# Online banking security & privacy



## Malbec (Jan 2, 2014)

I find it pretty awkward that Emirates NBD allows you to log in using your login & password details only to see full details of accounts, holder names, balance and even make some transactions without further authorisation.

Do other banks work in the same way? From what I have noticed, NBAD requires you to enter OTP from the token device before you can log in. That makes sense. How about other banks, ADCB etc?

I would not mind seeing some details using log in and pass only, like shortened account numbers, balances, no names displayed to who the account belongs, while all details & transactions would only be possible upon entering OTP (via SMS for instance).


----------



## Stevesolar (Dec 21, 2012)

Hi,
You are right - in some ways UAE banking is more advanced than I am used to in UK.
Biggest example of this is the text message every time I use a credit or debit card - this is really good.
On the other hand - the online banking seems less secure and uses a very simple user name and password system without any electronic passkey device (like a Barclays widget).
For that reason, I don't use online banking in the UAE - until the bank I use introduces an electronic OTP device.
Cheers
Steve


----------



## w_man (Apr 16, 2010)

I have HSBC account and they issue a passkey device for online banking. I also have an ADCB Corporate account they do have a passkey device as well - not sure if ADCB issues passkey for personal accounts.


----------



## kmdxb (Jan 19, 2014)

Mobile banking can be even more amusing here. One bank I use tried to get me to register for their mobile banking service, and couldn't understand why I did not want to do that.

I tried to explain that the security was not very good as with mobile banking it makes it easier for someone with your phone to do things to your account, they countered with 'but any action requires a confirmation code you have to enter and that is sent to you by SMS' - and yet they could not see that someone who has your phone and is using your mobile banking **HAS YOUR PHONE** so they can read the SMS...


----------



## Malbec (Jan 2, 2014)

w_man said:


> I have HSBC account and they issue a passkey device for online banking. I also have an ADCB Corporate account they do have a passkey device as well - not sure if ADCB issues passkey for personal accounts.


I am also using ADCB Corporate and they do issue token device and/or SMS authentication depending on user preference. Before you can see anything, you have to pass through authorisation process. What I have noticed however is that this kind of extra security is common across all other banks for corporate accounts.

How does ADCB work for personal accounts? Similar to Emirates NBD or is there better security in place before you can perform any transactions?

International banks like HSBC, Standard Chartered, Citibank etc. probably use the same or very similar software across different countries. They have obviously an advantage and disadvantage being international banks.

So from local banks, NBAD, with their security token device, seems to have the tightest security for personal accounts. Any others?


----------



## rsinner (Feb 3, 2009)

I have a personal account and ADCB sends OTP through SMS/email for online transactions.


----------



## Malbec (Jan 2, 2014)

rsinner said:


> I have a personal account and ADCB sends OTP through SMS/email for online transactions.


So does Emirates NBD. Question is if *without* OTP in ADCB you can:
- view full account details
- account balance
- do any kind of payments or transfers (even internal between your accounts)


----------



## Malbec (Jan 2, 2014)

To answer my question, yes in ADCB by using only username and password it's possible to view account details (including account holder name and account numbers), balance and do internal transactions between own accounts. I have been banking with them for 6 months already and although I am quite happy, there are some mishaps.

For example: one of their Visa Infinite benefits was 5% off flight tickets. So I called once to take advantage of it as the price of business ticket would be worth doing it over the phone. I was connected to DNATA agency which said they no longer have a deal with ADCB... On a side note, their prices are a rip off compared to online bookings.

Another one, I checked ADCB website for movie cashback benefit on 27/05. They mention that they offer 50% cashback on tickets purchased any day of the week, so I booked VOX Gold tickets on which I already had 50% discount thanks to Visa Infinite (paid AED 153 for two) but I was supposed to get another 50% cashback from the bank. They now say that it is applicable since 01/06, so why did they already publish such information in May without mentioning validity? Also their TouchPoints program is very hard to keep track if the points were awarded correctly for certain transactions.

Back to security, it seems NBAD & HSBC are the only banks that use passkey device for log in purposes, so I would put them on top in terms of online security.


----------



## londonmandan (Jul 23, 2013)

When I transfer money from my GBP ENBD account I get a text message with a number I have to enter.


----------



## Malbec (Jan 2, 2014)

londonmandan said:


> When I transfer money from my GBP ENBD account I get a text message with a number I have to enter.


Yes, but you are talking about external transfer. If someone hacks into your account, he will be free to play a ping pong game between your GBP <-> AED account as there is no authorisation required for transfers between your own accounts.


----------



## imac (Oct 14, 2012)

Malbec said:


> ...HSBC are the only banks that use passkey device for log in purposes...


This is not enforced... you can still choose to login only with password + challenge answer into HSBC and see account balances and do a few minimal transactions such as transfers between your own HSBC UAE accounts, but if you were to try and do a wire transfer for example, it will require that you put in the number generated from the passkey... it works the same way for all of HSBC...


----------



## Dibblington (Apr 20, 2015)

With these widgets outsmarted in 2012, and if 'they' can hack the US military, I'm pretty sure online banking isn't very secure.

The only way to remain secure is to cut the internet and go offline, but then how hard is a cheque to forge, and how many times have we heard about cash card cloning and ATM PIN loggers?

Time to don the old lead helmet and live in a cave


----------



## rsinner (Feb 3, 2009)

Malbec said:


> Yes, but you are talking about external transfer. If someone hacks into your account, he will be free to play a ping pong game between your GBP <-> AED account as there is no authorisation required for transfers between your own accounts.


What does a potential hacker get by doing this?


----------



## Malbec (Jan 2, 2014)

rsinner said:


> What does a potential hacker get by doing this?


If he wants he can empty your account seeing there is no way of getting money out. Just saying that it is possible to make a mess by doing constant FCY conversions, he can also send money for fun to utility providers / Salik etc. which do not require authentication once "registered". I know you may get the money back or have 5 years DEWA "free" but still. In my opinion username and password authentication should only allow to see balances, instead of full account details including the account holder, account numbers and before going "deeper" and be able to transact anything internally, one-time PIN should be required.


----------

