This is half-pie.

national bank online code

Posted 15. June 2007, 23:24, by Alan Macdougall, received 7 comments.

I quite like the National Bank’s new lo-calorie two factor authentication system. Nothing extra to carry around; no extra passwords. Easy. [Disclaimer: I used to work there, on NBNZ Online Banking. But I left a while back now and was not involved in this project. The following are my own opinions yada yada yada…]

Called Online Code, it will send you a text message (at no charge) containing a short numerical code to your mobile whenever you (or someone else) try to do certain things in Online Banking. You have to enter this code to prove that it’s really you out there at the end of that long piece of string between Online Banking and your PC. The code lasts for the rest of the session; you won’t need another unless you log out or time out.

Interestingly, not only is it voluntary, but they allow you to choose what kinds of activities you’d like to be texted for. There’s little guidance given on this, so in order to set it up some thought needs to be given to the kind of threat the service could forestall. My thoughts on this follow; you should probably think about this yourself before making any similar decisions.

So for me, I’m thinking “What if someone somehow got hold of my Online Banking password – for example, from me using a virus infested PC; or a dodgy internet café; to do my online banking on?”

If this happened, there’s a risk that the person doing it wants my money. So in this case, I’d want to be texted if any value was being transferred out of my accounts to somewhere else. There are a few ways this could happen:

  • One-off Payments: an obvious target. Therefore I need a text for any of these. No exceptions.
  • Automatic Payments: well, the ones I have now are OK (unless my kids maliciously increase the AP from my account to their accounts – somewhat unlikely for me I hope but for some people this could be a real scenario: kids; flatmates; spouses) but the fraudster could create a new one to themselves and use that. So I want to be texted if a new AP is created.
  • Bill Payments: again, the existing ones, which are mainly to my utilities, are OK. Who is going to want to overpay my Telecom bill for me? (Some might. But it’s unlikely. And if it did happen I’m sure I could go to Telecom and get the money returned.) So I won’t need to be notified if any payments are made on those Bill Payees. But again, I will want to be texted to approve any new Bill Payee setups.
  • Tax Payments: well, I suppose the fraudster could pay their tax bill from my account… or pay some random person’s out of sheer malicious pranksterism. I personally don’t think this is terribly likely, so I won’t require a text for this. On the other hand, I might change it back later. Do I trust the IRD to give me my money back if it did happen? I’m not completely decided as yet.

Here’s my current settings:

NBNZ Online Code

The options for addresses and passwords are also worth considering if you think a wider identity theft threat is credible – and as it costs nothing to tick the boxes I’ve done them too.
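A small model of the session-scoped check described above, with the settings chosen in this post as the policy. It is an added example, not the bank's code: the action labels, the six-digit code, the three-attempt limit and the `Session` class are all assumptions.

```python
import hmac
import secrets

# Hypothetical action labels (not the bank's identifiers), split the way the post chooses.
GATED = {"one_off_payment", "new_automatic_payment", "new_bill_payee",
         "change_address", "change_password"}
UNGATED = {"pay_existing_bill_payee", "tax_payment"}
MAX_ATTEMPTS = 3  # assumed limit; the post does not state one
class Session:
    """One logged-in session; a verified code unlocks it until logout or timeout."""
    def __init__(self, send_sms):
        self.send_sms = send_sms  # callable that delivers the code out of band
        self.verified = False
        self._code = None
        self._attempts = 0

    def request(self, action):
        """Return 'allowed', or 'code_required' after texting a fresh code."""
        if action not in GATED | UNGATED:
            raise ValueError(f"unknown action: {action}")
        if action in UNGATED or self.verified:
            return "allowed"
        if self._code is None:
            self._code = f"{secrets.randbelow(10**6):06d}"  # 6 digits assumed
            self._attempts = 0
            self.send_sms(self._code)
        return "code_required"

    def submit_code(self, candidate):
        """Compare in constant time; discard the code after too many misses."""
        if self._code is None:
            return False
        self._attempts += 1
        ok = hmac.compare_digest(candidate.encode(), self._code.encode())
        self.verified = self.verified or ok
        if ok or self._attempts >= MAX_ATTEMPTS:
            self._code = None
        return ok

    def logout(self):
        self.verified, self._code = False, None

def demo():
    """Constructed walk-through: the phone is modelled as a list of received texts."""
    phone = []
    s = Session(phone.append)
    steps = [s.request("pay_existing_bill_payee"), s.request("one_off_payment")]
    steps += [s.submit_code(phone[-1]), s.request("new_bill_payee")]  # no second text
    return steps, len(phone)
```

Once `verified` is set, every gated action in that session passes without another text, which is the trade-off of a code that lasts until logout or timeout.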

The easiest setup solution – down here at the bottom

On the other hand, maybe the easiest solution is just to tick them all. Then, if you get sick of being texted when you make a Bill Payment (the most common transaction in most internet banking systems) just untick that box only.

See? Easy. Although I took a long time getting here.

Comments

  1. Patrick Quinn-Graham
    16 June 2007, 03:01 #

    I certainly like the idea of this more than my UK bank, who insists on asking for 3 random digits of my passwords, followed by 3 random digits of a PIN (that is only used for that). Why not just ask for 6 letters of a password?

    Of course, this is a bank who (for online banking) has customer numbers of the format DDMMYYXXXX (where DD MM YY is the customer’s DOB).

  2. Mr Reasonable
    16 June 2007, 11:45 #

    Ah, Patrick, that sounds like good old Royal Bank of Scotland who I think simply cut and paste their old telephone banking password system into internet banking.

    [blush] I think OnlineCode is great too and beats crappy old tokens; who in their right mind would want those hanging from their keys? I am biased though so my vote doesn’t count for much….

  3. Stephen Judd
    16 June 2007, 13:28 #

    FWIW, when I did time at Egg, they had a similar scheme, and the alleged reason was to provide some obstacles to replay attacks.

    Personally I would have thought given people’s propensity to pick stupid passwords that you wouldn’t need to capture many sessions to have a good chance at recreating the entire password.

    Kiwibank have experimented with a similar idea recently – asking for random letters from the answer to a question you have set – and it was such a pain in the arse I turned it off again. “What is the 4th letter in your mother’s maiden name and the 7th in your first pet and the 5th digit of pi?” “I can’t work that out, give me my bloody money”.

  4. Alan
    16 June 2007, 13:58 #

    And that’s the other problem: annoying your customers with security barriers costs money too, especially if it drives them to use different banking channels that cost more.

    In many cases too, the cost of providing these security features outweighs the cost of paying out on the fraud, which is why banks haven’t exactly rushed to implement them.

  5. Mary
    16 June 2007, 20:55 #

    Now if only I had a mobile phone….

  6. Alan
    16 June 2007, 21:02 #

    Aaaahhhh, well, I hope they have some way around that… :-)

  7. Mary
    20 June 2007, 14:13 #

    There’s the old thingees to hang from your key ring, ringing them up for large transactions and jumping through some security-related hoops – or buying a mobile phone (which was suggested to me by the bank staff).

    It’s not like I’m a total techno loser. I did have a mobile phone once. Back in 1998 when they were kinda cool.
