HSBC to issue security tokens to its customers

masonic

gt94sss2 wrote: »

While what you suggest might work with the card readers rolled out by most other UK banks - its an inherent weakness in their security.

It probably wouldn't even work with those, as the ones I've seen were based on a 'challenge - response' system where a numeric code provided by the online banking system was used to seed the algorithm used by the card reader. The inherent weakness in those systems was that these supposed "one time codes" were predictable in some circumstances (e.g. when validating a transaction, the last 4 digits from the account number might be used).

diskomonkey

It a pile of sh*t and it makes me want to punch things. Especially HSBC execs.

Sorry not be quite as eloquent as you other folk, it just makes me angry. :mad:

sky123_2

I see what you mean, I just tried it. If I write down some keys and try them later, the HSBC website just rejects them, because some time has passed : (

alanq

masonic wrote: »

It probably wouldn't even work with those, as the ones I've seen were based on a 'challenge - response' system where a numeric code provided by the online banking system was used to seed the algorithm used by the card reader.

The Nationwide BS uses a number generated by the card/reader to login which does not take a number from the computer screen. To set up and make payment, however, does use a 'challenge - response'. Nationwide BS customers have no need to use the dodge of writing down login numbers in advance as there is still the option to login using memorable data instead.

Jesthar

Bah, mine arrived this week. It'll be an annoyance for me, all my login details are memorised, not written down anywhere. Oh, and both complicated and unique.

Anyway, first impressions. Wow, it's a flimsy little beggar, especially the keychain attachment. Wonder how long it'll take to break if I do carry it... HSBC should've gone with the same setup they use for the business accounts - smaller AND more secure. Those are much more expensive too, though, which explains that one.

Plenty of room on the back to write your internet banking number on, I note. *I* won't be doing that, but I wonder how many will?

The buttons on the thing are tiny, as is the screen. The buttons seem to need a firm pressure to use, though. Could be a problem for some disabilities and/or older customer on both counts, I suspect. On that topic, whilst the HSBC business security system has directions for contacting them to arrange alternatives if you can't use the fob due to disability, there are no such instructions on the Secure Key help page. Some extensive and creative googling revealed that their are at least braille/large format alternatives, but individual customer reports vary as to whether those who need such a version actually got one automatically.

Reports of reliability also vary, from 30 seconds extra, to a few minutes, to much longer and several code generations before one works, to the device freezing up after the first use. Oh, and as with for alternate versions of the fob, there are no instructions on the HSBC website on what to do if your Secure Key is lost/stolen/broken. There's a video on how to activate a replacement secure key, but not on how to order one - or any information on how long it takes. Again, creative googling reveals an average wait time of five to ten business days - I can see that becoming a big complaint point...

One interesting point I can't seem to find any answers to is what HSBC are going to do for people not in the UK (expats/on overseas business/travelling), and whether or not they can get a longer grace period due to not being able to get their Secure Key in time. Or what would happen if your fob needed replacement whilst overseas. Could be difficult for someone on the move a lot, perhaps.

Ah well, guess I'll hold off using it a bit longer, then eventually have to see how it goes. I should add that I'm all for improved security, but this system, especially the support aspects, is showing signs of potentially suffering from a poor implementation. Only time will tell...

lou-28_2

I have one and don't mind it. My partner has one too but I do his internet banking for him so I've had to mark our initials on them to know who's is who's.

I've recently introduced internet banking to my mum which she now thinks is brilliant but she hasn't had a card reader yet. I can't see her being too impressed with it.

Nessie23

HSBC used to have one of the most reliable and easiest to use internet websites.

As mentioned by many posters the implementation of this secure key is poor. It is annoying and time consuming to have to use the secure key just to check your balance.

I prefer the RBS/Natwest implementation where you are required a special code to set up a new payee but can easily check you balance and carry out internal transfers.

So as soon as my regular saver matures with HSBC, the current account and any other HSBC accounts I hold are getting closed

Bloomberg

Nessie23 wrote: »

HSBC used to have one of the most reliable and easiest to use internet websites.

As mentioned by many posters the implementation of this secure key is poor. It is annoying and time consuming to have to use the secure key just to check your balance.

I prefer the RBS/Natwest implementation where you are required a special code to set up a new payee but can easily check you balance and carry out internal transfers.

So as soon as my regular saver matures with HSBC, the current account and any other HSBC accounts I hold are getting closed

A lot of people on this site do not like the new secure key for various reasons. Whether or not you like the new device it does give you a much greater level of protection. The reason why it is needed even just to log on is because if someone can look at your account this in itself could compromise the security.

People who are planning to jump ship just to avoid the secure key may well be wasting their time because there is a chance that one day most if not all banks will have a similar device.

I asked a member of staff if HSBC still refund money lost due to on line fraud, apparently they do. As much as I like the secure key I do think that a keyring fob would be far better. Only business customers and people with private bank accounts (Those with £2m) get a keyring fob - shows what HSBC think of about the rest of us.

gt94sss2

Bloomberg wrote: »

As much as I like the secure key I do think that a keyring fob would be far better.

I would prefer the older 'keyring' fob as well but I think HSBC will be phasing that out. They already seem to be doing so in Hong Kong

I guess the new Secure Key is more expandable and lets them add extra functionality as/when needed.

Regards
Sunil

masonic

Bloomberg wrote: »

People who are planning to jump ship just to avoid the secure key may well be wasting their time because there is a chance that one day most if not all banks will have a similar device.

I agree it is very likely most banks will move to two factor authentication, but we can already see that the banks have approached this in different ways. It absolutely makes sense to move away from a system that is unworkable for you, because based on what has happened so far, it is almost certain that a future implementation at a different bank will be different. For instance, many people who can't stand the idea of carrying around HSBC's secure key might not object to authenticating using a registered mobile or landline phone. That's an alternative that is available right now. I think it is very likely that in the future banks will give their customers some choice in how they authenticate themselves, but until then there does appear to be some choice available between the various banks. Those banks who don't yet use any second factor will be well placed to take advantage of future technology, which is likely to better balance security with convenience.