Westpac's anti-keylogging attempt questioned

Some believe that Westpac's new anti-keylogging sign-in page is a joke and does not go far enough to ensure security.

The bank last week launched a new sign-in page which uses an on-screen keypad designed to prevent keystroke-logging fraud by removing the need to enter passwords on a keyboard. (See story: http://www.computerworld.com.au/index.php?id=756333073)

Andrew Young, who has worked in corporate IT for 10 years and has built web sites for three years, uses Westpac for his online banking because he believes that overall it offers a good service. "But they just do stupid things sometimes, such as this new anti-keylogging sign-in page," he said.

"Many key-loggers can record screen-shots and mouse movements, which totally nullifies this security upgrade, and this new system increases the risk of people being able to get your password especially if you are using the site in an office, Internet cafe or other public space where people can view your monitor."

Another flaw is that the bank forces customers to use short, fixed-length passwords of six characters, which Young says makes it easier for hackers to guess and remember passwords.

"Westpac won't let customers use longer, more secure passwords. I think they should be talking to their customers and giving them options. They could allow people to use this new login if they want or let them type it in (as they used to), or better yet let them have the option of two-factor authentication via key-fob, SMS or e-mail," he said.

A recent Frost & Sullivan end user survey of 269 respondents from a wide range of industries revealed that 57 percent had found spyware on multiple computers in their organization, while 22 percent of those surveyed had discovered illegitimately installed keyloggers.

Security analyst James Turner said if he had his way, everyone in Australia would move their accounts to a bank that used two-factor internet banking.

"Anything less than this is just not good enough. Little keyboards on the screen are a joke. There's a reason that the serious enterprises use two-factor authentication for their core information and access areas - it's because they provide better security than just a password," he said.

"The banks in Australia are only now waking up from a long slumber of complacency. In Scandinavia, the banks have been using two-factor identification for Internet banking for many years," he said.

Turner said that online banking security comes down to an issue of risk analysis.

"The risk is reasonably high, but the cost to the bank has not reached a critical tipping point yet. A bank can afford to cover the costs of an individual's credit card being abused, but the individual has to go through the most horrible inconvenience of jumping through the hoops of getting the problem sorted out."

PC Tools spokesperson Magida Ezzat said the advanced types of keyloggers that can read screen shots and mouse strokes are much less common than ones that can read key strokes.

"So the new Westpac system now at least protects against some keyloggers rather than previously, where there was no protection at all," she said.

Ezzat also said that using a two-factor approach would take away the ease and simplicity that Internet banking offers.

"The pure nature of Internet banking and any online transacting means that it will never be one hundred percent foolproof. While online transacting offers the convenience factor it also comes with certain risks that consumers must be aware of. The only real secure way is to go back to basics and physically go into the branch again," she said.

Westpac's head of channels and systems, Paul Jennings, said security is of "the utmost importance to Westpac and the bank has an ongoing program of investments to maintain the highest levels of security," but would not disclose the amount of financial investment from the bank.

Jennings said the new log-in page is sufficient to deal with most keylogging trojans that exist today.

"Trojans that capture screen shots and mouse clicks are significantly more complex than the keystroke logging trojans that are common today. We accept that over time trojans will become more sophisticated and hence the on-screen keypad is a relatively simple tactical initiative aimed at staying one step ahead of the fraudsters," he said.

Although Westpac's password is currently set at six digits, Jennings said the bank may look at changing this in the future.

"Most fraud is committed via keystroke loggers (so the length of the password makes no difference), and we also need to consider the impact on two million customers of communicating any change to password rules," he said.

Jennings said that the two-factor approach is a more complex and expensive change, but that the bank is working with other parties, including other banks, towards an industry solution for two-factor authentication.

"We believe that a shared industry utility is the best outcome for our customers and ourselves. This will avoid duplicated infrastructure investments and allow customers to choose a single security device for all online services they use," he said.

Westpac already uses two-factor authentication for Business Online, its online banking platform for small to medium size businesses, where it has 75,000 SecurID tokens in active use.


Dahna McConnachie

Computerworld