Geekzone: technology news, blogs, forums
Topic # 223974 26-Oct-2017 19:20
This came up recently as I signed up for a Visa debit with BNZ for Apple Pay.
Their internet banking requires you to use a "NetGuard" card which is credit card sized and has a matrix on it (a1 = X, a2 = Y, etc.). Personally I think this is a relic and needs to go away.

But it got me thinking, what are other banks doing in NZ?

I know Kiwibank use security questions (arguably not 'true' 2FA) and Rabobank I think use an RSA token (or similar)... What else is out there?

I contacted BNZ about it and they said they didn't have any plans to implement a soft-token, which to me is a bit short-sighted.






  Reply # 1890949 26-Oct-2017 19:28

ASB has 'netcode' which is where they text you a code.








  Reply # 1890951 26-Oct-2017 19:28

My main bank provides:

1. RSA token
2. SMS authentication
3. Looking to provide Google/MS authentication app support

Obviously, there are quite a few issues with the latter two, but overall encouraging some form of 2FA is a net positive.

All of the banks I've dealt with still have rather antiquated & inconsistent password policies, which is a fundamental issue that needs to be addressed.

 

 


  Reply # 1890952 26-Oct-2017 19:30

TSB txts you a code, and you reply with the code, plus the one on the screen. They also have a token thing that changes based on time, similar to Google's authenticator.

ANZ also txts. Kiwibank's seems a bit dated these days compared to others. BNZ's with the matrix is OK, but doesn't seem as secure as Rabobank's, because you need to enter a PIN to use Rabo's. Whereas with a matrix, you don't have that extra level of security, so anyone with the card can use it. Using txt also has that extra level of security if you have a PIN on your phone.



  Reply # 1890954 26-Oct-2017 19:35

Is a simple SMS text not good enough for you?


  Reply # 1890961 26-Oct-2017 19:48

Starscream122:

Is a simple SMS text not good enough for you?

It depends upon the level of security you're seeking.

The SS7 protocol being completely vulnerable, and local apps reading the SMS message stack, are just two key areas of concern, especially if you're also using the banking app on your smartphone.

Most people will probably accept that risk though.

I personally wouldn't write Netguard off even if it does seem antiquated.




  Reply # 1890962 26-Oct-2017 19:51

wsnz:

Starscream122:

Is a simple SMS text not good enough for you?

It depends upon the level of security you're seeking.

The SS7 protocol being completely vulnerable, and local apps reading the SMS message stack, are just two key areas of concern, especially if you're also using the banking app on your smartphone.

Most people will probably accept that risk though.

I personally wouldn't write Netguard off even if it does seem antiquated.

I would rather they supported something like the Azure authenticator or Google Authenticator. Something that doesn't require me to carry yet another item is a big plus for me.

With that said, I'm not up to speed on whether there are any vulnerabilities with Google/Authy 2FA codes, but it just seems to be becoming a norm on a lot of sites now and works really well.






  Reply # 1890978 26-Oct-2017 20:07

Kiwibank has the KeepSafe thing, but if you use the mobile banking web site you can bypass it.


  Reply # 1890980 26-Oct-2017 20:10

I don't have any major objections to Netguard, but they should issue replacement cards more frequently because I have had mine for at least a couple of years and if malware were snooping on your system then it would eventually be able to assemble the entire contents of your Netguard card.

 

I also have a Rabodirect account and find their toggle device really good.

 

SMS doesn't seem like a good idea as it is a very old technology that probably won't be around for much longer, but Google Authenticator seems like a more modern way of achieving the same thing. 


  Reply # 1890984 26-Oct-2017 20:16

Aaroona:

I would rather they supported something like the Azure authenticator or Google Authenticator. Something that doesn't require me to carry yet another item is a big plus for me.

With that said, I'm not up to speed on whether there are any vulnerabilities with Google/Authy 2FA codes, but it just seems to be becoming a norm on a lot of sites now and works really well.

The big issue with the authentication apps, which are Time-based One-Time Password (TOTP) apps, is that it is relatively easy compared to an RSA token to extract the shared secret between your device and the server to which you want to authenticate. You probably remember entering the shared secret into your app either by scanning a QR code presented on the screen, or manually entering a long string into your phone.

Once an attacker has the shared secret you are a few steps away from being able to generate the TOTP codes for an account on the fly.

There are also server-side vulnerabilities that allow the shared secret to be extracted, but that's a slightly different issue given it's not a direct vulnerability of the device you are using.

 

 


  Reply # 1890991 26-Oct-2017 20:22

If you have SMS 2FA, use your fingerprint to log in to the banking app itself and use an encrypted VPN, how safe would you be?





  Reply # 1891062 26-Oct-2017 23:02

See https://ryan.kurte.nz/doesmybank/ for the state of play.

SMS 2FA hijacking via SS7 does happen, especially in the whole cryptocurrency world.

(Plus you can go into any carrier store and SE the staff into porting someone else's number to your SIM.)

Ideally for 2FA it should be TOTP or FIDO U2F now. (You can use a YubiKey to store the TOTP secrets, where they can't be extracted, and use NFC + Android app or USB + desktop app to get the TOTP codes.)

 

 


  Reply # 1891064 26-Oct-2017 23:03

Geektastic: If you have SMS 2FA, use your fingerprint to log in to the banking app itself and use an encrypted VPN, how safe would you be?

 

 

The latter two don't matter. If an attacker has your bank password and can hijack your SMS/Port your number, the latter two don't come into play.

 


  Reply # 1891089 26-Oct-2017 23:55

I like the ASB system as it only sends the SMS if you make a payment or do other major actions, which is a simple means of getting both read-only access and higher privileged access for payments. I agree that something better than SMS is needed now. (Good back when everyone had dumb phones, as it's a lot harder for an attacker to get malicious code onto a dumb phone that he doesn't have physical access to.)

Also, the banks would be apprehensive about using RSA tokens, considering that RSA previously got hacked and all tokens had to be replaced.

The only way I can think of to provide robust security, even if a user's device has been pwned with a MITM attack, is to have a device like a cheap smartphone, into which the user enters the account number, a one-time code generated by the bank, and the payment amount. The device then hashes those values plus a counter value that increments every time the hash function is run, and displays a different output value for the user to send back to the bank. So if the MITM attack modifies the payment details, the bank would be able to block the transaction and investigate the attacker's account for fraudulent transactions. Such a device might also need to be designed so it can only be updated by physically taking it into a bank branch.
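The signing device sketched in the post above, as an added example (not code from the thread): the device computes an HMAC over the payee account, the bank's challenge, the amount and a forward-only counter, and the bank recomputes it over the payment it actually received, so a payment altered in the browser fails the check. HMAC-SHA256 stands in for the post's "hashes"; the device key, challenge values and account numbers are constructed placeholders.

```python
import hashlib
import hmac

# Constructed per-customer key, loaded into the device when the bank issues it
# (the post's cheap-smartphone signer); it never travels over the network.
DEVICE_KEY = b"constructed-device-key-do-not-reuse"


def transaction_mac(key, account, challenge, amount_cents, counter, digits=8):
    """HMAC-SHA256 over payee account, bank challenge, amount and counter,
    reduced to a short decimal code the user can type back into the browser."""
    msg = f"{account}|{challenge}|{amount_cents}|{counter}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


class Device:
    def __init__(self, key):
        self.key, self.counter = key, 0  # counter only ever moves forward

    def sign(self, account, challenge, amount_cents):
        # The user keys in the details they intend; malware in the browser cannot change them.
        self.counter += 1
        return transaction_mac(self.key, account, challenge, amount_cents, self.counter)


class BankVerifier:
    """Bank side: recomputes the MAC over the payment it actually received."""
    def __init__(self, key, counter_window=5):
        self.key, self.last_counter, self.window = key, 0, counter_window

    def verify(self, account, challenge, amount_cents, code):
        # Try a few counters ahead (the user may have generated unused codes),
        # never one already accepted, so a captured code cannot be replayed.
        for c in range(self.last_counter + 1, self.last_counter + self.window + 1):
            expected = transaction_mac(self.key, account, challenge, amount_cents, c)
            if hmac.compare_digest(expected, code):
                self.last_counter = c
                return True
        return False  # details altered in transit, replayed code, or wrong key


def demo():
    """Returns (honest payment accepted, browser-tampered payment rejected)."""
    device, bank = Device(DEVICE_KEY), BankVerifier(DEVICE_KEY)
    code = device.sign("12-3456-7890123-00", "48213907", 25_000)  # constructed values
    honest = bank.verify("12-3456-7890123-00", "48213907", 25_000, code)
    code = device.sign("12-3456-7890123-00", "77110042", 25_000)
    # A MITM in the browser swaps the payee but cannot recompute the code.
    tampered = bank.verify("99-9999-9999999-00", "77110042", 25_000, code)
    return honest, tampered
```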






  Reply # 1891653 28-Oct-2017 08:08

 

 

Best system?

Well it isn't ANZ, that's for sure.

My wife and I have/had an old-fashioned joint account with them - we can both separately draw upon it.

Then they insisted on having a cellphone number registered against the account.

But you can only register ONE number - which makes it very difficult for us both to operate the account.

This was one (of the many) reasons we have moved our daily banking elsewhere.

 

 

 

 


  Reply # 1891656 28-Oct-2017 09:00

@jim.cox I work for ANZ so will shed some light on this.

1) It is important for you both to have separate IB accounts - this is possible as with a joint account you both have customer numbers. In this case, you were operating the account through one customer number, which is also a breach of the internet banking terms regarding protecting your password from third parties.
2) If it was a two-to-sign account the IB platform will refuse to allow a transfer through the interface. Furthermore, it is possible for staff to lock down accounts to "view only" mode where you can transfer money in, but not take it out.

In your case you were not using it properly, and if you're still an ANZ customer I advise you to call up their contact centre to get internet banking created for your wife under her own customer number. Once you do this then you have by default a separate Online Code mobile number.

Edit: Further clarification was done via PM. In this case it was wanting to set 2x mobile numbers on a single IB login, which is not possible for security reasons, and what sounds like sharing logins.




