Banks Don't Do Enough to Enable Consumers to Secure Logins

For all the commentary about scams, protect yourself etc., banks don't even provide the simplest of additional security layers to their apps and web login.
I regularly use two of the 'big 4' banks, so I hope my generalisation is wrong.

ANZ / Commbank.
Neither one of which can add a third-party MFA token app (i.e. Google Authenticator or similar). They rely on SMS, which is OK, but known to be susceptible to SIM fraud and interception.
Neither enforces changing of your password regularly.

ANZ's app has this silly PIN code feature, where you can't reuse your last 5 PINs, and the PIN can only be 4 digits long. The PIN seems to be their first and highest layer of security, meaning that if you know the PIN you can basically do anything. No real need for a password.
They also use a "voice fingerprint" for which they claim "my voice confirms my identity" - ah, no it doesn't. People with the right tools can bypass this; even a decent impersonator or voice recording could trick your little phone mic into believing it's someone else. They think that because they block audio input via Bluetooth mics they have magically protected against bad actors?

Both of these banks also identify customers via the customer number / NetBank number. Granted, this is probably a good way to obfuscate your real email / phone number to prevent brute force, but I'd like to know how many times someone has been locked out due to another person accidentally providing the wrong client number, just something simple like inverting two digits or a double key-press.

Give me more power and options, and I will be able to protect my accounts better than they claim they will and potentially save them having to resort to payouts.
Let me fudge my email (Apple Hide My Email, or Google's [email protected]),
Let me use time-based one-time passcodes.

I know this won't necessarily be for everyone. Your average nan/pop won't be looking to add OTP apps, but for those that do - open it up.

Comments

  • +16

    great AI post but it's wrong

    Commbank.
    Neither one of which can add a third-party MFA token app (i.e. Google Authenticator or similar). They rely on SMS, which is OK, but known to be susceptible to SIM fraud and interception.
    Neither enforces changing of your password regularly.

    has MFA via the app when logging in on a desktop, it's annoying as all hell.

      • +8

        it doesn't push a code either so you're wrong again.
        it's just a "yes it's me" notification

        • -8

          I just tried it, you're correct. My point is the same though.
          "Press yes to confirm it's you" doesn't help in the above situations. I also couldn't change the method as a backup, it was the app or nothing.

          Also signing into a new app on a device just lets you through with the client/pw combination, if I'm not mistaken.
          This is the point where using the added layer would help.

          I guess my issue with Commbank is that as long as you're in the app, that app has the power. But logging into the app doesn't get the tough scrutiny you need.

          • +6

            @Soldier: The app itself is secured with pin or bio. This is in addition to your phone auth.

    • +11

      Hope they get rid of this Desktop MFA.

      It is MFA overload. Hate needing to touch my phone if I don't need to.

      • I've already asked Ceba 100 times, it's still waiting to connect me to a human

      • It's such a chore touching your f one.

        • +1

          Username checks out.

    • +4

      Annoying, Yes.
      Necessary, Also Yes.

    • +1

      Agreed, while it's a good step... every single time is a PITA...
      Macquarie does the same but at least you can remember the browser.

      and sort of on the subject of using the app to authenticate, HSBC is annoyingly over the top by only allowing the app to be set up on one device.

    • +3

      it's annoying as all hell

      I hate this so much, it's also got a good 15 second delay from clicking the button -> having the page load on the desktop!

      That being said, OP's post is not written by AI.

    • Besides, if OP is so concerned they can change their password as regularly as they like.
      There is no limit to password changes.

      So stop complaining OP

      Nobody is stopping you from changing your password.

    • The problem is that it falls back to SMS, having separate OTP with recovery codes instead of SMS fallback would be more secure as would be passkeys or hardware keys.

    • Yes just had this happen recently and annoying af.

      You can't transfer money out without MFA/SMS anyway, so who cares if somebody manages to log in, at the inconvenience of dual-factor phone login when you have to check 3-4 different accounts?

  • +6

    CBA has authentication through its NetBank app if you want to use it and set it up. You can block or require authentication for different sorts of payments, or even every payment if you want. It no longer uses SMS unless that is your choice.

    • -2

      which you then access via a PIN to get into the app though, roundabouts? And if someone is logged into the app you're stuck.
      I'd rather have a code that I can physically see change every 30 seconds.

      • +8

        If someone else is already logged into your app then you are already in trouble. If they have app access nobody is going to then login to your NetBank to steal your money, they can do everything already.

        • -3

          yet they ask for a PIN code before finalising a transaction (above a threshold, though I'm not sure what it is)
          Could be an SMS instead here, or the timed OTP from an authenticator app

          • +1

            @Soldier: Not really sure what you are after. CBA app is as secure as an authenticator. If someone has your phone and unlocked your phone, they can get onto the authenticator just as easily (or perhaps even more so) than logging into the CBA app. Unless you have a second phone with another authenticator which provides you with a code to log into your first authenticator to get a code to log into your banking app.

  • +28

    Neither enforces changing of your password regularly.

    This is now considered best practice. Forcing users to change passwords regularly led to a decrease in password security, as they would invariably use something easy to remember. They should only be forced to reset if a security breach is suspected.

      • +4

        Old passwords should be forced to update if they no longer meet security requirements or if they are found in a data breach.

        I work in corporate and we no longer need to update our main login password. Some systems still require password changes but they are slowly changing.

        • If a company knows your password "no longer meets security requirements" then you've got much, much bigger problems.

      • +1

        Corporates force their employees to change passwords regularly, with the added layer of MFA,

        No, they don't.

        • +2

          Really? Everywhere I've worked and contracted for in the past 10 years does.

          • +3

            @Soldier: It's a recent change. NIST started recommending it around a year ago (and was suggesting it for longer).

          • -2

            @Soldier: Oh, your anecdotal evidence must be universal

            • +1

              @ThithLord: I never said it was universal, I guess your anecdotal evidence is truth?
              Just because your experience doesn't match what I've seen across 20+ clients doesn't make your experience more true.

              • @Soldier:

                Corporates force their employees to change passwords regularly,

                You're the one who stated this with conviction, not me.

              • +1

                @Soldier: From the latest NIST Digital Identity Guidelines: Authentication and Authenticator Management, page 14:

                Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically.
                However, verifiers SHALL force a change if there is evidence that the authenticator
                has been compromised.

                OWASP's Authentication Cheat Sheet also backs this up (although they defer to NIST):

                Avoid requiring periodic password changes; instead, encourage users to pick strong passwords and enable Multifactor Authentication Cheat Sheet (MFA). According to NIST guidelines, verifiers should not mandate arbitrary password changes (e.g., periodically).

          • +1

            @Soldier: Also my experience.

            • @tenpercent: I work in IT, previously for a blue-chip company. 12 Month expiry since implementing MFA, and the same for my current place of employment.

          • +3

            @Soldier: Not anymore, password changes are considered poor practice except where you know of a risk. Ideally you should be moving towards passwordless; even the ACSC has updated their guidance on this.

      • We all know that most people use the same passwords for all their services

        No, what the fuck?!

        Nobody I know does this!

        or they go under and sell the data to someone else as they collapse.

        These days; most of those systems shouldn't be storing your password that way either, so they wouldn't be "selling your passwords" lol

  • +1

    I'm in the process of changing banks because my last one "secured" my account so well that I couldn't do a transaction I wanted to. To pay a bill I had to go to my branch, ask for cash, and, after driving to the business's claimed address and finding they weren't there, establish where they banked and take it there.

    What the heck's the use of internet banking if they "secure" it so well that you can't use it.

    Their web site didn't even let me send them a message to say their security was over the top, and was stopping me doing what I wanted, because sending them a message required going through that same security process.

    This is what the pains in the arse who want more and more and more and more security on everything don't seem to understand. That a lot of us don't want it. For example I don't need Microsoft to tell me I need to secure my PC. It is in my study, in my house, behind a locked front door. I want to just be able to walk in, wake it up, and do what I want to do. If you want more, great, you buy the professional version of the operating system with disk encryption and secure boot and enforced password for access. And let me buy the home version, and stop trying to force me to use the level of security you think you need.

    I'm not interested in "best practice". I don't need it. I just want enough for what I need. And I need convenience too. That's the whole damn point of internet banking. Convenience.

    If you prefer security to convenience there are plenty of banks that'll give you that. Switch to one of them. Me, I'm switching to a bank that gives me more convenience.

    • +2

      I don't disagree with (most of) what you are saying. The problem is that scammers like convenience too.

      And governments, and well-meaning groups, and stupid people (who got scammed) want to blame banks when scammers take your mother's life savings.

    • +1

      That's the whole damn point of internet banking. Convenience.

      Convenience for whom? To reduce the cost of running a bank with fewer branches, tellers and ATMs would be at the cost of consumer convenience for the sake of the banks.

    • I'm in the process of changing banks because my last one

      Who was your old bank?

    • If you knew the amount of fraud and scamming that goes on you might see it differently.

      Convenience is great, but comes at a cost in that once a scammer gets hold of funds, they are gone before the bank is made aware and can do anything to stop it.

      Most people think it will never happen to them, but many are wrong.

      Also if banks are being held liable by the likes of AFCA then extra security will be forced on people, like it or not.

  • -1

    Thank you for your concerns, Citizen #88842069 aka @Soldier. Your account has been debited 33 SCP (Social Credit Points) for your attempts at riling the masses. Please present your "not compulsory" Biometric Digital ID to proceed with your next log in or transaction. This is for your safety and The Greater Good.

  • +8

    I'd take an OTP via SMS over a voice print any day of the week. If movies (and now AI) have taught us anything, a voice print these days is worthless.

    • +1

      Voice print is already 100% defeated at 16 kHz (i.e. over the phone).
      Zero-shot cloning off a 5 second reference sample (no fine-tuning needed) is enough to fool all these systems.

      • +1

        Exactly. Any organisation using voice prints as a form of security is an automatic red flag in my book.

  • +3

    And they will still cold call you and ask you to provide POI, that should just never happen.

    • +1

      Yeah - always tell them you'll call back when they do that.

  • they would like to block you as well, name it, ubank, Macquarie Bank

  • -3

    I don't do any banking on my phone. Banking is only on my PC. When I am asked to provide my mobile number to improve security, my simple question is "how does providing more of my personal information to you improve my security?"
    After I got ransomwared a few years back I completely abandoned virus software and PC updates. I run Malwarebytes occasionally and have not had a problem since. Microsoft is doing their best to force me to upgrade. It is getting hard but I would rather move operating system when push comes to shove.

    • +2

      You know, banking on your phone (via their app) is likely to be considered safer than on your PC these days. Unless you're banking via a dedicated private/incognito browser without any extensions added, which most people probably aren't doing.

    • +2

      Uses a less secure device to do banking
      Uses the most malware-targeted OS on that device
      Refuses to update the OS on that device
      Refuses to do 2FA

      The bank should just debank you at this point, you're obviously a high risk customer

      • +1

        I also don't get the logic of: I had a security breach, so now I just don't bother with security altogether. Like wtf lol

        • +1

          Reading it again I feel like maybe he's trolling, it's too much… and then there's the username

  • +2

    They all should just use Passkeys. The fact that Commbank proceeded to rollout their current awkward "open the app on your mobile" MFA when Passkeys are so superior shows how long of a development window they have.

    • I haven't tried passkeys, but do you still authenticate on the app in order to open it? So the advantage is that the app password or pin is local only?

      • They could do it so that you authenticate on the app, but they could also enable providing a passkey directly through the browser on a PC. MyGov has done that, and it works well. It's more secure than a password on its own because it also provides a second layer of authentication based on your ownership of the secure device that generates the passkey. You should use a passkey whenever they are available, especially in MyGov which could have serious consequences if someone hacks it.

        • Thanks, will have a closer look

    • +1

      Agreed. It's baffling that I get higher security on a YouTube account than my bank.

    • I farking haaaate passkeys, especially with Ubank. It just rolls in circles till I press back and do it again, then it blanks out and I have to force close it. I want to go back to using biometrics. And PayPal passkeys never work.

  • I dunno what kind of phone you have, but I'm guessing you're not running a passcode or any kind of security on it, because you've left that out of your in-depth discussion on app security.

    • The thing isn't about the apps alone, it's the whole thing.
      I use a passphrase on my iPhone, not a 6 or 4 digit passcode.

      I log onto NetBank on the web, they send a push notification to the signed-in app.
      I log onto the ANZ banking app on a new phone, it was the previous app PIN. A 4-digit PIN.

      I just think that having the one-time passcode that changes every 30 seconds is a great option that neither of the banks I use have implemented; instead I'm forced to use their dated techniques.
      Even SMS I'd prefer over the app PIN / app push notification.

      My phone or computer can pre-fill those codes for me (as well as the OTP authenticator codes)

      • +1

        OTP authenticator codes are considered unsafe nowadays as they are not phishing resistant, though still better than SMS or nothing.

        • So you agree with the OP that "Banks Don't Do Enough to Enable Consumers to Secure Logins"?

          • @tenpercent: They don't, but funnily enough he is advocating for less security not more.

  • Suncorp has an authenticator app separate to the main app that you need to put a PIN into before you get the codes, which change every 60 seconds like Google Authenticator

    required for desktop logins and also approve transactions over a certain amount

  • +2

    Let's add more third-party points of failure.

    Enable Consumers to Secure Logins

    By consumers you mean google, apple..etc
    "you" the consumer isn't providing any additional security

    Make it make sense.

    • I mean consumer can choose to add more or different layers to their logins. As opposed to voice recognition or a 4 digit pin that gets you right in

  • +1

    I raised the non-existence of MFA on web login with ANZ a couple of days back, this is their response:

    Thank you for your feedback — I completely understand your concern. Multi-Factor Authentication (MFA) at the login stage would add an important layer of protection, especially in cases where login credentials like CRN and password are compromised. While it's reassuring that there is a second layer of security for transactions, your point about strengthening the initial login process is valid and valuable. I’ll make sure to pass this along to our technical and security teams for further review and consideration.

    Your experience matters to us and we value your feedback about our service. I’ve raised this as feedback on your behalf and marked it as closed.

    Your complaint reference number is xxxx. This will be included in our regular internal review that helps improve our service.

    Let me know if I can assist you with anything else.

    • I wouldn't hold my breath on this one. I brought up the exact same issue around 5 years ago, and nothing has been done to this day. When lamenting that there is zero MFA or even an SMS or email code at a bare minimum, they just told me "Oh it's okay, you can use ANZ Shield to protect your account". But it does nothing to stop anyone from logging into your account in the first place.

  • +1

    The good standard in preventing phishing is hardware tokens, like yubikeys. Auth apps are better than SMS but it's still quite easy to fool someone into reading out their code, letting someone else enter it and take over their account. Hardware tokens make this literally impossible without stealing their key or infecting their computer with malware:

    https://krebsonsecurity.com/2018/07/google-security-keys-neu…

    • +1

      Yep hardware tokens like FIDO2 Yubi's (not time based OTP generators) are definitely the best, followed by device bound passkeys. Personally I use Yubi keys wherever possible then passkeys, finally if no other options the authenticator app/OTP. CBA exists in that fuzzy ground between the authenticator app and OTP. Not as bad as OTP but could be better.

  • +1

    Sure let's add 1000 layers of 'security' even though all the 'failures' we ever see are people being tricked into giving out their codes or adding the scammers accounts.

  • +2

    I hate banks with excessive security just to view.
    Mine tend to have minimal security for view, then do additional checks to transact, add vendors etc.

    I'm happy with ANZ V2 Plus security.

  • +1

    I absolutely hate SMS codes. I've been caught up in fraudulent transactions before. Citibank reinstated the charges after their investigation. They claimed I had authorised codes via SMS, which I never received and which were intercepted by scammers. The stupid part from Citi was they believed SMS was most secure and there was no way in hell the transactions were fraudulent. Eventually got my money back going thru the right channels. It's also happened before. Looking at Medibank and Optus for the cause. Now I have to lock and unlock my card every time I use it.

  • +1

    I personally prefer to have water-tight security with a handful of layers, however, there are a few considerations.

    1) If they do indeed get hacked through no fault of your own, then many times they are going to be liable to insure your cash anyway. Many cases are more the concern of the bank, and not yourself.

    2) Banks aren't naive about security. They are fully aware of security compromises they've chosen. They're also factoring in customer service costs (eg: boomers requesting password resets 2-3 times a week). Keeping friction low enables banks to maintain low-fee accounts. Most customers are not technically competent. Customer service is a huge cost.

    3) Contrary to what you might think, banks actually need to be pretty frictionless and easy to get into. You can lock your neopets up with 6 factor authentication and if you lose it - well, whatever, tough luck, who cares. Make a new one! But people need their bank, they need it daily, and they need it quickly. Someone who locked themselves out with a token that they left at home could suffer massive financial penalties.

    4) Many banks have hidden factors you are not aware of, like device fingerprinting and cookies. It looks like "1 factor" but it is actually multiple.

    5) Many security holes are overstated. SMS may not be "gold standard", but it's hardly like a totally open back door. You are worrying about minuscule risks which have limited financial impact.

    6) True tokenized security is extremely rare. There are few services that offer it without a fallback option, which makes it security theater. If I can click "forgot my password" and bypass your token, then the whole point is defeated.

    • +1

      1) If they do indeed get hacked through no fault of your own, then many times they are going to be liable to insure your cash anyway. Many cases are more the concern of the bank, and not yourself.

      Even when the bank is liable it is still a massive inconvenience so it isn't just their concern.

      5) Many security holes are overstated. SMS may not be "gold standard", but it's hardly like a totally open back door. You are worrying about minuscule risks which have limited financial impact.

      SMS, while not a totally open backdoor, is an extremely weak 2nd factor, and when it comes to bank accounts the risks are not minuscule. SMS has been exploited through phishing, SIM cloning and social engineering so often that in just about any modern environment the default is that it is completely turned off; this is something only existing in legacy systems now.

      6) True tokenized security is extremely rare. There are few services that offer it without a fallback option, which makes it security theater. If I can click "forgot my password" and bypass your token, then the whole point is defeated.

      it is not rare, it is extremely common now and getting more so. passkeys, Yubi Keys, MFA authenticators all make tokenized security far safer and "forgot my password" is not an issue as you move away from passwords.

  • +3

    Bank with Westpac and get an RSA key if you are concerned about SMS

  • +3

    I'm locked out of ANZ; to reset it, I need to enter my credit card number and PIN.

    Dont think so…

    • -3

      Similar thing happened with me! I got an ANZ credit card free with a mortgage. I said I didn't want it, they said I have to, it comes complimentary with the mortgage (which I found ironic as during the application process they made it clear multiple times that every credit card is going to impact my borrowing capacity).

      When I received the credit card I shredded it then incinerated it... Then when I got locked out they asked for my credit card details.

    • +1

      ANZ aren't very secure. When validating my identity, they always ask me if I am 'first name, last name, date of birth and still living at residential address'. I'm pretty sure if they're validating ID they're supposed to ask me for those details, not recite them from my profile.

  • I'm surprised this post has been online for as long as it has and still hasn't been rammed by @jv

  • I love how people mention passkeys and OTP are important but then I read about people autofilling their OTP which is ironically similar to how passkeys actually work. Passkeys are very weak because of the generalised methods of implementation on the end-user's device. It is one step better than saving your password in a password manager, that is all.

    Essentially when it comes down to the user experience or the bank's implementation, you will find what people are doing is basically the equivalent of saving your password to be auto-filled. The same risks exist for authentication to be intercepted. All these notions about additional security are dressed up as important when it is trivial to break.

    For example, if you are inside your phone and the malware is inside there too, it can see everything you can see and thus in that scenario it is not really phishing resistant. Now if you are typing your OTP in manually then it is much more difficult for the adversary to gain access, as the requests need to match the transaction which you have executed, or which the adversary needs to execute. The benefit of an offline OTP which expires every 30 seconds is that it is almost impossible to fall victim unless the original seed/QR code was phished too. Remember, auto-filling just removes that step where you open the authentication app.

    If you are auto-filling your OTP, you need to stop right now. It should be isolated on an additional device.

    How do I explain it? It is like User X asking for bars to be installed on your windows, crim-safe protection on your door, roller shutters, and so on; but to enter your house more easily, you decide to leave the garage door open which has immediate access to your lounge room.

    When you do research about why passkeys are relevant, you will find information about public keys but realistically that part of the cryptographic "benefit" is irrelevant because SSL is so widely implemented. If you look at the implementation you'll see what I mean, but sadly most researchers still believe passkeys are beneficial because the password is never sent to the server. Um yeah, but don't forget in normal circumstances, you never send the password to the server anyway, it's the password in encrypted form that is sent over. Then the real professionals laugh.

    If you understood this far, you now know why passkeys are inherently more dangerous to the average end-user that would never have saved their passwords onto a system. Essentially by enforcing passkeys, you have effectively removed a barrier of protection for a subset of users by forcing them to undertake the equivalent of saving their password onto their desktop/app.

    Let's also analyse a common attack vector scenario - Elderly person gets scammed with a remote control tool/software whilst in contact via telephone. Normally the person may write their password down and it might be across the room, or better it's in their head; but whilst under pressure from the scammers they might not be able to remember it, or whilst they are moving across the room, there is a small amount of time where the person can start thinking about whether this is a transaction they want to complete. Whereas now since a passkey is saved onto their device, with one push the scammer gets access.

    How do I put it simply? When you run through what happens realistically, you will find that passkeys have no real benefit; and I can only think of that rare odd case that SSL is downgraded where it has any benefit at all. In any event, I do not believe downgrading of SSL is an issue anymore since it should be properly implemented by a bank, right? Who knows? That would be Gross Negligence in this modern age, if it was not.

    *Fixed typo

    • Isn't SSL not considered that great now, with TLS being considered the superior replacement? I'm sure I read that somewhere…

    • +2

      Normally the person may write their password down and it might be across the room, or better it's in their head

      …or more likely, the password is saved in Chrome.

      passkeys have no real benefit

      Other than they can't be phished, are automatically long random content (high entropy), and key-logging resistant…

      Elderly person gets scammed with a remote control tool/software

      Once they are under remote control, the scammers can quickly install a RAT (ie. including keylogger). The next time they enter their super secret memorised password the scammers have it anyway.

      Once you've given someone remote control, there is nothing you can trust about the device until it is completely wiped and reinstalled.
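The "can't be phished" property mentioned in the reply above comes from what the authenticator signs, not from the public-key part on its own: the browser writes the page origin into `clientDataJSON` and the hash of the relying-party ID into `authenticatorData`, and the relying party checks both, plus a fresh challenge, before it checks the signature. What follows is an added example, not code from this thread or from any bank, walking through those checks. `bank.example` / `bank-login.example` are hypothetical hosts, and an HMAC under a constructed key stands in for the authenticator's real asymmetric (ES256) signature so that it runs without extra libraries; the order and content of the relying-party checks follow the WebAuthn assertion verification steps, the signature primitive is simplified.

```python
import base64
import hashlib
import hmac
import json
import os

# Hypothetical relying party (this example's own names, not a real bank).
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"

# Constructed key: an HMAC stands in for the authenticator's asymmetric ES256
# signature so the example runs dependency-free. What gets signed is the point.
DEMO_CREDENTIAL_KEY = b"constructed-demo-credential-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(page_origin: str, challenge: bytes) -> dict:
    """What browser + authenticator return for navigator.credentials.get().
    The browser fills in origin and rpId from the page the user is really on;
    page script cannot substitute a different origin."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData: rpIdHash (32 bytes) | flags (UP = 0x01) | 4-byte signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")
    signed_bytes = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(DEMO_CREDENTIAL_KEY, signed_bytes, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def verify_assertion(assertion: dict, expected_challenge: bytes):
    """Relying-party side: type, challenge, origin, rpIdHash, user-presence flag,
    then the signature over authenticatorData || SHA-256(clientDataJSON)."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if client.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    signed_bytes = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(DEMO_CREDENTIAL_KEY, signed_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo():
    challenge = os.urandom(32)  # the relying party issues a fresh one per login
    # 1. Genuine login from the real site.
    genuine = verify_assertion(browser_get_assertion(RP_ORIGIN, challenge), challenge)
    # 2. A look-alike site forwards the real challenge; the browser still records its own origin.
    lookalike = verify_assertion(browser_get_assertion("https://bank-login.example", challenge), challenge)
    # 3. A genuine assertion presented again after the relying party has issued a new challenge.
    replayed = verify_assertion(browser_get_assertion(RP_ORIGIN, challenge), os.urandom(32))
    # 4. Look-alike assertion with origin and rpIdHash edited to the real values after signing.
    edited = browser_get_assertion("https://bank-login.example", challenge)
    edited["clientDataJSON"] = edited["clientDataJSON"].replace(b"bank-login.example", b"bank.example")
    edited["authenticatorData"] = hashlib.sha256(RP_ID.encode()).digest() + edited["authenticatorData"][32:]
    tampered = verify_assertion(edited, challenge)
    return genuine, lookalike, replayed, tampered


if __name__ == "__main__":
    for label, result in zip(("genuine", "lookalike", "replayed", "tampered"), demo()):
        print(f"{label:10s} -> {result}")
```

Cases 2 and 4 are the difference from a password or a TOTP code: there is nothing the user can read out or auto-fill that is valid for another origin, because the origin and rpId are part of the signed bytes and the relying party rejects anything signed for a different one. Case 3 shows the per-login challenge doing the replay protection. The example says nothing about what happens once a device is fully under remote control, which is the separate point made in the reply above.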

  • omg ANZ, who even cares when they buy Suncorp because nobody else wanted a bad service bank.

  • +1

    St George doesn't even allow special characters in pw for their online banking logon - only alphanumeric. No MFA either. Insanity.

  • I had a delayed SMS problem. Most banks let me hit resend code and I have never hit a limit until St George; it will lock internet banking after 3 code sends.
    I don't like phone security code apps, they have an Android version requirement and will drop support if your phone is too old. Then you have to call to get the app disabled.
