[LINK] Bank to offer SMS security option

Karl Schaffarczyk karl at karl.net.au
Thu Feb 8 11:04:29 AEDT 2007


Hi Linkers, Karl,

> > > The Age paper today, ('Money' Section p9) notes that the Commonwealth
> > > Bank will soon offer, "the option of an SMS security-code service .... the
> > > bank will prompt the customer to request a code number which is then
> > > delivered via an SMS message .."

Old news to me, as a NAB customer I have enjoyed (as the other Karl 
has not) this product for many months now.....

>
>The SMS solution is close to useless. It is an unreliable, unlogged
>channel. The fact of this delay means that the key has to be valid for a
>very long time (many, many minutes). It puts a random delay between me
>and my banking. It requires me to own a mobile phone. Worse, it requires
>me to bank where I have SMS access. Where I live and work, there is no
>mobile coverage; not GSM, not CDMA, not 3G. The fallback offered by (eg)
>the NAB? No SMS. I.e., fallback to a lower level of security. Or I can
>lock my account when I log out, but then I have to reactivate it by
>phone before I can bank again. Gee, thanks.


As a user of the NAB's SMS system, I am yet to ever experience a 
delay, and the system does not rely on having a mobile phone. Go to a 
Telstra shop, or hardly normal, or even order online. Buy a nice 
cordless phone, and make sure it has SMS capability. SMS can then be 
delivered to your landline. Sure - it requires you to do your banking 
from that one phone line, but it means that joe hacker has to sit in 
your house in order to clean out your bank account.

>
>A solution that works, is cheap, is extremely effective, and that has
>been in use by serious banks (as against the toy banks we have in this
>country) is One Time Pads or the electronic (and better) version of
>same, SecureID. Those Oz banks that offer it have the unmitigated
>effrontery to CHARGE for it!

I find the one time pads "click this picture to enter your PIN" 
somewhat offensive. Well, the part I find offensive is that I am not 
offered a choice. If I am at a computer which I am confident is 
secure (eg almost any non-Windows machine), and I have others in the 
room with me, a one-time pad is like advertising your PIN to those in 
the room.
The IIA (www.iia.net.au) has some years ago provided some useful 
discussion papers, and somewhere - I can't remember exactly - 
mentioned the use of keyfob authentication devices and suggested its 
use as an open standard, where you use the keyfob for several banks, 
rather than each reinventing the wheel, and weighing down the punter 
with their own piece of technology. 
http://www.iia.net.au/index.php?option=com_content&task=view&id=118&Itemid=35


>Toy bank story. I needed to transfer a house deposit out of Switzerland
>when we were moving back here. I'd had problems with ridiculously low
>daily transfer limits in Oz. So I rang my Swiss bank to ask if they had
>daily limits too. "Yes sir, I'm afraid we do". Oh dear. My heart sank.
>"Er, what's the limit then?" "Four million francs, sir."
>
>Regards, K.
>
>--
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
>http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)
>


--
Karl Schaffarczyk - for friendly service, cost effective long 
distance calls and VoIP phone systems.
p: +61 2 6233 3333
f: +61 2 6233 3399
e: karl at karl.net.au


