Westpac Passwords

The latest cybersecurity advice is not to change it regularly but to have a long complex one saved in password managers.


I am puzzled by all these posters giving their opinion on various lengths and complexity of passwords used for logins when I would think most are quite used to doing financial transactions using tap-and-go cards (no knowledge of user ID or password required), or typically a four-digit PIN if over a limit or when using ATMs.

For some there is far more at risk in enabling direct access to your bank account than just the cash balance. There is a wealth of personal information and financial (credit) info that can be put to many other uses.

Even if, in my instance, the greatest cash risk is that anyone gaining unauthorised access will soon realise there is little cash to be found. Perhaps they might take pity and pay some of the larger debts in return. :joy:

It also, if briefly, might open a pathway for misuse to serve another purpose. I’ve noticed some providers/services do not display in full the personal details they hold, hashing out the larger portion of each stored entry. I hope that if it ever comes to that, I offer too little to be worth the trouble in the first place.


Plus the more fundamental issue that internet banking may get access to accounts that can’t be accessed at all via a card.


There are several answers that one could contemplate:

  • No matter how insecure one mechanism is, that isn’t an excuse to accept insecurity in another mechanism.
  • There are of course several known attacks against cards but, again, that isn’t a reason not to think about how we should make internet banking secure.
  • A person could choose to use internet banking and not use things like tap-and-go or ATMs.

I believe that tap-and-go has become acceptable because cloning a chip card is much more difficult than cloning a magnetic stripe card. So effectively tap-and-go is considered to be one-factor authentication (something you have) and can’t readily be misused by someone who is not in possession of the card. Of course, cards get stolen all the time and hence there have to be limits and there have to be procedures to limit losses.

A chip card with a PIN then is two-factor authentication - and the question becomes: why is a 4-digit PIN acceptable when it is so obviously weak as a password? I would give two answers to that:

  • Cards tend to be used in environments where someone isn’t going to be able to try all 10,000 PINs.
  • When you use a card in an ATM, the ATM will swallow the card after 3 incorrect PINs. So there is hard enforcement on the number of attempts allowed.

You can have a PIN that is longer than 4 digits. However I don’t recommend doing that if going overseas because not all foreign equipment will necessarily work if you have a longer PIN.

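An added illustration of the two points made in the post above (it is not part of the original discussion and is not modelled on any bank's real implementation): a small Python simulation in which an ATM-style verifier with a hard three-attempt lockout stops an exhaustive search of the 10,000 four-digit PINs, while the same search against a verifier with no lockout always succeeds. It also shows the practitioner's caveat: a lockout protects only the online path, so if the stored PIN hash ever leaks, all 10,000 candidates can be tried offline in a fraction of a second. The PIN "4821", the salt and the use of plain salted SHA-256 are constructed for the example.

```python
import hashlib
import hmac

PIN_LENGTH = 4
PIN_SPACE = 10 ** PIN_LENGTH          # 10,000 possible four-digit PINs


class PinVerifier:
    """Online PIN check. With max_attempts=3 it behaves like the ATM described
    above: after three wrong PINs the card is 'swallowed' and nothing further
    is accepted, not even the right PIN. max_attempts=None models a login
    with no lockout at all."""

    def __init__(self, pin, max_attempts=3):
        self._pin = pin                   # constructed example value
        self.max_attempts = max_attempts
        self.failed = 0
        self.locked = False

    def check(self, candidate):
        if self.locked:
            return False
        if hmac.compare_digest(candidate, self._pin):   # constant-time compare
            self.failed = 0
            return True
        self.failed += 1
        if self.max_attempts is not None and self.failed >= self.max_attempts:
            self.locked = True
        return False


def online_brute_force(verifier):
    """Try 0000..9999 in order until the verifier accepts one or locks.
    Returns the recovered PIN, or None if the lockout ended the attack."""
    for n in range(PIN_SPACE):
        guess = str(n).zfill(PIN_LENGTH)
        if verifier.check(guess):
            return guess
        if verifier.locked:
            return None
    return None


def online_success_probability(allowed_guesses):
    """Chance that a uniformly random PIN is among the attacker's guesses."""
    return min(1.0, allowed_guesses / PIN_SPACE)


def store_pin_hash(pin, salt):
    """One way a server might store a PIN: salted SHA-256 (constructed, and
    deliberately a fast hash so the offline point is obvious)."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def offline_crack(pin_hash, salt):
    """Once the hash and salt have leaked there is no lockout to enforce:
    every candidate is hashed locally and compared."""
    for n in range(PIN_SPACE):
        guess = str(n).zfill(PIN_LENGTH)
        if hmac.compare_digest(store_pin_hash(guess, salt), pin_hash):
            return guess
    return None


if __name__ == "__main__":
    atm = PinVerifier("4821", max_attempts=3)
    print("lockout after 3:", online_brute_force(atm), "card locked:", atm.locked)
    print("no lockout:     ", online_brute_force(PinVerifier("4821", max_attempts=None)))
    print("P(success | 3 online guesses) =", online_success_probability(3))
    salt = b"constructed-salt"
    leaked = store_pin_hash("4821", salt)
    print("offline crack of leaked hash:", offline_crack(leaked, salt))
```

The same reasoning is why a short numeric banking password is only as strong as the server's attempt limiting and its storage: the lockout makes online guessing a 3-in-10,000 proposition, but it does nothing for a password database that has been copied, where only length and a slow hash help.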


There was a discussion in the topic about passwords that might be worthy of a primer, but not directly related to the banking issue that began this topic. I carved out most of that discussion into a new topic at Password ‘Science’.

Please continue explicit banking issues here, and ‘all about passwords’ there.



A couple of years ago I questioned Westpac about their rather short and seemingly insecure password rule.
Their response to me was that they are happy and confident that their 6-digit password is safe and secure.
I don’t understand how their system works, but when I log into my Westpac account using my password manager, after it has logged in, the password manager asks me if I want to save the “new password”.
From this I assume some kind of keystroke encoding is taking place.
BB


My NAB banking login causes the same effect. The browser asks if I want to save the password. If I click yes, what is saved is not the password, just blank. So I always click no.
Not sure what is going on behind the login exchange, but it seems that my bank is helping me avoid doing a silly thing: that is, storing my password in the browser, or for that matter in a password manager.
The password has to be manually entered each time.
So I know I have to remember what it is, rather than let a password manager do it for me.


I tested this out yesterday with my Westpac login using my password manager.
After logging in, the password manager asked me if I want to save the new password, so I said YES, and then I checked what it had saved as the new password - not blank but a completely different 6 digit code. I had to change it back to the original code so the password manager login would work again next time.

Maybe somebody knows what’s going on here?
BB


Could be a bug in the password manager where it is having difficulty reading the user ID and password. When logging in, it thinks it is different to that stored, causing the request to save to pop up.

Westpac have changed their login coding, which confuses the password manager.

Also check the URL in the password manager is exactly the same as the Westpac login page. We find our own password manager makes a save request when it is slightly different, such as

mybank.com.au/login.html
mybank.com.au/en/login.html

It appears to be set to recognise slight changes in the website folder, which triggers the request.

Does the user ID and password automatically populate/autofill the login page, or do you cut and paste these in manually? If you paste manually, either the Westpac login page is coded to prevent autofill or the password manager can’t autofill for some reason. This might indicate a conflict of some sort, a bug, or Westpac trying to prevent bot password breakers/crackers.

Is the browser password manager turned off? It could also be a conflict between the browser password manager/storer and your own third-party password manager.


I don’t use the browser password manager as I don’t trust it.
Neither do I cut and paste from my password manager.
I open the password manager and tell it to go to westpac, then it opens the login page and enters my customer number and password and logs in successfully.

Then my password manager asks me if I want to update the password, and I say NO!!

I will check the URL stored in my password manager against the URL for the Westpac login and see if there is a difference.

Thanx
BB


Something I didn’t think of earlier - if you also use two-factor authentication, the password manager may be reading the two-step authentication code entry as the password; it identifies a difference to that stored and then requests to change the password to match. This will be a password manager issue and, if it is the case, let the password manager developer know so that they might be able to sort it out for future versions.


Your bank does not want you to store your password and use autofill from a browser or other password manager. After all, your computer could be in a shared environment at home, or work.
There are many techniques used on the login server side to block or confuse password managers.
Some are given here: https://stackoverflow.com/questions/41217019/how-to-prevent-a-browser-from-storing-passwords

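An added Python sketch of one such technique, consistent with the "keystroke encoding" speculated about earlier in this thread. It is an illustration constructed for this page, not Westpac's or NAB's actual login code, and the 6-digit password and the session permutation are made up. The server issues a fresh secret permutation of the ten digits for each login session, the page script substitutes each typed digit before submission, and the server inverts the permutation before comparing. A password manager that reads the field value at submit time therefore sees a different 6-digit string every session and offers to save it as a "new password", which would not decode correctly next time.

```python
import hmac
import secrets
import string

DIGITS = string.digits


def new_session_keymap():
    """Server side, once per login session: a secret permutation of the ten
    digits (unbiased Fisher-Yates shuffle driven by the secrets module).
    The map is kept server-side, bound to the session, and sent to the page."""
    shuffled = list(DIGITS)
    for i in range(len(shuffled) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        shuffled[i], shuffled[j] = shuffled[j], shuffled[i]
    return dict(zip(DIGITS, shuffled))


def encode_keystrokes(typed, keymap):
    """Client side: the page script replaces each digit the user (or an
    autofilling password manager) types with its session substitute, so the
    field that is actually submitted never holds the real password."""
    return "".join(keymap[d] for d in typed)


def decode_submission(submitted, keymap):
    """Server side: invert the session permutation before checking."""
    inverse = {v: k for k, v in keymap.items()}
    return "".join(inverse[c] for c in submitted)


def login_attempt(typed, stored_password, keymap):
    """Simulates one login. Returns (success, value_seen_in_the_form_field)."""
    submitted = encode_keystrokes(typed, keymap)
    ok = hmac.compare_digest(decode_submission(submitted, keymap), stored_password)
    return ok, submitted


if __name__ == "__main__":
    real = "271828"                      # constructed 6-digit password
    for session in range(2):
        keymap = new_session_keymap()    # changes every login
        ok, in_field = login_attempt(real, real, keymap)
        print(f"session {session}: login ok={ok}, field value a manager would save={in_field}")
```

Two caveats. First, the scheme is an anti-autofill and anti-naive-keylogger measure, not cryptography: over TLS it adds nothing against a network attacker, and the permutation must stay bound to the session on the server, or an attacker who captures the submitted value can replay it. Second, the "blank" case reported above for NAB is what a manager captures when the page clears the field before submit or marks it autocomplete="off", which is a different technique from the substitution shown here.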

Westpac’s Two Factor Authentication is a bit different from most. It doesn’t ask for a code when you log in, but whenever you attempt to view or change personal details, make a payment to a new payee, add or delete an account, etc. Then you’re asked to enter the code - either SMS code or from an RSA key (supplied by the bank, for a fee, if you ask for one) - before it will actually do whatever it is. So even if someone got hold of your customer number and password, they wouldn’t be able to do much, even view your personal details, without the code.

If you’re using the bank’s app, it can be configured to notify you of all transactions, both credits and debits, as they happen. So if someone (say) got hold of your credit card details and charged something to it, you’d know about that as soon as it happened.

They do also track your normal behaviour and contact you if there are any anomalies. Years ago I discovered this by accident. I made a substantial payment to an online shop outside Australia (to order a computer for my daughter who was studying overseas at the time), and less than 24 hours later I had a call from Westpac bringing this transaction to my attention and asking if it was valid, because it was unusual for me.

I would prefer a longer and more restrictive password, but on the whole I think their system is pretty secure.


Welcome @isopeda to the community.

Your post reminds me of an almost endless loop I got into with a service provider when I went to change my profile to a new mobile number for 2FA via SMS.
In order to change the mobile number, a code was sent to the original phone number, which I no longer had, and that was why I was trying to set the new number.
The call center solution was pretty convoluted, time consuming, and involved emails and a third phone number with keywords I had to repeat by voice.
But lesson learned.
2FA by phone can have issues.


Ditto, caught myself out the same way. Not only an issue with banking.

On banking using 2FA to verify certain transactions, ANZ follows a similar path to Westpac. 2FA is not required to login and most transactions proceed without it. Some transactions trigger 2FA, some being exceptions to the norm, and some others more regular.


At least you had a phone to work with. Some insist on a mobile (not landline or VOIP) and will not budge.


SMS isn’t secure in the first place, and to cap it off it can be difficult for the real owner of the account to fix the situation @Gregr described, if SMS is the only 2FA option.

It must be very easy to implement, because every system that offers 2FA does it with SMS (even if they offer other options as well). Including MyGov! :frowning: - which (last I looked) doesn’t have any option other than SMS.

But neither Westpac nor MyGov offers the option to use an authenticator app, which is potentially a much more secure approach than SMS. [‘Potentially’, because like every other security measure it still depends on the end user - eg to choose a trustworthy app, secure it effectively, and have an escape plan for when the phone’s lost or stolen.]

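An added, runnable Python example of what an authenticator app actually does, since the contrast with SMS is the point of the post above: RFC 4226 HOTP, RFC 6238 TOTP, decoding of the base32 secret that enrolment QR codes carry, and a server-side verifier that tolerates one 30-second step of clock drift while refusing to accept a code (or any earlier one) twice. After enrolment the shared secret never leaves the two endpoints, which is what removes the SIM-swap and SMS-interception exposure. This is not Westpac's or MyGov's code; the secret "12345678901234567890" is the RFC test-vector key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time // step), digits)


def secret_from_base32(text):
    """Authenticator apps receive the shared secret as base32 (QR code / otpauth URI)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server-side check: accepts the current step plus/minus `window` steps
    for clock drift, and keeps a high-water mark so an intercepted code cannot
    be replayed within that window."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now // self.step)
        for c in range(current - self.window, current + self.window + 1):
            if c < 0 or c <= self.last_counter:
                continue                        # already used, or before epoch: reject
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c           # burn this step and all earlier ones
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test-vector key, as an authenticator app would have it: base32.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at t=59 :", totp(secret, 59))
    v = TotpVerifier(secret)
    print("verify once  :", v.verify(totp(secret, 59), now=59))
    print("replay       :", v.verify(totp(secret, 59), now=59))
    print("live code now:", totp(secret, time.time()))
```

The "escape plan" the post asks for maps onto two things the server must offer at enrolment: one-time backup codes, and the ability to register a second device, because the secret exists only in the app and on the server, and a lost phone takes its copy with it.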