[AusNOG] AU Major Banks and SHA-1

Damian Guppy the.damo at gmail.com
Thu Jul 2 18:53:20 EST 2015


A tool like the Steps Recorder built into Windows since Vista would defeat
this - it takes a screen shot with time stamp and pointer location, and
some other details, every time there is a mouse click event.

--Damian

On Thu, Jul 2, 2015 at 1:05 AM, Tom Storey <tom at snnap.net> wrote:

> It also moves around the screen* so you can't even record macros to
> repeat mouse input later on.
>
> * either per "key press" or when it first appears, been a while since
> I used it, but I did notice that.
>
> On 25 June 2015 at 23:30, Ivan Jukic <ijukic13 at gmail.com> wrote:
> > Granted it uses 6 digits, silly I know in the conventional sense. However,
> > correct me if I am wrong. You need to enter the password using a floating
> > virtual keyboard. So keystroke logging and brute force/dictionary attacks
> > should not be an issue...
> >
> > On 26 June 2015 at 08:23, Scott Howard <scott at doc.net.au> wrote:
> >>
> >> You forgot to mention:
> >>
> >> Westpac - maximum 6 digit passwords for Internet Banking. No special
> >> characters allowed.  No upper/lower case distinction. (But at least it's
> >> better than their 3 digit phone PINs)
> >>
> >> SSL is pretty much the least of Westpac's problem when it comes to
> >> Internet Banking security...
> >>
> >>   Scott
> >>
> >>
> >>
> >> On Thu, Jun 25, 2015 at 3:14 PM, Matthew Moyle-Croft <mmc at mmc.com.au>
> >> wrote:
> >>>
> >>> We've all been distracted by the large scale crazy of site blocking, meta
> >>> data retention and whatever else the Australian Government is doing.
> >>>
> >>> But need to focus on some basics:
> >>>
> >>> SHA-1 is on its way out (see
> >>> http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html).
> >>>
> >>> Friend got a warning for his bank (not Australian) from Chrome about bad
> >>> SSL configs, so I went and had a quick look at the big 4 banks in Australia
> >>> to see what's up.
> >>>
> >>> Commbank - got it right - no SHA-1 for home page or Internet Banking, no
> >>> TLS 1.0
> >>> ANZ - no SSL on home page, TLS 1.0 and SHA-1 for internet banking (oh
> >>> boy!)
> >>> NAB -  no SSL on home page, TLS 1.2 and SHA-1 for internet banking
> >>> Westpac - no SSL on home page, TLS 1.2 and SHA-1 for internet banking
> >>>
> >>> Anyone here who can influence good internet crypto for the 3 that aren't
> >>> quite there?
> >>>
> >>> MMC
> >>>
> >>> _______________________________________________
> >>> AusNOG mailing list
> >>> AusNOG at lists.ausnog.net
> >>> http://lists.ausnog.net/mailman/listinfo/ausnog