[AusNOG] AU Major Banks and SHA-1

Ross Annetts ross.annetts at digitalpacific.com.au
Fri Jun 26 09:29:16 EST 2015


ING is worse: 4-digit PIN, floating keyboard.

Regards,
Ross

On 26/06/2015 8:30 am, Ivan Jukic wrote:
> Granted it uses 6 digits, silly I know in the conventional sense. 
> However, correct me if I am wrong. You need to enter the password 
> using a floating virtual keyboard. So keystroke logging and brute 
> force/dictionary attacks should not be an issue...
>
> On 26 June 2015 at 08:23, Scott Howard <scott at doc.net.au> wrote:
>
>     You forgot to mention :
>
>     Westpac - maximum 6 digit passwords for Internet Banking. No
>     special characters allowed.  No upper/lower case distinction. (But
>     at least it's better than their 3 digit phone PINs)
>
>     SSL is pretty much the least of Westpac's problem when it comes to
>     Internet Banking security...
>
>       Scott
>
>
>
>     On Thu, Jun 25, 2015 at 3:14 PM, Matthew Moyle-Croft
>     <mmc at mmc.com.au> wrote:
>
>         We've all been distracted by the large scale crazy of site
>         blocking, meta data retention and whatever else the Australian
>         Government is doing.
>
>         But need to focus on some basics:
>
>         SHA-1 is on its way out (see
>         http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html).
>
>         Friend got a warning for his bank (not Australian) from Chrome
>         about bad SSL configs, so I went and had a quick look at the
>         big 4 banks in Australia to see what's up.
>
>         Commbank - got it right - no SHA-1 for home page or Internet
>         Banking, no TLS 1.0
>         ANZ - no SSL on home page, TLS 1.0 and SHA-1 for internet
>         banking (oh boy!)
>         NAB -  no SSL on home page, TLS 1.2 and SHA-1 for internet banking
>         Westpac - no SSL on home page, TLS 1.2 and SHA-1 for internet
>         banking
>
>         Anyone here who can influence good internet crypto for the 3
>         that aren't quite there?
>
>         MMC
>
>         _______________________________________________
>         AusNOG mailing list
>         AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>         http://lists.ausnog.net/mailman/listinfo/ausnog
>

-- 
Regards,
Ross Annetts
