Security Concern: ING Direct Online Banking

Recently I took up the offer of a $75 bonus for friends and opened an ING Everyday account. What bothers me most is the use of a 4-digit access code instead of a strong password. Login screenshot: http://i.imgur.com/bxU7Hau.jpg

No matter what combination you choose, it'll be in the range of 0000-9999.

A similar approach is followed by ING Direct Canada; see a post on this here: http://forums.redflagdeals.com/ing-direct-online-banking-sec…

What is the opinion of OzB members on this issue?

Comments

  • +1

    No matter what combination you choose, it'll be in the range of 0000-9999.

    Uh huh. You could register for two-factor authentication if it bothers you.

  • 3 failed attempts gets a lockout, doesn't it? But yes, it needs to be longer or alphanumeric.

    Then again, they could be logging the device details and match them, just like if you sign in to any of the other major sites like FB, they track which browser ID you use.

    Maybe ING will catch up and bring in two-factor authentication such as SMS, but they're a low-cost provider, and even at a low 12c a text it all adds up and comes out of profits.

    Odd chance of a hack: ING may compensate and make an insurance claim; it might take a few months, but at least it's returned. So reconsider your allocation of funds and spread them around. No "all eggs in one basket".

    • +1

      even at a low 12c a text

      Ha, big companies are not sending their SMSes via mobile phones plugged into servers. They pay much less for SMSes in bulk.

      • If you factor in staff, etc.

        You have to send millions to get it down to the network operator cost of around 0.05 cents; it is low, but the telcos aren't charities.

        • +1

          It's all automated; there isn't some poor peon typing in warning messages. Some companies are probably big enough to have their own gateways, e.g. Google uses one for account verification. And remember, it doesn't have to originate in Australia; SMS is global.

        • @greenpossum:

          greenpossum is right; a simple SMS gateway costs a bank nothing.

          What they should do:

          1. Alphanumeric password with special characters
          2. Two-factor authentication (SMS/app)
          3. Passcode for each individual transaction (optional)

        • -1

          @greenpossum: Right, because ING = Google.

          Of course it's automated; I'm talking about the initial capital. But again, ING isn't Google; they would have outsourced it. There aren't any self-assembling servers that can cool and program themselves, that I know of, and even if they exist in 50 years, banks would not be early adopters.

          Global it can be, but it is slower and not reliable; heck, Telstra texts to Optus aren't 100% and sometimes can take hours or days. Not ideal for ING or this case, is it?

        • @adamren: Meh, SMS gateways are not rocket science; there are heaps of providers who will provide you with a gateway and APIs such as REST-based ones. I've written a couple of small scripts that use these APIs; they are not hard to program at all. And there's no advantage in being local for SMS gateways; Telstra of course will try to tell you different.

          Citibank uses SMS 2FA and so does ING. 28 Degrees too, for verification of large payments. Maybe you are thinking of the big 4 dinosaurs who crash their ATM systems now and then. On another front, PayPal's app tells you when you have made a payment, no matter how small.

    • +1

      ING Direct already have 2FA.
      I have an ING account and if I transfer money to a new entity, I have to go through 2FA.

      In fact if memory serves me correctly, they were the first of the 4 Financial Institutions I use that offered 2FA!

  • I don't have a problem with it, as it's not written down anywhere; I remember it. It is a 1 in 10 thousand guess if someone wants to try, and they use a virtual keyboard to prevent key loggers. If anyone did ever make it in, they would also need access to my mobile phone to move any money.

    • +1

      That's the risk calculation they would have done; much better customer experience when it is easy and seamless. We can't all remember every unique, complicated password.

  • +1

    I don't really like the 4-digit access code either. I gave them feedback years ago, but obviously they don't want to change it for some reason.

  • +2

    With only the four-digit PIN, you cannot add a new payee, edit an existing payee, or transfer money out of ING accounts. The most you can do is view transaction history and move money between your own ING accounts. You still need SMS to do those high-risk activities.

    But if your computer is compromised by malware or your SMS is hijacked, a strong password won't help either.

  • +4

    I'm switching my transaction account from Citibank to ING because it is so easy to use. I like the PIN. If you get locked out after a few attempts, then it can't get brute-forced. If your PIN is known, then it doesn't matter if it's 4 digits or 40 digits.

    Citibank had too much: an SMS code just to view my account transactions after logging in with a unique username/password.

    • But I think Citibank is doing the right thing…

  • Everyone here has failed to mention that the four-digit website PIN is entered on a keypad with rotating number positions. This means it turns the 10,000 possible PINs into tens of millions of possible combinations. So, in other words, it's virtually impossible to guess. In fact, it's more secure than typing a password on your keyboard (like you do with PayPal) because your PIN cannot be key-logged by a phisher (i.e. you use mouse clicks to enter it).

    If you've written your PIN down somewhere, then it's no less secure than writing down your password.

  • +1

    "This means it turns the 10,000 possible PINs into tens of millions of possible combinations."

    That seems to assume that it's a bot doing the guessing, but what if it's a human? There are still only 10,000 combinations.

  • The hacker will also need to know your Client Number, which only you should ever know.

  • -1

    Frustrating that this thread got only a few replies. Bumping this up; experienced and concerned users, please share your thoughts.

    • Tin foil hat wearers most welcome.

  • Couldn't care.

    With my client ID/code, all you can do is see my transaction history (oh no, you'll see that I spend $99/week at Coles… oh no!) and move money to linked accounts or previously paid external accounts (which are all mine anyway).

    For them to pay a new payee, they'll also need to compromise my SMS authorisation. Not saying it's impossible, but it would be tough to do, I would have thought.
