Geekzone: technology news, blogs, forums
Webhead
2306 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 1302386 12-May-2015 00:50
One person supports this post

dafman: 
For your own peace of mind, fair call - however, not required. For eg. Kiwibank don't offer extra token facility (as far as I am aware). Therefore, provided you abide by their terms and conditions in using internet banking, your funds are safe.


Even if you end up not loosing money, having your bank account emptied out and (possibly) no access to funds for a while will be a major inconvenience.

A system where you only use a password will be vulnerable in several ways.

1) Man in the middle. If you are on a network where someone can fake being your site, they will get your login and they are in.
2) Weak passwords. If they can easily guess your password, they are in.
3) Reused password. If they hack another site and find your password, they are in.
4) Phishing. If they trick you to try to log in through their site, they have your password and they are in.

That's not even good enough security for my email, let alone where I keep my money. If a bank is stupid enough to not secure their customers better than that, then what else kind of stupidity are they up to?






637 posts

Ultimate Geek

Trusted

  # 1302399 12-May-2015 03:00

I've been using internet banking for 15 or so years with no problems. I travel extensively, and am regularly on untrusted networks so I only connect to banking services over a trusted VPN, which has the added bonus of ensuring my banks only see connections coming from a single source address (which, when it changed due to a new tunnel, caused one bank to call me). 

2FA is great, although can be frustrating when SMS delivered and dealing with unreliable/slow SMS while roaming. I prefer real tokens.

I will echo that yes, many banks do still send legitimate emails with links in them. ASB sharetrading and investment certainly does this, and so do others within NZ and elsewhere. It's bad practice for sure.

 

Also +1 to the comment about banks that don't deliver the primary site over TLS; leading to potential MITM attacks. Shocking that this is still happening.

 
 
 
 


1149 posts

Uber Geek


# 1302438 12-May-2015 08:12

One may be using online banking for years and tell everyone else it is OK.
What they will not tell you is that they have a mortgage, hire purchased goods, a student loan, you name it. They owe tons of money and their account is constantly in debt.
Point is - they have absolutely nothing to loose. Their passwords were likely hacked ages ago and their accounts are monitored from time to time to see if they have earned enough to be a target...
Would be interesting to hear something like: they have $10M in their account, check that it is still there regularly via "secure" online banking and it is still there - all those years!

2054 posts

Uber Geek

Subscriber

  # 1302440 12-May-2015 08:21
3 people support this post

That's two now. Guys, 'lose' and 'loose' are not interchangeable. You lose money not loose money.

2892 posts

Uber Geek

Trusted
Subscriber

  # 1302485 12-May-2015 09:21

PenultimateHop:
I will echo that yes, many banks do still send legitimate emails with links in them. ASB sharetrading and investment certainly does this, and so do others within NZ and elsewhere. It's bad practice for sure.


Links to services announcements, or adverts, but banks will NEVER send you an email with a direct link to your internet banking logon or account details.

14299 posts

Uber Geek

Trusted
Subscriber

  # 1302489 12-May-2015 09:25

linw: That's two now. Guys, 'lose' and 'loose' are not interchangeable. You lose money not loose money.


This is not an English tuition Forum




Mike
Retired IT Manager. 
The views stated in my posts are my personal views and not that of any other organisation.

 

There is no planet B

 

 


14299 posts

Uber Geek

Trusted
Subscriber

  # 1302495 12-May-2015 09:28

I probably had more problems with old school banking and transaction methods, e.g. cheques that never turn up or bounce. ATMs that for no reason take your card and not return it or the incorrect money given or recorded. Bank Tellers making entry mistakes or miscounting.




Mike
Retired IT Manager. 
The views stated in my posts are my personal views and not that of any other organisation.

 

There is no planet B

 

 


 
 
 
 


637 posts

Ultimate Geek

Trusted

  # 1302499 12-May-2015 09:32

dafman:
PenultimateHop:
I will echo that yes, many banks do still send legitimate emails with links in them. ASB sharetrading and investment certainly does this, and so do others within NZ and elsewhere. It's bad practice for sure.


Links to services announcements, or adverts, but banks will NEVER send you an email with a direct link to your internet banking logon or account details.

The former encourages bad habits for the latter by the consumer. Why is one link worse to click on than another?

And while I don't doubt your global authority on what banks will NEVER do, I can assure you several of my non-NZ banks have done precisely what you say NEVER happens, and I am fairly sure at least one NZ (or possibly Australian) bank has done it too in the past.

572 posts

Ultimate Geek


  # 1302621 12-May-2015 11:13
2 people support this post

RUKI: One may be using online banking for years and tell everyone else it is OK.
What they will not tell you is that they have a mortgage, hire purchased goods, a student loan, you name it. They owe tons of money and their account is constantly in debt.
Point is - they have absolutely nothing to loose. Their passwords were likely hacked ages ago and their accounts are monitored from time to time to see if they have earned enough to be a target...
Would be interesting to hear something like: they have $10M in their account, check that it is still there regularly via "secure" online banking and it is still there - all those years!



That's a pretty ignorant comment.

I have a mortgage, HP etc...and our accounts usually have several thousand dollars 'credit' as we pay our bills once per month. We have plenty to lose if someone hacked our account.

Whether it's $10K or $10M it matters to the people whose money it is.





mdf

2350 posts

Uber Geek

Trusted
Subscriber

  # 1302676 12-May-2015 12:30
One person supports this post

Internet banking is no less safe than any other form of "physically not present" banking transaction (e.g. EFTPOS card, phone banking, cheques). In some cases, it is actually much more safe.

That said, this isn't actually very safe at all from a technical and legal perspective. Practically, you're probably fine, but given it's Geekzone, let's go for the nitty gritty perspective.

Take a simple everyday account that has $1,000 in it. The bank is in debt to you for $1,000. In order for the bank to do anything with your money, it requires your instruction (your "mandate"). So to withdraw $100, you have to provide a mandate to the bank to exchange $100 cash for a reduction in the debt to $900.

Your banking terms and conditions will always include the following (see parts 6-8 of the Code of Banking Practice):

(1)  the bank is entitled to assume that you have provided a mandate in a wide variety of situations, including by way of card plus PIN, or internet banking log on and password (and in some cases, a second factor authentication)
(2) you are obliged to pick a good PIN, password etc., keep it secret, and make sure your computer/virus software is up to date etc.

From the banks' perspective, any transaction authorised by your card plus PIN, or internet banking log on and password is either:

(a) made by you (i.e. you've provided the bank mandate)
(b) made by someone else using your PIN and password (i.e. no mandate, so the bank isn't actually entitled to debit your account)

There are two ways (b) can occur:

First, you've told someone else your PIN and password - but the only way for that to happen is if you have breached your obligations under (2) above - e.g. you've told someone, not been careful enough when entering your PIN and been shoulder surfed, clicked on a phishing link etc.

Second, the bank's told someone else your PIN and password. But no, that can't be, because the banks use "secure" systems.

So from the bank's perspective, either you've authorised a transaction or you've been negligent/breached your terms and conditions by not picking a good password or not keeping it secret. So the bank doesn't have to pay you squat. Unless you're a good customer in which case they might make an ex gratia payment. I'm not making this up.

But what are the "secure" systems the bank actually uses? No-one really knows the detail of the back ends ("security reasons"), but you often see reference to things like "secure 256-bit encryption" and "check for the padlock on your browser". This is actually SSH, which uses asymmetric/public key cryptography. SSH is very good at a couple of things:

- knowing that the person on the other end of the internet connection is who they say they are (i.e. the website you are entering your private details into is actually the bank)
- keeping communications secure in transit (though for speed reasons, this is usually downgraded to shared key cryptography once the initial session has been initiated)

SSH does *nothing* to ensure that you are who you say you are. This is just a log on and password.

As for ATMs and PINs, the security is awful

But as I said at the outset, so long as you're careful you're probably fine. And if you do get stung with an unauthorised transaction, raise merry hell until the bank agrees to pay out.

--//--

Letters, numbers and bullets. All in one post. That has to be a bad thing.

1256 posts

Uber Geek


  # 1304621 13-May-2015 15:59

mdf: (1)  the bank is entitled to assume that you have provided a mandate in a wide variety of situations, including by way of card plus PIN, or internet banking log on and password (and in some cases, a second factor authentication)
(2) you are obliged to pick a good PIN, password etc., keep it secret, and make sure your computer/virus software is up to date etc.

From the banks' perspective, any transaction authorised by your card plus PIN, or internet banking log on and password is either:

(a) made by you (i.e. you've provided the bank mandate)
(b) made by someone else using your PIN and password (i.e. no mandate, so the bank isn't actually entitled to debit your account)

There are two ways (b) can occur:

First, you've told someone else your PIN and password - but the only way for that to happen is if you have breached your obligations under (2) above - e.g. you've told someone, not been careful enough when entering your PIN and been shoulder surfed, clicked on a phishing link etc.

Second, the bank's told someone else your PIN and password. But no, that can't be, because the banks use "secure" systems.

Or your card was skimmed, which is sometimes very difficult for the card holder to detect.

2996 posts

Uber Geek

Lifetime subscriber

  # 1304635 13-May-2015 16:31

mdf: Internet banking is no less safe than any other form of "physically not present" banking transaction (e.g. EFTPOS card, phone banking, cheques). In some cases, it is actually much more safe.


Agreed... Banks are *much* more concerned about fraud done by bank employees than by third parties. That is where the big risk is.


235 posts

Master Geek


  # 1304681 13-May-2015 17:29

johnr: and don't fall for emails saying ' click here to reset your banking password '


I always do, if it is an American bank I tell them my login is JohnDillinger and if an Australian bank I tell them NedKelly.




Obsequious hypocrite

22591 posts

Uber Geek

Trusted
Subscriber

  # 1304710 13-May-2015 17:59
One person supports this post

Except those links are also good places to put any zero day exploits they know about as well. So no, clicking them and putting BS details isn't a good idea.




Richard rich.ms

1149 posts

Uber Geek


  # 1304919 14-May-2015 09:31

.... Here are some tips that I like to share with you:...

 

  • Make a strong password with special characters
  • Change password after some time period
  • Don't share your password


 

Well, online banking only starts at your fingertips. Transaction is undertaking a long journey.

 

How confident are you that what you plug into your laptop does not have exploits already? - e.g. USB flash card, USB cooler pad, external hard drive, web cam, etc.

 

It is behind the firewall already, and any of your anti-whatever tools treats that with less scrutiny, if it looks at it at all ....

Your smart phone has few free apps you've downloaded – how confident are you that the only reason they are free is that the fishing has already started and you are on the hook? You don’t have access to the source code, right?

 

What you are suggesting about password is like "when start your car - make sure you've fastened your seat belt and you'll be safe".

Yeah right, you can't see what is happening around the corner or inside the gearbox or perhaps there is a nail already in the tyre or the road conditions along your journey are about to get nasty or the airbag is one of those dodgy ones which can explode and kill.

Do not be naive in thinking a password is your solution. It is no safer than using your seatbelt if I may use that analogy.

 

Password is like the tie on the hotel room door – it is the polite message for honest people – “do not disturb, please”

 

100% to avoid a car accident is not to drive the car at all.

 

100% to avoid money being stolen (when you have enough for crooks to be bothered) is to not use online banking.
