ryankurte / doesmybank

A review of NZ Banking Security (and features)
MIT License

ASB still supports RSA tokens for personal accounts #21

Closed calt1 closed 1 year ago

calt1 commented 2 years ago

I was told twice in-person at ASB branches that the physical tokens were only available for business accounts.

Today I spoke with them on the phone and was told that they could order one for me, no problem.

At least for personal accounts, I was told there are no charges associated with the token other than getting it replaced.

They didn't charge me when I ordered it, they just checked my address and security questions.

I was told it may take 15 business days to arrive, and that upon its arrival I'll need to call them and answer my security questions again to activate it.

Apparently, once it's activated I'll be able to disable SMS MFA and fully replace it with the physical token.

They said that there are two types of token available for business accounts, but only one for personal accounts.

I'll post an update verifying that SMS can be completely replaced with the physical token, once it arrives.

ryankurte commented 2 years ago

oh interesting, i also spoke to them on the phone and was told they're only for business accounts... having a business account i can confirm it completely replaces SMS. would be a nice footnote perhaps if you fancy a PR?

calt1 commented 2 years ago

My token has arrived for my personal account (I do not have a business account). I've confirmed that it doesn't work until you call them to enable it. By default, SMS is still an option even when your token is registered, and brute-forcing the token code will cause it to fall back to SMS.

[image]

"It looks like someone is trying to break into your account. To prevent this, we're reducing the security of your account." Haha.

Thankfully, if you call them they can disable SMS completely. In the case shown above, having SMS required will mean you probably have to call them or go into the branch to have the token re-enabled.
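The fallback behaviour reported in the last comment, modelled as an added example that is not part of the thread and not ASB's implementation. The lockout threshold, the factor ranking and every name here are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed values: the thread does not state the bank's lockout limit.
MAX_TOKEN_FAILURES = 3
# Assumed ranking, following the thread's premise that the token replaces SMS.
STRENGTH = {"sms": 1, "token": 2}


@dataclass
class Account:
    enrolled: set = field(default_factory=lambda: {"token", "sms"})
    token_failures: int = 0
    sms_disabled_by_bank: bool = False  # state after calling to disable SMS

    @property
    def token_locked(self) -> bool:
        return self.token_failures >= MAX_TOKEN_FAILURES


def offered_factors_fallback(acct: Account) -> set:
    """Reported behaviour: locking the token leaves SMS on offer."""
    offered = set()
    if "token" in acct.enrolled and not acct.token_locked:
        offered.add("token")
    if "sms" in acct.enrolled and not acct.sms_disabled_by_bank:
        offered.add("sms")
    return offered


def offered_factors_no_downgrade(acct: Account) -> set:
    """Hardened policy: never offer a factor weaker than the strongest
    enrolled one. An empty result means out-of-band recovery is required."""
    floor = max(STRENGTH[f] for f in acct.enrolled)
    return {f for f in offered_factors_fallback(acct) if STRENGTH[f] >= floor}


def record_bad_token_codes(acct: Account, count: int) -> Account:
    """Simulate `count` wrong token codes being submitted."""
    acct.token_failures += count
    return acct
```

Under the fallback policy, anyone who can submit wrong token codes decides which factor protects the account; under the no-downgrade policy the same lockout only costs availability until the token is re-enabled.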