Tuesday, 20 September 2016

Westpac Are A Bunch Of Useless Morons

Sometimes I get a bit steamed up when it comes to computer security.  Usually it's over someone doing stupid things, such as writing their password on a yellow sticky note and putting it under their keyboard, or sticking it to their screen. Sometimes it's about a lack of forethought in product design, such as the BlueCoat proxy SSL interception (more about that later).

However, occasionally there is an instance of organisational stupidity that goes beyond the pale.  Westpac Banking Corporation (WBC, or Westpac as it's known to us Australians) is one of the "big 4" banks of the Australian banking scene.  So you would think that at some point they would have the funds to hire a security expert to tell them that their recent online banking redesign was a really dumb idea.  Or perhaps they could have hired a 5 year old, because any 5 year old could have spotted this.

Here's a screen shot of the Westpac Online Banking sign-in, or "Westpac Live" as they prefer to call it:

I have "redacted out" (scrubbed over with red paint) a few pertinent details such as my customer ID (account number) and password.  Of course I didn't enter my real password; I just clicked on the number "5" a few times.

The customer ID is normally shown in clear text on the screen.  That's no big deal because nobody can access my Westpac accounts without both the customer ID and password.  Nothing beats single factor security, eh?

However, the password can also be clearly read by anyone standing behind me.  In fact, in the latest redesign the buttons that you click to enter your password have been enlarged, and now the button that you click is highlighted as you click it. That means that anyone in the same room can probably read the password as it's entered.  You can't type it in; you have to click the buttons, for "security reasons", as I've been told by Westpac staff in the past.

I guess "security reasons" are also why the password is limited to 6 characters, letters and numbers only, all upper case.  I guess "security reasons" are also why they haven't switched to two-factor authentication yet.
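To put a number on what that password rule costs, here is an added example (my own code, not anything from the original post or from Westpac). It models the policy as described: six characters, letters and digits, upper case, with anything longer silently cut down to six characters as a commenter below reports. The exact server-side rule is not known; the assumption that other characters are simply dropped is mine. The table compares the resulting keyspace with two ordinary policies, and the collision check shows how distinct strong passwords end up stored as the same six-character value.

```python
import math
import re
import string

# Hypothetical model of the policy described in the post: a 6-character,
# upper-case, letters-and-digits password, with anything longer cut down
# to 6 characters. Dropping non-alphanumeric characters is an assumption;
# the bank's real normalisation rules are not known.
ALPHABET_SIZE = len(string.ascii_uppercase + string.digits)  # 36 symbols
MAX_LEN = 6


def normalise(password: str) -> str:
    """Fold a user-chosen password into the form the modelled policy stores."""
    folded = re.sub(r"[^A-Z0-9]", "", password.upper())  # assumption: strip others
    return folded[:MAX_LEN]


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy if every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def collisions(passwords):
    """Group distinct user passwords that the policy maps to the same stored value."""
    groups = {}
    for pw in passwords:
        groups.setdefault(normalise(pw), []).append(pw)
    return {stored: originals for stored, originals in groups.items() if len(originals) > 1}


def policy_table():
    """Compare the described policy with two common alternatives (bits of entropy)."""
    return {
        "6 chars, A-Z0-9 (described)": keyspace_bits(ALPHABET_SIZE, MAX_LEN),
        "8 chars, A-Za-z0-9": keyspace_bits(62, 8),
        "12 chars, printable ASCII": keyspace_bits(95, 12),
    }


if __name__ == "__main__":
    # Constructed sample passwords for illustration; not real credentials.
    sample = ["Tr0ub4dor&3", "tr0ub4dor!!2016", "TR0UB4", "correct horse battery staple"]
    for name, bits in policy_table().items():
        print(f"{name:30s} {bits:6.1f} bits")
    for stored, originals in collisions(sample).items():
        print(f"stored as {stored!r}: {originals}")
```

Six upper-case alphanumerics give about 31 bits (36^6, roughly 2.2 billion values), so the only thing standing between an attacker and an account is the rate limit on the login form; the collision output shows that even a long, mixed-case password with symbols is reduced to the same six characters as a trivially weak one.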

Anyone who still banks at Westpac should probably look to close their accounts and take them elsewhere.  For "security reasons".


  1. RFID authenticators are pretty cheap nowadays. Heck, World of Warcraft provides them for their 6 million or so customers for six bucks each. It's not an impossible bit of infrastructure to support.

  2. On the upside, you do get an sms code when you do a transfer or payment to a new account.

  4. Yes I was quite surprised to find that they're happy for me to *set* a password that's longer than 6-chars... but it's auto-downgraded to the 6-char password. :(

  5. It also caches your customer id even when you don't tick the box. When your session times out it remembers your id which I find disconcerting.