HSBC to issue security tokens to its customers

Bloomberg

masonic wrote: »

Even with a secure key, there are risks associated with doing online banking on a computer that might be compromised. If a bad guy is able to install a root SSL certificate on the machine and perform DNS spoofing, they could perform a real time man in the middle attack via a phishing site that would look totally convincing to the end user. The user would need to do something requiring secure key authentication after login, but once entered, that six digit code could be immediately hijacked and used for a different purpose by the malicious webpage. The user could be engineered into giving up additional codes in succession by returning an error at login and asking them to try again.

Admittedly nothing is totally fool proof but this system appears to be the most secure one out there. I am one of the few people who like the secure key.

smartiedriver_2

Bongo_Jazz wrote: »

So HSBC give out free replacements, eh? I wonder what the replacement costs them? At an estimate of £20 (more accurate estimates welcome) If I were to accidentally sit on the flimsy plastic thing every week (5 working days tilI I get the next one), then in a year I would be costing them over £1000. Potentially much more than that, if I go into a branch and pick up a new one. Even at a £10 cost, that's still £500.

A cynic (not me, honest) might suggest to people thinking of leaving HSBC over this matter that there might be another way of showing them your feelings on the matter - take all your money to another bank but leave your HSBC account open, then ring them up every so often or pop into a branch and ask for a replacement securekey. As many times as possible.

If you're not leaving, but are frustrated with the new system, presumably you could still use the crippled service but go into a branch for another replacement every so often and have it re-enabled there and then.

If enough people were to do this (the cynic might say!), HSBC would soon notice the rising replacement costs were higher than forecast and would have 2 options:

1) Start charging for replacements - which would alienate a LOT more existing customers, and would quite possibly end in a mass frustrated exodus (people hate charges - especially for something that's forced on them!), OR

2) Acknowledge that maybe these things aren't all that robust or convenient to carry around after all, and seek an alternative solution - such as restricting their need to the 'new payees' option or introducing the sms/smartphone alternatives described above.

And there do seem to be a LOT of people who are unhappy over this all over the net, many of whom say they're planning on leaving HSBC over this thing...

Just a thought (a purely hypothetical one, of course ).

My goodness. It's people like you who push bank charges up which will inevitably end up in everybody having to pay for current accounts.

If you don't like it, either leave, formally complain, or do both. Don't mess it up for the people who like the secure key and are very happy with their bank!

Bloomberg

smartiedriver wrote: »

My goodness. It's people like you who push bank charges up which will inevitably end up in everybody having to pay for current accounts.

If you don't like it, either leave, formally complain, or do both. Don't mess it up for the people who like the secure key and are very happy with their bank!

I totally agree with you, the post you responded was oh so childish. It amazes me that someone can write such rubbish on what is essentially a mature forum. All the best.:mad:

alanq

masonic wrote: »

Even with a secure key, there are risks associated with doing online banking on a computer that might be compromised. If a bad guy is able to install a root SSL certificate on the machine and perform DNS spoofing, they could perform a real time man in the middle attack via a phishing site that would look totally convincing to the end user. The user would need to do something requiring secure key authentication after login, but once entered, that six digit code could be immediately hijacked and used for a different purpose by the malicious webpage. The user could be engineered into giving up additional codes in succession by returning an error at login and asking them to try again.

Isn't that why HSBC recommends using Trusteer Rapport?
"Trusteer Rapport adds valuable security when you log on to HSBC Personal Internet Banking. It checks that you are using the real HSBC website and not a fake. It locks down the link between you and the bank so that fraudsters can't listen in. Finally, it blocks all known viruses that target online banking."
http://www.hsbc.co.uk/1/2/security-centre/security-downloads

masonic

alanq wrote: »

Isn't that why HSBC recommends using Trusteer Rapport?
"Trusteer Rapport adds valuable security when you log on to HSBC Personal Internet Banking. It checks that you are using the real HSBC website and not a fake. It locks down the link between you and the bank so that fraudsters can't listen in. Finally, it blocks all known viruses that target online banking."
http://www.hsbc.co.uk/1/2/security-centre/security-downloads

You have taken my post out of context (I was responding to someone saying you could bank in a cyber cafe with almost total peace of mind. You would not be able to install Rapport in a cyber cafe). However, you are correct. Rapport is designed to address exactly the kind of vulnerabilities I described.

Toreador

masonic wrote: »

Rapport is designed to address exactly the kind of vulnerabilities I described.

But apparently HSBC don't have any confidence in it, hence the new security key.

masonic

Toreador wrote: »

But apparently HSBC don't have any confidence in it, hence the new security key.

My own view is that Trusteer has over-reached with Rapport. On the one hand, it offers something of value in validating the connection between the browser and banking website to prevent man-in-the-middle and phishing attacks.

However, on the other hand, it also tries to create a safe platform for banking on infected machines, which is where it tends to fall down. There is already malware out there that can specifically target Rapport, and so there is now a game of cat and mouse between Rapport and the malware. It is going to be very difficult for Rapport to stay afloat.

The new security key is a better solution against things like keyloggers. Rapport offers valuable protection against man-in-the-middle and phishing attacks. In combination, they have a synergistic effect.
However, the only solution to a malware infected computer is to format and reinstall.

throughtherain

Bongo_Jazz wrote: »

Potentially much more than that, if I go into a branch and pick up a new one.

This is the funniest thing I've read in ages - the mere thought that you go into a HSBC branch and the staff there were actually able to fulfil whatever request or answer any question you had there and then. It hasn't happened yet in 10 years with them...usually they have to pass the request on to at least 5 other 'team members' in the branch, get you to join at least 3 queues, put your name on a waiting list to be seen, make an appointment for later in the week, direct you to a machine, tell you to use the computer or lovely red phone they provide. And even after all that you'd be lucky to get your issue resolved!

KxMx

I don't have any problems with it- wouldn't dream of logging onto internet banking with anything other than home PC so keeping it in the house is not a problem.

If I am out and about, then I can use phone banking or get a balance from a cashpoint.

Toreador

KxMx wrote: »

If I am out and about, then I can use phone banking

Given the recent revelations about phone hacking, I wonder whether this is actually more risky than internet banking. There's no need for anything as complex as key recording etc if all you have to do is listen to a voice recording...