The ICT sector has been under considerable scrutiny lately in the face of a number of very public security and general execution mistakes. First there was the failed launch of online auction sites like Wheedle and ListSellTrade, then the Ministry for Social Development was caught with its pants down when public-facing self-service kiosks were shown to be connected to the main corporate network with only minimal efforts to lock them down.
The merger of ANZ Bank with New Zealand’s National Bank brand has been on the cards for at least three years. There has been a huge amount of work put into integrating the systems of both brands into one and the fact that the entire thing didn’t come crashing down in a flaming heap over the weekend as the merger went ahead is a credit to the huge numbers of staff who put in a lot of overtime and a lot of planning during that project.
But this success isn’t without its problems. There were the predictable deserters who wanted nothing to do with the blue brand, feeling that the huge corporate was now too impersonal and reservations over its low customer satisfaction rating only exacerbated this. Personally, I’m a little more pragmatic. I’ve had no complaints over the National Bank’s service and I saw no reason to leave just because the colour of the brand was changing. That was until tonight.
Tonight I wanted to check my business bank accounts to confirm that all was well, but was thwarted by an incorrect password. I was 90% certain I’d committed that password to memory correctly, but perhaps I’d changed it recently and forgotten. Now I’m 60% certain. Perhaps I should change it again now to be absolutely sure. Away I went to my KeePass client and generated a new password. This is set to create passwords that are long, secure and extremely hard to attack. As an example:
Uppercase, lowercase, numbers and special characters. Very safe.
The system allowed me to go through the motions and finally arrive on a screen that required me to quote a security phrase back to the call centre staff member whom I’d need to speak to in order to finalise the change. Ok, fair enough. Let’s call them. Half an hour of being on hold later (they’re obviously very busy as they’ve only just come out the other side of this standardisation project) and the pleasant, calm voice of the staff member talks me through the process. She asks me to log in now that she’s confirmed my password change, and we’re both puzzled when I’m greeted with an “invalid password” message. We try again. Same result. Third time’s the charm – still no good. Finally I relent and dumb it down. A lot. I’m feeling a bit uncomfortable now because this is my business account and I really don’t want the drama that would result if I ever got hacked. This time it works. The difference? I am only allowed to use alphanumeric passwords and I kept it between 8 and 16 characters.
But wait a minute. The ANZ communications page on Better Internet Banking says:
Changing your Internet Banking password on a regular basis. We allow special characters and your password can be up to 32 characters in length so you can enter stronger passwords. You can check the strength of your new password with our password strength meter in Internet Banking.
So which is it? I asked the call centre staff member directly, “Does your Internet Banking system allow special characters?”. I then spelled out the specific example of the password I was trying to use. Her response (after putting me on hold again for 5 minutes) was, “I’ve just asked our technical managers and they say they’re 99% certain you can’t use special characters”. So this is a problem right away. If bank staff don’t know what the security standards are, how can customers be expected to get good guidance on best practice? More often than not, simpler easy-to-remember passwords will be selected which are also the most vulnerable to dictionary and brute-force attacks. Research has shown plenty of times that people tend to reuse the same passwords in multiple locations.
If even a few accounts were to be compromised, the reputational risk alone would be enough that any investment in upgrading would seem like small change compared to the mass exodus of customers that would result. We’re seeing more and more that computer users are (finally) beginning to appreciate the importance of good, diligent security practices online, and businesses need to take that into account. Small businesses are usually very well-positioned to adapt to technology changes; medium businesses are too, but with perhaps a bit more of a strategic outlook. Large organisations need to work extra hard to accommodate shifts in the business landscape or in customer expectations. It’s understood that a vehicle the size of ANZ will not be capable of making a turn on the proverbial dime, but we need to see that there is some clear, deliberate acknowledgement of the need to adopt a serious security policy. Right now we should not be feeling 100% confident.
Troy Hunt recognises that there are often common reasons why weak passwords might be forced on customers, but banks and government institutions should hold themselves to a much higher standard. Troy’s article touches on the “just the way we do it” excuse. There’s possibly a fourth reason that he may have overlooked, which is, “because it’s a huge effort to fix the problem and we’re too big to change quickly”.
Here’s where I offer some back-story into what I learned while working at the National Bank. The National Bank core financial software is actually a suite of products called Systematics. This software has been around for longer than the Internet. No, really! Over 40 years in the business banking software industry. The National Bank’s implementation was obviously more modern than that, but upgrading a system of this size is no small undertaking, and costs during the global credit crisis needed to be managed judiciously. Speculation at the coal face was that the system would be patched, tuned and generally kept alive for the time being but would not see a full upgrade because, aside from the cost, there was a lot of uncertainty about which bank’s core system would be used when the two brands ultimately merged: National’s Systematics or ANZ’s Finzsoft.
No matter which system was adopted, it meant the other one would be discontinued and that in turn meant a massive number of integration points, services and dependencies would need to be either upgraded, reconfigured or somehow worked around in order to have both brands’ systems continuing to function properly. You can begin to see why the senior executive were cautious about how they proceeded. Banks are extremely cost and risk averse. This decision had both in spades.
The decision appears to have been made that the National Bank’s Systematics implementation would be the successor, and it seems they’ve managed to get it working. But what about the security? In adopting this system – complete with its limitations – there is an implicit risk in the vulnerability of customer accounts. The constraints around the passwords used for Internet Banking are such that it practically forces users to dumb it down and pick passwords that are likely related to words or short phrases that are highly susceptible to brute-force dictionary attacks. There is at least a sensible policy of a maximum failed-attempts count, but even so, it’s been proven often enough that if someone uses a password in one place, they likely use it in a lot of places.
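Here is an added worked example, not code from this post or from the bank, that models the mismatch described above and in the call-centre exchange earlier: the password rules as documented on the Better Internet Banking page against the rules as actually enforced over the phone. The length limits and the alphanumeric-only restriction are taken from the post; the specific special-character set, the sample passwords and the tiny wordlist are constructed for the illustration and are assumptions. It shows why one generated password passes one policy and fails the other, how much keyspace the enforced limits give up, and the word-plus-digits shape that alphanumeric-only rules push users toward.

```python
import math
import string

# Constructed policy models (assumptions drawn from the post, not the bank's
# real configuration). The documented policy allows special characters and up
# to 32 characters; the enforced one accepted only alphanumerics of 8 to 16.
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>/?"  # assumed set of permitted specials

DOCUMENTED_POLICY = {
    "name": "documented",
    "min_len": 8,
    "max_len": 32,
    "alphabet": frozenset(string.ascii_letters + string.digits + SPECIALS),
}
ENFORCED_POLICY = {
    "name": "enforced",
    "min_len": 8,
    "max_len": 16,
    "alphabet": frozenset(string.ascii_letters + string.digits),
}

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = frozenset({"summer", "welcome", "password", "national", "auckland"})


def check_password(password, policy):
    """Return (accepted, reason) for a password under a policy.

    A login system that applies a rule like this but reports only
    "invalid password" leaves the user guessing which constraint failed.
    """
    if len(password) < policy["min_len"]:
        return False, "shorter than %d characters" % policy["min_len"]
    if len(password) > policy["max_len"]:
        return False, "longer than %d characters" % policy["max_len"]
    disallowed = sorted(set(c for c in password if c not in policy["alphabet"]))
    if disallowed:
        return False, "disallowed characters: " + "".join(disallowed)
    return True, "ok"


def max_keyspace_bits(policy):
    """log2 of the number of passwords a policy admits at its maximum length,
    i.e. the most entropy a random generator can put into a single password."""
    return policy["max_len"] * math.log2(len(policy["alphabet"]))


def looks_like_dictionary_pattern(password, wordlist=WORDLIST):
    """Flag the 'dictionary word plus trailing digits' shape (e.g. Summer2012)
    that users fall back to when specials are rejected. Case is ignored."""
    stem = password.rstrip(string.digits)
    return stem.lower() in wordlist


def compare_policies(password):
    """Evaluate one password under both policies; returns a dict keyed by policy name."""
    results = {}
    for policy in (DOCUMENTED_POLICY, ENFORCED_POLICY):
        accepted, reason = check_password(password, policy)
        results[policy["name"]] = {
            "accepted": accepted,
            "reason": reason,
            "max_keyspace_bits": round(max_keyspace_bits(policy), 1),
        }
    results["dictionary_pattern"] = looks_like_dictionary_pattern(password)
    return results


if __name__ == "__main__":
    # Constructed sample: a generator-style password and the fallback a user picks.
    for sample in ("xK7#qp!2Lm$9vR4w", "Summer2012"):
        print(sample, compare_policies(sample))
```

Running it shows the 16-character generated password accepted under the documented rules but rejected under the enforced ones for its three special characters, while `Summer2012` sails through the enforced policy and is flagged as a dictionary pattern. The keyspace figures make the cost concrete: 16 alphanumerics top out at about 95 bits, whereas 32 characters over the documented alphabet allow around 207.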
If I had to guess, I’d pick that now the financial core has been committed to, the bank is in a position to make the necessary improvements to its online banking offering, which will likely include improvements to the UI but will hopefully have an easier to use, more robust security process. As it stands I think ANZ’s offering is adequate, but barely. Either their written security policy needs to be updated or their internet banking system needs major user experience improvements. The simple reality is there are competitors in the marketplace who are doing this better and ANZ needs to lift their game.