Webhead
2222 posts

Uber Geek
+1 received by user: 768

Moderator
Trusted
Lifetime subscriber

  Reply # 1302386 12-May-2015 00:50
One person supports this post

dafman: 
For your own peace of mind, fair call - however, not required. For eg. Kiwibank don't offer extra token facility (as far as I am aware). Therefore, provided you abide by their terms and conditions in using internet banking, your funds are safe.


Even if you end up not loosing money, having your bank account emptied out and (possibly) no access to funds for a while will be a major inconvenience.

A system where you only use a password will be vulnerable in several ways.

1) Man in the middle. If you are on a network where someone can fake being your site, they will get your login and they are in.
2) Weak passwords. If they can easily guess your password, they are in.
3) Reused password. If they hack another site and find your password, they are in.
4) Phishing. If they trick you to try to log in through their site, they have your password and they are in.

That's not even good enough security for my email, let alone where I keep my money. If a bank is stupid enough to not secure their customers better than that, then what else kind of stupidity are they up to?






637 posts

Ultimate Geek
+1 received by user: 2

Trusted

  Reply # 1302399 12-May-2015 03:00

I've been using internet banking for 15 or so years with no problems. I travel extensively, and am regularly on untrusted networks so I only connect to banking services over a trusted VPN, which has the added bonus of ensuring my banks only see connections coming from a single source address (which, when it changed due to a new tunnel, caused one bank to call me). 

2FA is great, although can be frustrating when SMS delivered and dealing with unreliable/slow SMS while roaming. I prefer real tokens.

I will echo that yes, many banks do still send legitimate emails with links in them. ASB sharetrading and investment certainly does this, and so do others within NZ and elsewhere. It's bad practice for sure.

 

Also +1 to the comment about banks that don't deliver the primary site over TLS; leading to potential MITM attacks. Shocking that this is still happening.

 
 
 
 


1138 posts

Uber Geek
+1 received by user: 256


Reply # 1302438 12-May-2015 08:12

One may be using online banking for years and tell everyone else it is OK.
What they will not tell you is that they have mortgage, hire purchased goods, student loan, you name it. They owe tons of money and their account is constantly in debt.
Point is - they have absolutely nothing to loose. Their passwords have likely been hacked ages ago and their accounts are monitored from time to time to see if they have earned enough to be a target...
Would be interesting to hear something like: they have $10M in their account, check that it is still there regularly via "secure" online banking and it is still there - all those years!

1982 posts

Uber Geek
+1 received by user: 403

Subscriber

  Reply # 1302440 12-May-2015 08:21
3 people support this post

That's two now. Guys, 'lose' and 'loose' are not interchangeable. You lose money not loose money.

2682 posts

Uber Geek
+1 received by user: 1277

Trusted
Subscriber

  Reply # 1302485 12-May-2015 09:21

PenultimateHop:
I will echo that yes, many banks do still send legitimate emails with links in them. ASB sharetrading and investment certainly does this, and so do others within NZ and elsewhere. It's bad practice for sure.


Links to services announcements, or adverts, but banks will NEVER send you an email with a direct link to your internet banking logon or account details.

13873 posts

Uber Geek
+1 received by user: 6631

Trusted
Subscriber

  Reply # 1302489 12-May-2015 09:25

linw: That's two now. Guys, 'lose' and 'loose' are not interchangeable. You lose money not loose money.


This is not an English tuition Forum




Mike
Retired IT Manager. 
The views stated in my posts are my personal views and not that of any other organisation.

 

Using empathy takes no energy and can gain so much. Try it.

 

 


13873 posts

Uber Geek
+1 received by user: 6631

Trusted
Subscriber

  Reply # 1302495 12-May-2015 09:28

I probably had more problems with old school banking and transaction methods, e.g. cheques that never turn up or bounce. ATMs that for no reason take your card and not return it or the incorrect money given or recorded. Bank Tellers making entry mistakes or miscounting.





637 posts

Ultimate Geek
+1 received by user: 2

Trusted

  Reply # 1302499 12-May-2015 09:32

dafman:
PenultimateHop:
I will echo that yes, many banks do still send legitimate emails with links in them. ASB sharetrading and investment certainly does this, and so do others within NZ and elsewhere. It's bad practice for sure.


Links to services announcements, or adverts, but banks will NEVER send you an email with a direct link to your internet banking logon or account details.

The former encourages bad habits for the latter by the consumer. Why is one link worse to click on than another?

And while I don't doubt your global authority on what banks will NEVER do, I can assure you several of my non-NZ banks have done precisely what you say NEVER happens, and I am fairly sure at least one NZ (or possibly Australian) bank has done it too in the past.

508 posts

Ultimate Geek
+1 received by user: 276


  Reply # 1302621 12-May-2015 11:13
2 people support this post

RUKI: One may be using online banking for years and tell everyone else it is OK.
What they will not tell you is that they have mortgage, hire purchased goods, student loan, you name it. They owe tons of money and their account is constantly in debt.
Point is - they have absolutely nothing to loose. Their passwords have likely been hacked ages ago and their accounts are monitored from time to time to see if they have earned enough to be a target...
Would be interesting to hear something like: they have $10M in their account, check that it is still there regularly via "secure" online banking and it is still there - all those years!



That's a pretty ignorant comment.

I have a mortgage, HP etc...and our accounts usually have several thousand dollars 'credit' as we pay our bills once per month. We have plenty to lose if someone hacked our account.

Whether it's $10K or $10M it matters to the people whose money it is.





mdf

2191 posts

Uber Geek
+1 received by user: 671

Trusted
Subscriber

  Reply # 1302676 12-May-2015 12:30
One person supports this post

Internet banking is no less safe than any other form of "physically not present" banking transaction (e.g. EFTPOS card, phone banking, cheques). In some cases, it is actually much more safe.

That said, this isn't actually very safe at all from a technical and legal perspective. Practically, you're probably fine, but given it's Geekzone, let's go for the nitty gritty perspective.

Take a simple everyday account that has $1,000 in it. The bank is in debt to you for $1,000. In order for the bank to do anything with your money, it requires your instruction (your "mandate"). So to withdraw $100, you have to provide a mandate to the bank to exchange $100 cash for a reduction in the debt to $900.

Your banking terms and conditions will always include the following (see parts 6-8 of the Code of Banking Practice):

(1)  the bank is entitled to assume that you have provided a mandate in a wide variety of situations, including by way of card plus PIN, or internet banking log on and password (and in some cases, a second factor authentication)
(2) you are obliged to pick a good PIN, password etc., keep it secret, and make sure your computer/virus software is up to date etc.

From the banks' perspective, any transaction authorised by your card plus PIN, or internet banking log on and password is either:

(a) made by you (i.e. you've provided the bank mandate)
(b) made by someone else using your PIN and password (i.e. no mandate, so the bank isn't actually entitled to debit your account)

There are two ways (b) can occur:

First, you've told someone else your PIN and password - but the only way for that to happen is if you have breached your obligations under (2) above - e.g. you've told someone, not been careful enough when entering your PIN and been shoulder surfed, clicked on a phishing link etc.

Second, the bank's told someone else your PIN and password. But no, that can't be, because the banks use "secure" systems.

So from the bank's perspective, either you've authorised a transaction or you've been negligent/breached your terms and conditions by not picking a good password or not keeping it secret. So the bank doesn't have to pay you squat. Unless you're a good customer in which case they might make an ex gratia payment. I'm not making this up.

But what are the "secure" systems the bank actually uses? No-one really knows the detail of the back ends ("security reasons"), but you often see reference to things like "secure 256-bit encryption" and "check for the padlock on your browser". This is actually SSH, which uses asymmetric/public key cryptography. SSH is very good at a couple of things:

- knowing that the person on the other end of the internet connection is who they say they are (i.e. the website you are entering your private details into is actually the bank)
- keeping communications secure in transit (though for speed reasons, this is usually downgraded to shared key cryptography once the initial session has been initiated)

SSH does *nothing* to ensure that you are who you say you are. This is just a log on and password.

As for ATMs and PINs, the security is awful

But as I said at the outset, so long as you're careful you're probably fine. And if you do get stung with an unauthorised transaction, raise merry hell until the bank agrees to pay out.

--//--

Letters, numbers and bullets. All in one post. That has to be a bad thing.

1244 posts

Uber Geek
+1 received by user: 530


  Reply # 1304621 13-May-2015 15:59

mdf: (1)  the bank is entitled to assume that you have provided a mandate in a wide variety of situations, including by way of card plus PIN, or internet banking log on and password (and in some cases, a second factor authentication)
(2) you are obliged to pick a good PIN, password etc., keep it secret, and make sure your computer/virus software is up to date etc.

From the banks' perspective, any transaction authorised by your card plus PIN, or internet banking log on and password is either:

(a) made by you (i.e. you've provided the bank mandate)
(b) made by someone else using your PIN and password (i.e. no mandate, so the bank isn't actually entitled to debit your account)

There are two ways (b) can occur:

First, you've told someone else your PIN and password - but the only way for that to happen is if you have breached your obligations under (2) above - e.g. you've told someone, not been careful enough when entering your PIN and been shoulder surfed, clicked on a phishing link etc.

Second, the bank's told someone else your PIN and password. But no, that can't be, because the banks use "secure" systems.

Or your card was skimmed, which is sometimes very difficult for the card holder to detect.

2706 posts

Uber Geek
+1 received by user: 1307

Lifetime subscriber

  Reply # 1304635 13-May-2015 16:31

mdf: Internet banking is no less safe than any other form of "physically not present" banking transaction (e.g. EFTPOS card, phone banking, cheques). In some cases, it is actually much more safe.


Agreed... Banks are *much* more concerned about fraud done by bank employees than by third parties. That is where the big risk is.


218 posts

Master Geek
+1 received by user: 35


  Reply # 1304681 13-May-2015 17:29

johnr: and don't fall for emails saying ' click here to reset your banking password '


I always do, if it is an American bank I tell them my login is JohnDillinger and if an Australian bank I tell them NedKelly.




Obsequious hypocrite

21983 posts

Uber Geek
+1 received by user: 4645

Trusted
Subscriber

  Reply # 1304710 13-May-2015 17:59
One person supports this post

Except those links are also good places to put any zero day exploits they know about as well. So no, clicking them and putting BS details isn't a good idea.




Richard rich.ms

1138 posts

Uber Geek
+1 received by user: 256


  Reply # 1304919 14-May-2015 09:31

.... Here are some tips that I like to share with you:...

 

  • Make a strong password with special characters
  • Change password after some time period
  • Don't share your password


 

Well, online banking only starts at your fingertips. Transaction is undertaking a long journey.

 

How confident are you that what you plug in your laptop does not have exploits already? - e.g. USB flash card, USB cooler pad, external hard drive, web cam, etc.

 

It is behind firewall already and any of your anti-whatever tool treats that with less scrutiny if looks at it at all ....

Your smart phone has few free apps you've downloaded – how confident are you that the only reason they are free is that the fishing has already started and you are on the hook? You don’t have access to the source code, right?

 

What you are suggesting about password is like "when start your car - make sure you've fastened your seat belt and you'll be safe".

Yeah right, you can't see what is happening around the corner or inside the gearbox or perhaps there is a nail already in the tyre or the road conditions along your journey are about to get nasty or the airbag is one of those dodgy ones which can explode and kill.

Do not be naive of thinking password is your solution. It is no safer than using your seatbelt if I may use that analogy.

 

Password is like the tie on the hotel room door – it is the polite message for honest people – “do not disturb, please”

 

100% to avoid a car accident is not to drive the car at all.

 

100% to avoid money being stolen (when you have enough for crooks to be bothered) is to not use online banking.
