Absa Internet banking security concerns

So just because their pentesters couldn't get in, they believe nobody can, even with known weaknesses? Makes sense...

Time to change banks I guess
 
I think their security is some of the best out there.
SSL
then your account no. & pin (using the onscreen keypad negates keyloggers) + your own predefined passphrase (where different parts of the phrase have to be entered in a random fashion) + there is a "secure phrase" that you define that displays on top of your session (so spoofing the site is very unlikely)
Oh and then the SMS notification on login.

That's around 4 levels of security, not bad.
 

Capitec's hardware token is the best.
 

lol no. The online keypad isn't much; if you have a keylogger it is easy to do mouse-click and screen grabs as well.
 

Yeah, it's really only one level. Entering an account number, a pin, a predefined passphrase (and random parts of that) is no more secure than just a username and password. Arguably, it's less secure, since the fact that you have to enter random parts of it (and not the whole thing) means that it's not stored hashed (or more properly, with a key derivation function).

Spoofing a token that's displayed is easy, simply make a real request on the one side (with the data the user passed in), and display the results of it on your spoofed page.
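The point above about "random parts" of a passphrase, shown in code. This is an added, constructed example and not Absa's or any bank's code: it contrasts verifying a whole passphrase against a scrypt-derived verifier with the two ways a site can support checking a few randomly chosen characters, and then shows why the per-character-hash variant is trivially invertible (each position only has as many candidates as the alphabet). The alphabet, passphrase and scrypt parameters are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import random
import string

# Constructed example; assumptions: passphrases use this alphabet and the
# bank checks three random positions per login (as described in the thread).
ALPHABET = string.ascii_lowercase + string.digits
CHALLENGE_SIZE = 3


# --- Option A: store a KDF verifier over the WHOLE phrase ----------------
def derive(passphrase: str, salt: bytes) -> bytes:
    """Memory-hard KDF (scrypt) over the complete passphrase."""
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def enrol_full(passphrase: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive(passphrase, salt)}


def verify_full(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(record["verifier"], derive(attempt, record["salt"]))


def verify_partial_against_full(record: dict, positions: list, chars: list) -> bool:
    """Impossible by design: a verifier over the whole phrase cannot confirm
    'characters 2, 5 and 9 are c, c, e' without the rest of the phrase. A site
    that asks for random parts must therefore keep something weaker."""
    raise NotImplementedError("a KDF over the whole phrase cannot check a subset of characters")


# --- Option B: store one hash per character so partial checks work -------
def _char_hash(salt: bytes, position: int, char: str) -> bytes:
    return hashlib.sha256(salt + bytes([position]) + char.encode()).digest()


def enrol_per_char(passphrase: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "chars": [_char_hash(salt, i, c) for i, c in enumerate(passphrase)]}


def challenge(record: dict) -> list:
    """Pick the random positions the user will be asked for."""
    return sorted(random.SystemRandom().sample(range(len(record["chars"])), CHALLENGE_SIZE))


def verify_partial(record: dict, positions: list, chars: list) -> bool:
    return all(
        hmac.compare_digest(record["chars"][p], _char_hash(record["salt"], p, c))
        for p, c in zip(positions, chars)
    )


# --- Why option B is no better than plaintext if the record leaks ---------
def recover_from_per_char(record: dict) -> str:
    """Each position is independent and has only len(ALPHABET) candidates, so a
    leaked record is inverted with at most 36 hash calls per character."""
    out = []
    for i, h in enumerate(record["chars"]):
        for c in ALPHABET:
            if _char_hash(record["salt"], i, c) == h:
                out.append(c)
                break
        else:
            out.append("?")  # character outside the assumed alphabet
    return "".join(out)


if __name__ == "__main__":
    rec = enrol_per_char("correcthorse")
    positions = challenge(rec)
    print("asked for positions", positions)
    print("recovered from leaked record:", recover_from_per_char(rec))
```

Swapping SHA-256 for scrypt in the per-character hashes does not rescue option B: the attacker still needs only 36 guesses per position, so the cost is 36 KDF calls per character rather than 36 to the power of the phrase length for option A.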
 
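The "make a real request on the one side and display the result on your spoofed page" relay from the post above, as an added simulation that is not part of the original thread and not Absa's code. It models the flow the thread describes (account number first, bank shows the user's secure phrase, then PIN and passphrase characters), a spoofed page that forwards each step to the real site, and one partial hardening some banks use (only show the phrase to a browser carrying a device cookie). The account number, PIN, passphrase and phrase are constructed values.

```python
import secrets

# Constructed simulation; assumes the login order described in the thread:
# 1) account number -> bank displays secure phrase, 2) PIN + random
# passphrase characters -> session authenticated.


class RealBank:
    def __init__(self):
        self.customers = {}       # account -> {pin, passphrase, phrase}
        self.sessions = {}        # session id -> {account, positions, ok}
        self.device_cookies = {}  # cookie -> account (optional hardening)

    def enrol(self, account, pin, passphrase, phrase):
        self.customers[account] = {"pin": pin, "passphrase": passphrase, "phrase": phrase}

    def start_login(self, account, device_cookie=None, require_cookie=False):
        """Step 1: returns (session id, phrase to display, positions asked for)."""
        cust = self.customers[account]
        sid = secrets.token_hex(8)
        positions = sorted(secrets.SystemRandom().sample(range(len(cust["passphrase"])), 3))
        self.sessions[sid] = {"account": account, "positions": positions, "ok": False}
        if require_cookie and self.device_cookies.get(device_cookie) != account:
            shown = "(unrecognised device: secure phrase withheld)"
        else:
            shown = cust["phrase"]
        return sid, shown, positions

    def finish_login(self, sid, pin, chars):
        """Step 2: PIN plus the characters at the challenged positions."""
        s = self.sessions[sid]
        cust = self.customers[s["account"]]
        expected = [cust["passphrase"][p] for p in s["positions"]]
        s["ok"] = pin == cust["pin"] and chars == expected
        return s["ok"]


class PhishingRelay:
    """The spoofed site. It never needs to know the phrase in advance: it
    forwards the account number to the real bank and echoes whatever comes back."""

    def __init__(self, bank, require_cookie=False):
        self.bank = bank
        self.require_cookie = require_cookie
        self.sid = None
        self.positions = None
        self.captured = {}

    def page1(self, account):
        # The attacker's server has no copy of the victim's device cookie.
        self.sid, shown, self.positions = self.bank.start_login(
            account, device_cookie=None, require_cookie=self.require_cookie)
        self.captured["account"] = account
        return shown

    def page2(self, pin, chars):
        self.captured.update(pin=pin, chars=chars)
        return self.bank.finish_login(self.sid, pin, chars)


def run_attack(require_cookie: bool):
    """Returns (victim saw the genuine phrase, attacker's session authenticated)."""
    bank = RealBank()
    bank.enrol("123456789", "4321", "correcthorse", "purple giraffe")
    bank.device_cookies[secrets.token_hex(8)] = "123456789"  # victim's own browser is enrolled
    relay = PhishingRelay(bank, require_cookie)

    # Victim types the account number into the spoofed page and checks the phrase.
    shown = relay.page1("123456789")
    phrase_matched = shown == "purple giraffe"
    if not phrase_matched:
        return phrase_matched, False          # a careful victim stops here

    # Phrase looks right, so the victim supplies PIN and the challenged characters.
    chars = ["correcthorse"[p] for p in relay.positions]
    return phrase_matched, relay.page2("4321", chars)


if __name__ == "__main__":
    print("no device binding:", run_attack(require_cookie=False))
    print("device cookie required:", run_attack(require_cookie=True))
```

The device cookie is only a partial fix: the attacker can phish the "register this device" step, and the cookie is as stealable as anything else on an infected machine. A hardware token that generates a code can also be relayed in real time by the same proxy; what defeats this relay outright is a credential bound to the site's origin (FIDO2/WebAuthn), because the spoofed domain cannot obtain a signature that the real bank will accept.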
Expect many more security related articles like this in the year ahead. SARB is taking a HUGE interest in cyber security, cyber crime and cyber risk and how the banks protect AND respond* to events (attack, leakage, loss, theft). In the coming months the financial services (insurance & investments) and Health sector regulators will probably (should) also investigate their respective industries.

*the best stance a company can have is to be prepared WHEN an attack occurs, not IF an attack can occur.

IMO, based on past professional experiences, there's a lot of work that the banking sector community, as a whole, needs to do to minimize cyber risk. I think the financial services sector is years ahead of the banking sector.
 
Spoofing a token that's displayed is easy, simply make a real request on the one side (with the data the user passed in), and display the results of it on your spoofed page.

This comes down to user education though, and can one really put the onus on the business?

Users need anti-virus and endpoint security - prevent, detect and remove malware
Users need to confirm the legitimacy of the website - spoofed site or email... don't click the link in the email
Users need to be vigilant with their credentials - how often do you change your password credentials? Is it in accordance with best practice standards?

The average Joe does not take these things into account and will always blame the bank for stealing their money, not paying them back or not doing anything about it.
 