HSBC security key

jjlandlord

Plxply wrote: »

issue a different private key to each person, RSA and DSA are pretty bulletproof at this point and I would like to see someone crack a 2048 bit key let alone a 1024 bit one.

You would not need to crack the key, just to get it. After all it would be laying around in the phone.
Would they need to issue a fob to protect these keys?

I think the point of hardware fobs is that they are self-contained and not dependent on the platform's (phone, computer, etc.) security.

Plxply

jjlandlord wrote: »

You would not need to crack the key, just to get it. After all it would be laying around in the phone.
Would they need to issue a fob to protect these keys?

I think the point of hardware fobs is that they are self-contained and not dependent on the platform's (phone, computer, etc.) security.

That is a valid point, through having the hardware tokens themselves they are most likely based on smart card technology however it has been proven many times that smart cards operate on a security through obscurity method rather than any proven security and you can always get to the keys with enough time.

I always carry my secure key with my wallet and phone, even if I were to have both stolen the thief would have to know my internet banking password and ID. It would require an extremely sophisticated attack to get both the persons password and the keys from their phone.

Of course they could always just threaten you with a knife to provide access to your account, at which point all security becomes invalid

martin998877

I have several bank accounts.

Under the old system, HSBC was the only account I was happy to access in any dodgy old internet cafe. Yes my ID and DoB could be captured by a keylogger - but I had a ten digit security number only three numbers of which would be requested and entered on any login - totally secure with a keylogger or prying eyes.

The secure key is fairly secure, but my login ID could still be captured, as could my security question. All it then needs is prying eyes to see my 4 digit pin number go into the Secure Key, and to steal the secure key, and they have easy access.

The previous ten digit number was secure, in my head, and only 3 of its 10 numbers was revealed at any login. A real backward stupid step.

And the people who say "its more secure now and that's good" - it isn't - and something is not true just because someone tells you it is, try thinking about it instead... It's like speed limits, if the limit is 40 then that doesn't mean 39 is safe and 41 is bad and dangerous. It could be that 30 is too fast, or that 50 is safe along that road.

tcbuk

Been putting off using mine but was forced to use it today.

As somebody who only goes anywhere with a wallet and a set of keys, just how am I supposed to carry this thing around all the time ?

I use an RSA device for work purposes and it's less than half the size on my keyring, seriously hideous implementation IMO.

Interesting point about the previous system being more secure whereby you only ever enter 3 digits of your pass code.

Up the revolution.

jjlandlord

Plxply wrote: »

Of course they could always just threaten you with a knife to provide access to your account, at which point all security becomes invalid

HSBC should issue a Chuck Norris to each of its customer. He could even be in charge of carrying your secure key.
That'd be the safest system.

martin998877 wrote: »

All it then needs is prying eyes to see my 4 digit pin number go into the Secure Key, and to steal the secure key, and they have easy access.

The previous ten digit number was secure, in my head, and only 3 of its 10 numbers was revealed at any login. A real backward stupid step.

This is not a valid point. We're talking about online security.
You should protect the 4 digit pin from "prying eyes" the same way you should protect your card's pin every time you use it in a public space.

dawyldthing

is anyone having problems with their card today. I've tried switching it on 5 times and every time its saying 'failed 1' without putting in any details at all, i'm pretty fed up with not being able to access my bank account because of this stupid machine thing! grr

spenderdave

Received my key this morning. Rather hesitated whether to activate it, but decided to go ahead and it was reasonably painless.

I agree that it is a very cheap contraption, the keys are fiddly and the display far smaller than it needs to be. I don't need to access my banking away from home so it will remain here and hopefully will continue working...

I did get one funny while activating - when you enter the pin in the box of the first screen it took me to a page saying 'permanently moved here' with a very long meaningless address. I had to go back to the HSBC home page where it prompted me to carry on the process on the second page (obviously having accepted the pin). Using Opera (masked as Firefox). I think others have seen similar, obviously the website code is buggy.

The choice of questions for the various security things are a bit odd to say the least. They don't seem to have used their brain much choosing them...

Fingers crossed, working at the moment, but they could have done it an awful lot better.

atush

martin998877 wrote: »

I have several bank accounts.

Under the old system, HSBC was the only account I was happy to access in any dodgy old internet cafe. Yes my ID and DoB could be captured by a keylogger - but I had a ten digit security number only three numbers of which would be requested and entered on any login - totally secure with a keylogger or prying eyes.

The secure key is fairly secure, but my login ID could still be captured, as could my security question. All it then needs is prying eyes to see my 4 digit pin number go into the Secure Key, and to steal the secure key, and they have easy access.

The previous ten digit number was secure, in my head, and only 3 of its 10 numbers was revealed at any login. A real backward stupid step.

And the people who say "its more secure now and that's good" - it isn't - and something is not true just because someone tells you it is, try thinking about it instead... It's like speed limits, if the limit is 40 then that doesn't mean 39 is safe and 41 is bad and dangerous. It could be that 30 is too fast, or that 50 is safe along that road.

I feel like you do- it is less secure, AND I am more likley to be locked out of my acct if the card is lost or broken. I travel a lot so this is a major pain- what if I forget to bring it with me!!!!

I hate this new thing, it is a real pain.

atush

kingwahwah wrote: »

ME Too. Still get in to account normally. hear some dont.

I didn't receive mine, then they blocked my acess while I was on holiday in europe and I couldn't check my euro acct- it is illegal to go overdrawn in France. I have one now but refuse to activate it till the final day (they gave me another 30 days as I hadn't recieved mine)

mat8iou

The device may be small, but its not that small that I'll want to carry it around all the time. If all the banks follow suit, I'll end up with at least 10 of these devices for different personal accounts, personal credit cards, business accounts & business credit cards... It seems to go completely against the current trend to consolidate functions into a single device (I can use my phone to make calls, take photos, browse the net, listen to music, as a GPS etc - but I need to carry around another little box as part of a half baked security system dreamed up by the bank. Internet banking (& other similar devices for security) has been around for years - so why are they suddenly rushing to do this now?
There has to be a better alternative.