Geekzone: technology news, blogs, forums
MichaelNZ

1594 posts

Uber Geek
+1 received by user: 485

Trusted
Net Trust Ltd

#177651 10-Aug-2015 15:21

Twice in the past 3 years I have contacted a NZ financial institution to alert them to internet issues. The first was a bank style institution and the latest a registered bank.

First time was a matter which fell under PCIDSS and would have caused a fail if that area had been assessed. The latest issue was not a security matter, but not a good look either (and certainly didn't speak well for the competence of the people running their IT).

On both occasions these were met with brazen denial and an air of invincibility.

With the first issue I contacted the FMA and discovered the IT side of financial institutions in NZ is totally unregulated by them.

It's a bit of a worry...




WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers | ZL2NET


wasabi2k
2102 posts

Uber Geek
+1 received by user: 860


  #1362206 10-Aug-2015 16:06

Security costs money to be done well, but isn't in your face until it fails. Bad security is often the "easy" way to implement something.

Unless you have a good manager that pushes it, it often falls by the wayside.

There are some real horror setups out there.



engedib
254 posts

Ultimate Geek
+1 received by user: 93


  #1362224 10-Aug-2015 16:31

For the new flash Westpac One internet banking it does not matter if the password is capitals or not.

It accepts every combination for the following password: "Billygoat345"
BILLYGOAT345
billygoat345
BiLlYgOaT345

etc.

Mentioned this a couple of times when I had a call with them, but they think this is secure enough....




MCSE+M/S, MCITP


Kraven
738 posts

Ultimate Geek
+1 received by user: 190


  #1362239 10-Aug-2015 16:51

engedib: For the new flash Westpac One internet banking it does not matter if the password is capitals or not.


ASB is the same...



Behodar
11099 posts

Uber Geek
+1 received by user: 6082

Trusted
Lifetime subscriber

  #1362242 10-Aug-2015 16:52

Is ASB still limited to 8 characters?

itxtme
2102 posts

Uber Geek
+1 received by user: 557


  #1362254 10-Aug-2015 17:05


It accepts every combination for the following password: "Billygoat345"
BILLYGOAT345
billygoat345
BiLlYgOaT345


Does that not mean they are storing them in plain text???

Example sha1 via PHP outputs:


password
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

PASSWORD
112bb791304791ddcf692e29fd5cf149b35fea37

Password
8be3c943b1609fffbfc51aad666d0a04adf83c9d


Obviously simplified and no salt, but if using 1-way encryption I am struggling to work out how they can all be equal!!

Behodar
11099 posts

Uber Geek
+1 received by user: 6082

Trusted
Lifetime subscriber

  #1362256 10-Aug-2015 17:06

They could be doing a "ToUpper" or similar before encryption.
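
The two posts above (itxtme's SHA-1 digests and Behodar's "ToUpper before encryption" explanation) can be checked directly. The following is an added example, not code from the thread or from any bank; it uses Python's hashlib instead of the PHP sha1() the post used, and plain unsalted SHA-1 only to reproduce the post's digests, not as a storage scheme. It shows that hashing the three case variants as typed gives three different digests, that upper-casing before hashing collapses them to one digest without any plaintext being stored, and how many bits of guessing entropy that case-folding gives away.

```python
import hashlib
import math

# Constructed sample: the three case variants from the post above.
VARIANTS = ["password", "PASSWORD", "Password"]


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 hex digest, matching the PHP sha1() calls in the post (demonstration only)."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def raw_digests(variants):
    """Hash each variant exactly as typed: every digest differs, so a
    case-insensitive match cannot come from storing these digests."""
    return {v: sha1_hex(v) for v in variants}


def normalised_digests(variants):
    """Hash after ToUpper, as Behodar suggests: all three variants map to one
    digest, so the site can accept any case without holding the plaintext."""
    return {v: sha1_hex(v.upper()) for v in variants}


def all_equal(values) -> bool:
    """True when every digest in the collection is the same value."""
    return len(set(values)) == 1


def case_fold_entropy_loss(password: str) -> float:
    """Bits of guessing entropy discarded by case-insensitive matching.

    Each letter could have been one of 52 (upper or lower) but is matched as
    one of 26, so each letter loses log2(52) - log2(26) = 1 bit; digits and
    symbols have no case and lose nothing.
    """
    letters = sum(1 for ch in password if ch.isalpha())
    return letters * (math.log2(52) - math.log2(26))


if __name__ == "__main__":
    for label, fn in (("as typed", raw_digests), ("after ToUpper", normalised_digests)):
        digests = fn(VARIANTS)
        print(f"{label}: {'identical' if all_equal(digests.values()) else 'different'}")
        for variant, digest in digests.items():
            print(f"  {variant:<10} {digest}")
    print("bits lost for 'Billygoat345':", case_fold_entropy_loss("Billygoat345"))
```

Running it prints the same `5baa61e4...` digest for `password` that the post shows, different digests for the other two variants, and a single shared digest once the input is upper-cased first. For a 12-character password with nine letters, case-folding removes nine bits, which halves the attacker's work nine times over; that is the concrete cost of the convenience the bank chose.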
Lias
5655 posts

Uber Geek
+1 received by user: 3978

ID Verified
Trusted
Lifetime subscriber

  #1362292 10-Aug-2015 17:42

I suspect many of them have some ancient crappy backend they don't want to spend money upgrading (Shareholders demand profits after all!). Limited length, or just ignoring length beyond a certain point, limited character set, etc are all signs of insecurity.

Pretty much, if you can't handle a 100+ byte string of upper, lower, symbols and numerics as my password, you're doing it wrong.

That's without even getting started on the lack of CSPRNGs, key stretching, proper salting, yadda yadda.





I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup. Opinions are my own and not the views of my employer.
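
Lias's checklist above (arbitrary length and character set, a CSPRNG-generated salt, key stretching, no case-folding) is what a password store that passes the "100+ byte string" test looks like. The following is an added example, not code from the thread or from any bank's system; the parameter values (iteration count, salt size, the byte cap that only bounds CPU time) are constructed for the example and would be tuned for a real deployment. It keeps the password case-sensitive, normalises Unicode so the same visible string always verifies, derives a per-user salt from `secrets`, stretches with PBKDF2-HMAC-SHA256, and compares in constant time.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed parameters: raise PBKDF2_ROUNDS to what your hardware tolerates.
PBKDF2_ROUNDS = 200_000
SALT_BYTES = 16
MAX_PASSWORD_BYTES = 1024  # bounds hashing time only; nothing like an 8 or 16 char limit


def normalise(password: str) -> bytes:
    """NFKC-normalise so composed/decomposed forms of the same Unicode string
    match, then UTF-8 encode. Case is deliberately NOT folded."""
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds byte cap")
    return data


def make_record(password: str) -> dict:
    """Build the stored record: CSPRNG salt, cost parameter and stretched digest.
    Nothing in it lets the password be recovered, and two users with the same
    password get different digests because the salt differs."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(password), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "rounds": PBKDF2_ROUNDS, "digest": digest}


def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and rounds, compare in constant time.
    Over-long input is rejected rather than silently truncated."""
    try:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", normalise(attempt), record["salt"], record["rounds"]
        )
    except ValueError:
        return False
    return hmac.compare_digest(candidate, record["digest"])


# Constructed 116-byte password mixing upper, lower, digits and symbols.
LONG_PASSWORD = "Correct-Horse!Battery#Staple9" * 4

if __name__ == "__main__":
    rec = make_record(LONG_PASSWORD)
    print("length in bytes:", len(LONG_PASSWORD.encode()))
    print("exact match:", verify(rec, LONG_PASSWORD))
    print("lower-cased:", verify(rec, LONG_PASSWORD.lower()))
    print("salt differs per record:", make_record(LONG_PASSWORD)["digest"] != rec["digest"])
```

The design points worth noting: the stored record carries its own cost parameter, so the iteration count can be raised later and old records re-hashed on next login; `secrets.token_bytes` is the CSPRNG Lias refers to; and a length cap exists only to stop a multi-megabyte input from burning CPU, which is a different thing from the 8-character limits discussed earlier in the thread.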


Beccara
1473 posts

Uber Geek
+1 received by user: 517

ID Verified

  #1362348 10-Aug-2015 19:25

As with everything it's down to cost benefit. Given there's still COBOL code running in NZ, the cost of implementing good security is huge and its risks are low, considering 6 letters or 6 words for a password doesn't matter if the client accessing IB has a keylogger trojan running.

Until the benefits/fines outweigh the costs nothing will really change. Inertia is a bitch.




Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated.

richms
29099 posts

Uber Geek
+1 received by user: 10210

Trusted
Lifetime subscriber

  #1362353 10-Aug-2015 19:37

engedib: For the new flash Westpac One internet banking it does not matter if the password is capitals or not.

It accepts every combination for the following password: "Billygoat345"
BILLYGOAT345
billygoat345
BiLlYgOaT345

etc.

Mentioned this a couple of times when I had a call with them, but they think this is secure enough....


And they would be right.

3 goes before locked out makes brute force not practical.

Having customers locked out because they do not understand a capslock key causes huge bad-will towards the place and will have the customers blame the bank for inability to access it.






Richard rich.ms

nathan
5695 posts

Uber Geek
+1 received by user: 1630
Inactive user


  #1362391 10-Aug-2015 20:43

my bank web logon doesn't support any characters except a-z 0-9

engedib
254 posts

Ultimate Geek
+1 received by user: 93


  #1362399 10-Aug-2015 20:57

richms:
engedib: For the new flash Westpac One internet banking it does not matter if the password is capitals or not.

It accepts every combination for the following password: "Billygoat345"
BILLYGOAT345
billygoat345
BiLlYgOaT345

etc.

Mentioned this a couple of times when I had a call with them, but they think this is secure enough....


And they would be right.

3 goes before locked out makes brute force not practical.

Having customers locked out because they do not understand a capslock key causes huge bad-will towards the place and will have the customers blame the bank for inability to access it.



Maybe set everyone's password to Password1 so they don't need to bother. In 2015, non case sensitive passwords for internet banking sites are just not acceptable security practice.




MCSE+M/S, MCITP

markl
348 posts

Ultimate Geek
+1 received by user: 83


  #1362698 11-Aug-2015 11:18

Behodar: Is ASB still limited to 8 characters?


No it's not... I complained about that a few months back and was told that they'd fixed that one some time near the start of the year.

markl
348 posts

Ultimate Geek
+1 received by user: 83


  #1362701 11-Aug-2015 11:22

I complained to a couple of financial institutions when Heartbleed came along as they were vulnerable... one still was, a month or so after patches were available.

In general, and having worked (admittedly a little while ago now) both inside, and with, bank and financial institutions' IT organisations, I have to say I'm fairly sure that security, and in fact even awareness of HOW THE INTERNET WORKS (you know... http... PUT, GET, POST, DELETE... stateless... request/response) is beyond 90% of their staff. As for mobile? Don't even get me started.

Aaroona
3204 posts

Uber Geek
+1 received by user: 169


  #1372052 22-Aug-2015 16:40

engedib: For the new flash Westpac One internet banking it does not matter if the password is capitals or not.

It accepts every combination for the following password: "Billygoat345"
BILLYGOAT345
billygoat345
BiLlYgOaT345

etc.

Mentioned this a couple of times when I had a call with them, but they think this is secure enough....


IRD is the same.
