Topic # 223974 26-Oct-2017 19:20
This came up recently as I signed up for a Visa debit with BNZ for Apple Pay.
Their internet banking requires you to use a "NetGuard" card which is credit card sized and has a matrix on it (a1 = X, a2 = Y, etc.). Personally I think this is a relic and needs to go away.

But it got me thinking, what are other banks doing in NZ?

I know Kiwibank use security questions (arguably not 'true' 2FA) and Rabobank I think use an RSA token (or similar). What else is out there?

I contacted BNZ about it and they said they didn't have any plans to implement a soft-token, which to me is a bit short-sighted.
  Reply # 1890949 26-Oct-2017 19:28

ASB has 'netcode' which is where they text you a code.

  Reply # 1890951 26-Oct-2017 19:28

My main bank provides:

1. RSA token
2. SMS authentication
3. Looking to provide Google/MS authentication app support

Obviously, there are quite a few issues with the latter two, but overall encouraging some form of 2FA is a net positive.

All of the banks I’ve dealt with still have rather antiquated & inconsistent password policies, which is a fundamental issue that needs to be addressed.

  Reply # 1890952 26-Oct-2017 19:30

TSB txts you a code, and you reply with the code, plus the one on the screen. They also have a token thing that changes based on time, similar to Google's authenticator.

ANZ also txts. Kiwibank's seems a bit dated these days compared to others. BNZ's with the matrix is ok, but doesn't seem as secure as Rabobank's, because you need to enter a PIN to use Rabo's. Whereas with a matrix, you don't have that extra level of security, so anyone with the card can use it. Using txt also has that extra level of security if you have a PIN on your phone.

  Reply # 1890954 26-Oct-2017 19:35

Is a simple SMS text not good enough for you?

  Reply # 1890961 26-Oct-2017 19:48

Starscream122: Is a simple SMS text not good enough for you?

It depends upon the level of security you're seeking.

The SS7 protocol being completely vulnerable, and local apps reading the SMS message stack, are just two key areas of concern, especially if you're also using the banking app on your smartphone.

Most people will probably accept that risk though.

I personally wouldn't write Netguard off even if it does seem antiquated.

  Reply # 1890962 26-Oct-2017 19:51

wsnz:
Starscream122: Is a simple SMS text not good enough for you?
It depends upon the level of security you're seeking. The SS7 protocol being completely vulnerable, and local apps reading the SMS message stack, are just two key areas of concern, especially if you're also using the banking app on your smartphone. Most people will probably accept that risk though. I personally wouldn't write Netguard off even if it does seem antiquated.

I would rather they supported something like the Azure authenticator or Google authenticator. Something that doesn't require me to carry yet another item is a big plus for me.

With that said, I'm not up to speed on whether there are any vulnerabilities with Google/Authy 2FA codes, but it just seems to be becoming a norm on a lot of sites now and works really well.

  Reply # 1890978 26-Oct-2017 20:07

Kiwibank has the KeepSafe thing, but if you use the mobile banking website you can bypass it.

  Reply # 1890980 26-Oct-2017 20:10

I don't have any major objections to Netguard, but they should issue replacement cards more frequently because I have had mine for at least a couple of years, and if malware were snooping on your system then it would eventually be able to assemble the entire contents of your Netguard card.

I also have a Rabodirect account and find their toggle device really good.

SMS doesn't seem like a good idea as it is a very old technology that probably won't be around for much longer, but Google Authenticator seems like a more modern way of achieving the same thing.
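
The exposure described in the post above (malware assembling the card over time), as an added simulation that is not part of the original post and is not BNZ's real NetGuard mechanics: the grid size (7 columns by 7 rows), three cells per challenge and the cell alphabet are assumptions made here for illustration. It also shows the sharper point that the attacker does not need the whole card: a partial copy answers most fresh challenges long before it is complete.

```python
"""Simulation (added example) of what screen/keystroke-logging malware learns
about a matrix ("NetGuard-style") card over repeated logins.
Assumed: 7x7 grid, 3 cells asked per login, one alphanumeric character per cell."""
import random
import string

COLS = "ABCDEFG"          # assumed column labels
ROWS = range(1, 8)        # assumed row labels
CELLS_PER_CHALLENGE = 3   # assumed number of cells asked for per login
ALPHABET = string.ascii_uppercase + string.digits


def all_cells():
    return [(c, r) for c in COLS for r in ROWS]


def make_card(rng):
    """Issue a fresh card: an independent random value in every cell."""
    return {cell: rng.choice(ALPHABET) for cell in all_cells()}


def pick_challenge(rng):
    """The bank asks for a few distinct cells, e.g. [('B', 4), ('F', 1), ('A', 7)]."""
    return rng.sample(all_cells(), CELLS_PER_CHALLENGE)


def observe_logins(card, rng, logins):
    """Malware watching `logins` legitimate logins sees the challenged
    coordinates on screen and the values the user types, so it learns
    exactly those cells.  Returns the attacker's partial copy of the card."""
    learned = {}
    for _ in range(logins):
        for cell in pick_challenge(rng):
            learned[cell] = card[cell]
    return learned


def logins_until_full_card(seed: int) -> int:
    """How many observed logins until the attacker holds every cell (the
    "assemble the entire contents" case).  Coupon-collector behaviour:
    typically well under a hundred logins for the assumed sizes."""
    rng = random.Random(seed)
    card = make_card(rng)
    learned, logins = {}, 0
    while len(learned) < len(card):
        logins += 1
        learned.update(observe_logins(card, rng, 1))
    return logins


def answer_rate_after(logins: int, seed: int, trials: int = 2000) -> float:
    """Fraction of *fresh* challenges the attacker can already answer after
    observing `logins` logins.  A partial copy is enough most of the time
    long before the card is fully known."""
    rng = random.Random(seed)
    card = make_card(rng)
    learned = observe_logins(card, rng, logins)
    hits = sum(all(cell in learned for cell in pick_challenge(rng)) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("logins until whole card known:", logins_until_full_card(2017))
    for n in (10, 20, 40, 80):
        print(f"after {n} observed logins the attacker answers "
              f"{answer_rate_after(n, 2017):.0%} of fresh challenges")
```

The numbers depend on the assumed grid and challenge sizes, but the shape does not: reissuing the card (or limiting its life to a number of logins) is what bounds the attacker's coverage, and a PIN on the token, as the Rabobank device has, is what stops a copied card from being usable at all.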

  Reply # 1890984 26-Oct-2017 20:16

Aaroona:
I would rather they supported something like the Azure authenticator or Google authenticator. Something that doesn't require me to carry yet another item is a big plus for me. With that said, I'm not up to speed on whether there are any vulnerabilities with Google/Authy 2FA codes, but it just seems to be becoming a norm on a lot of sites now and works really well.

The big issue with the authentication apps, which are Time-based One-Time Password (TOTP) apps, is that it is relatively easy, compared to an RSA token, to extract the shared secret between your device and the server to which you're wanting to authenticate. You probably remember entering the shared secret into your app either by scanning a QR code presented on the screen, or manually entering a long string into your phone.

Once an attacker has the shared secret you are a few steps away from being able to generate the TOTP codes for an account on the fly.

There are also server-side vulnerabilities that allow the shared secret to be extracted, but that's a slightly different issue given it's not a direct vulnerability of the device you are using.
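
A worked illustration of the point above, added here and not part of the original post: a standard RFC 4226/6238 implementation (HMAC-SHA1 with dynamic truncation) plus a parser for the otpauth:// URI that the enrolment QR code encodes. The issuer, account name and URI are constructed; the secret is the RFC 6238 test key, so the codes can be checked against the RFC's published vectors. Anyone holding that secret, however it leaked (a screenshot of the QR code, an app backup, a server-side dump), computes the same codes as the phone.

```python
"""Added example: TOTP codes follow directly from the enrolment secret.
Secret used below is the RFC 6238 test key; the otpauth URI is constructed."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def secret_from_otpauth(uri: str) -> bytes:
    """Pull the shared secret out of the otpauth:// URI the QR code encodes.
    The QR image, an authenticator backup, or a server-side copy of this
    value is all an attacker needs; nothing about the phone is involved."""
    params = parse_qs(urlparse(uri).query)
    b32 = params["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)          # tolerate the unpadded form apps emit
    return base64.b32decode(b32)


# Constructed enrolment URI (hypothetical issuer and account; secret = RFC 6238 test key).
ENROLMENT_URI = ("otpauth://totp/ExampleBank:alice%40example.nz"
                 "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank&digits=6&period=30")


def clone_demo(unix_time: int = 1509004800):
    """The user's app and an attacker who copied the secret, at the same
    instant: identical codes, so the code no longer proves possession of
    the phone.  Returns (user_code, attacker_code)."""
    user_secret = secret_from_otpauth(ENROLMENT_URI)        # scanned at enrolment
    attacker_secret = secret_from_otpauth(ENROLMENT_URI)    # copied QR / app backup
    return totp(user_secret, unix_time), totp(attacker_secret, unix_time)


if __name__ == "__main__":
    user, attacker = clone_demo()
    print("user's app :", user)
    print("attacker   :", attacker, "(same secret, same code)")
```

This is the contrast with a hardware token or a YubiKey holding the secret: the algorithm is identical, but the secret never exists anywhere a screenshot or a file copy can reach.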

  Reply # 1890991 26-Oct-2017 20:22

If you have SMS 2FA, use your fingerprint to log in to the banking app itself and use an encrypted VPN, how safe would you be?

  Reply # 1891062 26-Oct-2017 23:02

See https://ryan.kurte.nz/doesmybank/ for the state of play.

SMS 2FA hijacking via SS7 does happen, especially in the whole cryptocurrency world.

(Plus you can go into any carrier store and social-engineer the staff into porting someone else's number to your SIM.)

Ideally for 2FA it should be TOTP or FIDO U2F now. (You can use a YubiKey to store the TOTP secrets, where they can't be extracted, and use NFC + Android app or USB + desktop app to get the TOTP codes.)

  Reply # 1891064 26-Oct-2017 23:03

Geektastic: If you have SMS 2FA, use your fingerprint to log in to the banking app itself and use an encrypted VPN, how safe would you be?

The latter two don't matter. If an attacker has your bank password and can hijack your SMS/port your number, the latter two don't come into play.

  Reply # 1891089 26-Oct-2017 23:55

I like the ASB system as it only sends the SMS if you make a payment or do other major actions, which is a simple means of getting both read-only access and higher-privileged access for payments. I agree that something better than SMS is needed now. (Good back when everyone had dumb phones, as it was a lot harder for an attacker to get malicious code onto a dumb phone that he doesn't have physical access to.)

Also the banks would be apprehensive about using RSA tokens, considering that RSA previously got hacked and all tokens had to be replaced.

The only way I can think of to provide robust security, even if a user's device has been pwned with a MITM attack, is to have a device like a cheap smartphone into which the user enters the account number, a one-time code generated by the bank, and the payment amount. The device then hashes those values plus a counter value that increments every time the hash function is run, and displays a different output value for the user to send back to the bank. So if the MITM attack modifies the payment details, the bank would be able to block the transaction and investigate the attacker's account for fraudulent transactions. Such a device might also need to be designed so it can only be updated by physically taking it into a bank branch.
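
The device the post above sketches, as an added example that is not part of the original post: an offline signer binds a response to the payee account, the bank's one-time code, the amount and a monotonic counter, and the bank verifies the response against the details it actually received. One deliberate change from the sketch: the device uses a keyed MAC (HMAC-SHA256 with a per-device key the bank provisions at issue) rather than a plain hash, since a MITM who sees the bank's code could recompute an unkeyed hash over the altered details. The key, account numbers and amounts are constructed.

```python
"""Added example: transaction signing with an offline device and a counter.
Uses HMAC with a per-device key (an addition to the post's plain-hash sketch)."""
import hashlib
import hmac
import random

# Constructed per-device key; in practice provisioned by the bank into the device
# at issue and never present on the (possibly compromised) PC.
DEVICE_KEY = bytes.fromhex("3f1c9a6b7d2e4c58a0b1c2d3e4f50617283940aabbccddeeff00112233445566")


def response_mac(key: bytes, account: str, bank_code: str, amount_cents: int, counter: int) -> str:
    """8-digit response bound to the payment details and the device counter."""
    msg = f"{account}|{bank_code}|{amount_cents}|{counter}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** 8).zfill(8)


class SigningDevice:
    """Offline token.  The counter only moves forward, so no response is ever reused."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def sign(self, account: str, bank_code: str, amount_cents: int) -> str:
        self.counter += 1
        return response_mac(self.key, account, bank_code, amount_cents, self.counter)


class Bank:
    """Server side: issues a one-time code per payment, then checks the response
    against the details *it* received.  A small counter window allows for codes
    the user generated but never submitted (e.g. a MITM swallowed the request)."""
    WINDOW = 10

    def __init__(self, key: bytes):
        self.key, self.last_counter, self.pending_code = key, 0, None

    def issue_code(self, rng: random.Random) -> str:
        self.pending_code = f"{rng.randrange(10 ** 6):06d}"
        return self.pending_code

    def verify_payment(self, account: str, amount_cents: int, response: str) -> bool:
        if self.pending_code is None:
            return False
        for counter in range(self.last_counter + 1, self.last_counter + 1 + self.WINDOW):
            expected = response_mac(self.key, account, self.pending_code, amount_cents, counter)
            if hmac.compare_digest(expected, response):
                self.last_counter, self.pending_code = counter, None   # consume code and counter
                return True
        return False


def run_scenario(seed: int = 2017) -> dict:
    """Legitimate payment; a MITM rewriting payee and amount in transit; a replay."""
    rng = random.Random(seed)
    bank, device = Bank(DEVICE_KEY), SigningDevice(DEVICE_KEY)
    payee, amount = "12-3456-7890123-00", 15_000          # $150.00, constructed

    code = bank.issue_code(rng)
    legit_resp = device.sign(payee, code, amount)
    legit = bank.verify_payment(payee, amount, legit_resp)

    code = bank.issue_code(rng)
    resp = device.sign(payee, code, amount)                # user signs what they typed
    tampered = bank.verify_payment("99-9999-9999999-00", 900_000, resp)   # MITM-altered

    bank.issue_code(rng)
    replay = bank.verify_payment(payee, amount, legit_resp)  # old response, new code
    return {"legit": legit, "tampered": tampered, "replay": replay}


if __name__ == "__main__":
    print(run_scenario())   # expect legit True, tampered False, replay False
```

The property worth noting is that the PC is untrusted throughout: it only carries the bank's code to the user and the user's response back, and neither can be reused or rebound to different payment details.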

  Reply # 1891653 28-Oct-2017 08:08

Best system?

Well, it isn't ANZ, that's for sure.

My wife and I have/had an old fashioned joint account with them - we can both separately draw upon it.

Then they insisted on having a cellphone number registered against the account.

But you can only register ONE number - which makes it very difficult for us both to operate the account.

This was one (of the many) reasons we have moved our daily banking elsewhere.

  Reply # 1891656 28-Oct-2017 09:00

@jim.cox I work for ANZ so will shed some light on this.

1) It is important for you both to have separate IB accounts - this is possible as with a joint account you both have customer numbers. In this case, you were operating the account through one customer number, which is also a breach of the internet banking terms regarding protecting your password from third parties.
2) If it was a two-to-sign account, the IB platform will refuse to allow a transfer through the interface. Furthermore, it is possible for staff to lock down accounts to "view only" mode where you can transfer money in, but not take it out.

In your case you were not using it properly, and if you're still an ANZ customer I advise you to call up their contact centre to get internet banking created for your wife under her own customer number. Once you do this you have by default a separate Online Code mobile number.

Edit: Further clarification was done via PM. In this case it was wanting to set 2x mobile numbers on a single IB login, which is not possible for security reasons, and what sounds like sharing logins.

Michael Murphy | https://murfy.nz