forked from ryankurte/doesmybank
index.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
<title>Does My Bank Support?</title>
<!-- Bootstrap -->
<link href="css/bootstrap.min.css" rel="stylesheet">
<!-- Custom CSS -->
<link href="css/custom.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.3/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
</head>
<body>
<div class="container-fluid">
<div class="row">
<div class="col-md-10 col-md-offset-1 col-lg-8 col-lg-offset-2">
<h2>Does my bank support?</h2>
<h4>A look at the security and standards compliance of NZ banks</h4>
<br>
<div class="table-responsive">
<table class="table table-reflow">
<tr>
<th data-label="Bank">Bank</th>
<th>Website</th>
<th>Real Passwords</th>
<th>Two Factor Auth (TOTP)</th>
<th>Two Factor Auth (U2F)</th>
<th>Two Factor Auth (App)</th>
<th>Two Factor Auth (Other)</th>
<th>User accessible APIs</th>
</tr>
<tr>
<td data-label="ANZ">ANZ</td>
<td><a href="https://www.anz.co.nz">www.anz.co.nz</a></td>
<td><span class="glyphicon glyphicon-ok" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-question-sign" aria-hidden="true"></span></td>
<td>OnlineCode SMS-based</td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
</tr>
<tr>
<td data-label="ASB">ASB</td>
<td><a href="https://www.asb.co.nz">www.asb.co.nz</a></td>
<td><span class="glyphicon glyphicon-ok" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span><sup><a href="#note1">[1]</a></sup></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-ok" aria-hidden="true"></span></td>
<td>Netcode SMS or RSA physical token</td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
</tr>
<tr>
<td data-label="BNZ">BNZ</td>
<td><a href="https://www.bnz.co.nz">www.bnz.co.nz</a></td>
<td><span class="glyphicon glyphicon-ok" aria-hidden="true"></span><sup><a href="#note2">[2]</a></sup></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-ok" aria-hidden="true"></span></td>
<td>NetGuard lookup table (card)</td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
</tr>
<tr>
<td data-label="Co-operative Bank">Co-operative Bank</td>
<td><a href="https://www.co-operativebank.co.nz">www.co-operativebank.co.nz</a></td>
<td><span class="glyphicon glyphicon-minus" aria-hidden="true"></span><sup><a href="#note9">[9]</a></sup></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-question-sign" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
</tr>
<tr>
<td data-label="Heartland">Heartland</td>
<td><a href="https://www.heartland.co.nz/">www.heartland.co.nz</a></td>
<td><span class="glyphicon glyphicon-minus" aria-hidden="true"></span><sup><a href="#note10">[10]</a></sup></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-question-sign" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
</tr>
<tr>
<td data-label="Kiwibank">Kiwibank</td>
<td><a href="https://www.kiwibank.co.nz">www.kiwibank.co.nz</a></td>
<td><span class="glyphicon glyphicon-minus" aria-hidden="true"></span><sup><a href="#note3">[3]</a></sup></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-question-sign" aria-hidden="true"></span></td>
<td>KeepSafe Question / Answer</td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
</tr>
<tr>
<td data-label="RaboDirect">RaboDirect</td>
<td><a href="https://www.rabodirect.co.nz">www.rabodirect.co.nz</a></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span><sup><a href="#note4">[4]</a></sup></td>
<td><span class="glyphicon glyphicon-minus" aria-hidden="true"></span><sup><a href="#note5">[5]</a></sup></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-question-sign" aria-hidden="true"></span></td>
<td>Digipass hardware token</td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
</tr>
<tr>
<td data-label="TSB">TSB</td>
<td><a href="https://www.tsbbank.co.nz">www.tsbbank.co.nz</a></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span><sup><a href="#note6">[6]</a></sup></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-question-sign" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
</tr>
<tr>
<td data-label="Westpac">Westpac</td>
<td><a href="https://www.westpac.co.nz">www.westpac.co.nz</a></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-question-sign" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
<td><span class="glyphicon glyphicon-remove" aria-hidden="true"></span></td>
</tr>
</table>
</div>
<span class="table-person-helper hidden-sm hidden-md hidden-lg">Swipe left to see more</span>
<div>
<h4>Key</h4>
<p><span class="glyphicon glyphicon-ok" aria-hidden="true"></span> Good support</p>
<p><span class="glyphicon glyphicon-minus" aria-hidden="true"></span> Not supported, though a similar or mitigating option is</p>
<p><span class="glyphicon glyphicon-remove" aria-hidden="true"></span> Not supported at all</p>
<p><span class="glyphicon glyphicon-question-sign" aria-hidden="true"></span> No available information; if you can find out, I would love to know</p>
</div>
<hr>
<div>
<h4>FAQs</h4>
<p>Q: What is a "Real Password"?</p>
<p>A: Passwords should be case sensitive, allow special characters, and not be artificially limited in length <a href="#note8">[8]</a>. A cap on length or a case-insensitive comparison shrinks the set of passwords the bank can actually distinguish, however strong the passphrase the user chose. If you have a better term for this, let me know!</p>
<br>
<p>Q: What is two factor authentication?</p>
<p>A: <a href="https://en.wikipedia.org/wiki/Multi-factor_authentication">Two factor authentication</a> (or 2FA) is an additional check at login that proves you hold something besides the password, so that a password that has been guessed, phished or leaked is not enough on its own to get into the account. This is commonly accomplished using Time-based One-Time Password (TOTP) apps such as <a href="https://en.wikipedia.org/wiki/Google_Authenticator">Google Authenticator</a>, or physical tokens such as <a href="https://en.wikipedia.org/wiki/YubiKey">YubiKeys</a>. Click <a href="https://www.securenvoy.com/two-factor-authentication/what-is-2fa.shtm">here</a> for a more detailed introduction to multi-factor authentication.</p>
<br>
<p>Q: Is some 2fa better than no 2fa?</p>
<p>A: Yes. Definitely yes. Some methods are more susceptible to attack than others, though: any code the user types into a web page (an SMS code, a TOTP code, a lookup-table value) can be phished along with the password and relayed to the real site inside its validity window, whereas a <a href="https://en.wikipedia.org/wiki/Universal_2nd_Factor">FIDO U2F</a> [<a href="https://fidoalliance.org/specifications/overview/">2</a>] token signs a challenge bound to the site's origin, so a response captured on a look-alike site is useless. New sites should support industry standards such as <a href="https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm">TOTP</a> [<a href="https://tools.ietf.org/html/rfc6238">1</a>] and FIDO U2F. SMS is <a href="https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/">no longer recommended</a> by NIST because messages can be intercepted or redirected to an attacker's handset (for example by SIM swapping) and the codes are as phishable as any other typed code.</p>
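<p>As an added example for the two answers above (this is not code from this page, from any bank, or from the ryankurte/doesmybank project), here is the arithmetic a TOTP app performs, checked against the published RFC 4226 and RFC 6238 test vectors, together with the server-side verifier a site needs: it tolerates one step of clock drift but records the last step it accepted, so a code that was phished or sniffed cannot be replayed inside its 30-second validity window. The secret is the RFC reference secret; a real enrolment shares a random one with the user's app.</p>

```python
# Added example, not the page's or any bank's code: RFC 4226 HOTP, RFC 6238 TOTP,
# and a server-side verifier with a drift window and replay rejection.
import hashlib
import hmac
import struct
import time
from typing import Optional

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                               # low nibble selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, int(at) // step, digits, algo)


class TotpVerifier:
    """Server side. Accepts the current step plus/minus `window` steps to absorb
    clock drift, but remembers the highest step already consumed so the same code
    (or an older one) is never accepted twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._last_step = -1                              # nothing consumed yet

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else int(now)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            step_no = current + delta
            if step_no <= self._last_step:                # already used: treat as replay
                continue
            expected = hotp(self.secret, step_no, self.digits)
            if hmac.compare_digest(expected, code):       # constant-time comparison
                self._last_step = step_no
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B SHA-1 vectors (8 digits): 94287082, 07081804, 14050471,
    # 89005924, 69279037, 65353130.
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(RFC_SECRET, t, digits=8))
```

The verifier stores only one integer per user (the last accepted step); rate limiting on top of it is still needed, since a six-digit code with a three-step window gives an online guesser roughly three chances in a million per attempt.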
<br>
<p>Q: What is an RSA physical token?</p>
<p>A: RSA SecurID tokens are a vendor-specific time-based one-time password scheme: the token displays a code derived from a seed burned in at manufacture and the current time, much like TOTP, but using RSA's proprietary algorithm rather than the open RFC 6238 standard, so the seed lives only in the token and RSA's server software.</p>
<br>
<p>Q: What do you mean by user accessible APIs?</p>
<p>A: Read-only APIs that a user, or a company providing a service to that user, can use to query account and transaction details on the user's behalf, for analytics or any other purpose, with authorization granted by the user through a standard user-centric method such as <a href="https://en.wikipedia.org/wiki/OAuth">OAuth</a> rather than by handing the service the online banking password. Think of APIs that would let products like Xero be built, putting personal financial data in the hands of users.</p>
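<p>As an added illustration of the authorization step described above (not any bank's API and not code from this page), the following Python models the OAuth 2.0 authorization-code flow such an API would rest on, with the two hardening pieces a practitioner expects: PKCE (RFC 7636), so an authorization code intercepted on the redirect is worthless without the client's verifier, and a state parameter that ties the callback to the session that started the flow. The endpoint URLs, client id and scope name are invented for the example; both the client and the toy authorization server run in one process so the exchange can be followed end to end.</p>

```python
# Added example, not any bank's code: OAuth 2.0 authorization-code flow with
# PKCE (RFC 7636), a CSRF state check and single-use authorization codes.
# Endpoints, client id and scope are invented for illustration.
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    return b64url(secrets.token_bytes(32))            # 43 characters, the RFC minimum


def code_challenge_s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class BankAuthorizationServer:
    """Toy authorization server: binds each issued code to the client, redirect URI
    and PKCE challenge it was requested with, and lets a code be exchanged once."""

    def __init__(self) -> None:
        self._codes = {}

    def authorize(self, query: dict) -> str:
        if query.get("code_challenge_method") != "S256":
            raise ValueError("PKCE with S256 is required")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (query["client_id"], query["redirect_uri"], query["code_challenge"])
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        entry = self._codes.pop(code, None)           # pop: a code is single-use
        if entry is None:
            raise PermissionError("unknown or already used code")
        cid, ruri, challenge = entry
        if cid != client_id or ruri != redirect_uri:
            raise PermissionError("client or redirect_uri mismatch")
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            raise PermissionError("PKCE verification failed")
        return {"access_token": b64url(secrets.token_bytes(32)),
                "token_type": "Bearer", "scope": "accounts:read"}


def run_flow(server: BankAuthorizationServer, exchange_with: Optional[str] = None,
             tamper_state: bool = False) -> dict:
    """Client side of the flow; both redirects are shown as the URLs they would be."""
    client_id, redirect_uri = "budget-app", "https://budget.example/callback"
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))           # kept in the user's session
    authorize_url = "https://auth.bank.example/authorize?" + urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "accounts:read", "state": state,
        "code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256"})
    # The user authenticates at the bank and consents; the bank redirects back.
    query = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
    code = server.authorize(query)
    callback = redirect_uri + "?" + urlencode(
        {"code": code, "state": "forged" if tamper_state else state})
    cb = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    if not hmac.compare_digest(cb["state"], state):
        raise PermissionError("state mismatch: possible login CSRF")
    return server.token(cb["code"], client_id, redirect_uri, exchange_with or verifier)


if __name__ == "__main__":
    print(run_flow(BankAuthorizationServer()))
```

Because the bank only ever sees the SHA-256 of the verifier until the token request, an attacker who captures the authorization code (a leaky referrer, a malicious app registered for the same redirect scheme) cannot redeem it; the same property is why public clients must not fall back to the plain challenge method.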
</div>
<hr>
<div>
<h4>Notes</h4>
<p>Not all banks publish their password requirements.</p>
<p>
The risk of weak passwords is partly mitigated by the login monitoring and lockout that all banks do: given a password that is complex enough, the chance of an online guess succeeding before the account is locked is negligible.
Lockout does nothing, however, against offline guessing if the bank's password database leaks, or against credential stuffing with a password the user reused elsewhere, so length and character-set limits still matter.
</p>
<br>
<p id="note1">[1] ASB business accounts support RSA SecurID tokens; these are no longer available for personal accounts</p>
<p id="note2">[2] <a href="https://twitter.com/hipsterjazzbo/status/967546047261110273">BNZ now allow 60 character passwords!</a> and a reasonable character range</p>
<p id="note3">[3] Kiwibank passwords are case insensitive (!!?) and limited to 15 characters, with an additional challenge word on login</p>
<p id="note4">[4] RaboDirect appear to use a numeric PIN instead of a password for online logins, which is mitigated by the mandatory second factor in [5]</p>
<p id="note5">[5] RaboDirect require a <a href="https://www.rabodirect.co.nz/security/digipass/default.aspx">Digipass</a> challenge-response second factor, made by <a href="https://www.vasco.com/">Vasco</a></p>
<p id="note6">[6] TSB require passwords of 8-16 characters with at least one letter and one number</p>
<p id="note8">[8] The <a href="http://www.gcsb.govt.nz/publications/the-nz-information-security-manual/">NZ Information Security Manual (NZISM)</a> part 2 section 16.1.21.C.01 requires passwords to be at least 10 characters long and to allow lower and upper case letters, digits, and special characters.</p>
<p id="note9">[9] Co-operative Bank's password policy requires passwords of 8-15 characters containing at least one number and one letter. <a href="https://www.co-operativebank.co.nz/terms-and-conditions/terms-and-conditions-digital-services">source</a></p>
<p id="note10">[10] Heartland Bank's password policy requires passwords of 8-15 characters containing at least one number, one upper case letter and one lower case letter.</p>
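<p>As an added example (not any bank's code and not part of the original page), the following Python models the password rules quoted in notes [3] and [10] and the NZISM minimum in [8], and shows concretely what the "Real Passwords" column is measuring: a case-insensitive comparison makes two differently-cased passwords the same credential, a length cap bounds the keyspace no matter how long a passphrase the user picks, and a policy whose minimum is below 10 characters cannot guarantee the [8] minimum. Where a note is silent (the allowed character set for Kiwibank and Heartland, Kiwibank's minimum length) the value used is an assumption and is marked as such in the code.</p>

```python
# Added example, not any bank's code: a model of the password rules in notes [3]
# and [10] checked against the NZISM minimum summarised in [8]. Character sets
# and Kiwibank's minimum length are assumptions; the notes do not state them.
import string
from dataclasses import dataclass
from math import log2
from typing import FrozenSet, List, Optional

LOWER, UPPER, DIGIT, SPECIAL = "lower", "upper", "digit", "special"
CLASS_CHARS = {
    LOWER: string.ascii_lowercase, UPPER: string.ascii_uppercase,
    DIGIT: string.digits, SPECIAL: string.punctuation,
}
ALL = frozenset({LOWER, UPPER, DIGIT, SPECIAL})


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: Optional[int]          # None = no artificial cap
    case_sensitive: bool
    allowed: FrozenSet[str]            # character classes the policy accepts
    required: FrozenSet[str]           # classes the password must contain

    def alphabet(self) -> str:
        chars = "".join(CLASS_CHARS[c] for c in sorted(self.allowed))
        if not self.case_sensitive:                    # 'A' and 'a' are one symbol
            chars = "".join(sorted(set(chars.lower())))
        return chars

    def normalise(self, pw: str) -> str:
        """The credential the bank effectively compares at login."""
        return pw if self.case_sensitive else pw.lower()

    def same_credential(self, a: str, b: str) -> bool:
        return self.normalise(a) == self.normalise(b)

    def check(self, pw: str) -> List[str]:
        """Names of the rules `pw` violates; an empty list means it is accepted."""
        problems = []
        if len(pw) < self.min_length:
            problems.append("too_short")
        if self.max_length is not None and len(pw) > self.max_length:
            problems.append("too_long")
        allowed_chars = set("".join(CLASS_CHARS[c] for c in self.allowed))
        if any(ch not in allowed_chars for ch in pw):
            problems.append("disallowed_char")
        for cls in self.required:
            if not any(ch in CLASS_CHARS[cls] for ch in pw):
                problems.append("missing_" + cls)
        return sorted(problems)

    def keyspace_bits(self, length: int) -> float:
        """log2 of how many passwords of `length` characters the policy can tell
        apart: the cap and case folding bound this however long the passphrase."""
        usable = length if self.max_length is None else min(length, self.max_length)
        return usable * log2(len(self.alphabet()))


# [8]: at least 10 characters, all four classes allowed, no cap.
NZISM_MIN = PasswordPolicy("NZISM minimum [8]", 10, None, True, ALL, frozenset())
# [3]: case insensitive, 15-character cap. Alphanumeric and min length 1 are assumptions.
KIWIBANK = PasswordPolicy("Kiwibank [3]", 1, 15, False,
                          frozenset({LOWER, UPPER, DIGIT}), frozenset())
# [10]: 8-15 characters, one digit, one upper, one lower. Alphanumeric is an assumption.
HEARTLAND = PasswordPolicy("Heartland [10]", 8, 15, True,
                           frozenset({LOWER, UPPER, DIGIT}), frozenset({DIGIT, UPPER, LOWER}))


def meets_nzism(policy: PasswordPolicy) -> bool:
    """Does the policy force every accepted password to satisfy the [8] minimum?"""
    return (policy.min_length >= NZISM_MIN.min_length
            and policy.case_sensitive
            and policy.allowed >= ALL)


if __name__ == "__main__":
    for p in (NZISM_MIN, KIWIBANK, HEARTLAND):
        print(f"{p.name}: meets NZISM={meets_nzism(p)}, "
              f"bits for a 40-char passphrase={p.keyspace_bits(40):.1f}")
```

The keyspace figure is what an offline attacker faces after a database leak; it is the number that the notes' lockout argument does not improve, which is why the table scores length caps and case folding rather than lockout behaviour.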
</div>
<br>
<footer class="footer">
<p class="text-muted">For updates, questions or suggestions, contact me <a href="https://twitter.com/ryankurte">@ryankurte</a> or open an issue on <a href="https://github.com/ryankurte/doesmybank">github.com/ryankurte/doesmybank</a></p>
</footer>
</div>
</div>
</div>
<!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<!-- Include all compiled plugins (below), or include individual files as needed -->
<script src="js/bootstrap.min.js"></script>
<script src="js/analytics.js"></script>
</body>
</html>