
Ask HN: No major Australian bank even offers an option of 2FA for web, why? - andrewstuart
Weirdly, none of the major Australian banks give any sort of 2FA to sign in to their websites. I'm talking Commonwealth Bank, Westpac, ANZ and NAB.

Hard to imagine how this gets past any security audit.

Does anyone know why this is?
======
jpmoral
Maybe because they have 2FA on other stuff? E.g. ANZ have it on adding BPay
and Pay Anyone recipients, changing contact details, and some (apparently
randomly selected) fund transfers. Not saying it's secure, just that it may
explain their thinking.

~~~
thisrod
I've always thought this was a smart choice. Australian banks authenticate
their transactions: "The code to transfer $100 to Joe Bloggs is 4321. If
you're surprised to hear about that transfer, call the cops now." This makes a
lot more sense than authenticating a login, which doesn't give you access to
especially valuable information on its own.

Historically, there was a period of 10-15 years when these banks had websites,
but you couldn't make arbitrary transfers through them. You could read your
statements, and you could pay utility bills where the bank trusted the biller.
Logins and passwords were appropriate then. The SMS authentication was only
introduced later, when the websites could do things that required it. No doubt
it made sense to save the SMSes for when they were needed, which was rare
before people got used to paying by internet transfer.
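As an added illustration of the transaction-authentication approach described in this comment (example code, not from any bank or from the poster): a per-transfer code derived by HMAC over the transfer details, so that a code captured for one transfer cannot authorise a different recipient or amount, and cannot be replayed. The key, account numbers and field names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example: the code is bound to the transfer, not to the login.
# Field order is fixed so issuer and verifier hash identical bytes.
def canonical(tx: dict) -> bytes:
    return f'{tx["from_acct"]}|{tx["to_acct"]}|{tx["amount_cents"]}|{tx["nonce"]}'.encode()


def transaction_code(key: bytes, tx: dict, digits: int = 6) -> str:
    """Short numeric code = HMAC-SHA256 over the transfer, truncated HOTP-style (RFC 4226 5.3)."""
    mac = hmac.new(key, canonical(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def new_transfer(key: bytes, from_acct: str, to_acct: str, amount_cents: int):
    """Bank side: record the pending transfer with a fresh nonce and issue its code (the 'SMS')."""
    tx = {"from_acct": from_acct, "to_acct": to_acct,
          "amount_cents": amount_cents, "nonce": secrets.token_hex(8)}
    return tx, transaction_code(key, tx)


def verify(key: bytes, tx: dict, submitted: str, used_nonces: set) -> bool:
    """Accept only if the code matches THIS transfer's details and the nonce is unused."""
    if tx["nonce"] in used_nonces:          # replay of an already-confirmed transfer
        return False
    ok = hmac.compare_digest(transaction_code(key, tx), submitted)
    if ok:
        used_nonces.add(tx["nonce"])
    return ok


def demo() -> dict:
    key = secrets.token_bytes(32)           # constructed server-side key
    used: set = set()
    tx, code = new_transfer(key, "062-000 12345678", "062-000 87654321", 10000)
    # An attacker who phished the code but changes the recipient gets nothing:
    tampered = dict(tx, to_acct="032-000 99999999")
    return {
        "tampered_recipient": verify(key, tampered, code, used),   # False
        "genuine_transfer": verify(key, tx, code, used),           # True
        "replayed_code": verify(key, tx, code, used),              # False
    }
```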

~~~
stephenr
... What is the 10-15 year period you're referring to where online banking in
Australia meant "you can see transactions but you can't transfer money"?

By most people's standard the web has only existed since the early 90s -
Mosaic came out in 1993.

I was using online banking for transfers with CommBank and Westpac around the
year 2000, IIRC, and I've never been in a situation where I could view but not
make transfers using an Australian bank.

~~~
thisrod
Maybe it was only 5 years. I think some of the banks were early adopters, and
got online by the mid 90s.

------
slau
Here in Denmark, banks typically use NemID, a government-issued 2FA system.
The basic version uses an OTP sheet of ~140 passwords. People can opt in to
use phone-based validation (push notifications to an app and confirmation with
a slider). As far as I know (I don’t speak much Danish so I can’t look it up),
this is a requirement to offer banking services in Denmark.

I used to work in infosec for governments and banks. Typically, the only way
to have these kinds of things implemented is by having regulation that enforces
it. Banks don’t want to have to foot the bill for 2FA, and they can (as
another poster pointed out) claim the user was careless with their password to
not have to cover phishing attacks. Most of the time, banks will claim that
their user base is in remote locations and SMS-based 2FA is unreliable
(believable in Oz), or that they don’t want to “inconvenience their
customers”.

The other issue is with choosing a tech. What if the bank picks wrong? What if
it has an enormous cost?

A bank in the UK decided to use smartcard/credit card based OTP, and it
resulted in the torture and death of one or two foreign students. It’s quite
simply safer to wait until you’re regulated to use a specific tech, just so
that you can’t be blamed if it backfires.

------
RileyJames
Unclear about this, I have commbank and Citibank accounts and both require 2FA
to login to web banking.

What exactly are you referring to when you say “website”?

CommBank's 2FA can be disabled though.

------
Dicey84
I think it's just the banks' 'she'll be right' attitude.

ING still uses a client code, which is written on your card, plus a 4+ digit
PIN code on both web and app to log in.

It will take one decent breach for them to wake up..

~~~
tcbasche
Not to mention the code for the online app is the same as your card PIN ...

------
nocubicles
I remember when I was working in Australia in 2008-2009. When I wanted to
deposit cash to my bank account I had to put that cash into an envelope and
write my name on the envelope and then push the envelope inside a hole in the
wall at the bank. Then they would count the money and it would appear on my
account in a couple of days. I remember it was really funny because we had had
ATM deposit machines for a long time back home.

~~~
stephenr
_write_ your name on an envelope?

Are you sure that was a bank, and not some shady business?

Or do you mean a night deposit box for businesses?

~~~
nocubicles
If I remember correctly it was Commonwealth Bank in Perth.

------
jazoom
BOQ forces me to use a specific non-standard (Symantec) app on my phone as
2FA, which I also find stupid, especially since I can just call them on the
phone and they'll reset it for me. What's even the point?

------
christopher8827
It's because of "Not Invented Here" policies. I have seen some banks use 2FA
for internal logins - Westpac uses RSA SecurID tokens.

------
tcbasche
As an aside, I once had the misfortune of being with CommBank, and their
password policy for the app was case insensitive.

------
aurizon
If they implemented 2FA, there would be a huge drop in frauds. Since the banks
rely on denying blame by blaming customer carelessness and making the client
bear this loss, often with high credit interest rates or loan fees, they would
lose a lot of $$ by closing off this profitable aspect of their business.
Doubt me? They are banks - never forget that.

~~~
schappim
>> rely on denying blame by blaming customer carelessness and making the
client bear this loss

This very much depends on the type of customer.

Consumers pretty much can have their banking password tattooed to their
forehead and suffer no repercussions.

If you're an online merchant, it will nearly always be your fault.

~~~
aurizon
In the USA the scammers are mature and the banks wary and use obsolete gear =
lots of skimmers. Canada is wary, better tech, harder for skimmers.

