HSBC security key
I'm happy HSBC have done something about their security, I just don't think they have thought it through very well. Office workers everywhere will easily be able to put up with it, probably.
I don't want to have to carry it with me everywhere. Multi factor authentication works very well from mobile phones and using simpler techniques (multiple passwords and random information/question response).
A simple solution...
These devices could be used only for creating a new payee.
Lloyds TSB only use their multifactor (they call your phone number and ask you to dial a response code that is written on the PC screen - you could even use a house phone!) only when you create a new payee.
This means you can happily check your balance, move money between savings etc, and pay a bill. What you cannot do is transfer your money to someone new. You also have the option to delete a payee (HSBC customers jealous?) which means that you would have to add them as if they were new. You decide where a hacker would be able to send the money to.
I can't see why something like the above couldn't be used with this new key, but the current system (forcing me to carry the key whenever I wish to login) won't work for me.
Which means that I will start looking for a new bank which can provide the service I need. I would like to think HSBC will listen and rethink this for those of us who do not work in an office and get the train to work, but I doubt it.
As others have said, Internet banking is about convenience, this removes that. Putting your own money beyond your reach is possibly more secure, and certainly a little impractical these days.
Good Luck HSBC, this is another customer of 25 years saying thanks for asking what I would like, and goodbye.
P.S.
One size does not fit all and if we don't moan about things we don't like, how would they know what to improve?0 -
Don't think you understand how account aggregation software works. You don't hand over your passwords etc. to a third party, they are kept stored and encrypted on your own pc.
That doesn't make sense... no matter where these are stored, at the point in time when you make an enquiry to the third-party service about one or more of your accounts, their system has to (by definition) retrieve your log-on credentials from wherever they are stored and pass them on to your Bank's online service to obtain the data in respect of your query... at that particular point in time, the third party has your credentials and is - in every respect - you! They are using those credentials to transact with your Bank on your behalf. So do you trust them, and their security systems, 100%?
And that's my point... you've handed the log-in credentials over to a third party, encrypted or not, whether permanently or for only a few seconds. If those same credentials are subsequently presented by "someone" who takes your money, to whom are you going to complain or from whom do you intend to recover your cash? Obviously, not your Bank!
I can imagine the scenario... the penniless customer on the phone to a Customer Services centre demanding their money back... "It's not my fault, I only gave my log-in identities and all the passwords needed to access my bank accounts to an Internet-based company that has assured me that it's 100% trustworthy, so someone else must have hacked into your systems and stolen my money - you will have to refund it!"
Errmmm... I'd love a ringside seat to watch this play out...0 -
I don't want to have to carry it with me everywhere. Multi factor authentication works very well from mobile phones and using simpler techniques (multiple passwords and random information/question response).
You need to get over to the various Tesco banking threads!
It appears with the new Tesco banking site that if you use a different PC from the one you normally use you have to go through some sort of two factor authentication and this can only be done via your Mobile Phone (Shock horror!)
As you can imagine there are some hyperventilating about this and saying this is quite unacceptable and they don't either have, use, carry around or whatever a mobile phone.........0 -
Re account aggregation services...
Interestingly, Lloyds general T&C's for personal banking clause 4.8
"4.8 We will not treat you as breaking your security obligations just because you use an aggregation service we do not provide.
A typical aggregation service allows you to view information about your accounts with different banks on a single website.
This surprised me actually....and anyway it's contradicted by clause 4.3e
(e) not let anyone else give instructions, or have access to information, on your accounts unless he or she has a separate
arrangement with us to do so, or you have authorised him or her to do so under condition 13.....
(clause 13 relates to powers of attorney)
It seems to me that Lloyds are saying that just because you use an account aggregation service you are not assumed automatically to have broken the T&C's BUT should something go wrong then clause 4.3e may apply in that you released your account details.0 -
GraceCourt wrote: »That doesn't make sense... no matter where these are stored, at the point in time when you make an enquiry to the third-party service about one or more of your accounts, their system has to (by definition) retrieve your log-on credentials from wherever they are stored and pass them on to your Bank's online service to obtain the data in respect of your query... at that particular point in time, the third party has your credentials and is - in every respect - you! They are using those credentials to transact with your Bank on your behalf. So do you trust them, and their security systems, 100%?
Not always true. For First Direct and Egg money manager (same software), the services are not involved in accessing your banking, your PC gets the transactions/balance data for you and then passes them on to the 3rd party application to add to their records. At no point are your credentials passed to anyone besides your PC and the bank in the initial session handshake.
Services like Yodlee and lovemoney however store your "credentials" in a non recoverable format (salted and hashed) - this obviously incurs more risk but if someone stole their database the data would be of no use to them. They don't fly around in a state someone can read as the connections are encrypted as well.
There is a risk involved in that they are acting as you granted, but that doesn't mean they are there for the taking by someone who hacks them. This is why the Sony etc hacks didn't get credit card details, the credit card database would have been worthless data.0 -
ChiefGrasscutter wrote: »Re account aggregation services...
Interestingly, Lloyds general T&C's for personal banking clause 4.8
"4.8 We will not treat you as breaking your security obligations just because you use an aggregation service we do not provide.
A typical aggregation service allows you to view information about your accounts with different banks on a single website.
This surprised me actually....and anyway it's contradicted by clause 4.3e
(e) not let anyone else give instructions, or have access to information, on your accounts unless he or she has a separate
arrangement with us to do so, or you have authorised him or her to do so under condition 13.....
(clause 13 relates to powers of attorney)
It seems to me that Lloyds are saying that just because you use an account aggregation service you are not assumed automatically to have broken the T&C's BUT should something go wrong then clause 4.3e may apply in that you released your account details.
If these made a direct connection to the bank without going through your browser/PC and they were concerned then the banks would just block them - period. There is no way any serious organisation would let this continue.0 -
A simple solution...
These devices could be used only for creating a new payee.
Lloyds TSB only use their multifactor (they call your phone number and ask you to dial a response code that is written on the PC screen - you could even use a house phone!) only when you create a new payee.
This means you can happily check your balance, move money between savings etc, and pay a bill. What you cannot do is transfer your money to someone new. You also have the option to delete a payee (HSBC customers jealous?) which means that you would have to add them as if they were new. You decide where a hacker would be able to send the money to.
I completely agree. Very little fraud can be done by read only access to your transactions and your balances. They don't send your paper statements to you encrypted do they?!0 -
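As an added illustration (not part of any post above, and not any bank's actual code), the payee-gated scheme discussed in this thread can be modelled as below: a password session covers balances and payments to existing payees, while adding a payee needs a code confirmed out of band. The `Account` class, the six-digit code and the 120-second lifetime are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # assumed lifetime of the on-screen code


class Account:
    """Hypothetical model: only adding a payee needs the second factor."""

    def __init__(self, balance_pence):
        self.balance = balance_pence
        self.payees = set()
        self._pending = {}  # payee -> (code, expiry time)

    def view_balance(self):
        return self.balance  # read-only: no second factor

    def pay(self, payee, amount):
        # Money can only leave to a payee the customer approved earlier.
        if payee not in self.payees:
            raise PermissionError("unknown payee: step-up required")
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid amount")
        self.balance -= amount
        return self.balance

    def request_new_payee(self, payee, now=None):
        # The code is shown on screen and keyed in during the phone call.
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[payee] = (code, now + CODE_TTL_SECONDS)
        return code

    def confirm_new_payee(self, payee, keyed_code, now=None):
        now = time.time() if now is None else now
        # pop() makes every code single use, even after a wrong guess.
        code, expiry = self._pending.pop(payee, (None, 0))
        if code is None or now > expiry:
            return False
        if not hmac.compare_digest(code, keyed_code):
            return False
        self.payees.add(payee)
        return True

    def delete_payee(self, payee):
        # A deleted payee must go through the step-up again to return.
        self.payees.discard(payee)
```
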
I got the key today, looks nice but another thing to keep hold of, if you go abroad and wish to do internet banking you will need this gadget with you... I hate it.... it's another darn thing to carry with you...... you will need it EVERY time you log on your net banking... :mad:0
-
I'm new to HSBC, opened an HSBC Advance, I had to query initially why it was taking so long to open the account (go live) anyway, that is sorted but the adviser said I can't have one of these secure keys at the moment! So was wondering if customers who have been with the bank a while are getting them first?0