Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)
Q31 – To what extent has the restriction on using a user’s name or birth date under cl 5.6(d), been relied on?
It does not appear that any data is available on the self selection of name or birth date as user codes. Prior to the last review of the EFT Code there were some incidents where financial institutions used birth dates as the default telephone access code. This practice no longer occurs.
Some anecdotal evidence is available on current practices:
- Self selection screens for changing access codes tend to carry suitable warning messages about the selection of weak access codes.
- A limited number of self selection processes will automatically reject weak access codes (eg sequential numbers), but these are not (yet) designed to reject name or date of birth.
- Clause 5.6 (d) has not been relied on in practice to the extent that it has come to the attention of consumer stakeholders.
- Criminal activity based on ‘guessing’ common passwords is likely to represent a smaller proportion of criminal activity now that most attacks rely on social engineering or deception to entice the consumer to reveal their password.
Overall, the usefulness of Clause 5.6 (d) is questionable. It never had the support of consumer stakeholders and this Clause is a candidate for removal in the interests of simplifying and shortening the Code.