NZ: online banking - liability and authentication
There are several stories doing the media rounds today about online banking that have some interesting angles:
1. Back in July this year, with the introduction of the new Code of Banking Practice, banks wanted to make online banking customers liable for not patching their OSs or if their “virus scanning, firewall, anti-spyware, operating system and anti-spam software” was not up to date. At that time, I said that none of this makes business, operational, or technical sense for the banks.
Amongst the majors, Westpac was the first to see the obvious and backed down in August (even more interesting when you consider that it is the only major that doesn’t offer two-factor authentication).
Now, Bank of New Zealand (BNZ) has backed down, with ANZ National half way there. It’s likely that the others will follow, as both Westpac and BNZ are using explicit assurances of no liability, which are believed to be bringing in new customers.
2. BNZ is going to make two-factor authentication compulsory for its online banking customers. Hmmm… the conventional wisdom is to make it optional or only require it beyond some limit. If the other banks follow, this could be the tipping point for two-factor authentication in New Zealand.
3. Unfortunately, BNZ’s two-factor authentication for personal banking barely makes the grade. The bank uses NetGuard, a “bingo card” with a 7×7 grid. It is “something you have” but fails the test of “something no one else has.” It is trivial for someone to get a copy of the static grid without the customer’s knowledge.
In fact, one of the actual attacks against the NetGuard bingo card has been to try to get the intended victim to fill in the entire grid in a spoofed page. This demonstrates that the bingo card is much more a shared secret one-factor than true two-factor authentication.
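To put a number on the “shared secret” point above, here is a small risk model (added here; it is not BNZ’s or NetGuard’s code). It assumes a 7×7 card holding one digit per cell and a login that asks for 3 cells; the card contents, the 3-cell challenge size and the simulation seeds are constructed assumptions, since the post only states the grid size. It measures how much of the static card has leaked after an observer has seen k logins, and how often that observer could then pass a fresh challenge, and contrasts it with the spoofed full-grid page, which leaks everything in one response.

```python
import random
from itertools import product

GRID = 7                  # the post states NetGuard is a 7x7 grid
CELLS_PER_CHALLENGE = 3   # assumption: the post does not say how many cells a login asks for
ALL_CELLS = list(product(range(GRID), range(GRID)))

def make_card(rng):
    """Constructed sample card: one random digit per cell (real card contents are unknown)."""
    return {cell: rng.randrange(10) for cell in ALL_CELLS}

def issue_challenge(rng, n=CELLS_PER_CHALLENGE):
    """The bank asks for n distinct cells; the same static card answers every challenge."""
    return rng.sample(ALL_CELLS, n)

def observe(known, card, challenge):
    """What an observer of one successful login learns: those cells, permanently."""
    for cell in challenge:
        known[cell] = card[cell]

def fraction_known(known):
    return len(known) / len(ALL_CELLS)

def can_answer(known, challenge):
    """A fresh challenge is answerable iff every requested cell has already leaked."""
    return all(cell in known for cell in challenge)

def expected_fraction_known(k, n=CELLS_PER_CHALLENGE):
    """Closed form: a cell stays hidden after k logins with probability (1 - n/49)^k."""
    return 1 - (1 - n / len(ALL_CELLS)) ** k

def simulate(k, trials=2000, seed=1):
    """Mean leakage after k observed logins, and how often the (k+1)th challenge is passable."""
    rng = random.Random(seed)
    leaked = passed = 0.0
    for _ in range(trials):
        card, known = make_card(rng), {}
        for _ in range(k):
            observe(known, card, issue_challenge(rng))
        leaked += fraction_known(known)
        passed += can_answer(known, issue_challenge(rng))
    return leaked / trials, passed / trials

def full_grid_phish(seed=0):
    """The spoofed page from the post that asks for the whole grid: one response leaks it all."""
    rng = random.Random(seed)
    card, known = make_card(rng), {}
    observe(known, card, ALL_CELLS)
    return fraction_known(known), can_answer(known, issue_challenge(rng))

if __name__ == "__main__":
    for k in (1, 5, 20, 50):
        leaked, passed = simulate(k)
        print(f"after {k:2d} observed logins: {leaked:.0%} of card known, next login passable {passed:.0%}")
    print("full-grid phish: leaked %.0f%%, next login passable %s" % (100 * full_grid_phish()[0], full_grid_phish()[1]))
```

The simulated leakage tracks the closed form closely; a one-time code generator has no equivalent curve because nothing observed at one login helps at the next.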
4. BNZ has an example where the time from an account being compromised to actual cash in hand (in Canada) was 15 minutes. That shows how important real-time fraud detection and limits imposed by business rules have become as a complement to authentication. The credit card companies, such as Visa, are the masters in this area.
5. Two-factor authentication works. In a recent phishing scam against BNZ customers, eight customers had their usernames and passwords phished. The four who were using NetGuard were still safe. Obviously, even low-grade two-factor authentication is better than passwords alone!