
Australian Banking Security (!)

Online security is becoming more important every day. It is now common to enforce secure password policies: at least 8 characters, with a minimum of one special character such as @, $ or #. More and more corporations are taking care with passwords, as a new "hack incident" is reported almost every day...

We all expect banks, at least, to take care with secure password policies, besides SSL logins or virtual keyboards. As I said, "we expect", but it is sad to see that some banks do not meet the minimum security requirements, or at least our expectations, or even the ISO 27001 or PCI standards in terms of passwords.

This post is proof of how weak password policies are used on some Australian online banking websites. Yes, they do have SSL, but these days SSL hacking is not "rocket science", and some PKIs have been compromised a few times...


I did some simple pen testing by logging in to the SSL-protected sites and entering passwords manually, and the result was shocking, at least for me.

My first example is National Australia Bank (NAB):

1) Only 8 characters of password are allowed

2) No special characters are allowed


Here is one more example, from Westpac:

They force users to use the "virtual keyboard", but only 6 characters of password are allowed!


My recommendation: do not trust your SSL too much, and please encourage your customers to use complex passwords.

Special thanks to the Commonwealth and ANZ banks, which have not just SSL and a virtual keyboard but also allow passwords of up to 15 characters.
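To put the policies above side by side, here is an added example (my own code, not from the post or any of the banks) that models each policy as described in the text and computes the most work an exhaustive guess could ever need under it. The character sets, the Westpac special-character handling and the 64-character cap on the "Recommended" policy are assumptions, not published bank rules.

```python
import math
import string
from dataclasses import dataclass

SPECIALS = "@$#!%&*"  # assumed special-character set; the post only mentions @ $ #


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    max_len: int                  # longest password the login form accepts
    min_len: int = 1
    allow_special: bool = True
    require_special: bool = False

    def allowed_chars(self) -> str:
        chars = string.ascii_letters + string.digits
        return chars + SPECIALS if self.allow_special else chars

    def accepts(self, pw: str) -> bool:
        """True if pw would be accepted under this policy."""
        if not self.min_len <= len(pw) <= self.max_len:
            return False
        if any(c not in self.allowed_chars() for c in pw):
            return False
        return not self.require_special or any(c in SPECIALS for c in pw)

    def max_keyspace_bits(self) -> float:
        """log2 of the number of distinct passwords the policy can accept:
        an upper bound on the work of an exhaustive search."""
        n = len(self.allowed_chars())
        total = 0
        for length in range(self.min_len, self.max_len + 1):
            count = n ** length
            if self.require_special:  # drop passwords that contain no special char
                count -= (n - len(SPECIALS)) ** length
            total += count
        return math.log2(total)


# Policies modelled from the post's descriptions (hypothetical, not the banks' published rules).
POLICIES = [
    PasswordPolicy("NAB", max_len=8, allow_special=False),
    PasswordPolicy("Westpac", max_len=6),  # post does not say whether specials are allowed
    PasswordPolicy("CBA/ANZ", max_len=15),
    PasswordPolicy("Recommended", min_len=8, max_len=64, require_special=True),
]


def rank_policies(policies=POLICIES):
    """Return (name, bits) pairs, weakest policy first."""
    return sorted(((p.name, p.max_keyspace_bits()) for p in policies), key=lambda t: t[1])


if __name__ == "__main__":
    for name, bits in rank_policies():
        print(f"{name:12s} {bits:6.1f} bits of maximum keyspace")
```

The NAB policy tops out below 48 bits and Westpac below 37, which is the whole keyspace an attacker with the password hash would ever need to cover, whereas a longer password with specials moves that bound well out of reach.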

This test will be continued; keep an eye out, more to come...
