Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 

gjm

747 posts

Ultimate Geek
+1 received by user: 91


  Reply # 836261 13-Jun-2013 12:13
Send private message

You're right...wtf is that?




[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]

gjm

747 posts

Ultimate Geek
+1 received by user: 91


  Reply # 836268 13-Jun-2013 12:24
Send private message

Friend just tried ANZ and it is case sensitive but ASB isnt at all




[Amstrad CPC 6128: 128k Memory: 3 inch floppy drive: Colour Screen]

1332 posts

Uber Geek
+1 received by user: 152
Inactive user


  Reply # 836307 13-Jun-2013 13:26
Send private message

ajobbins:
1080p: I think Kiwibank's system is the best. You can set it to ask you a question only you know the answer to and it will request a couple of letters from each answer every time you log in.

It really is an ingenious method of extra security without requiring you to carry a piece of plastic about or a dongle.

Obviously, if you answer their questions with information that others already know about you then it is not effective but that would be on you rather than Kiwibank.


It's just a bit cumbersome, and isn't true 2FA. 2FA is supposed to be something you know (a password) and something you have (A token). Kiwibank's is a something you know and something you know - or possibly a something you know and something others might know too.

And the fact you need it even to log in and check a balance or move money between your own accounts is just painful.


Given that two factor authentication was broken before it was even used widely does not inspire me with confidence.

What is more cumbersome is having to fish out a card/dongle every time you want to log in or receiving an SMS/e-mail. Kiwibank's security schema is much more intuitive, secure (keyloggers), and convenient (simply a password and two letters from a phrase only you know) than any other system in New Zealand.


Kyanar: Could be worse - Westpac's security is something you know (your password), something WE know (blackbox analysis of login to determine if trustworthy or not) and something everyone knows (your birthplace or one of 7 other stupid questions 5 seconds of searching on Google or Facebook can tell you - and even then only if Westpac determined that your login didn't match their pattern analysis).

Random factoid you probably didn't know - your password is case insensitive if you are with ASB, Westpac, and I believe Kiwibank and ANZ. TSB and BNZ your password is definitely case sensitive. Try it yourself sometime - enter the case of your password incorrectly and marvel as your bank happily logs you into your accounts!


I've just confirmed this with a Kiwibank and Westpac account. ANZ are case sensitive. An interesting find! I wonder who thought this was a good idea?

1997 posts

Uber Geek
+1 received by user: 331

Trusted

  Reply # 836313 13-Jun-2013 13:38
Send private message

I can see the other side the case sensitive issue:
- Internet banking is used by normal people, not geeks, so complications in password entry will lead to more calls to customer service (which are expensive for the bank). IMHO phrases like 'case sensitive' or even 'is your cap lock on?' would confuse plenty of people (whether those sorts of people should be using internet banking is a different story...)
- I presume that with most banks, repeated attempts to login would be blocked, so brute force and educated guesses aren't as big a problem

Doesn't necessarily make it okay, but just other things to consider. Banks aren't stupid, so presumably this passed an internal cost/benefit, and they do cover the direct cost of fraud

3031 posts

Uber Geek
+1 received by user: 466

Trusted
Subscriber

  Reply # 836438 13-Jun-2013 16:37
Send private message

But the question that has tp be asked is - is this because the bank normalises your password to a specific case prior to checking it against the stored hash in the database, or is that password stored in plain text instead? Good luck getting an answer to this question, of course.

(Note, I and a friend have already challenged Westpac and ASB about this already. ASB responded by pointing out that your communications with them are protected by "128 bit encrypitation" - yes spelt like that - and Westpac responded by mumbling something about Online Guardian and Zero Liability).

To those pointing out that banks cover the direct cost of fraud... well, no, they don't. In the case of credit cards they claw the money back from the merchants (meaning you the customer cover the cost of fraud) and in the case of online banking they bake these costs into their margins (meaning you the customer cover the cost of fraud).

Awesome
4810 posts

Uber Geek
+1 received by user: 1062

Trusted
Subscriber

  Reply # 836449 13-Jun-2013 16:54
Send private message

1080p:
Given that two factor authentication was broken before it was even used widely does not inspire me with confidence.


Ummm, substantiate please? There may be particular implementations that have been compromised - but as far as I am aware the vast majority of proper 2FA implementations in use are not broken.

What is more cumbersome is having to fish out a card/dongle every time you want to log in or receiving an SMS/e-mail. Kiwibank's security schema is much more intuitive, secure (keyloggers), and convenient (simply a password and two letters from a phrase only you know) than any other system in New Zealand.


Two parts to this. Firstly, you shouldn't need to use any kind of secondary authentication just to log in. This is my biggest beef with the Kiwibank system. Secondly, I absolutely disagree that it's more secure - it is easily the least secure of the bunch.

With most 2FA systems, keylogging is not an issue. The secondary authentication credential is forever changing. They generally expire after a number of seconds regardless of use, and usually are only good for one use. Even if you did log it, it would be useless. The kiwibank challenge questions are not only static, but often easily guessed. Someone could obtain the answers covertly through a number of mechanism (VNC/Remote screen access, hidden cameras with a view of your screen etc). If that was done with other 2FA methods it wouldn't matter as the credential would be expired.

In balancing intuitiveness and convenience with security, the other banks solutions are far superior in terms of security but only a tiny bit less convenient or intuitive. Being that the point of 2FA is enhanced security, I feel that the Kiwibank solution is both inferior and inadequate.




Twitter: ajobbins


Awesome
4810 posts

Uber Geek
+1 received by user: 1062

Trusted
Subscriber

  Reply # 836454 13-Jun-2013 16:58
Send private message

Kyanar: To those pointing out that banks cover the direct cost of fraud... well, no, they don't. In the case of credit cards they claw the money back from the merchants (meaning you the customer cover the cost of fraud) and in the case of online banking they bake these costs into their margins (meaning you the customer cover the cost of fraud).


Not quite true. Banks and merchants each have agreed responsibilities when it comes to protecting against fraud. In cases where the merchant did nothing wrong, they are not liable. If they didn't take reasonable steps to ensure that the card use was genuine and authorised however, they could be hit with a charge back.




Twitter: ajobbins


3031 posts

Uber Geek
+1 received by user: 466

Trusted
Subscriber

  Reply # 836643 14-Jun-2013 07:12
Send private message

ajobbins: Not quite true. Banks and merchants each have agreed responsibilities when it comes to protecting against fraud. In cases where the merchant did nothing wrong, they are not liable. If they didn't take reasonable steps to ensure that the card use was genuine and authorised however, they could be hit with a charge back.


That's for a card present transaction.  For a card not present transaction, you are pretty much boned unless you attempted 3DS authentication.  Then and only then are you insulated against "it wasn't me" chargebacks.  (It's in the merchant agreement.  And yes I have one).

1 | 2 
View this topic in a long page with up to 500 replies per page Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.