud if somebody is adamant to do so.

Honestly - do not worry about it! Just live your life. The bank has got your back and trust me as I work for them and used to deal with this on a day to day basis... Enable Online Code on your internet banking, use the app on your phone (it is more secure than doing so on your PC), enable Apple Pay / GoMoney Wallet etc.

All customers are protected by the Visa Zero Liability guarantee along with the Internet Banking security guarantee as long as you're following the terms and conditions of your account (in other words - don't ever use POLi). This means if fraud does happen then you're covered and the bank has got your back.

Lastman

286 posts

Ultimate Geek

#2040161 19-Jun-2018 08:04

michaelmurfy:
@Lastman I think you're missing the point... You're saying don't carry your card around in your wallet?

Your customer number is printed on your card. Anyway, it doesn't matter at all if somebody knows your customer number. There is many other ways to commit fraud if somebody is adamant to do so.

Honestly - do not worry about it! Just live your life. The bank has got your back and trust me as I work for them and used to deal with this on a day to day basis... Enable Online Code on your internet banking, use the app on your phone (it is more secure than doing so on your PC), enable Apple Pay / GoMoney Wallet etc.

All customers are protected by the Visa Zero Liability guarantee along with the Internet Banking security guarantee as long as you're following the terms and conditions of your account (in other words - don't ever use POLi). This means if fraud does happen then you're covered and the bank has got your back.

By jove, it is too. That would seem silly move by the banks, IMHO but, I guess, they would just get too many call-ins.

kramgk

16 posts

Geek

#2040332 19-Jun-2018 11:19

Thanks for the comments and I'm glad the bank is watching the password reset process.

To clarify, the CSR at the bank said there was an option in the Settings menu to disallow a password reset via the online code system. She certainly didn't recommend stopping online codes for everything, and I wouldn't want this either because it would remove the two factor authentication.

allan

1313 posts

Uber Geek

Subscriber

#2040387 19-Jun-2018 13:08

michaelmurfy:

Your customer number is printed on your card. Anyway, it doesn't matter at all if somebody knows your customer number. There is many other ways to commit fraud if somebody is adamant to do so.

Interestingly neither of my ANZ cards have the customer number printed on the card. There is a pre-printed heading for it on the back of the cards, but no number actually printed there.

michaelmurfy

/dev/null
9622 posts

Uber Geek

Moderator

Trusted

Lifetime subscriber

#2040440 19-Jun-2018 13:44

@allan If you got the cards directly from the branch then it'll have "ANZ Customer" as the name with no customer number. If you get the Visa Debit / Eftpos cards sent out to you then it'll have the customer number printed.

My Airpoints Visa Platinum doesn't have my customer number on it either - I suspect it may be all credit cards too but the majority of ANZ customers have a card with their customer number on it.