NZ: online banking- liability and authentication

December 17, 2007 at 11:12 pm 3 comments

There are several stories doing the media rounds today about online banking that have some interesting angles:

1. Back in July this year, with the introduction of the new Code of Banking Practice, banks wanted to make online banking customers liable for not patching their OSs or if their “virus scanning, firewall, anti-spyware, operating system and anti-spam software” was not up to date. At that time, I said that none of this makes business, operational, or technical sense for the banks.

Amongst the majors, Westpac was the first to see the obvious and backed down in August (even more interesting when you consider that it is the only major that doesn’t offer two-factor authentication).

Now, Bank of New Zealand (BNZ) has backed down with ANZ National half way there. It’s likely that the others will follow as both Westpac and BNZ are using explicit assurances of no-liability that is believed to be bringing in new customers.

2. BNZ is going to make two-factor authentication compulsory for its online banking customers. Hmmm… the conventional wisdom is to make it optional or only require it beyond some limit. If the other banks follow, this could be the tipping point for two-factor authentication in New Zealand.

3. Unfortunately, BNZ’s two-factor authentication for personal banking barely makes the grade. The bank uses NetGuard that is a “bingo card” with a 7×7 grid. It is “something you have” but fails the test of “something no one else has.” It is trivial for someone to get a copy of the static grid without the customer’s knowledge.

In fact, one of the actual attacks against the NetGuard bingo card has been to try to get the intended victim to fill in the entire grid in a spoofed page. This demonstrates that the bingo card is much more a shared secret one-factor than true two-factor authentication.

4. BNZ has an example where the time from an account was compromised to actual cash in hand (in Canada) was 15 minutes. That shows how important real-time fraud detection and limits imposed by business rules have become to complement authentication. The credit card companies, such as Visa, are the masters in this area.

5. Two-factor authentication works. In a recent phishing scam against BNZ customers, eight customers had their username and passwords phished. The four who were using NetGuard were still safe. Obviously, even low-grade two-factor authentication is better than passwords alone!


Entry filed under: 2FA, authentication, fraud, NZ, security, strategy.

NZ: use of Web 2.0 in government Openness and Kerckhoffs’ principle

3 Comments Add your own

  • 1. John Edwards  |  December 18, 2007 at 10:07 am

    An anecdote about visa’s realtime fraud detection. I had an uncharacteristic spending spree a while ago, doing about a year’s clothes shopping in an hour or so at two or three different shops. About 20 minutes after the last purchase I had a call from Visa on my cell to check that I was in control of my card, as their software had picked up a pattern of use consistent with a stolen card. I agree with Vikram – if its good enough & easy enough for visa, it should also be good enough for the banks.

    As a matter of law, the visa example sets a benchmark for “security safeguards it is reasonable in the circumstances to take”. Failure to take those steps, and a consequent loss to a customer might well constitute an interference with privacy, under the Privacy Act, as a breach of information privacy principle 5- so not only were the banks’ earlier attempts to shift liability ill-conceived from a business point of view, it could well have been ill fated as a mechanism for dodging legal liability for loss.

  • 2. vikram sareen  |  March 23, 2008 at 7:32 pm

    2fa is good. but recent attacks thru trojan’s like slientbanker needs different level of protection. it is no longer about authentication 1Fa or 2FA. there is a need for transaction level protection.

    ????? any thoughts on that….

  • 3. Vikram  |  March 23, 2008 at 9:44 pm

    Yeah, Silentbanker’s a nasty thing. I had another post about that. Have a look. Some types of 2FA can defeat Silentbanker but I think 2FA plus transaction checking is required.

    However, despite these big threats, online banking still remains relatively secure, at least in NZ. Have a look at what Stu Woollett from Westpac Bank said.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.

Follow me on twitter


%d bloggers like this: