Tuesday 20 September 2016

Westpac Are A Bunch Of Useless Morons

Sometimes I get a bit steamed up when it comes to computer security.  Usually it's over someone doing stupid things, such as writing their password on a yellow sticky note and putting it under their keyboard, or attaching it to their screens. Sometimes it's about lack of forethought put into product design such as the BlueCoat proxy SSL interception (more about that later).

However occasionally there is an instance of organisational stupidity that goes beyond the pale.  Westpac Banking Corporation (WBC or Westpac as it's known to us Australians) is one of the "big 4" banks of the Australian banking scene.  So you would think that at some point they would have the funds to hire a security expert to tell them that their recent online banking redesign was a really dumb idea.  Or perhaps they could have hired a 5 year old, because any 5 year old could have spotted this.

Here's a screen shot of the Westpac Online Banking sign-in, or "Westpac Live" as they prefer to call it:



I have "redacted out" (scrubbed over with red paint) a few pertinent details such as my customer ID (account number) and password.  Of course I didn't enter my real password; I just clicked on the number "5" a few times.

The customer ID is normally shown in clear text on the screen.  That's no big deal because nobody can access my Westpac accounts without both the customer ID and password.  Nothing beats single factor security, eh?

However the password can also be clearly read by anyone standing behind me.  In fact in the latest redesign the buttons that you click to enter your password have been enlarged, and now the button that you click is highlighted as you click it. That means that anyone in the same room can probably read the password as it's entered.  You can't type it in, you have to click the buttons, for "security reasons" as I've been told by Westpac staff in the past.

I guess "security reasons" are also why the password has to be only 6 characters, letters and numbers, and is all upper case.  I guess "security reasons" is also why they haven't switched to 2 factor authentication yet.
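As an added illustration (not part of the original post), here is a small Python calculation of how many distinct credentials a policy like the one described above actually admits, and what case-folding does to it. The "alternative" policy is constructed purely for comparison and is not any bank's real policy.

```python
import math
import string

# Character classes a password policy may permit.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def policy_keyspace(min_len, max_len, classes, case_insensitive=False):
    """Number of distinct credentials the policy can represent.

    If the system folds case (the post says everything is upper case), the
    'lower' class collapses into 'upper', so typing a mixed-case password
    buys nothing: it is stored and checked as the upper-case form.
    """
    classes = set(classes)
    if case_insensitive and "lower" in classes:
        classes.discard("lower")
        classes.add("upper")
    alphabet = len(set("".join(CLASSES[c] for c in classes)))
    # Sum over every permitted length (a fixed length is a single term).
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def entropy_bits(keyspace):
    """Strength of a uniformly chosen credential, in bits."""
    return math.log2(keyspace)


# Westpac Live policy as described in the post: exactly 6 characters,
# letters and digits, case folded to upper.
WESTPAC = dict(min_len=6, max_len=6,
               classes=["upper", "lower", "digit"], case_insensitive=True)
# Constructed comparison policy: 12 characters, all four classes, case kept.
ALT = dict(min_len=12, max_len=12,
           classes=["upper", "lower", "digit", "symbol"])

if __name__ == "__main__":
    for name, policy in (("Westpac Live", WESTPAC), ("12-char mixed", ALT)):
        ks = policy_keyspace(**policy)
        print(f"{name}: {ks:.3e} credentials, {entropy_bits(ks):.1f} bits")
```

Roughly 31 bits is the whole search space for the bank's policy; the case-folding line in `policy_keyspace` is why a user who carefully mixes case gets no benefit from doing so.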

Anyone who still banks at Westpac should probably look to close their accounts and take them elsewhere.  For "security reasons".