
Slightly unrelated, but I'm fishing for suggestions.

I have a beef with my local Australian bank, the ING (of Dutch fame). Their login system consists of your "customer number" (printed on the back of your debit card) and a 4 digit numeric PIN. Yes, 4 digits. In 2019. To add a payee to your address book the only auth that happens is over SMS; to actually transfer money out of the account you can select any existing address book contact with no further verification.

I like their product offering (cheapest / best in class locally) but this is such a worry to me. I've repeatedly talked to their customer support about this issue (and their Twitter is full of complaints about this) but they keep giving canned responses and redirecting to their "Online Security Guarantee" https://www.ing.com.au/security.html. Any ideas how to get through to someone who understands what's going on, before I grudgingly take my business elsewhere?



This seems pretty common with a lot of banks. I've got accounts with several high street UK banks and almost all of them have some kind of reliance on SMS, maximum password requirements (like 10 letters with no symbols) or 'secret words' where you have to pick a few choice letters from a word which is presumably kept in plain text.

I can only assume they are relying more on legal recourse and insurance than data security experts and I assume that if a hack did happen I would be reimbursed but it's a bit of a worry.


With Barclays you can rely solely on the card reader and disable login using "memorable data". Lots of other banks in the UK offer card readers (off the top of my head, Barclays, Nationwide, Natwest).


You should ask them about controls for call center based fraud.

Write a nice letter and send it to them.

Also, you could try contacting journalists, who then might try to contact the bank, or some white hat security group, and ask them about how easy it is to socially engineer their way into your account.

However, I think it's not that easy. 4 digit PIN, one account, I guess it gets flagged fast if someone tries to brute force it. You should try it, hm?


This is a good suggestion, thanks. I'll consider giving it a try.

> However, I think it's not that easy. 4 digit PIN, one account, I guess it gets flagged fast if someone tries to brute force it. You should try it, hm?

Their security page says 3 incorrect attempts means you need to call up their call centre. But as you point out, how hard would it be to socially engineer your way in.


That's really weird. Over here, the ING has quite stringent password demands, and requires a password change every 6 months. Furthermore, 2-factor authentication via phone is required for every transaction.



