
On 7/05/2014 7:38 PM, Erik Christiansen wrote:
On 07.05.14 00:34, Andrew McGlashan wrote:
Apparently the Commonwealth Bank was affected, but they claim that only the main website was vulnerable, not Netbank -- can you trust them? I think NOT! Banks do NOT care about security as much as they need to; why do you think tap-and-pay systems are so good for them ... it's because the RETAILER takes ALL the risk whilst the bank takes NO RISK at all.
Is there any evidence for any of those assertions?
That bank cared enough about security to _insist_ on sending a security dongle when a substantial netbank account was opened - they did not wish to accept liability for loss of that amount of funds without the extra security provision.
Given the one-time access provided by each long-cycle pseudorandom code produced by the dongle, a strong password on the account becomes mere back-up protection.
AIUI anyone can ask for a dongle. It's worth knowing that even if account ID and password were intercepted, they would avail a crim nothing at all.
They've had other methods too, certs on a USB stick for one, multi-person auth too. Still, from what I've seen and what I understand, I still don't trust them as much as I would like -- heck, my NetBank with a dongle doesn't even work properly with Firefox [NetBank, not the login auth], I have to use Chrome and that's something I would otherwise like to avoid too.

What's the best banking alternative? I'm not sure any are going to satisfy me, just knowing what can go wrong and how they manage security risk based on a dollar value, rather than on its own merit. It's a commercial world we live in, same problem when fuel tanks were exploding on Ford cars in the US way back.... they assessed the cost of /fixing/ the rare occurrence with the cost of doing a proper recall .. the cost of people's lives was less, so they didn't do a recall. [1]

[1] http://auto.howstuffworks.com/1971-1980-ford-pinto12.htm

Cheers
A.