Internet banking security

Please note this sub-forum does not provide professional finance advice. You should seek advice from a licensed financial advisor.

To post in this sub-forum you must have made 100 posts or have Trust status or have completed our ID Verification.

If investing please consider our affiliate link for new accounts: Sharesies.

Forums › Finance and wealth management › Internet banking security

1 | 2 | 3

3928 posts

Uber Geek

Trusted

#2497295 3-Jun-2020 11:16

I use Kiwibank and I am totally comfortable with their security. I change my password and security questions every few months and, as someone else noted, my questions and answers do not make logical sense (so can't be guessed).

And as long as you don't share your logon details and password, you will be ok.

Golden rule: NEVER, EVER, EVER input your logon details from a text or email request to do so. No matter how convincing it looks, your bank will NEVER email you and ask you to update from an email.

antonknee:

So Kiwibank's annoying text message verification is (one reason) why I left them, I often did not receive these text messages... unfortunately I went to Westpac and I did not realise their security was so horrendous. Might be looking for a new bank now...

I really like this added security feature. From what I can gather, Kiwibank only txt me if I log in from a new device or are making a significant payment to a new payee - otherwise, they don't text. I'm totally ok with this.

antonknee

1133 posts

Uber Geek

#2497304 3-Jun-2020 11:38

dafman:

antonknee:

So Kiwibank's annoying text message verification is (one reason) why I left them, I often did not receive these text messages... unfortunately I went to Westpac and I did not realise their security was so horrendous. Might be looking for a new bank now...

I really like this added security feature. From what I can gather, Kiwibank only txt me if I log in from a new device or are making a significant payment to a new payee - otherwise, they don't text. I'm totally ok with this.

Oh I think it's a fine idea and I believe ANZ (and others) do the same. My issue with it was just I often didn't receive those text codes and no amount of troubleshooting could fix it. In fairness to Kiwibank they were more than happy to do the verification over the phone.

OldGeek

899 posts

Ultimate Geek

ID Verified

Lifetime subscriber

#2497333 3-Jun-2020 13:08

When I first looked into Internet Banking (TSB, ANZ and Kiwibank at various times) many years ago I did so for 2 main reasons:

Indemnity.
Unsurpassed access to account data.

By Indemnity I mean that at long as I do not surrender logon data to any unrelated 3rd party, the use of Internet Banking is at the banks risk. Internet banking allows me to view account status and latest transactions whenever I choose to. Transactions appear within minutes these days for all transaction account types. The key here is convenience and risk-free when long-practiced security of userids and passwords is maintained.

I monitor accounts daily and report questionable transactions (all on credit card account these days) through the Internet Banking securemail facility.

The days of waiting for account statements through the post and reconciling cheque account balances with paper and cheque-book are long gone and I don't regret their passing.

Edit: typos fixed

--

OldGeek.

Quic referal code: https://account.quic.nz/refer/581402

kiwiace

54 posts

Master Geek

#2497336 3-Jun-2020 13:12

regarding SMS 2FA:

It seems useful when you are logging on from a PC

[although even then, the kurte.nz site links to a 4 year old warning it can be compromised (and there have been high profile simjackings leading to bitcoin theft overseas).]

But it seems risky to me to have SMS 2FA and a mobile banking app - if the phone was compromised you could rapidly be in trouble surely?

antonknee

1133 posts

Uber Geek

#2497345 3-Jun-2020 13:17

kiwiace:

regarding SMS 2FA:

It seems useful when you are logging on from a PC

[although even then, the kurte.nz site links to a 4 year old warning it can be compromised (and there have been high profile simjackings leading to bitcoin theft overseas).]

But it seems risky to me to have SMS 2FA and a mobile banking app - if the phone was compromised you could rapidly be in trouble surely?

If your phone was compromised you'd be in trouble anyway right?

I suppose that's the whole point, adding another factor to make compromising any one thing less likely to be a showstopper.

zespri

414 posts

Ultimate Geek

Lifetime subscriber

#2497346 3-Jun-2020 13:22

michaelmurfy:

It is also vitally important you don't use systems like POLi as this goes against your internet banking terms of use (as systems like POLi "man in the middle you" and login to your internet banking to make a payment) - banks can detect when such systems are used and whilst they allow them, they may use this against you if you get compromised in the future.

This is something I find very puzzling. POLi should not exist the way it is and has been, yet, it's allowed. I'm a technical person, so I know how bad it is, but to convince a non-techie, that POLi is much worse than, say paying via a credit card, or internet banking is very difficult, because it's all the same to them. When POLi first appeared on my radar I was hoping that it would be closed down soon, so apparently it is insecure. Yet it keeps being around a year after year.

ANglEAUT

2325 posts

Uber Geek

Trusted

Lifetime subscriber

#2497350 3-Jun-2020 13:28

floydbloke:

It might be handy if it was current. It doesn't mention 2FA using the app for BNZ.......makes you wonder what else is missing/out of date.

Would be more useful if it included a 'last updated on __/__/__' and a disclaimer that things may have changed since then.

It's hosted on Github and the last commit was on 2018/06/14.

Please keep this GZ community vibrant by contributing in a constructive & respectful manner.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

JaBZ

404 posts

Ultimate Geek

#2497356 3-Jun-2020 13:34

ANglEAUT:

floydbloke:

It might be handy if it was current. It doesn't mention 2FA using the app for BNZ.......makes you wonder what else is missing/out of date.

Would be more useful if it included a 'last updated on __/__/__' and a disclaimer that things may have changed since then.

It's hosted on Github and the last commit was on 2018/06/14.

Yes its outdated why bother. Westpac has had 2FA "Other" for a number of years. I get the 2FA SMS for transfers/payments.

https://www.westpac.co.nz/branch-mobile-online/safety-and-security-online/westpac-online-guardian/

My opinions and ideas expressed in posts are solely my own and do not reflect the views of my employer in any way..

michaelmurfy

meow
13255 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#2497364 3-Jun-2020 13:45

zespri:

This is something I find very puzzling. POLi should not exist the way it is and has been, yet, it's allowed. I'm a technical person, so I know how bad it is, but to convince a non-techie, that POLi is much worse than, say paying via a credit card, or internet banking is very difficult, because it's all the same to them. When POLi first appeared on my radar I was hoping that it would be closed down soon, so apparently it is insecure. Yet it keeps being around a year after year.

The problem is, if a bank blocks it (and talking about this from a point of view of me looking after an internet banking platform for a large bank) then customers will be unhappy it is blocked, think the bank is trying to make money from Visa Debit / Credit Card transactions etc. It does inadvertently break sometimes when an Internet Banking release goes out and when this happens I see an influx of incidents logged to our queue from the contact centre telling us to fix it.

Despite it being insecure customers will still use it anyway since the likes of PB-Tech, AirNZ etc charge their customers extra for using credit cards. Personally, I'd rather pay this as I am then covered by the Visa zero-liability guarantee vs doing an internet banking payment that can't be reversed. I've never used POLi and never will.

I've seen customers attempting to get a refund from Jetstar for example after they've made a payment via POLi and their flights being cancelled. If they used their credit card then a dispute can be placed on the transaction and they normally get the money reversed where with POLi once it is done, it is done and you're at the complete mercy of the company for getting a refund. With Jetstar, you could imagine how difficult this is and trust me when I say when a customer goes through that particular refund flow they never use POLi again.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

chevrolux

4962 posts

Uber Geek
Inactive user

#2497372 3-Jun-2020 13:53

So why can't POLi just get vetted and certified for use with the banks? And until that point, the banks block it.

Because you are dead right, paying a surcharge just for the "privilege" of using a credit card is bollocks.

Either that, or the banks/card companies pull their heads our of their asses in term of their transaction fees.

michaelmurfy

meow
13255 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#2497376 3-Jun-2020 14:02

chevrolux:

So why can't POLi just get vetted and certified for use with the banks? And until that point, the banks block it.

Since they're using man in the middle to login to customers internet banking this won't be possible either. Also nearly impossible to block since they go via a well known cloud computing company that customers also use and attempt to emulate an actual customer.

But also, this is way off topic now. Back on topic folks!

Rikkitic

Awrrr
18663 posts

Uber Geek

Lifetime subscriber

#2497403 3-Jun-2020 14:26

Great. I just tried to access my account and my login was blocked. I had to ring Kiwibank to get it unblocked again. I asked why this happened and was told it was a glitch(!) and others had been experiencing the same thing. It doesn't exactly fill me with confidence since I am already fairly leery of anything to do with money and automation, or maybe just automation in general.

Plesse igmore amd axxept applogies in adbance fir anu typos

1024kb

1167 posts

Uber Geek

ID Verified

Lifetime subscriber

#2497416 3-Jun-2020 14:43

Co-operative Bank received a serve from me regarding their account security. My initial complaint was that they limit passwords (stop right there!) to 10 characters, a stupidity which has not changed. The more concerning issue - one that was corrected - had the app refusing special character input when creating a password. It would allow specials as input when confirming an existing password but not when creating. This issue was addressed by the developer.

I told them that due to the nature of their business, banks should be at the forefront of IT security implementation, and have pride in their app as it represents their brand. I further told them that because of that artificial limit on password complexity (which is totally unnecessary), Co-operative shouldn't be proud of their app.

They're not alone in NZ business. I refused to setup a Spark account due to their frankly primitive password policy at the time (12 months ago) completely disallowing special characters. Their policy approves Pass0123 as a strong password (yeah, right) yet will not allow $;/86Sg$(. My efforts at getting this changed were ignored, & as I'd told them I wouldn't sign up for an account with any organization that imposed such a cavalier password policy, I guess they found it easier to bin my protest.

Megabyte - so geek it megahertz