Geekzone: technology news, blogs, forums
Linux Systems Admin
# 177651 10-Aug-2015 15:21

Twice in the past 3 years I have contacted a NZ financial institution to alert them to internet issues. The first was a bank style institution and the latest a registered bank.

First time was a matter which fell under PCI DSS and would have caused a fail if that area had been assessed. The latest issue was not a security matter, but not a good look either (and certainly didn't speak well for the competence of the people running their IT).

On both occasions these were met with brazen denial and an air of invincibility.

With the first issue I contacted the FMA and discovered the IT side of financial institutions in NZ is totally unregulated by them.

It's a bit of a worry...




Integrity Tech Solutions @ Norsewood, New Zealand
  # 1362206 10-Aug-2015 16:06

Security costs money to be done well, but isn't in your face until it fails. Bad security is often the "easy" way to implement something.

Unless you have a good manager that pushes it it often falls to the wayside.

There are some real horror setups out there.

  # 1362224 10-Aug-2015 16:31

For the new flash Westpac One internet banking it does not matter if the password is capitals or not.

It accepts every combination for the following password: "Billygoat345"
BILLYGOAT345
billygoat345
BiLlYgOaT345

etc.

Mentioned this a couple of times when I had a call with them, but they think this is secure enough....

  # 1362239 10-Aug-2015 16:51

engedib: For the new flash Westpac One internet banking it does not matter if the password is capitals or not.


ASB is the same...

  # 1362242 10-Aug-2015 16:52

Is ASB still limited to 8 characters?

  # 1362254 10-Aug-2015 17:05


It accepts every combination for the following password: "Billygoat345"
BILLYGOAT345
billygoat345
BiLlYgOaT345


Does that not mean they are storing them in plain text???

Example sha1 via PHP outputs


password
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

PASSWORD
112bb791304791ddcf692e29fd5cf149b35fea37

Password
8be3c943b1609fffbfc51aad666d0a04adf83c9d


Obviously simplified and no salt, but if using 1-way encryption I am struggling to work out how they can all be equal!!

  # 1362256 10-Aug-2015 17:06

They could be doing a "ToUpper" or similar before encryption.
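As an added illustration (not code from this thread, from Westpac, or from any bank), here is how the behaviour the thread describes can arise without plaintext storage: the input is case-folded before a salted, stretched hash, so every capitalisation verifies while the stored digest is still one-way. The `keyspace_bits` helper shows what that folding costs in entropy; the function names, the PBKDF2 parameters and the 12-character alphanumeric password model are all assumptions.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value, not any bank's setting


def sha1_hex(s: str) -> str:
    """Unsalted SHA-1, as in the PHP examples quoted above: case changes the digest."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None, fold_case: bool = True) -> dict:
    """Store a salted, stretched hash. With fold_case=True the input is upper-cased
    first, so every capitalisation of the password verifies (the behaviour in the thread)."""
    salt = salt if salt is not None else os.urandom(16)
    material = password.upper() if fold_case else password
    digest = hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "fold_case": fold_case}


def verify(record: dict, attempt: str) -> bool:
    """Apply the same normalisation as at enrolment, then compare in constant time."""
    material = attempt.upper() if record["fold_case"] else attempt
    digest = hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def keyspace_bits(length: int, case_sensitive: bool) -> float:
    """Entropy of a random alphanumeric password of the given length:
    62 symbols when case matters, 36 once upper and lower case are merged."""
    alphabet = 62 if case_sensitive else 36
    return length * math.log2(alphabet)


if __name__ == "__main__":
    rec = make_record("Billygoat345")          # case-folded store
    print(verify(rec, "BILLYGOAT345"))          # True
    print(verify(rec, "BiLlYgOaT345"))          # True
    strict = make_record("Billygoat345", fold_case=False)
    print(verify(strict, "BILLYGOAT345"))       # False
    # Bits of entropy a 12-character alphanumeric password loses to case folding
    print(round(keyspace_bits(12, True) - keyspace_bits(12, False), 1))  # 9.4
```

The digests stay one-way either way; what folding changes is that an attacker guessing offline against a stolen record, or online within the lockout budget, has a smaller space to cover.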

  # 1362292 10-Aug-2015 17:42

I suspect many of them have some ancient crappy backend they don't want to spend money upgrading (Shareholders demand profits after all!). Limited length, or just ignoring length beyond a certain point, limited character set, etc are all signs of insecurity.

Pretty much if you can't handle a 100+byte string of upper, lower, symbols and numeric as my password, you're doing it wrong.

That's without even getting started on the lack of CSPRNG's, key stretching, proper salting, yadda yadda.





Information wants to be free. The Net interprets censorship as damage and routes around it.

  # 1362348 10-Aug-2015 19:25

As with everything it's down to cost/benefit. Given there's still COBOL code running in NZ, the cost of implementing good security is huge and its risks are low, considering 6 letters or 6 words for a password doesn't matter if the client accessing IB has a keylogger trojan running.

Until the benefits/fines outweigh the costs nothing will really change. Inertia is a bitch.




Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated.

  # 1362353 10-Aug-2015 19:37

engedib: For the new flash Westpac One internet banking it does not matter if the password is capitals or not.

It accepts every combination for the following password: "Billygoat345"
BILLYGOAT345
billygoat345
BiLlYgOaT345

etc.

Mentioned this a couple of times when I had a call with them, but they think this is secure enough....


And they would be right.

3 goes before locked out makes brute force not practical.

Having customers locked out because they do not understand a capslock key causes huge bad-will towards the place and will have the customers blame the bank for inability to access it.






Richard rich.ms
  # 1362391 10-Aug-2015 20:43

My bank web logon doesn't support any characters except a-z 0-9.

  # 1362399 10-Aug-2015 20:57

richms:
engedib: For the new flash Westpac One internet banking it does not matter if the password is capitals or not.

It accepts every combination for the following password: "Billygoat345"
BILLYGOAT345
billygoat345
BiLlYgOaT345

etc.

Mentioned this a couple of times when I had a call with them, but they think this is secure enough....


And they would be right.

3 goes before locked out makes brute force not practical.

Having customers locked out because they do not understand a capslock key causes huge bad-will towards the place and will have the customers blame the bank for inability to access it.



Maybe set everyone's password to Password1 so they don't need to bother. In 2015, non case sensitive passwords for internet banking sites are just not acceptable security practice.

  # 1362698 11-Aug-2015 11:18

Behodar: Is ASB still limited to 8 characters?


No it's not... I complained about that a few months back and was told that they'd fixed that one some time near the start of the year.

  # 1362701 11-Aug-2015 11:22

I complained to a couple of financial institutions when Heartbleed came along as they were vulnerable...one still was, a month or so after patches were available. 

In general, and having worked (admittedly a little while ago now) both inside, and with, bank and financial institution's IT organisations, I have to say I'm fairly sure that security, and in fact even awareness of HOW THE INTERNET WORKS (you know....http....PUT, GET, POST, DELETE...stateless...request/response) is beyond 90% of their staff. As for mobile? Don't even get me started.

Human
  # 1372052 22-Aug-2015 16:40

engedib: For the new flash Westpac One internet banking it does not matter if the password is capitals or not.

It accepts every combination for the following password: "Billygoat345"
BILLYGOAT345
billygoat345
BiLlYgOaT345

etc.

Mentioned this a couple of times when I had a call with them, but they think this is secure enough....


IRD is the same.