Kiwibank's second-step validation is easily bypassed by changing your
browser agent to something Linuxy and heading to their mobile login page.
You can do everything from the mobile site that you can do from the main
site. Their security is basically for show.
On 21 November 2011 15:28, Phillip Hutchings wrote:
On 21/11/2011, at 3:04 PM, David Robinson wrote:
On 20 November 2011 10:17, Don Gould wrote:
I don't know if KiwiBank have an active team dealing with this sort of rubbish, though I get hit with them quite often, so clearly someone has KB in their sights.

Hi,
I'm not a KB customer but I did email them asking to fix their internet banking security. KB phishing outnumbers other banks' phishing 10 or 20 to 1 (on my email). My email to them was along the lines of: seeing you don't have some type of two factor authentication on your internet banking, you are a low hanging fruit for phishing compared to the other NZ banks, hence the high number of phishing emails. Their response was: we try and make things easy for our customers, so we don't have two factor auth and we rely on anti fraud software to pick this up. (Can dig up the email if anyone is interested.)
I asked them about their stupid "something you know" and "something else you know, picked from three questions and typed by clicking on buttons" system, apparently "customers don't like the idea of codes". If only there was an opt in to 2-factor.
Also Kiwibank passwords aren't case sensitive. At least that's better than another major bank, which only takes the first 8 characters and also isn't case sensitive.
Also it would help if Gmail bounced emails at the border before accepting if they are an SPF hardfail, as most banks have their SPF set up to hardfail, so it would be nice if Gmail's inbound server never accepted emails that had a hard SPF fail. Does mean having to do SPF at accept time rather than later.
I would like that. When I used to run my own mail servers, receive-time SPF and basic spam checking wiped out 90% of my spam. Plus a legit sender would get a bounce and find another way to contact me.
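The accept-time SPF check discussed in the thread above, sketched as an added example that is not part of any poster's message or any mail server's own code: the receiving server evaluates the sender domain's SPF record at MAIL FROM and answers 550 on a hard fail, so the sending side gets the bounce and no message data is ever accepted. The domains, IP addresses, the `SPF_RECORDS` table standing in for DNS, and both function names are constructed for illustration, and the evaluator handles only the `ip4`, `ip6` and `all` mechanisms.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups
# (example domains and documentation address ranges, not real data).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 -all",
    "shop.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(client_ip, domain, records=SPF_RECORDS):
    """Evaluate a simplified SPF record (ip4, ip6 and all mechanisms only)."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include and friends need real DNS and are skipped here
    return "neutral"  # record ended without a matching mechanism


def mail_from_reply(client_ip, mail_from):
    """SMTP reply to MAIL FROM, decided before any message data is accepted."""
    domain = mail_from.rpartition("@")[2].lower()
    result = spf_result(client_ip, domain)
    if result == "fail":
        # Hard fail (-all): reject in-session so the sending side bounces it.
        return 550, f"5.7.23 SPF check failed: {client_ip} may not send for {domain}"
    # softfail, neutral and none are accepted and left to later filtering.
    return 250, f"2.1.0 Ok (spf={result})"
```

Only the `-all` hard fail is rejected at this stage; a `~all` softfail is still accepted, which is why the domain owner's choice of qualifier decides whether accept-time rejection can happen at all.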