Secure Passwords for Banking

Would this create an issue when travelling overseas and needing access to your home account? E.g. to top up a travel type card, or pay your CC, or ….

We use a VPN and prefer to use mobile data for any financial connections rather than go through the local hotel or public internet connections. All now commonly using wifi.

It could do. Just like for credit cards, one should contact their financial institution to let them know of their travel plans and intention to do online banking when overseas.

As a cyber security expert friend said to us, never do any financial connections or connections one wants to be secure over public open Wifi networks… irrespective of whether one uses a VPN. Their own organisation has policies that their staff aren’t to use open/public wifi using any work devices. The main reason is there are gaps in timing between connections and VPN initiation which can be exploited. While risks are low, I prefer to ensure there are no risks rather than take a gamble.

We have also adopted this practice. It is easy to be prepared before going out.

One has to also consider convenience over security, and what is one’s own priority.

The VPN endpoint may or may not be overseas.

Almost all VPN service providers give you a choice of VPN endpoint. So a workaround for @pljudd may be to change VPN endpoint to an Australian endpoint right before using the banking app.

In other words, is RAB blocking all overseas IP addresses or is RAB blocking traffic that originates from a VPN (whether Australian or not)? [The latter might be incompletely implemented by blacklisting all known IP addresses of all VPN service providers.] Or they might be doing both?

This is of course misguided security (depending on exactly what is happening) because any criminal worth his salt can route traffic through an Australian IP address (including potentially through the service of the victim from which the credentials were originally copied i.e. if that computer was completely compromised).

You can never have too many layers in your defences :slight_smile: but that seems excessive to me. Providing that all your communication is using TLS (“SSL”) … even with an open WiFi, or an untrusted WiFi, or a dodgy VPN provider, or with a timing problem with getting the VPN going … your exposure is limited to revealing the fact that you connected to a certain hostname.

So if you bookmarked your bank’s web site then just make sure you bookmarked it as https: and make sure you see the lock icon in the browser. Without those, the entire internet is like an open WiFi (including when you are at home).

“Gaps in timing”, if they concern you, can be plugged by using firewall software on the device and blocking unprotected outbound traffic.

Regardless, everyone has to adopt only those measures that they personally find acceptable.

I would assume that your local manager will have NFI. So please allow enough time for the manager to escalate to the network security team within the bank and get a response from that team.

Regardless though, moving your custom elsewhere is sometimes the only language that a business understands. In that case, you would ideally tell them explicitly why you left, once you have done so.

I think there are some web sites that actively attempt to defeat autofill i.e. where the password manager is integrated within the browser.

It may still work just to copy-and-paste the password from the password manager to the web site login form, just not as convenient.

2 Likes

This has been posted to the wrong comment. Sorry - first time reply.

Continuing the discussion from Secure Passwords for Banking:

I agree. Also, all financial institutions should have two-factor identification for logging into accounts. Westpac does not, nor does NAB.

Thank you so much for your post. I’m not able to help but you have provided me information about the password vault and generator that I didn’t know existed. I’m now checking Choice for the best ones :pray::pray:.

You’re not only relying on the phone network to deliver the 2FA but also your phone. I recently found I suddenly couldn’t receive 2FAs from my bank and assumed it was their fault as I could receive them from other sites. After a lengthy online chat with the bank they suggested I remove the SIM card from my phone and replace it. I was extremely dubious about this but in desperation I tried it anyway. It worked.

3 Likes

Most times rebooting (restarting) the phone will fix problems. I can imagine a SIM getting a bit ‘off’ if any corrosion or surface scum built up on its contacts; it would be rare but if that contributed to the problem removing and reinserting it might be enough to clean up the contacts.

1 Like

I was only dubious because multiple reboots of the phone hadn’t helped, and I could receive 2FAs from every other site I used. It merely sounded like a dismissive ‘have you tried turning it off and on again’ suggestion :smiley:

2 Likes

On the SIM card is a microprocessor, and the phone communicates with it using a serial interface and supplies power. One of the pins is also a reset.

Removing the SIM and reinserting it would reboot it. Maybe for some reason some data stored on the SIM and only used by the one sender of 2FA message was affected in some way. The reboot cleared up the problem.

It is also possible that the phone had a problem. Reinserting the SIM would trigger some re-recognizing routine to be run on the phone which cleared the problem.

1 Like

My point exactly - receiving 2FAs relies not only on the phone network but on your phone. Even if your phone appears to be working fine, it may not be.

1 Like

9 posts were split to a new topic: Security of Web Connections used for Banking

I’m impressed by the responses in this community.

@person You make a great point about the physical (RSA?) tokens that some banks give out to people to do 2FA. Yes those are pretty great. As I understand it you press a button and you get a number that you must enter on the screen to proceed. I was talking about SMS and email-based 2FA which are not secure in my opinion.

LOL. Don’t knock it. So much in IT can be fixed with that … :wink:

Well, mine is RSA but any token doing TOTP (or less preferably HOTP or even less preferably some proprietary algorithm that is functionally equivalent) will do the job.

On mine there is no need to press a button. It displays a number all the time and the number changes every 30 seconds and it gives a visual indicator of how close to a 30-second change of number it is.

Well, SMS definitely isn’t secure - but it is better than not doing 2FA at all. (Criminals have already successfully hijacked a phone number in order to intercept the SMS in various cases. However in the arms race that is IT security, telcos are in the process of making it harder to hijack a phone number.)

Email could be secure but almost always isn’t.

Always worth bearing in mind that the weakest link is often the human being. In various cases, the human has been tricked into simply telling a bogus caller what the code is i.e. “social engineering”. That will work whether the code arrives via SMS or email or via any other delivery mechanism (even a mechanism that is secure).

1 Like

I think a very important consideration when talking about 2FA delivery methods, is how long the one time password is valid for.

Nefarious actors are going to have to act very quickly if the password is only valid for 30 seconds, or maybe 5 minutes.

3 Likes