CommBank issues NetBank tokens

TOPICS: Security, Banking

The Commonwealth Bank will issue free two-factor authentication tokens to some 30,000 "highly active" customers of its Internet banking service as part of a drive to improve security.

The tokens produce a one-time, unique code that can be used by customers to log into the bank's NetBank system. The code is unique to each customer's token and changes every 30 seconds.

"This is the first phase of the bank's two-factor authentication program; the next wave will be to introduce SMS authentication codes for other NetBank customers," the bank said in a statement issued yesterday announcing the plans.

The SMS authentication scheme will allow customers to receive a similar code via text message to their mobile phone.

"With these solutions in place, customers can carry out their online banking activities with greater peace of mind," said the bank's group executive of Retail Banking Services, Michael Cameron.

Second-factor authentication tokens have long been used by large organisations such as banks and welfare agency Centrelink internally, but their provision to consumers is only now starting to gain in popularity.

The use of SMS messages to secure online banking transactions is a little more popular, with several other banks such as the National Australia Bank already offering the service.


Talkback

11 comments
  • What a pointless exercise!

    This sort of lame 2 factor process has already been discredited as easy to crack. Why do they bother?

    /Jiim&
    anonymous
  • Why?

    - To be seen to be doing something
    - It's got to be harder to crack than their current system

    You've got me interested enough in the how-to details to google it now, curse ya! :)
    anonymous
  • Two factor easy to crack

    Jiim - Given your unfounded statement around two factor auth... Perhaps you're referring to a potential attack of an OTP in combination with a username and password. It's by no means "easy". It requires a practically instant authN from the phisher to log on in time before the OTP expires.
    Take a look at online banking at present. Currently it's trivial and has no time basis for phishers to capture identity information and replay the credentials. I commend Commbank for taking a more active stance around authN. Single factor AuthN such as password based authN is the worst form of authN around and is a legacy that must be removed.
    That said - I'd prefer a PKI method for authN which while still two factor is cryptographic in nature.
    anonymous
  • Two-factor

    These are not unfounded comments. Citibank (Singapore) has already been a victim of attacks on two-factor tokens. They are completely obsolete and this is common knowledge in the marketplace.
    anonymous
  • Two factor

    Crap. Two factor around PKI is not cracked. You're talking about a form of two factor around one time passwords which have no cryptographic proof of key ownership. There is no public/private keying in it. Let's be very clear here which form of two factor we are talking about. Show me proof if you think PKI is cracked otherwise!
    anonymous
  • Two Factor

    Read it again Numpty. It says tokens. The only confusion appears to be with you.
    anonymous
  • 2 factor life expectancy makes it worthless!

    What is the point of going through a more complex (i.e. 2 factor) approach to authenticate an already compromised PC? They don't need to crack anything except rooting your system. As soon as the baddies detect the payment conduit is open they will push their transactions through...hey presto, ur gooorne!

    What is required is an independently delivered approval mechanism to allow settlement of proposed transactions (from the PC session) to occur. This could be done with bidirectional SMS (and other methods).
    anonymous
  • understand tokens first

    The tokens as used by Bendigo (first Bank in Australia) and Com bank could only be used by an attacker once, and only if they were able to hijack the current session.

    The token is a physical device separate from the pin, that has a new number generated every 30 seconds so you would need to have the system so well compromised that it would alert you to the fact that the user was about to run another session. Also it would rely on the user and the bank not noticing the fraud occurring. You could not monitor the password and number and use it later at your leisure.

    If 2FA is so bad why would these institutions be using it? It is not perfect but the market cannot go the 3FA. Are you suggesting they should? Or just do nothing?
    anonymous
  • Help - Can't Log In to NetBank

    Can anyone help me? I can access everything on the net, including NetBank home page, but after I enter my Customer Number and Password, nothing happens when I hit the "Enter" button.
    I can navigate anywhere on the site except to access my banking details. I have checked browser settings - O/K, deleted Cookies etc - O/K, disabled PopUp block, but nothing seems to work - Can anyone offer some advice? Tried 132828, but nothing they suggested worked.
    anonymous
  • yet another 2 factor device

    Soon I'll have to carry around at least 2, maybe even 3 of these devices! My key ring is going to be full of keys, usb device, and now a 2 factor device for each bank and computer network I access

    How about software that runs on your mobile or mp3 player? Or a 2 factor authentication middle man?
    anonymous
  • 2 factor

    2 factor has only been "Cracked" by preying on stupid people who enter their details into a fake website.
    anonymous