
Online banking is popular, with 81 percent of internet users using it at least weekly. Many banks reward customers with low fees (or no fees) for online transactions because of the huge savings to them in time and productivity.

This must make internet banking a no-brainer – right?

Well, not entirely. Internationally, the e-crime “industry” is estimated to be worth more than US$10 billion. And e-crime brings unique policing challenges because of its anonymity, global nature and speed. A recent report on cyber-crime by Deloitte (an international consulting firm) noted that many institutions underestimated the threat and were operating under "reactive" security that left them vulnerable.

Our survey

In March 2011 we surveyed 11 banks about the process customers went through to access their accounts online – ANZ, ASB Bank, BankDirect, BNZ, HSBC Bank, Kiwibank, The National Bank, PSIS, RaboDirect, TSB Bank and Westpac.

Simultaneous logins

One issue that came out of the survey was that just under half the banks allowed you to log in on more than one computer at the same time – which could let someone else access your account without your knowledge, while you were logged in.

The National Bank and ANZ said that if this unauthorised access occurred, it would raise a flag with their detection team. PSIS has recently launched a website on which simultaneous log-ins are no longer possible. On TSB Bank's site this has not been possible since May. Kiwibank stated its IT experts had never found or heard of simultaneous log-ins causing significant security problems and it considered it a non-issue.
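
The two approaches the banks describe above, flagging a second log-in for review versus not allowing simultaneous log-ins at all, sketched as an added example (not code from any of the banks surveyed). The policy names, the device label and the 10-minute idle timeout are assumptions, and the "single" policy here is assumed to revoke the older session rather than refuse the new log-in.

```python
import secrets
import time

IDLE_TIMEOUT = 600  # seconds; assumed idle timeout, not a figure from the article

class SessionRegistry:
    """Tracks live sessions per customer and applies one concurrency policy."""

    def __init__(self, policy, clock=time.time):
        if policy not in ("allow", "flag", "single"):
            raise ValueError("unknown policy")
        self.policy = policy
        self.clock = clock
        self.sessions = {}   # token -> (customer, device, last_seen)
        self.alerts = []     # events for a fraud/detection team to review

    def _live(self, customer):
        now = self.clock()
        # Drop sessions that have idled out so they never count as concurrent.
        for tok, (_, _, seen) in list(self.sessions.items()):
            if now - seen > IDLE_TIMEOUT:
                del self.sessions[tok]
        return [t for t, (c, _, _) in self.sessions.items() if c == customer]

    def login(self, customer, device):
        """Call only after credentials are verified; returns a new session token."""
        existing = self._live(customer)
        others = [t for t in existing if self.sessions[t][1] != device]
        if others and self.policy in ("flag", "single"):
            self.alerts.append((customer, device, len(others)))
        if self.policy == "single":
            for tok in existing:       # newest login wins; older ones are revoked
                del self.sessions[tok]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (customer, device, self.clock())
        return token

    def is_valid(self, token):
        entry = self.sessions.get(token)
        if entry is None or self.clock() - entry[2] > IDLE_TIMEOUT:
            self.sessions.pop(token, None)
            return False
        self.sessions[token] = (entry[0], entry[1], self.clock())  # sliding expiry
        return True
```

Under "single", a customer who is suddenly logged out mid-session gets a visible sign that someone else has signed in, and the alert gives the bank's detection team the same event to review.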

Two-factor authentication

Ten of the 11 banks use two-factor authentication devices as part of their security set-up, some as an optional extra and others as a standard part of the account. (Kiwibank doesn't use it, while BankDirect requires it for online transactions over $500.)

Two-factor authentication means a constantly changing access number (randomly generated by the bank’s authentication device) used in combination with the customer's username (or number) and password.

This extra level of security is harder to breach than passwords or customer numbers. But it isn’t invincible. This year RSA Security – the US company that provided two-factor authentication to ANZ and ASB – warned that highly sensitive data relating to its authentication devices had been stolen. While both New Zealand banks are satisfied their customers are not threatened by this security breach, it’s a sobering illustration of the growing ingenuity of e-criminals.

Additional protection

All the banks also have strong background-security systems that can't be detected by the customer. Banks also offer reimbursement to victims of internet fraud with the proviso that they have taken the necessary precautions to protect themselves – for example, not disclosing passwords to others and making sure security software is installed on their computer.

Banking Code of Practice

While the Banking Code of Practice covers consumers for most cases of internet banking fraud, the banks don't guarantee to reimburse you – so you should still make sure your computer is secure. However, the Office of the Banking Ombudsman tells us very few cases are brought by scam victims: this suggests that consumers who’ve been caught by scams are settling any issues satisfactorily with their banks.
