I’m talking about the new Westpac internet banking sign in screen.
Westpac say they have professionals who advise them on issues such as this, but if these are security professionals, then I personally think they’re short sighted.
The sign-in for Westpac’s online banking service has recently been changed to use an on-screen virtual keyboard. Instead of typing both your customer ID and password on the keyboard, you now type the customer ID but enter the password by clicking on keyboard buttons drawn on the screen.
It looks like this:

So, this is more secure, as Westpac says, because it means a keystroke logger never sees the password being typed. True, but it also opens up other security problems, and this is where the short-sightedness comes in.
- Screenshot grabbers can steal your password, whereas before they would have captured nothing useful. With the new system, the keys you click on stay highlighted, giving a screenshot grabber an even better chance to take a snap.
- Someone can watch you from behind, or even from the other side of the room, since clicks on large on-screen keys are far easier to follow than fingers on a keyboard. You can now only log in when you’re the only one in the room.
- Mouse-movement macro recorders (anything that logs where you click) will work without a hitch, because the keyboard letters don’t move around or change order randomly: the same screen coordinates map to the same characters in every session, so a recording can simply be replayed.
- Computer-savvy people can no longer protect themselves from key loggers by typing their password in random order and masking it with arrow-key movements, or by copying and pasting letters from random places on web pages (I often did this at insecure locations just in case; I now no longer have any way of protecting myself).
Westpac also continues to enforce another insecure rule: every customer’s password must be exactly six characters long, made up of digits and upper-case letters only.
That seriously limits the number of possible passwords: 36 symbols in each of 6 positions gives 36^6, roughly 2.2 billion, and every character an observer manages to read divides that space by 36.
They block account access after four incorrect attempts, but if someone watches you enter your password on the new sign-in screen and keeps a close eye on it, it’s not very hard to get in with one or two tries. Plus, if you do get locked out, all you need to do is call Westpac, give them the same customer ID you use to log in to online banking, plus your three-digit phone access code, and it’s unlocked for you.
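As an added example (not Westpac’s code, and not from the original post), the following Python models the two points above that matter most to a practitioner, plus the password rule: a fixed on-screen keyboard whose click coordinates a macro recorder captures and later replays, the same replay run against a layout reshuffled for each session, and the size of a six-character A–Z/0–9 password space. The grid geometry (9 keys per row, 40 by 30 pixel keys), the hit-test and the sample password are all constructed for the demo and are assumptions, not details of the real sign-in page.

```python
"""Added example: a static on-screen keyboard stops a keystroke logger but not a
mouse-click recorder; a per-session shuffled layout breaks the replay.
Layout geometry and the password below are constructed for the demo."""
import random

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"   # Westpac's rule: A-Z and 0-9 only
PASSWORD_LEN = 6                                    # exactly six characters
COLS, KEY_W, KEY_H = 9, 40, 30                      # assumed grid: 9 keys per row, 40x30 px keys


def build_layout(order):
    """Map each character to the pixel centre of its key, laid out row-major."""
    layout = {}
    for i, ch in enumerate(order):
        row, col = divmod(i, COLS)
        layout[ch] = (col * KEY_W + KEY_W // 2, row * KEY_H + KEY_H // 2)
    return layout


def fixed_layout():
    """The same layout every session (the design the post complains about)."""
    return build_layout(ALPHABET)


def shuffled_layout(rng):
    """A fresh per-session layout in which no key stays on its usual cell.

    Rejecting permutations with fixed points means a replayed click can never
    land on the right character by luck (expected ~3 tries to find one)."""
    order = list(ALPHABET)
    while True:
        rng.shuffle(order)
        if all(a != b for a, b in zip(order, ALPHABET)):
            return build_layout(order)


def record_clicks(layout, password):
    """What a mouse-macro recorder captures: the screen coordinates clicked."""
    return [layout[ch] for ch in password]


def key_at(layout, point):
    """Resolve a click to the key under it (the keyboard's own hit test)."""
    x, y = point
    for ch, (kx, ky) in layout.items():
        if abs(x - kx) <= KEY_W // 2 and abs(y - ky) <= KEY_H // 2:
            return ch
    return "?"


def replay(layout, clicks):
    """Attacker replays the recorded coordinates against a later session."""
    return "".join(key_at(layout, p) for p in clicks)


def keyspace(alphabet=ALPHABET, length=PASSWORD_LEN):
    """Number of passwords the rule allows: 36**6 = 2,176,782,336."""
    return len(alphabet) ** length


def demo(password="X7Q2AB", seed=1):
    """Return (replay against the fixed layout, replay against a reshuffled one)."""
    victim = fixed_layout()
    clicks = record_clicks(victim, password)        # captured during the victim's login
    against_fixed = replay(fixed_layout(), clicks)   # next session: identical layout
    against_shuffled = replay(shuffled_layout(random.Random(seed)), clicks)
    return against_fixed, against_shuffled


if __name__ == "__main__":
    got_fixed, got_shuffled = demo()
    print("fixed layout   :", got_fixed)      # X7Q2AB: the replay logs in
    print("shuffled layout:", got_shuffled)   # six wrong characters: the replay fails
    print("keyspace       :", keyspace())     # 2176782336
```

Reshuffling only removes the replay property; it does nothing against screenshot grabbers or someone watching the screen, which is the point of the first two bullets. The derangement check in `shuffled_layout` is what makes the failure certain rather than merely likely: because every clicked cell now holds a different character, all six replayed characters come out wrong.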
Aside from all this, I can type relatively fast (and can, by the way, shield the keyboard from prying eyes by leaning over it as I type), so using this new online keypad just plain takes longer – considering I usually log in at least twice a day.
I called and wrote in to Westpac about all this, explaining everything as I saw it. It seems, however, that they have no intention of doing anything about it, not even making the old sign-in screen available to people who ask for it while keeping the new screen as the default. I got a written response from them, in part saying “Software has been developed by fraudsters to track keystrokes made on your computer’s keyboard. This software is called a ‘keylogging Trojan’ and can be installed onto your computer without your knowledge”. It seems like they never really read what I was telling them, or else they would have figured out that I knew very well what a ‘keylogging Trojan’ is, and that they don’t need to speak to me like I know nothing…
I also read here that Westpac’s head of channels and systems has said: “Most fraud is committed via keystroke loggers (so the length of the password makes no difference)”. It seems that they are also interested in putting all their effort into protecting the areas where “most fraud is committed”, and neglecting every single other way passwords can be compromised.
So, as a result of this change, I’m going to change banks if I can find a similar fee structure elsewhere. It’s not just the fact that they’ve short-sightedly made things “more secure”, but the fact that they have no intention of listening to and responding to their customers’ concerns, even by making an exception for those customers who ask for it.
What do you think?