Geekzone: technology news, blogs, forums


kramgk

16 posts

Geek


#237796 18-Jun-2018 15:41

My wife locked herself out of her Internet Banking account and used the "Forgot Password" facility to reset her account.  She gave her customer number, a new password, and then the system sent her a text message with an "online code" to validate the password change.  Too easy by far, and pretty typical behavior for lots of web sites.  The online code is about providing two-factor authentication, but in this case, you don't authenticate with the bank at all.  You are relying on having a PIN on your phone, and having set the phone to not show incoming text messages.  This seems like another example of why it's a bad idea for people to have their phone and wallet together.

 

Does anyone know of ways in which a customer can make this system better?  A CSR at ANZ Bank said there was a setting on the web site to stop the online code for password change, but this still allows password changes.

 

 


Oblivian
4304 posts

Uber Geek


  #2039859 18-Jun-2018 15:50

When you call up, it usually asks for your ID and a different verification pin.. (or they transfer you to enter it before going further) that's not known to those you think would know it... double check the procedure experienced..


Oblivian
4304 posts

Uber Geek


  #2039865 18-Jun-2018 15:57

What I'm getting at..

 

Previously when I hit the PW reset. As I didn't have online code registered, it gives you a reference number (proves someone hit the request)

 

Call, enter customer ID *

 

Enter separate verification Pin*

 

Or if choosing personal CSR, xferred to the automated system to complete this before CSR is handed back - the 1st security check

 

Your details come back on screen for them to see. You are then asked to verify DOB etc - the additional security check

 

Either advised/emailed or txt alternate unlock PW.

 

 

 

Sure the ID and pin wasn't entered via touchtone at some point....

 

 

 

https://help.anz.co.nz/app/answers/detail/a_id/49 

 

If you're not registered for OnlineCode, we'll give you a reference number on the next page. Call us on 0800 368 524 or +64 4 473 0370 if overseas, quote the reference number and we'll confirm your password.


 
 
 
 


michaelmurfy
/dev/null
9622 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2039883 18-Jun-2018 16:18

Doing what you suggest is a 2 edged sword.

 

You can disable Online Code under Your Settings --> Change Online Code settings however this stops an SMS when you're changing your online code from within ANZ's internet banking itself.

 

Now for the other part - you're protected from fraudulent activities if you're following ANZ's Electronic Banking Conditions. If your wife is following this and has her phone go missing with somebody deciding to reset her password for her internet banking then she is still covered as long as she didn't contribute to this. There is some somewhat complex fraud checking going on behind the scenes and (without going into too much detail) this kind of activity will more than likely alert on their end anyway. If the system suspects something phishy is going on it'll actually ask to give them a call with a code for manual verification...

 

Another way to mitigate this is to disable lock screen notification previews - on iPhones this is under Settings --> Notifications --> Show Previews. This doesn't prevent people from just removing the SIM though.

 

But, keep Online Code enabled - while it is not perfect it still adds an additional layer of security. I totally get what you're saying around manual verification but quite frankly if they did this then every 2nd call that comes into the contact centre would be a password reset request.

 

 





Lastman
286 posts

Ultimate Geek


  #2039938 18-Jun-2018 17:41

Any perpetrator would need both the customer number and the person's cellphone which surely makes fraud here quite unlikely. I never write down my customer number and, unlike email addresses, it is not something freely available.


rugrat
2197 posts

Uber Geek

Lifetime subscriber

  #2039958 18-Jun-2018 18:29

Lastman:

Any perpetrator would need both the customer number and the person's cellphone which surely makes fraud here quite unlikely. I never write down my customer number and, unlike email addresses, it is not something freely available.



OP had if you have wallet and phone together. Guessing most people will have cards in wallet, and on those cards is the person's customer number, my ANZ eftpos card has it there.

Maybe BNZ netguard does have some benefits over cell phone 2FA.

Lastman
286 posts

Ultimate Geek


  #2039975 18-Jun-2018 19:01

rugrat:
Lastman:

Any perpetrator would need both the customer number and the person's cellphone which surely makes fraud here quite unlikely. I never write down my customer number and, unlike email addresses, it is not something freely available.



OP had if you have wallet and phone together. Guessing most people will have cards in wallet, and on those cards is the person's customer number, my ANZ eftpos card has it there.

Maybe BNZ netguard does have some benefits over cell phone 2FA.


I think that’s the crux of it, you should protect your customer number like a password.

michaelmurfy
/dev/null
9622 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2039989 18-Jun-2018 19:20

Lastman:

I think that’s the crux of it, you should protect your customer number like a password.

 

Not really. The customer number is written on cards from ANZ also. People are often stupid and will attempt to paywave these before even thinking of potentially breaking into somebody's internet banking account. Either way, the use of machine learning means this is often picked up very quickly in both cases.





 
 
 
 


Lastman
286 posts

Ultimate Geek


  #2040013 18-Jun-2018 20:16

michaelmurfy:

Lastman:

I think that the crux of it is, you should protect your customer number like a password.


Not really. The customer number is written on cards from ANZ also. People are often stupid and will attempt to paywave these before even thinking of potentially breaking into somebody's internet banking account. Either way, the use of machine learning means this is often picked up very quickly in both cases.



I think the crux of it is, you should protect your customer number like a password.


rugrat
2197 posts

Uber Geek

Lifetime subscriber

  #2040015 18-Jun-2018 20:24

Lastman, the bank puts the customer number on the card, anyone that finds your card has that number.

 

Other than not losing the card, how do you propose to protect it like a password?


Lastman
286 posts

Ultimate Geek


  #2040026 18-Jun-2018 20:49

rugrat:

Lastman, the bank puts the customer number on the card, anyone that finds your card has that number.


Other than not losing the card, how do you propose to protect it like a password?



Certainly don’t carry it in your wallet, remember it, it’s only 7 digits long (or mine is.) No harder than remembering a phone number.

The customer number is different from your account number, likely mainly for the reason that account numbers become more public.

michaelmurfy
/dev/null
9622 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2040123 19-Jun-2018 00:09

@Lastman I think you're missing the point... You're saying don't carry your card around in your wallet?

 

Your customer number is printed on your card. Anyway, it doesn't matter at all if somebody knows your customer number. There are many other ways to commit fraud if somebody is adamant to do so.

 

Honestly - do not worry about it! Just live your life. The bank has got your back and trust me as I work for them and used to deal with this on a day to day basis... Enable Online Code on your internet banking, use the app on your phone (it is more secure than doing so on your PC), enable Apple Pay / GoMoney Wallet etc.

 

All customers are protected by the Visa Zero Liability guarantee along with the Internet Banking security guarantee as long as you're following the terms and conditions of your account (in other words - don't ever use POLi). This means if fraud does happen then you're covered and the bank has got your back.





Lastman
286 posts

Ultimate Geek


  #2040161 19-Jun-2018 08:04

michaelmurfy:

@Lastman I think you're missing the point... You're saying don't carry your card around in your wallet?


Your customer number is printed on your card. Anyway, it doesn't matter at all if somebody knows your customer number. There are many other ways to commit fraud if somebody is adamant to do so.


Honestly - do not worry about it! Just live your life. The bank has got your back and trust me as I work for them and used to deal with this on a day to day basis... Enable Online Code on your internet banking, use the app on your phone (it is more secure than doing so on your PC), enable Apple Pay / GoMoney Wallet etc.


All customers are protected by the Visa Zero Liability guarantee along with the Internet Banking security guarantee as long as you're following the terms and conditions of your account (in other words - don't ever use POLi). This means if fraud does happen then you're covered and the bank has got your back.



By jove, it is too. That would seem a silly move by the banks, IMHO, but I guess they would just get too many call-ins.



kramgk

16 posts

Geek


#2040332 19-Jun-2018 11:19

Thanks for the comments and I'm glad the bank is watching the password reset process.

 

To clarify, the CSR at the bank said there was an option in the Settings menu to disallow a password reset via the online code system.  She certainly didn't recommend stopping online codes for everything, and I wouldn't want this either because it would remove the two factor authentication. 

 

 


allan
1313 posts

Uber Geek

Subscriber

  #2040387 19-Jun-2018 13:08

michaelmurfy:

 

Your customer number is printed on your card. Anyway, it doesn't matter at all if somebody knows your customer number. There are many other ways to commit fraud if somebody is adamant to do so.

 

Interestingly neither of my ANZ cards have the customer number printed on the card. There is a pre-printed heading for it on the back of the cards, but no number actually printed there.


michaelmurfy
/dev/null
9622 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2040440 19-Jun-2018 13:44

@allan If you got the cards directly from the branch then it'll have "ANZ Customer" as the name with no customer number. If you get the Visa Debit / Eftpos cards sent out to you then it'll have the customer number printed.

 

My Airpoints Visa Platinum doesn't have my customer number on it either - I suspect it may be all credit cards too but the majority of ANZ customers have a card with their customer number on it.




