

Rikkitic

Awrrr
12948 posts

Uber Geek

Lifetime subscriber

#271948 3-Jun-2020 09:25

I don't have a cell phone and until the lockdown, I didn't have Internet banking. Now that I do, I wonder how secure it really is without 2FA. It seems pretty secure to me, but of course I could be missing something.

 

With Kiwibank, you have to log in with account number and password. You are then presented with a randomly-selected security question from ones you have previously created. The answer to the question is displayed as blank spaces, and you have to correctly type in two randomly-selected blanks. This is done to prevent key loggers. 

 

So how secure is this, really? The only way I can think of offhand to defeat it would be something in memory that  copies the screen until the same answer has appeared enough times to fill in all the blanks, then keeps trying to log in until that question comes up again. Is there a better way to get around this?

 

 





I don't think there is ever a bad time to talk about how absurd war is, how old men make decisions and young people die. - George Clooney
 


Lightbulb
68 posts

Master Geek

Lifetime subscriber

  #2497218 3-Jun-2020 09:33

Westpac is pretty bad. No 2FA and password doesn't differentiate between upper case and lowercase


engedib
218 posts

Master Geek


  #2497219 3-Jun-2020 09:34

Lightbulb:

 

Westpac is pretty bad. No 2FA and password doesn't differentiate between upper case and lowercase

 

 

Yeah, they are absolutely hopeless with that password policy, was one of the reasons I switched banks 2 years ago.


 
 
 
 


wellygary
5005 posts

Uber Geek


  #2497224 3-Jun-2020 09:40

So how secure is this, really? The only way I can think of offhand to defeat it would be something in memory that  copies the screen until the same answer has appeared enough times to fill in all the blanks, then keeps trying to log in until that question comes up again. Is there a better way to get around this?

 

The "standard" scammer approach is usually to fool you into loading Teamviewer or some other remote access software and then get you to log in "so they can check that the security changes they made are working"

 

 

 

Kiwibank do have 2FA for authorising online payments to accounts that are new to you (i.e. not bill pay accounts Kiwibank already know). How do you do this if you have no mobile, or is it not enabled?

 

 

 

 


timmmay
16530 posts

Uber Geek

Trusted
Subscriber

  #2497226 3-Jun-2020 09:42

I think Kiwibank is likely to be sufficiently secure. Anything can be defeated given enough time and effort. Run a virus / malware scan of your computer occasionally and you should be fine.


Linux
6928 posts

Uber Geek

Trusted
Lifetime subscriber

#2497227 3-Jun-2020 09:44

Lightbulb:

 

Westpac is pretty bad. No 2FA and password doesn't differentiate between upper case and lowercase

 

 

@Lightbulb No way that is mental


knoydart
893 posts

Ultimate Geek

Trusted
Subscriber

  #2497238 3-Jun-2020 09:55

A handy overview from Ryan Kurte on NZ banking two factor use 


Wakrak
368 posts

Ultimate Geek


  #2497262 3-Jun-2020 10:10

With BNZ you have three options as far as I am aware; (1) login with username and password (2) username, password, and authenticate with BNZ mobile app (3) username, password, 2FA with NetGuard card. 

Password is case sensitive and must include both letters & numbers. 

 

With NetGuard, it will prompt you to enter the letter/number given for C4 for example = M. Have to do this three times and if one is wrong, start again. 

(Image is from google).

 


 
 
 
 


networkn
23472 posts

Uber Geek

Trusted
Lifetime subscriber

  #2497265 3-Jun-2020 10:17

As a Kiwibank customer it's infuriating that they don't have app-based 2FA for their payment confirmation and their password/passphrase thing isn't great either. They are aware and have an app-based auth being worked on, but that was some months ago.

 

The SMS Text message payment confirmation thing is super annoying esp if you are overseas, and because often times it can take a few minutes to come through.

 

 

 

 


Linux
6928 posts

Uber Geek

Trusted
Lifetime subscriber

  #2497271 3-Jun-2020 10:24

BNZ is very good with the App authentication


Rikkitic

Awrrr
12948 posts

Uber Geek

Lifetime subscriber

  #2497275 3-Jun-2020 10:31

wellygary:

 

So how secure is this, really? The only way I can think of offhand to defeat it would be something in memory that  copies the screen until the same answer has appeared enough times to fill in all the blanks, then keeps trying to log in until that question comes up again. Is there a better way to get around this?

 

The "standard" scammer approach is usually to fool you into loading Teamviewer or some other remote access software and then get you to log in "so they can check that the security changes they made are working"

 

Kiwibank do have 2FA for authorising online payments to accounts that are new to you (i.e. not bill pay accounts Kiwibank already know). How do you do this if you have no mobile, or is it not enabled?

 

 

Not enabled, I suppose. I am a pensioner and have very simple banking needs and the very few payments I make are either in person or by credit card.  This has always worked well for me, which is why I never had Internet banking until the lockdown.

 

Edited to add: I am fairly immune to phishing. I am very obstinate and never do what anyone tells me to, especially on-line. I don't click on anything that comes via email. I have my email set to text only so HTML attacks are impossible. I get very little spam and it all goes into the rubbish folder.

 

 

 

 

 

 

 

 





I don't think there is ever a bad time to talk about how absurd war is, how old men make decisions and young people die. - George Clooney
 


antonknee
490 posts

Ultimate Geek


  #2497276 3-Jun-2020 10:32

So Kiwibank's annoying text message verification is (one reason) why I left them, I often did not receive these text messages... unfortunately I went to Westpac and I did not realise their security was so horrendous. Might be looking for a new bank now...





Ant  Reformed geek | Referral links: Electric Kiwi  Sharesies  Stake


michaelmurfy
/dev/null
9635 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2497280 3-Jun-2020 10:43

To answer your question properly, Internet Banking is as secure as you make it. With Kiwibank, their Keepsafe login is old but it works well provided the answers you've made are unique and not easily guessable. I'm a Foundation customer with Kiwibank and set my answers to make no logical sense + I use a password manager.

 

The biggest security weakness with internet banking is the users. For example, users who are either using weak or compromised passwords. Check https://haveibeenpwned.com to see if you've been compromised in any other accounts, and enter your password into https://haveibeenpwned.com/Passwords (which is secure) to check if the password has been compromised on any lists. Lastly, use a password manager like Lastpass or Dashlane coupled with 2 factor security on your password vault.

 

Logins are normally vetted by their fraud systems (the same systems used to protect your credit card / visa debit card) and the bank will cover you for any losses provided you didn't contribute to that loss with both. It is also vitally important you don't use systems like POLi as this goes against your internet banking terms of use (as systems like POLi "man in the middle you" and log in to your internet banking to make a payment) - banks can detect when such systems are used and whilst they allow them, they may use this against you if you get compromised in the future.

 

So, the likelihood of getting compromised if you follow the standard steps (using complex, randomly generated passwords from a password manager, not disclosing your login details, using a secure computer with a modern, up-to-date browser) is remarkably low. Banks are a high target and there are often security teams along with security applications working to keep users safe at all times.
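The Pwned Passwords check mentioned in the post above works without handing over the password because only the first five hex characters of its SHA-1 hash are sent to the range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`), and the match against the returned suffixes happens locally. An added example, not part of the original post and not Have I Been Pwned's own code; the function names, the offline stand-in for the endpoint and the breach counts are assumptions constructed for illustration.

```python
import hashlib


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the 5 hex chars that are sent, the 35 that stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines as returned for one prefix."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus; 0 if not listed.

    fetch_range(prefix) -> response body. Only the prefix is ever passed to it,
    so neither the password nor its full hash leaves this function.
    """
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for the range endpoint, built from constructed sample data."""
    corpus = {"password": 1000, "letmein": 50}   # constructed counts, not real figures
    lines = ["0" * 35 + ":3"]                    # unrelated suffix sharing the prefix
    for pw, n in corpus.items():
        p, s = split_for_range_query(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password", "kq7#Vw2!-constructed-example"):
        prefix, _ = split_for_range_query(candidate)
        print(f"sent prefix {prefix}: seen {breach_count(candidate, constructed_fetch)} times")
```

To query the live service, pass a `fetch_range` that performs an HTTPS GET on the range URL with the prefix appended and returns the response text.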





floydbloke
2298 posts

Uber Geek


  #2497286 3-Jun-2020 10:58

knoydart:

 

A handy overview from Ryan Kurte on NZ banking two factor use 

 

 

It might be handy if it was current.  It doesn't mention 2FA using the app for BNZ.......makes you wonder what else is missing/out of date.

 

Would be more useful if it included a 'last updated on __/__/__' and a disclaimer that things may have changed since then.





= > ÷

 

 


Lightbulb
68 posts

Master Geek

Lifetime subscriber

  #2497287 3-Jun-2020 11:02

I use LastPass for all my passwords except for internet banking and other important financial sites.  I've always been a bit nervous of putting my banking passwords in LastPass - just in case Lastpass gets compromised.

 

Am I being too cautious for banking / financial sites?


michaelmurfy
/dev/null
9635 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2497293 3-Jun-2020 11:12

@Lightbulb Honestly, not at all.

 

I personally use Lastpass for Internet Banking myself (which is protected with 2FA with another app along with a strong master password). All my banks have some type of 2FA on them also and if any attacker got in they'll find the majority of my accounts are useless to them being protected with 2FA and the attackers will be stupid to log in to my main bank account anyway as it'll ping me a message + app notification and I also work on this internet banking platform for my job. Lastpass have a good security writeup here: https://www.lastpass.com/security/what-if-lastpass-gets-hacked and disclose if they've been compromised (and how) since it is in their best interest to.

 

As long as you're using a secure password not repeated anywhere else then that is fine. But also if you're using a secure password + 2FA for your password vault then using that for your internet banking and generating new passwords on a regular basis is better. I often say, the only secure passwords are the ones you can't remember.




