Geekzone: technology news, blogs, forums




2848 posts | Uber Geek | +1 received by user: 79
Topic # 223974 26-Oct-2017 19:20

This came up recently as I signed up for a Visa debit with BNZ for Apple Pay.
Their internet banking requires you to use a "NetGuard" card, which is credit card sized and has a matrix on it (a1 = X, a2 = Y, etc.). Personally I think this is a relic and needs to go away.

But it got me thinking, what are other banks doing in NZ?

I know Kiwibank use security questions (arguably not 'true' 2FA) and Rabobank I think use an RSA token (or similar). What else is out there?

I contacted BNZ about it and they said they didn't have any plans to implement a soft-token, which to me is a bit short-sighted.

571 posts | Ultimate Geek | +1 received by user: 216
Reply # 1890949 26-Oct-2017 19:28

ASB has 'netcode' which is where they text you a code.

412 posts | Ultimate Geek | +1 received by user: 77
Reply # 1890951 26-Oct-2017 19:28

My main bank provides:

1. RSA token
2. SMS authentication
3. Looking to provide Google/MS authentication app support

Obviously, there are quite a few issues with the latter two, but overall encouraging some form of 2FA is a net positive.

All of the banks I've dealt with still have rather antiquated & inconsistent password policies, which is a fundamental issue that needs to be addressed.

13445 posts | Uber Geek | +1 received by user: 1616
Reply # 1890952 26-Oct-2017 19:30

TSB texts you a code, and you reply with the code, plus the one on the screen. They also have a token thing that changes based on time, similar to Google's Authenticator.

ANZ also texts. Kiwibank seems a bit dated these days compared to others. BNZ's with the matrix is OK, but doesn't seem as secure as Rabobank's, because you need to enter a PIN to use Rabo's. Whereas with a matrix you don't have that extra level of security, so anyone with the card can use it. Using text also has that extra level of security if you have a PIN on your phone.

377 posts | Ultimate Geek | +1 received by user: 57
Reply # 1890954 26-Oct-2017 19:35

Is a simple SMS text not good enough for you?

412 posts | Ultimate Geek | +1 received by user: 77
Reply # 1890961 26-Oct-2017 19:48
One person supports this post

Starscream122: Is a simple SMS text not good enough for you?

It depends upon the level of security you're seeking.

The SS7 protocol being completely vulnerable, and local apps reading the SMS message stack, are just two key areas of concern, especially if you're also using the banking app on your smartphone.

Most people will probably accept that risk though.

I personally wouldn't write Netguard off even if it does seem antiquated.

2848 posts | Uber Geek | +1 received by user: 79
Reply # 1890962 26-Oct-2017 19:51

wsnz:

Starscream122: Is a simple SMS text not good enough for you?

It depends upon the level of security you're seeking.

The SS7 protocol being completely vulnerable, and local apps reading the SMS message stack, are just two key areas of concern, especially if you're also using the banking app on your smartphone.

Most people will probably accept that risk though.

I personally wouldn't write Netguard off even if it does seem antiquated.

I would rather they supported something like the Azure authenticator or Google Authenticator. Something that doesn't require me to carry yet another item is a big plus for me.

With that said, I'm not up to speed on if there are any vulnerabilities with Google/Authy 2FA codes, but it just seems to be becoming a norm in a lot of sites now and works really well.

2074 posts | Uber Geek | +1 received by user: 509
Reply # 1890978 26-Oct-2017 20:07

Kiwibank has the KeepSafe thing, but if you use the mobile banking web site you can bypass it.

3784 posts | Uber Geek | +1 received by user: 592 | Trusted | Subscriber
Reply # 1890980 26-Oct-2017 20:10

I don't have any major objections to Netguard, but they should issue replacement cards more frequently because I have had mine for at least a couple of years and if malware were snooping on your system then it would eventually be able to assemble the entire contents of your Netguard card.

I also have a Rabodirect account and find their toggle device really good.

SMS doesn't seem like a good idea as it is a very old technology that probably won't be around for much longer, but Google Authenticator seems like a more modern way of achieving the same thing.

412 posts | Ultimate Geek | +1 received by user: 77
Reply # 1890984 26-Oct-2017 20:16

Aaroona: I would rather they supported something like the Azure authenticator or Google Authenticator. Something that doesn't require me to carry yet another item is a big plus for me.

With that said, I'm not up to speed on if there are any vulnerabilities with Google/Authy 2FA codes, but it just seems to be becoming a norm in a lot of sites now and works really well.

The big issue with the authentication apps, which are Time-based One-Time Password (TOTP) apps, is that it is relatively easy compared to an RSA token to extract the shared secret between your device and the server to which you're wanting to authenticate. You probably remember entering the shared secret into your app either by scanning a QR code presented on the screen, or manually entering a long string into your phone.

Once an attacker has the shared secret you are a few steps away from being able to generate the TOTP codes for an account on the fly.

There are also server-side vulnerabilities that allow the shared secret to be extracted, but that's a slightly different issue given it's not a direct vulnerability of the device you are using.

10284 posts | Uber Geek | +1 received by user: 3173 | Trusted | Lifetime subscriber
Reply # 1890991 26-Oct-2017 20:22

If you have SMS 2FA, use your fingerprint to log in to the banking app itself and use an encrypted VPN, how safe would you be?

2390 posts | Uber Geek | +1 received by user: 107
Reply # 1891062 26-Oct-2017 23:02

See https://ryan.kurte.nz/doesmybank/ for the state of play.

SMS 2FA hijacking via SS7 does happen, especially in the whole cryptocurrency world.

(Plus you can go into any carrier store and SE the staff into porting someone else's number to your SIM.)

Ideally for 2FA it should be TOTP or FIDO U2F now. (You can use a YubiKey to store the TOTP secrets, where they can't be extracted, and use NFC + Android app or USB + desktop app to get the TOTP codes.)

 

 


2390 posts | Uber Geek | +1 received by user: 107
Reply # 1891064 26-Oct-2017 23:03

Geektastic: If you have SMS 2FA, use your fingerprint to log in to the banking app itself and use an encrypted VPN, how safe would you be?

The latter two don't matter. If an attacker has your bank password and can hijack your SMS/port your number, the latter two don't come into play.

2125 posts | Uber Geek | +1 received by user: 703 | Subscriber
Reply # 1891089 26-Oct-2017 23:55

I like the ASB system as it only sends the SMS if you make a payment or do other major actions, which is a simple means of getting both read-only access and higher-privileged access for payments. I agree that something better than SMS is needed now. (It was good back when everyone had dumb phones, as it was a lot harder for an attacker to get malicious code onto a dumb phone that he doesn't have physical access to.)

Also the banks would be apprehensive about using RSA tokens, considering that RSA previously got hacked and all tokens had to be replaced.

The only way I can think of to provide robust security, even if a user's device has been pwned with a MITM attack, is to have a device like a cheap smartphone, into which the user enters the account number, a one-time code generated by the bank, and the payment amount. The device then hashes those values plus a counter value that increments every time the hash function is run, and displays a different output value for the user to send back to the bank. So if the MITM attack modifies the payment details, the bank would be able to block the transaction, and investigate the attacker's account for fraudulent transactions. Such a device might also need to be designed so it can only be updated by physically taking it into a bank branch.
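The device described in this reply is a transaction authoriser: the user keys the bank's challenge, the payee and the amount into an offline gadget, and the bank only accepts the payment if the code the user reads back was computed over the same values the bank actually received. The following is an added example, not code from this thread or from any bank, that implements that scheme in Python. It assumes one thing the reply leaves open: the device holds a per-device key shared with the bank (an HMAC rather than a bare hash, since a hash of public values could be recomputed by the malware doing the tampering). The counter, challenge format, lookahead window, payee account numbers and amounts are all constructed for the demonstration.

```python
# Added example (not from the original thread): a what-you-see-is-what-you-sign
# transaction authoriser in the spirit of the device described above. Assumption:
# the device holds a per-device key shared with the bank (a bare hash of public
# values would let the attacker recompute it) plus a monotonically increasing counter.
import hashlib
import hmac
import secrets
import struct

DIGITS = 8


def transaction_code(device_key: bytes, counter: int, challenge: str,
                     payee_account: str, amount_cents: int) -> str:
    """Bind counter, bank challenge, payee and amount into one short response code."""
    fields = [
        struct.pack(">Q", counter),
        challenge.encode(),
        payee_account.encode(),
        struct.pack(">Q", amount_cents),
    ]
    mac = hmac.new(device_key, b"\x1f".join(fields), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % (10 ** DIGITS)).zfill(DIGITS)


class SigningDevice:
    """Offline gadget: the user keys in what is on the bank's screen and reads back a code."""
    def __init__(self, device_key: bytes):
        self.key = device_key
        self.counter = 0

    def respond(self, challenge: str, payee_account: str, amount_cents: int) -> str:
        self.counter += 1            # never reused, so a captured code cannot be replayed
        return transaction_code(self.key, self.counter, challenge, payee_account, amount_cents)


class Bank:
    """Verifies the code against the transaction it actually received from the browser."""
    def __init__(self, device_key: bytes, lookahead: int = 3):
        self.key = device_key
        self.last_counter = 0
        self.lookahead = lookahead   # tolerate a few codes generated but never submitted

    def new_challenge(self) -> str:
        return str(secrets.randbelow(10 ** 8)).zfill(8)

    def authorise(self, challenge: str, payee_account: str, amount_cents: int, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.lookahead):
            expected = transaction_code(self.key, c, challenge, payee_account, amount_cents)
            if hmac.compare_digest(expected, code):
                self.last_counter = c      # advance: the same code will not verify twice
                return True
        return False


def demo() -> dict:
    """Honest payment, a MITM-altered payee, and a replay; returns the bank's verdicts."""
    key = secrets.token_bytes(32)          # constructed: provisioned into the device at enrolment
    device, bank = SigningDevice(key), Bank(key)

    # Honest flow: the browser shows payee/amount, the user keys them into the device.
    ch = bank.new_challenge()
    payee, amount = "12-3456-7890123-00", 15_000   # constructed payee, $150.00
    code = device.respond(ch, payee, amount)
    honest = bank.authorise(ch, payee, amount, code)

    # MITM flow: malware rewrites the payee in the request, but the user signed the real one.
    ch2 = bank.new_challenge()
    code2 = device.respond(ch2, payee, amount)
    tampered = bank.authorise(ch2, "99-9999-9999999-00", amount, code2)

    # Replay: resubmitting the first honest code after it has been consumed.
    replayed = bank.authorise(ch, payee, amount, code)
    return {"honest": honest, "tampered": tampered, "replayed": replayed}


if __name__ == "__main__":
    print(demo())   # {'honest': True, 'tampered': False, 'replayed': False}
```

The tampered case fails not because the bank notices anything odd about the browser but because the payee it received is not the payee the user typed into the device, so no counter in the lookahead window yields the submitted code. Whether the bank then blocks just that payment or escalates to investigating the destination account is policy, not part of the protocol.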






188 posts | Master Geek | +1 received by user: 8
Reply # 1891653 28-Oct-2017 08:08

Best system?

Well it isn't ANZ, that's for sure.

My wife and I have/had an old fashioned joint account with them - we can both separately draw upon it.

Then they insisted on having a cellphone number registered against the account.

But you can only register ONE number - which makes it very difficult for us both to operate the account.

This was one (of the many) reasons we have moved our daily banking elsewhere.

6924 posts | Uber Geek | +1 received by user: 3210 | Moderator | Trusted | Lifetime subscriber
Reply # 1891656 28-Oct-2017 09:00

@jim.cox I work for ANZ so will shed some light on this.

1) It is important for you both to have separate IB accounts - this is possible as with a joint account you both have customer numbers. In this case, you were operating the account through one customer number, which is also a breach of the internet banking terms regarding protecting your password from third parties.
2) If it was a two-to-sign account the IB platform will refuse to allow a transfer through the interface. Furthermore, it is possible for staff to lock down accounts to "view only" mode where you can transfer money in, but not take it out.

In your case you were not using it properly, and if you're still an ANZ customer I advise you to call up their contact centre to get internet banking created for your wife under her own customer number. Once you do this then you have by default a separate Online Code mobile number.

Edit: Further clarification was done via PM. In this case it was wanting to set 2x mobile numbers on a single IB login, which is not possible for security reasons, and what sounds like to be sharing logins.





Michael Murphy | https://murfy.nz