Geekzone: technology news, blogs, forums



Rikkitic

Awrrr
19063 posts

Uber Geek
+1 received by user: 16302

Lifetime subscriber

#271948 3-Jun-2020 09:25

I don't have a cell phone and until the lockdown, I didn't have Internet banking. Now that I do, I wonder how secure it really is without 2FA. It seems pretty secure to me, but of course I could be missing something.

 

With Kiwibank, you have to log in with account number and password. You are then presented with a randomly-selected security question from ones you have previously created. The answer to the question is displayed as blank spaces, and you have to correctly type in two randomly-selected blanks. This is done to prevent key loggers. 

 

So how secure is this, really? The only way I can think of offhand to defeat it would be something in memory that  copies the screen until the same answer has appeared enough times to fill in all the blanks, then keeps trying to log in until that question comes up again. Is there a better way to get around this?

 

 





Plesse igmore amd axxept applogies in adbance fir anu typos
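The question in the post above can be put in numbers. This is an added example, not part of the original post and not Kiwibank's code: it computes how likely a fresh challenge is to ask only for answer positions that earlier observed logins already exposed. It assumes one question, two distinct positions chosen uniformly at random per login, and an observer who captures both position and character; the function names are hypothetical.

```python
from fractions import Fraction
from math import comb

def known_positions_distribution(n, logins, per_login=2):
    """Distribution of how many of the n answer positions have been
    exposed after `logins` observed challenges (assumption: each challenge
    asks for `per_login` distinct positions chosen uniformly at random)."""
    dist = {0: Fraction(1)}
    total = comb(n, per_login)
    for _ in range(logins):
        nxt = {}
        for k, p in dist.items():
            # `new` = how many of this challenge's positions were unseen so far
            for new in range(per_login + 1):
                ways = comb(n - k, new) * comb(k, per_login - new)
                if ways:
                    nxt[k + new] = nxt.get(k + new, 0) + p * Fraction(ways, total)
        dist = nxt
    return dist

def exposure(n, logins, per_login=2):
    """Probability that the next challenge asks only for positions that
    were already exposed in earlier observed logins."""
    total = comb(n, per_login)
    dist = known_positions_distribution(n, logins, per_login)
    return sum(p * Fraction(comb(k, per_login), total) for k, p in dist.items())

def logins_until(n, threshold, per_login=2):
    """Smallest number of observed logins after which exposure >= threshold."""
    t = 0
    while exposure(n, t, per_login) < threshold:
        t += 1
    return t

if __name__ == "__main__":
    # Answer lengths are constructed sample values, not taken from the thread.
    for n in (6, 10, 16):
        row = [float(round(exposure(n, t), 3)) for t in (1, 3, 5, 10)]
        print(f"length {n}: exposure after 1/3/5/10 logins {row}, "
              f"50% reached after {logins_until(n, Fraction(1, 2))} logins")
```

Longer answers and several questions in rotation slow the erosion, and a lockout after a few failed attempts limits how often a partially informed guess can be retried.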

 


 


Lightbulb
119 posts

Master Geek
+1 received by user: 10

ID Verified
Lifetime subscriber

  #2497218 3-Jun-2020 09:33

Westpac is pretty bad. No 2FA and password doesn't differentiate between upper case and lowercase




engedib
254 posts

Ultimate Geek
+1 received by user: 93


  #2497219 3-Jun-2020 09:34

Lightbulb:

 

Westpac is pretty bad. No 2FA and password doesn't differentiate between upper case and lowercase

 

 

Yeah, they are absolutely hopeless with that password policy, was one of the reasons I switched banks 2 years ago.


wellygary
8810 posts

Uber Geek
+1 received by user: 5287


  #2497224 3-Jun-2020 09:40

So how secure is this, really? The only way I can think of offhand to defeat it would be something in memory that  copies the screen until the same answer has appeared enough times to fill in all the blanks, then keeps trying to log in until that question comes up again. Is there a better way to get around this?

 

The "standard" scammer approach is usually to fool you into loading Teamviewer or some other remote access software and then get you to log in "so they can check that the security changes they made are working"

 

 

 

Kiwibank do have 2FA for authorising online payments to accounts that are new to you (i.e. not bill pay accounts Kiwibank already know). How do you do this if you have no mobile, or is it not enabled?

 

 

 

 




timmmay
20858 posts

Uber Geek
+1 received by user: 5350

Trusted
Lifetime subscriber

  #2497226 3-Jun-2020 09:42

I think Kiwibank is likely to be sufficiently secure. Anything can be defeated given enough time and effort. Run a virus / malware scan of your computer occasionally and you should be fine.


Linux
12181 posts

Uber Geek
+1 received by user: 8475

Trusted
Lifetime subscriber

#2497227 3-Jun-2020 09:44

Lightbulb:

 

Westpac is pretty bad. No 2FA and password doesn't differentiate between upper case and lowercase

 

 

@Lightbulb No way that is mental


knoydart
904 posts

Ultimate Geek
+1 received by user: 154

Trusted

  #2497238 3-Jun-2020 09:55

A handy overview from Ryan Kurte on NZ banking two factor use 


 
 
 

Wakrak
1748 posts

Uber Geek
+1 received by user: 1126

ID Verified
Lifetime subscriber

  #2497262 3-Jun-2020 10:10

With BNZ you have three options as far as I am aware: (1) log in with username and password; (2) username, password, and authenticate with BNZ mobile app; (3) username, password, 2FA with NetGuard card.

Password is case sensitive and must include both letters & numbers. 

 

With NetGuard, it will prompt you to enter the letter/number given for C4 for example = M. Have to do this three times and if one is wrong, start again. 

(Image is from google).

 


networkn
Networkn
32862 posts

Uber Geek
+1 received by user: 15453

ID Verified
Trusted
Lifetime subscriber

  #2497265 3-Jun-2020 10:17

As a Kiwibank customer it's infuriating that they don't have app-based 2FA for their payment confirmation and their password/passphrase thing isn't great either. They are aware and have an app-based auth being worked on, but that was some months ago.

 

The SMS Text message payment confirmation thing is super annoying esp if you are overseas, and because often times it can take a few minutes to come through.

 

 

 

 


Linux
12181 posts

Uber Geek
+1 received by user: 8475

Trusted
Lifetime subscriber

  #2497271 3-Jun-2020 10:24

BNZ is very good with the App authentication


Rikkitic

Awrrr
19063 posts

Uber Geek
+1 received by user: 16302

Lifetime subscriber

  #2497275 3-Jun-2020 10:31

wellygary:

 

So how secure is this, really? The only way I can think of offhand to defeat it would be something in memory that  copies the screen until the same answer has appeared enough times to fill in all the blanks, then keeps trying to log in until that question comes up again. Is there a better way to get around this?

 

The "standard" scammer approach is usually to fool you into loading Teamviewer or some other remote access software and then get you to log in "so they can check that the security changes they made are working"

 

Kiwibank do have 2FA for authorising online payments to accounts that are new to you (i.e. not bill pay accounts Kiwibank already know). How do you do this if you have no mobile, or is it not enabled?

 

 

Not enabled, I suppose. I am a pensioner and have very simple banking needs and the very few payments I make are either in person or by credit card.  This has always worked well for me, which is why I never had Internet banking until the lockdown.

 

Edited to add: I am fairly immune to phishing. I am very obstinate and never do what anyone tells me to, especially on-line. I don't click on anything that comes via email. I have my email set to text only so HTML attacks are impossible. I get very little spam and it all goes into the rubbish folder.

 

 

 

 

 

 

 

 





Plesse igmore amd axxept applogies in adbance fir anu typos

 


 


antonknee
1133 posts

Uber Geek
+1 received by user: 1145


  #2497276 3-Jun-2020 10:32

So Kiwibank's annoying text message verification is (one reason) why I left them, I often did not receive these text messages... unfortunately I went to Westpac and I did not realise their security was so horrendous. Might be looking for a new bank now...


michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2497280 3-Jun-2020 10:43

To answer your question properly, Internet Banking is as secure as you make it. With Kiwibank, their Keepsafe login is old but it works well provided the answers you've made are unique and not easily guessable. I'm a Foundation customer with Kiwibank and set my answers to make no logical sense + I use a password manager.

 

The biggest security weakness with internet banking is the users. For example, users who are either using weak or compromised passwords. Check https://haveibeenpwned.com to see if you've been compromised in any other accounts, and enter your password into https://haveibeenpwned.com/Passwords (which is secure) to check if the password has been compromised on any lists. Lastly, use a password manager like LastPass or Dashlane coupled with 2 factor security on your password vault.

 

Logins are normally vetted by their fraud systems (the same systems used to protect your credit card / visa debit card) and the bank will cover you for any losses provided you didn't contribute to that loss with both. It is also vitally important you don't use systems like POLi as this goes against your internet banking terms of use (as systems like POLi "man in the middle you" and log in to your internet banking to make a payment) - banks can detect when such systems are used and whilst they allow them, they may use this against you if you get compromised in the future.

 

So, the likelihood of getting compromised if you follow the standard steps (using complex, randomly generated passwords from a password manager, not disclosing your login details, using a secure computer with a modern, up-to-date browser) is remarkably low. Banks are a high target and there are often security teams along with security applications working to keep users safe at all times.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.
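The Pwned Passwords check mentioned in the post above works as a k-anonymity range query: the client sends only the first five hex characters of the password's SHA-1 hash to https://api.pwnedpasswords.com/range/<prefix> and compares the rest locally. This is an added example of the client side, not part of the original post or the service's own code; the response body, counts and function names are constructed for illustration so it runs offline.

```python
import hashlib

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that leave the machine

def split_hash(password):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.
    Only the prefix is sent; the 35-character suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def breach_count(password, range_body):
    """Match the locally kept suffix against a range response body.

    Each response line is SUFFIX:COUNT. Lines with count 0 are padding
    (returned when the client requests padded responses) and are treated
    the same as "not found"."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0

def constructed_response(entries):
    """Build a sample range body (constructed data standing in for the
    HTTP response). A real body lists suffixes that share one prefix;
    here the suffixes come from unrelated sample passwords."""
    return "\r\n".join(f"{split_hash(pw)[1]}:{n}" for pw, n in entries)

SAMPLE_BODY = constructed_response([
    ("password", 3730471),      # constructed count, not a real figure
    ("padding-entry-only", 0),  # shape of a padding line
    ("letmein", 12),            # constructed count
])

if __name__ == "__main__":
    for pw in ("password", "padding-entry-only", "x9!Qe-unused-sample"):
        prefix, _ = split_hash(pw)
        print(f"would request range {prefix}: seen {breach_count(pw, SAMPLE_BODY)} times")
```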


floydbloke
3646 posts

Uber Geek
+1 received by user: 4554

ID Verified

  #2497286 3-Jun-2020 10:58

knoydart:

 

A handy overview from Ryan Kurte on NZ banking two factor use 

 

 

It might be handy if it was current.  It doesn't mention 2FA using the app for BNZ.......makes you wonder what else is missing/out of date.

 

Would be more useful if it included a 'last updated on __/__/__' and a disclaimer that things may have changed since then.





Sometimes I use big words I don't always fully understand in an effort to make myself sound more photosynthesis.


Lightbulb
119 posts

Master Geek
+1 received by user: 10

ID Verified
Lifetime subscriber

  #2497287 3-Jun-2020 11:02

I use LastPass for all my passwords except for internet banking and other important financial sites.  I've always been a bit nervous of putting my banking passwords in LastPass - just in case Lastpass gets compromised.

 

Am I being too cautious for banking / financial sites?


michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #2497293 3-Jun-2020 11:12

@Lightbulb Honestly, not at all.

 

I personally use LastPass for Internet Banking myself (which is protected with 2FA with another app along with a strong master password). All my banks have some type of 2FA on them also and if any attacker got in they'll find the majority of my accounts are useless to them being protected with 2FA and the attackers will be stupid to log in to my main bank account anyway as it'll ping me a message + app notification and I also work on this internet banking platform for my job. LastPass have a good security writeup here: https://www.lastpass.com/security/what-if-lastpass-gets-hacked and disclose if they've been compromised (and how) since it is in their best interest to.

 

As long as you're using a secure password not repeated anywhere else then that is fine. But also if you're using a secure password + 2FA for your password vault then using that for your internet banking and generating new passwords on a regular basis is better. I often say, the only secure passwords are the ones you can't remember.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

