HSBC - Nasty thing they just sent me. (secure key)

Comments

  • jjlandlord
    jjlandlord Posts: 5,099 Forumite
    HSBC doesn't care what we think about it.

    Surely, they do prefer that you complain about their secure key than about having your account hacked...
    And I'm sure that their customers actually do too.
  • Gromitt
    Gromitt Posts: 5,063 Forumite
    In all 3 of my local HSBC branches, they have big posters in the windows advertising these devices also, so it's difficult not to know about them.

    The only problem I see is that they are standalone, so what happens when someone figures out the algorithm and can then imitate any banking user? (Providing they know your login details of course) It's not like the Barclays pin-sentry where they also require your debit card, so if anyone stole your device or reverse engineered it, they'd still need your debit card.
  • oldwiring
    oldwiring Posts: 2,452 Forumite
    Has it been mentioned that for thick fingers and other disablements there is a large size version?
  • izools
    izools Posts: 7,513 Forumite
    oldwiring wrote: »
    Has it been mentioned that for thick fingers and other disablements there is a large size version?

    Are you serious?

    I mean, great that the disabled are being taken care of, but, really?
    Cashback Earned ¦ Nectar Points £68 ¦ Nationwide Select £62 ¦ Aqua Reward £100 ¦ Amex Platinum £48
  • Gromitt
    Gromitt Posts: 5,063 Forumite
    You can even get a version that reads everything out for you :)
  • Bloomberg
    Gromitt wrote: »
    In all 3 of my local HSBC branches, they have big posters in the windows advertising these devices also, so it's difficult not to know about them.

    The only problem I see is that they are standalone, so what happens when someone figures out the algorithm and can then imitate any banking user? (Providing they know your login details of course) It's not like the Barclays pin-sentry where they also require your debit card, so if anyone stole your device or reverse engineered it, they'd still need your debit card.

    Apparently the secure key has a clock in it which is synced with the HSBC mainframe. Every minute or so the code changes which is what makes the system practically foolproof. That is what I have been told, admittedly my understanding of the system is very limited.

    To date there has not been a single case of anyone circumventing the secure key. If someone was to get hold of your device they would need to know your username and answer to secret question and then guess the secure key PIN.
    Money is a wise man's religion
  • Superheavy
    I think the main way in which someone might be able to get around the system would be if they kept everything written down, which would have been the same with the old system.

    Abuse of trust from vulnerable people trusting others could also be a problem.

    If everything is done correctly though, then it should pretty much eliminate online fraud.
    DFW - DEBT FREEEEEE!

    Total - 10762/10762 :)

    Every silver lining has its cloud.
  • redmamoth
    I seem to have slipped through the net with this whole secure key thing... I can still log on without it from anywhere :j

    Even if/when they do sign me up, I'll just pin it to my monitor, along with all my post-it notes with all my passwords on, most of which are all 'password' anyway. Thanks HSBC for the education on identity security.
  • jjlandlord
    jjlandlord Posts: 5,099 Forumite
    Gromitt wrote: »
    The only problem I see is that they are standalone, so what happens when someone figures out the algorithm and can then imitate any banking user?

    These devices generate a pseudo-random token every minute based on a 'seed', which is basically a secret random sequence.
    That's where the security lies:
    1. Knowing the algorithm does not really help you, what you need is to know the secret 'seed'.
    2. The algorithms are such that it is extremely difficult (i.e. not practically possible) to discover the secret 'seed' based on the sequence of generated tokens.

    Actually, I think that the algorithm is indeed known.
  • Gromitt
    Gromitt Posts: 5,063 Forumite
    Isn't that what they said about the RSA SecurID, which generated one-time passcodes at the touch of a button for logging into secure systems? They said that was uncrackable and unbreakable (and to be honest, still is), but that didn't stop a group of people infecting the network used to control the system by using the weakest link - people.
    The breach into RSA's network was carried out by hackers who sent phishing emails to two targeted, small groups of employees of RSA. Attached to the email was an Excel file containing malware. When an RSA employee opened the Excel file, the malware exploited a backdoor in Adobe Flash. The exploit allowed the hackers to use Poison Ivy Remote Administration Tool to gain control of machines and access servers in RSA's network.

    There are some hints that the breach involved the theft of RSA's database mapping token serial numbers to the secret token "seeds" that were injected to make each one unique. Reports of RSA executives telling customers to "ensure that they protect the serial numbers on their tokens" lend credibility to this hypothesis.

    In a 21 March 2011 email to customers, RSA essentially admitted that the information stolen from their internal network would allow an attacker to compromise a SecurID-protected system without having physical possession of the token.

    What I'm saying is that the dongle itself may (or may not, I've not examined it and don't have the knowledge to) be secure, but there is most likely a database somewhere inside HSBC that contains these 'seeds', and if found, that person could possibly emulate any banking user and commit havoc.
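
The seed-plus-clock scheme jjlandlord describes, and the server-side seed store Gromitt raises, shown as an added example that is not part of the original thread. It uses the public RFC 6238 TOTP algorithm as a stand-in, since the thread does not say which algorithm the HSBC device uses; the 60-second step, the serial number and the seed are constructed values.

```python
import hashlib
import hmac
import struct

def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code depends only on the seed and the clock."""
    counter = unix_time // step                 # both sides derive this from their own clock
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(seed_db: dict, serial: str, code: str, unix_time: int,
           step: int = 60, drift: int = 1) -> bool:
    """Server side: look up the token's seed and accept codes within +/- drift steps.

    The server needs the same seed as the device, so seed_db is as sensitive
    as the devices themselves: whoever can read it can compute the same codes.
    """
    seed = seed_db.get(serial)
    if seed is None:
        return False
    ok = False
    for d in range(-drift, drift + 1):          # tolerate a slightly fast or slow device clock
        t = unix_time + d * step
        if t < 0:
            continue
        expected = totp(seed, t, step)
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok

if __name__ == "__main__":
    seed = b"12345678901234567890"              # constructed seed (the RFC test key)
    db = {"SN-0001": seed}                      # constructed serial-to-seed mapping
    now = 60                                    # constructed clock value
    shown = totp(seed, now)
    print("device shows:       ", shown)
    print("server accepts:     ", verify(db, "SN-0001", shown, now))
    # Same public algorithm, different seed: the output is unrelated.
    print("code from wrong seed:", totp(b"not-the-real-seed", now))
    print("three minutes later:", verify(db, "SN-0001", shown, now + 180))
```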
This discussion has been closed.