In this time of large scale security hacks, you would think that banks
should be taking the lead on security. They do protect our most valuable
assets. They do have teams of people whose job is to continually assess
the security of their systems, recommend enhancements, and test these
systems. I thought that was the case too, until today...
My sister is overseas, and as part of her trip, I recommended she
doesn't log on to any banking sites from overseas (keyboard loggers,
malware infested cafe computers etc). So she gave me the details for her
ANZ Travel Card so I could top it up as she needed. Last week I decided
to log on to make sure all the details were correct. I still haven't
had the confidence to log on!
My first step was to go to the website printed on the details page
(www.anzfx.com) and that's where my security senses started tingling.
It redirects you to https://www.anztravelcard.com/ and has a padlock
(such a security blanket that padlock hey ;) but the URL didn't look
like a legit ANZ domain. I would have thought a sub-domain of their
corporate domain (anz.com) would be a better choice and show more
legitimacy. So I clicked to see the details of the SSL certificate:
Riiiiggghhhhttt! Not even issued to a legal entity. OK,
confidence dropping. So I decided to check some more details, and
under the Subject metadata for the certificate, here is who it is
registered to:
CN = www.anztravelcard.com
OU = FIS - Prepaid
O = Fidelity National Information Services
L = Jacksonville
S = Florida
C = US
Doesn't even mention ANZ?!? To compare, here are the details of the
certificate I use for my online banking (Westpac):
CN = online.westpac.com.au
OU = Internet Online Banking
O = Westpac Banking Corporation
STREET = L 20 275 KENT ST
L = SYDNEY
S = New South Wales
PostalCode = 2000
C = AU
It's immediately obvious who the certificate is issued to, and I
trust them. I also compared the certificate to the one used on the
main ANZ site, which does have the organisation details, and they
are issued by different vendors. Even stranger?
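The comparison above (who the certificate Subject names versus who you expect to be dealing with) can be scripted. The following is an added example, not code from the original post: it takes a certificate subject in the shape returned by Python's `ssl.SSLSocket.getpeercert()["subject"]`, flattens it, and reports whether the `organizationName` names the expected brand, is a different company, or is absent altogether (a domain-validated certificate that only proves control of the hostname). The two sample subjects are constructed from the values quoted in the post; their RDN ordering is an assumption, as is the `fetch_subject` helper, which is the only part that touches the network.

```python
import re
import socket
import ssl

# Constructed sample subjects in the shape returned by
# ssl.SSLSocket.getpeercert()["subject"]: a tuple of RDNs, each RDN a tuple of
# (attribute, value) pairs. Values are those quoted in the post; the ordering
# of the RDNs is an assumption.
TRAVELCARD_SUBJECT = (
    (("countryName", "US"),),
    (("stateOrProvinceName", "Florida"),),
    (("localityName", "Jacksonville"),),
    (("organizationName", "Fidelity National Information Services"),),
    (("organizationalUnitName", "FIS - Prepaid"),),
    (("commonName", "www.anztravelcard.com"),),
)

WESTPAC_SUBJECT = (
    (("countryName", "AU"),),
    (("postalCode", "2000"),),
    (("stateOrProvinceName", "New South Wales"),),
    (("localityName", "SYDNEY"),),
    (("streetAddress", "L 20 275 KENT ST"),),
    (("organizationName", "Westpac Banking Corporation"),),
    (("organizationalUnitName", "Internet Online Banking"),),
    (("commonName", "online.westpac.com.au"),),
)

# Constructed: a domain-validated certificate carries only a CN, so it says
# nothing about which legal entity operates the site.
DV_ONLY_SUBJECT = ((("commonName", "example.invalid"),),)


def subject_to_dict(subject):
    """Flatten a getpeercert()-style subject into {attribute: value}."""
    flat = {}
    for rdn in subject:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def assess_subject(subject, expected_org):
    """Classify a subject as "trusted", "third-party" or "dv-only".

    Returns (verdict, reason). "trusted" means organizationName contains
    expected_org as a whole word; "third-party" means some other organisation
    is named; "dv-only" means no organisation is named at all.
    """
    fields = subject_to_dict(subject)
    org = fields.get("organizationName")
    cn = fields.get("commonName", "<no CN>")
    if org is None:
        return "dv-only", "no organizationName; only proves control of %s" % cn
    if re.search(r"\b%s\b" % re.escape(expected_org), org, re.IGNORECASE):
        return "trusted", "organizationName matches %r" % org
    return "third-party", "organizationName is %r, not %r" % (org, expected_org)


def fetch_subject(host, port=443, timeout=5.0):
    """Fetch the leaf certificate subject from a live host.

    Hypothetical helper for interactive use; it performs a real TLS handshake
    with standard chain validation and is not exercised offline.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


if __name__ == "__main__":
    checks = [
        ("anztravelcard", TRAVELCARD_SUBJECT, "ANZ"),
        ("westpac", WESTPAC_SUBJECT, "Westpac"),
        ("dv-only", DV_ONLY_SUBJECT, "Example Bank"),
    ]
    for label, subj, org in checks:
        verdict, reason = assess_subject(subj, org)
        print("%-14s %-12s %s" % (label, verdict, reason))
```

Run against the constructed subjects, the travel card certificate comes back as `third-party` (named organisation is FIS, not ANZ) and the Westpac one as `trusted`; the `dv-only` case is the weakest of the three, because a CN alone only proves whoever holds the certificate controls that hostname, not which company they are. The whole-word match avoids short brand names matching inside unrelated words.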
So, doubts already cast, I looked at the logon form:

Now, normally to log on, I need an identifier (an ID, email address
etc) and a secret security token of some sort (password, bio fingerprint
etc). Here, I need 3 things. OK. Why? Looking more closely, I need to
provide my card number (identifier in the credit card world) AND my CVV2
(a quasi secret given it is never printed on receipts or the old school
card impression printers). WTF? A simple man in the middle attack, and
I can get the 2 pieces of information I need to use this card online!
NO THANKS!!
It looks to me like ANZ has outsourced this service, but it is
their name on the product, and as such, it is their responsibility
to ensure customer data is not compromised. This whole platform
scares me from the 20 minutes I spent looking at it, so I question
how secure the platform as a whole is...