Geekzone: technology news, blogs, forums
1024kb

1197 posts

Uber Geek
+1 received by user: 519

ID Verified
Lifetime subscriber

#302510 28-Nov-2022 14:27

A customer called me concerned about unauthorized charges to his new Kiwibank Visa. When he activated the card by phone call, the Kiwibank phone system wanted his access number then PIN followed by hash. First entry was rejected, do it again. Repeated the entry - nope, do it again. Third time round, exactly the same data entry, this time accepted. Then the fraud activity commenced.

Since then every call to Kiwibank has required triple entry of access code & PIN. Not recognized, not recognized, you're in.

Me, with my suspicious little mind, find this concerning. A digital system accepts correct data & rejects incorrect data. It doesn't think about it a couple of times then change its mind & let you in anyway. Doesn't work like that. My thought is that the first entry / entries are being hijacked & sent elsewhere before the third entry is put back to Kiwibank to allow access to their system.

I've just explained this to Kiwibank call center, they've escalated the issue. Has anyone else here experienced the triple entry login requirement?





Megabyte - so geek it megahertz

Aaroona
3204 posts

Uber Geek
+1 received by user: 169


  #3006569 6-Dec-2022 19:12

It could be any number of things... Could be a system thing at Kiwibank's side, but could also be an issue with the DTMF tones being sent from the handset, etc. 

 

Does it happen when using the same phone? all phones? If mobile, does it happen when in a different area? 

 

Will be interesting to see what Kiwibank say. 
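As an added illustration of the DTMF possibility Aaroona raises (this is example code written for this thread, not anything from Kiwibank or from any poster), here is a small tone detector of the kind an IVR front end runs on the audio it receives. It synthesises clean key tones, decodes them with the Goertzel algorithm, and shows what happens when a tone arrives too weak or with one of its two frequencies missing: the digit is dropped, not misread. The sample rate, frame length, thresholds and the constructed tone samples are all assumptions chosen for the example.

```python
import math

SAMPLE_RATE = 8000  # Hz: narrowband telephony sample rate (assumption for the example)
FRAME = 400         # samples per analysis window, i.e. 50 ms at 8 kHz
LOW_FREQS = (697, 770, 852, 941)       # DTMF row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)  # DTMF column tones
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))


def synth_tones(freqs, amplitude=0.25, n=FRAME):
    """Constructed input: a sum of sine waves, one per frequency, each of the given amplitude."""
    return [sum(amplitude * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def synth_key(key, amplitude=0.25):
    """Constructed input: the clean dual tone a handset sends for `key` (not a real recording)."""
    for r, row in enumerate(KEYPAD):
        if key in row:
            return synth_tones((LOW_FREQS[r], HIGH_FREQS[row.index(key)]), amplitude)
    raise ValueError(f"not a DTMF key: {key!r}")


def goertzel_power(samples, freq):
    """Squared magnitude of the frame's component at `freq`, via the Goertzel recursion."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_key(samples, min_amplitude=0.05, min_ratio=8.0):
    """Return the key whose row tone and column tone both dominate the frame, else None.

    The frame is rejected when either tone group has no clear winner: the strongest
    tone is quieter than `min_amplitude`, or is not `min_ratio` times stronger than
    the runner-up. A weak, clipped or half-missing tone therefore becomes a dropped
    digit rather than a wrong one, which is exactly the failure mode that makes an
    IVR say "not recognised" for an entry the caller keyed correctly.
    """
    n = len(samples)
    min_power = (min_amplitude * n / 2.0) ** 2  # Goertzel power of a pure sine at that amplitude
    picks = []
    for group in (LOW_FREQS, HIGH_FREQS):
        powers = [goertzel_power(samples, f) for f in group]
        ranked = sorted(range(len(group)), key=powers.__getitem__, reverse=True)
        best, second = ranked[0], ranked[1]
        if powers[best] < min_power or powers[best] < min_ratio * powers[second]:
            return None
        picks.append(best)
    return KEYPAD[picks[0]][picks[1]]


def decode_frames(frames):
    """Decode one key per frame; undecodable frames become '?' so gaps are visible."""
    return "".join(decode_key(f) or "?" for f in frames)


if __name__ == "__main__":
    print(decode_frames([synth_key(k) for k in "1234#"]))  # prints 1234#
    # second key sent far too quietly: the IVR sees "1?#", not the "12#" the caller pressed
    print(decode_frames([synth_key("1"), synth_key("2", amplitude=0.01), synth_key("#")]))  # prints 1?#
    print(decode_key(synth_tones((697,))))  # one frequency only: prints None
```

Real detectors also check tone duration, inter-digit gaps and "twist" (the allowed level difference between the two tones), and a handset, a VoIP gateway or a mobile codec can damage any of those; the point of the example is only that a bad tone path produces rejections of correct input without anyone in the middle seeing the digits.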




cokemaster
Exited
4937 posts

Uber Geek
+1 received by user: 1089

Retired Mod
Trusted
Lifetime subscriber

  #3006584 6-Dec-2022 21:07

I think what's happening is that the IVR is attempting to authenticate you by using your customer number/access code and your phone banking PIN (not your credit card/eftpos card PIN). Many banks do this in order to speed up the authentication process on calls, although some use different techniques eg. SMS or voice ID. 

 

Ideally Kiwibank shouldn't be giving you three attempts before falling back because the first two attempts indicate whether the pin is valid or not by virtue of asking you to re-enter. They should ask once and then pass that pass/fail result to the agent.





webhosting

Loose lips may sink ships - Be smart - Don't post internal/commercially sensitive or confidential information!


cokemaster
Exited
4937 posts

Uber Geek
+1 received by user: 1089

Retired Mod
Trusted
Lifetime subscriber

  #3006587 6-Dec-2022 21:14

To further clarify (and this is coming from someone who has involvement with Kiwibank other than being a customer), I would strongly caution against thinking that the requests are being hijacked from the phone call. 

 

A. Banks' IVRs are hardened to ensure that they don't leak out information or are vulnerable to hacking attempts. 
B. If using mobile# or landlines*, it is extremely unlikely that the mobile network or landline networks ** have been compromised. 

 

Exceptions being: 
# if you have rooted/jailbroken your phone, who knows what is running on it.
* if you are using one of those 'free' overseas VoIP providers, one cannot speak to their security arrangements. 
** Whilst it is technically possible for someone to 'tap' your copper line and listen in, the probability is extremely low and even a moot point if you are using Fibre or mobile.





webhosting

Loose lips may sink ships - Be smart - Don't post internal/commercially sensitive or confidential information!




1024kb

1197 posts

Uber Geek
+1 received by user: 519

ID Verified
Lifetime subscriber

  #3006604 6-Dec-2022 23:11

cokemaster:

To further clarify (and this is coming from someone who has involvement with Kiwibank other than being a customer), I would strongly caution against thinking that the requests are being hijacked from the phone call. 


A. Banks' IVRs are hardened to ensure that they don't leak out information or are vulnerable to hacking attempts. 
B. If using mobile# or landlines*, it is extremely unlikely that the mobile network or landline networks ** have been compromised. 


Exceptions being: 
# if you have rooted/jailbroken your phone, who knows what is running on it.
* if you are using one of those 'free' overseas VoIP providers, one cannot speak to their security arrangements. 
** Whilst it is technically possible for someone to 'tap' your copper line and listen in, the probability is extremely low and even a moot point if you are using Fibre or mobile.



Stock (Knox = 0) Galaxy Note 10+ on Spark was used originally then switched to my stock (locked bootloader) Huawei P40 on 2DM for comparison testing before reverting to his Note 10. Same result each & every time. His phone using direct to mobile, mine using WiFi calling. All calls made on a fine, clear day within 800m of the Spark tower.

I know it's difficult to see where the possible hack could come from, but after all that knowledge is applied there is still the issue of the system reject, reject, accepting the same access codes repeatedly. I don't get how a secure, unadulterated system can do that.

As an aside, I'm also wondering just how many attempts at entering the correct combination of access code & PIN number the Kiwibank system allows - we know it's at least 3, probably more. I'd suggest that 2 attempts would be a far more secure limit. Thank you, goodbye. Ring again if you want to.

The Visa card was new, fresh, activated within a few days & unused apart from a single online transaction with a reputable retailer. When my client used his card physically, the payment bounced. There were 2 accesses - Kiwibank when activating the card, one online transaction. Then the fraud activity.

While my knowledge of incoming voice response systems is very limited, I'm reminded of Agatha Christie's Sherlock Holmes in The Sign Of The Four - "When you have eliminated the impossible, whatever remains, however improbable, must be the truth"




Megabyte - so geek it megahertz
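As an added example, not code from the thread and not a description of Kiwibank's actual system: a toy model of the phone-banking check as cokemaster says it should work (one attempt per call, the pass/fail result handed to the agent) combined with the attempt limit 1024kb asks about. It reads the DTMF entry "digits then #", verifies the PIN against a salted PBKDF2 hash with a constant-time compare, gives the same answer for the same input every time, and locks the phone-banking PIN after a fixed number of failed calls. The class and function names, the two-call limit and the hashing parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_CALLS = 2   # assumption for the example: lock the phone-banking PIN after two failed calls
PBKDF2_ROUNDS = 100_000


@dataclass
class Record:
    salt: bytes
    pin_hash: bytes
    failed_calls: int = 0
    locked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the phone-banking PIN (never store the PIN itself)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def parse_dtmf(keys: str):
    """Digits the caller keyed before the '#' terminator, or None if the entry is malformed."""
    digits, terminator, _ = keys.partition("#")
    if not terminator or not digits.isdigit():
        return None
    return digits


class PhoneBankingIVR:
    """Toy IVR front end: one verification per call, fail closed, result passed to the agent."""

    def __init__(self):
        self._records = {}
        # Dummy record so an unknown access number costs the same hashing work as a known one
        # and never matches (random hash), which keeps timing from revealing valid numbers.
        self._dummy = Record(salt=os.urandom(16), pin_hash=os.urandom(32))

    def enrol(self, access_number: str, pin: str) -> None:
        salt = os.urandom(16)
        self._records[access_number] = Record(salt=salt, pin_hash=hash_pin(pin, salt))

    def authenticate_call(self, access_keys: str, pin_keys: str) -> dict:
        """One attempt for this call. Returns {'verified': bool, 'reason': str} for the agent.

        Deterministic: the same keys against the same account state always give the
        same answer. There is no 'try again' path; a failed call counts towards lockout.
        """
        access = parse_dtmf(access_keys)
        pin = parse_dtmf(pin_keys)
        if access is None or pin is None:
            return {"verified": False, "reason": "malformed entry"}

        known = access in self._records
        record = self._records.get(access, self._dummy)
        if record.locked:
            return {"verified": False, "reason": "locked"}

        # Always do the hash and the constant-time compare, even for unknown numbers.
        matches = hmac.compare_digest(hash_pin(pin, record.salt), record.pin_hash) and known
        if matches:
            record.failed_calls = 0
            return {"verified": True, "reason": "pin ok"}

        if known:
            record.failed_calls += 1
            if record.failed_calls >= MAX_FAILED_CALLS:
                record.locked = True
        # Same wording for wrong PIN and unknown access number: don't leak which it was.
        return {"verified": False, "reason": "not verified"}


if __name__ == "__main__":
    ivr = PhoneBankingIVR()
    ivr.enrol("12345678", "4321")                      # constructed test account
    print(ivr.authenticate_call("12345678#", "4321#"))  # verified
    print(ivr.authenticate_call("12345678#", "9999#"))  # not verified (1 of 2)
    print(ivr.authenticate_call("12345678#", "9999#"))  # not verified (2 of 2): now locked
    print(ivr.authenticate_call("12345678#", "4321#"))  # locked, even with the right PIN
```

Run against the behaviour described in the opening post, this model never produces "reject, reject, accept" for identical input: a wrong answer is wrong every time and a correct one is accepted the first time, and the only state that changes between calls is the failure counter, which moves towards lockout rather than towards acceptance. It is only a model of the design cokemaster describes, not a statement of how any real bank's IVR is built.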

Rikkitic
Awrrr
19064 posts

Uber Geek
+1 received by user: 16304

Lifetime subscriber

  #3006643 7-Dec-2022 08:01

1024kb:

 

While my knowledge of incoming voice response systems is very limited, I'm reminded of Agatha Christie's Sherlock Holmes in The Sign Of The Four - "When you have eliminated the impossible, whatever remains, however improbable, must be the truth"

 

Agatha Christie? Sherlock Holmes? Not sure I see the connection here. Is it elementary?

 

 





Plesse igmore amd axxept applogies in adbance fir anu typos

 


 

