[AusNOG] AU Major Banks and SHA-1

Ivan Jukic ijukic13 at gmail.com
Fri Jun 26 09:04:43 EST 2015


The same can be said for any database. Look at what happened to Sony
PlayStation. So it doesn't really matter that it uses a 6 digit password
via floating keyboard.

On 26 June 2015 at 08:59, Robert Hudson <hudrob at gmail.com> wrote:

> Once your attacker manages to obtain a copy of the database for offline
> cracking, no floating virtual keyboard in the world will save you...
> On 26 Jun 2015 8:32 am, "Ivan Jukic" <ijukic13 at gmail.com> wrote:
>
>> Granted it uses 6 digits, silly I know in the conventional sense.
>> However, correct me if I am wrong. You need to enter the password using a
>> floating virtual keyboard. So keystroke logging and brute force/dictionary
>> attacks should not be an issue...
>>
>> On 26 June 2015 at 08:23, Scott Howard <scott at doc.net.au> wrote:
>>
>>> You forgot to mention:
>>>
>>> Westpac - maximum 6 digit passwords for Internet Banking. No special
>>> characters allowed.  No upper/lower case distinction. (But at least it's
>>> better than their 3 digit phone PINs)
>>>
>>> SSL is pretty much the least of Westpac's problems when it comes to
>>> Internet Banking security...
>>>
>>>   Scott
>>>
>>>
>>>
>>> On Thu, Jun 25, 2015 at 3:14 PM, Matthew Moyle-Croft <mmc at mmc.com.au>
>>> wrote:
>>>
>>>> We've all been distracted by the large scale crazy of site blocking,
>>>> meta data retention and whatever else the Australian Government is doing.
>>>>
>>>> But need to focus on some basics:
>>>>
>>>> SHA-1 is on its way out (see
>>>> http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
>>>> ).
>>>>
>>>> Friend got a warning for his bank (not Australian) from Chrome about
>>>> bad SSL configs, so I went and had a quick look at the big 4 banks in
>>>> Australia to see what's up.
>>>>
>>>> Commbank - got it right - no SHA-1 for home page or Internet Banking,
>>>> no TLS 1.0
>>>> ANZ - no SSL on home page, TLS 1.0 and SHA-1 for internet banking (oh
>>>> boy!)
>>>> NAB -  no SSL on home page, TLS 1.2 and SHA-1 for internet banking
>>>> Westpac - no SSL on home page, TLS 1.2 and SHA-1 for internet banking
>>>>
>>>> Anyone here who can influence good internet crypto for the 3 that
>>>> aren't quite there?
>>>>
>>>> MMC
>>>>
>>>> _______________________________________________
>>>> AusNOG mailing list
>>>> AusNOG at lists.ausnog.net
>>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>>
>>>>