Westpac's anti-keylogging attempt questioned

Some believe that Westpac's new anti-keylogging sign in page, is a joke and does not go far enough to ensure security.

The bank last week launched a new sign-in page which uses an on-screen keypad designed to prevent the incidence of key-stroke logging fraud by removing the use of a keyboard to enter in passwords. (See story: http://www.computerworld.com.au/index.php?id=756333073)

Andrew Young who has worked in corporate IT for 10 years and has built web sites for three years, uses Westpac for his online banking, because he believes that overall it offers a good service. "But they just do stupid things sometimes, such as this new anti-keylogging sign-in page," he said.

"Many key-loggers can record screen-shots and mouse movements, which totally nullifies this security upgrade, and this new system increases the risk of people being able to get your password especially if you are using the site in an office, Internet cafe or other public space where people can view your monitor."

Another flaw is that the bank forces customers to use a short, fixed-length passwords of six characters, which Young says makes it easier for hackers to guess and remember passwords.

"Westpac won't let customers use longer, more secure passwords. I think they should be talking to their customers and giving them options. They could allow people to use this new login if they want or let them type it in, (as they used to), or better yet them have the option of two-factor authentication via key-fob, SMS or e-mail," he said.

A recent Frost & Sullivan end user survey of 269 respondents from a wide range of industries revealed that 57 percent had found spyware on multiple computers in their organization, while 22 percent of those surveyed had discovered illegitimately installed keyloggers.

Security analyst James Turner said if he had his way, everyone in Australia would move their accounts to a bank that used two-factor internet banking.

"Anything less than this is just not good enough. Little keyboards on the screen are a joke. There's a reason that the serious enterprises use two-factor authentication for their core information and access areas - it's because they provide better security than just a password," he said.

"The banks in Australia are only now waking up from a long slumber of complacency. In Scandinavia, the banks have been using two-factor identification for Internet banking for many years," he said.

Turner said that online banking security comes down to an issue of risk analysis.

"The risk is reasonably high, but the cost to the bank has not reached a critical tipping point yet. A bank can afford to cover the costs of an individual's credit card being abused, but the individual has to go through the most horrible inconvenience of jumping through the hoops of getting the problem sorted out."

PC Tools spokesperson Magida Ezzat, said the advanced types of keyloggers that can read screen shots and mouse strokes are much less common than ones that can read key strokes.

"So the new Westpac system now at least protects against some keyloggers rather than previously, where there was no protection at all," she said.

Ezzat also said that using a two-factor approach would take away the ease and simplicity that Internet banking offers.

"The pure nature of Internet banking and any online transacting means that it will never be one hundred percent foolproof. While online transacting offers the convenience factor it also comes with certain risks that consumers must be aware of. The only real secure way is to go back to basics and physically go into the branch again," she said.

Westpac's head of channels and systems, Paul Jennings, said security is of "the utmost importance to Westpac and the bank has an ongoing program of investments to maintain the highest levels of security," but would not disclose the amount of financial investment from the bank.

Jennings said the new log-in page is sufficient to deal with most keylogging trojans that exist today.

"Trojans that capture screen shots and mouse clicks are significantly more complex than the keystroke logging trojans that are common today. We accept that over time trojans will become more sophisticated and hence the on-screen keypad is a relatively simple tactical initiative aimed at staying one step ahead of the fraudsters," he said.

Although Westpac's password is currently set at six digits, Jennings said the bank may look at changing this in the future.

"Most fraud is committed via keystroke loggers (so the length of the password makes no difference), and we also need to consider the impact on two million customers of communicating any change to password rules," he said.

Jennings said that the two-factor approach is a more complex and expensive change, but that the bank is working with other parties, including other banks, towards an industry solution for two-factor authentication.

"We believe that a shared industry utility is the best outcome for our customers and ourselves. This will avoid duplicated infrastructure investments and allow customers to choose a single security device for all online services they use," he said.

Westpac already uses two-factor authentication for Business Online, its online banking platform for small to medium size businesses, where it has 75,000 SecureID Tokens in active use.

Join the newsletter!

Error: Please check your email address.

More about Frost & Sullivan (Aust)HISPC ToolsVIAWestpacWestpac

Show Comments