Mar 17

Adventures with NAB Internet Banking

For the most part I’m usually happy with NAB Internet Banking. They have a reasonably nice web interface and it also scales down reasonably well onto a mobile device. Functionality-wise it has a lot of capabilities, including some I wished Wells Fargo had (international transfer being the primary one), and I’m yet to find myself wanting anything from it. However, there are some quirks, and it seems that just recently I hit all of them.

This all started in San Jose while I was riding the VTA home. I wanted to look at my NAB bank account and see where it was at. I wasn’t thinking properly and ended up typing in my Wells Fargo password, which is similar but more complex because it uses symbols. I accidentally typed this password into the NAB app and hit submit. As the page reloaded, the last digit of the password looked wrong on my iPhone. iOS, like many mobile devices, will show you the last character you typed in a password field before obscuring it so that you can see if you made a mistake. So the character changed and I thought I’d made a typo, since the character it changed to was near where I had typed. It told me the password was wrong, I thought I knew why it was wrong, and I put in the password again. The same thing happened, and I cursed myself for typing the password wrong twice, then typed the same wrong password a third time, very carefully noting that this time the character changed to something on the other side of the keyboard and was also capitalised when my last character wasn’t. OK! At that point I realised what had been happening and that I had indeed been putting the wrong password in; however, by then it was too late. My account was locked.

So I tried to unlock the account and went through that cycle. It notified me that I couldn’t reset my password to what it is right now. So, if my account is locked, and I’m trying to reset my password to my current password, and presuming my internet banking password is correct, surely we can just unlock the account? Apparently not. At that point I figured it was easier to handle this while I’m in Australia instead of trying to get it sorted in the less than two hours I had before I needed to head to the airport. There were more pressing matters to attend to.

I travel to Australia on a reasonably pleasant QANTAS flight and land, then as I’m heading home I start working on getting access again. I give NAB a call and get to a human, start explaining my issue and then BAM! Hung up on. OK. That wasn’t quite what I was after. I ring back and have fun with the phone system asking me what I’m calling about. It asks me if I’ve forgotten my password; I say no. This seems to confuse it. I know what my password is, I’d just like you to reset it. The first person this time is nice enough but can’t really help me and transfers me to internet banking, who tell me they can’t just unlock my account and can only reset my password. I give up on humans at this point and decide instead to give the computers another shot from my phone. While ringing in it asks me for my phone banking password, which I think I enter correctly but probably don’t.

At this point I discover something important. In attempting to reset my password, it tells me I can’t have my password the same. It then tells me that the password I’m entering is invalid because passwords can only contain numbers and letters – no symbols. The password I was entering in San Jose had symbols in it. NAB didn’t deign to inform me that the password I was entering was invalid not only because the password was WRONG but because it contained characters that can NEVER be in a password. You’re locking me out of my account and not informing me that my password is incorrectly formed for your system. Don’t even get me started on how insecure and unsafe it is that you limit me to certain characters. So I type in a new password; however, this time it tells me that my telephone banking password has been locked out.

This frightens me even more. I can brute force GUESS someone’s password through NAB’s password reset system, and it doesn’t appear to validate the phone banking password until AFTER it’s validated that the new internet banking password is valid. Alternatively, it’s secretly in the background trying the telephone banking password and failing but not displaying that notification. At this point I give up and figure I’ll visit a branch to get the situation resolved on Monday (this happening on a Sunday). Fortuitously I ventured into a shopping centre that had a NAB outpost in it, got an internet banking password reset code and was then able to reset my account.

This highlights another annoyance of mine with internet banking that I’ve complained about for a while but NAB seem indifferent to fixing. If you type your NAB ID and start typing your password quickly enough, the UI will helpfully reset your cursor from the password box to the NAB ID box. This means anyone standing behind you stands a chance of seeing some portion of your password as well as your NAB ID. This has happened to me many times, where the first two characters I type end up in the password box and I see the rest of my password in plain text in front of me on screen – in fact it happened just after this situation I’ve described, so I know it’s still there. Convenience is more important than security.

But let’s review things here. They’ve got a confusing process wherein they change your password quicker than the UI hides those characters on iOS. This is a usability problem because in this particular case I was confused into thinking I had made a typo when I hadn’t. Their password system will lock out an account for entering a password that isn’t valid within their system but doesn’t tell you that the password you entered contains characters that aren’t valid. Their password system won’t let you set arbitrarily complex passwords, which tends to mean they’re probably not hashing them somewhere and likely they’re stored in plain text for someone in the bank to be able to read as they will. Their password reset system either tests your telephone banking password, doesn’t tell you it’s wrong and locks you out due to issues with your internet banking password, OR, much worse, doesn’t test it at all, meaning you can use it to verify what someone’s password is without having to try to log in as that person. Potentially that isn’t protected against multiple bad attempts either, which means there is potentially an entry point for a brute force attack. And finally there is the situation where you can be typing your password in a password box and NAB Internet Banking will expose your password to anyone potentially looking at your screen.
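As an added example (not code from this post and not NAB’s system), here is a toy reset handler with the check ordering described above next to a hardened one that verifies the telephone banking password first, counts failures towards a lockout, and gives every unauthenticated failure the same answer. The passwords, salt and lock threshold are made up for the demonstration.

```python
import hashlib
import hmac
import re

# Constructed demo backend (assumption, not NAB's code): both passwords are
# stored as salted PBKDF2 hashes, so there is no storage reason to restrict
# which characters a password may contain.
SALT = b"demo-salt-not-for-production"
LOCK_AFTER = 3                      # phone banking failures before lockout
ALNUM_ONLY = re.compile(r"^[A-Za-z0-9]+$")

def _h(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 50_000)

def make_account(ib_pw: str, phone_pw: str) -> dict:
    return {"ib": _h(ib_pw), "phone": _h(phone_pw), "fails": 0, "locked": False}

def reset_flawed(acct: dict, new_pw: str, phone_pw: str) -> str:
    """Ordering the post describes: the character-set and same-as-current
    checks run before the phone banking password is verified, so anyone can
    learn whether a guess equals the current password without any credential."""
    if not ALNUM_ONLY.match(new_pw):
        return "invalid: letters and numbers only"
    if hmac.compare_digest(_h(new_pw), acct["ib"]):
        return "invalid: same as current password"
    if not hmac.compare_digest(_h(phone_pw), acct["phone"]):
        return "phone banking password incorrect"
    acct["ib"] = _h(new_pw)
    return "ok"

def reset_hardened(acct: dict, new_pw: str, phone_pw: str) -> str:
    """Authenticate first, count failures towards lockout, and give every
    unauthenticated failure the same answer. Policy feedback is only shown
    to a caller who has already proven possession of the phone password."""
    if acct["locked"]:
        return "request rejected"
    if not hmac.compare_digest(_h(phone_pw), acct["phone"]):
        acct["fails"] += 1
        acct["locked"] = acct["fails"] >= LOCK_AFTER
        return "request rejected"
    acct["fails"] = 0
    if len(new_pw) < 12:              # length, not character class, is the policy
        return "invalid: at least 12 characters"
    if hmac.compare_digest(_h(new_pw), acct["ib"]):
        return "invalid: same as current password"
    acct["ib"] = _h(new_pw)
    return "ok"
```

In the flawed version the "same as current password" answer is reachable with a wrong phone banking password, which is exactly the oracle the post worries about; the hardened version never reaches a policy check until the caller has authenticated.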

Seems I hit the jackpot of issues all at once. Lucky me.

  1. vincent July 5th, 2015 7:47 pm

    Yes, NAB’s password does not allow non-alphanumeric characters, but NAB bangs on about online security.

    I find their UI clumsy and non-intuitive, and yes, I use a lot of different web sites without the UI ‘getting in the way’.

