[AusNOG] AU Major Banks and SHA-1

Nick Adams nick.adams at reachtel.com.au
Fri Jun 26 09:07:18 EST 2015


You have to assume that the banks have calculated the likely risk of
compromise and resulting fraud versus the cost of enforcing strong
passwords and the labour cost of dealing with resetting Aunt Beryl's
password every fortnight.

Nick.

On 26/06/2015 8:59 AM, Robert Hudson wrote:
> Once your attacker manages to obtain a copy of the database for offline
> cracking, no floating virtual keyboard in the world will save you...
> 
> On 26 Jun 2015 8:32 am, "Ivan Jukic" <ijukic13 at gmail.com> wrote:
> 
>     Granted it uses 6 digits, silly I know in the conventional sense.
>     However, correct me if I am wrong. You need to enter the password
>     using a floating virtual keyboard. So keystroke logging and brute
>     force/dictionary attacks should not be an issue...
> 
>     On 26 June 2015 at 08:23, Scott Howard <scott at doc.net.au> wrote:
> 
>         You forgot to mention :
> 
>         Westpac - maximum 6 digit passwords for Internet Banking. No
>         special characters allowed.  No upper/lower case distinction.
>         (But at least it's better than their 3 digit phone PINs)
> 
>         SSL is pretty much the least of Westpac's problem when it comes
>         to Internet Banking security...
> 
>           Scott
> 
> 
> 
>         On Thu, Jun 25, 2015 at 3:14 PM, Matthew Moyle-Croft
>         <mmc at mmc.com.au> wrote:
> 
>             We've all been distracted by the large scale crazy of site
>             blocking, metadata retention and whatever else the
>             Australian Government is doing.
> 
>             But need to focus on some basics:
> 
>             SHA-1 is on its way out (see
>             http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html).
> 
>             Friend got a warning for his bank (not Australian) from
>             Chrome about bad SSL configs, so I went and had a quick look
>             at the big 4 banks in Australia to see what's up.
> 
>             Commbank - got it right - no SHA-1 for home page or Internet
>             Banking, no TLS 1.0
>             ANZ - no SSL on home page, TLS 1.0 and SHA-1 for internet
>             banking (oh boy!)
>             NAB - no SSL on home page, TLS 1.2 and SHA-1 for internet
>             banking
>             Westpac - no SSL on home page, TLS 1.2 and SHA-1 for
>             internet banking
> 
>             Anyone here who can influence good internet crypto for the 3
>             that aren't quite there?
> 
>             MMC
> 
>             _______________________________________________
>             AusNOG mailing list
>             AusNOG at lists.ausnog.net
>             http://lists.ausnog.net/mailman/listinfo/ausnog
> 
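The quick look MMC describes (which protocol versions a bank's site accepts, and whether its certificate is still SHA-1 signed) can be scripted. This is an added example, not code from the thread or from any of the banks; it assumes the `openssl` command-line tool is on PATH and that the site answers on port 443.

```shell
#!/bin/sh
# Added example: audit a host's TLS configuration the way the quoted
# post did by hand. Assumes the openssl CLI is installed.

# Classify the leaf certificate's signature algorithm from the text
# form of `openssl x509 -noout -text` read on stdin.
# Prints SHA1, OK, or UNKNOWN (no Signature Algorithm line found).
classify_sigalg() {
    alg=$(sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$alg" in
        "")            echo UNKNOWN ;;
        *sha1*|*SHA1*) echo SHA1 ;;
        *)             echo OK ;;
    esac
}

# Does the server complete a handshake at the given protocol?
# $1 = host, $2 = openssl protocol flag (-tls1, -tls1_1 or -tls1_2)
probe_protocol() {
    if openssl s_client -connect "$1:443" -servername "$1" "$2" \
           </dev/null >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Print the protocol matrix and signature algorithm for one host.
audit_host() {
    host=$1
    echo "== $host"
    for flag in -tls1 -tls1_1 -tls1_2; do
        echo "  accepts $flag: $(probe_protocol "$host" "$flag")"
    done
    sig=$(openssl s_client -connect "$host:443" -servername "$host" \
              </dev/null 2>/dev/null \
          | openssl x509 -noout -text 2>/dev/null | classify_sigalg)
    echo "  leaf certificate signature: $sig"
}

# Usage: sh audit_tls.sh www.example.com (hostname is a placeholder)
if [ "$#" -gt 0 ]; then
    for h in "$@"; do audit_host "$h"; done
fi
```

A "yes" for -tls1 or a SHA1 verdict reproduces the findings listed for ANZ, NAB and Westpac above; the "no SSL on home page" point is checked separately by requesting the site over plain http and seeing whether it redirects to https.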

