
Secure key comes to First Direct


Comments

  • Hominu
    Hominu Posts: 1,671 Forumite
    wiogs wrote: »
    Unless of course you have a Windows smartphone in which case there is no app so tough!

    I can understand their point - after all, who uses Windows smart phones still? I thought they died a death a few years ago? You need to throw it into the local trash can and upgrade to an Apple or Google phone.
  • I don't see the problem, secure keys are dead easy to use. You can move banks, but they'll all introduce them.
  • agrinnall
    agrinnall Posts: 23,344 Forumite
    Well that answers a question I had. I have just opened a 1st account, and today I did my first transfer out. I wondered if a device of some sort would be needed and was pleasantly surprised to find it wasn't. However, although they are annoying, I think overall I'd rather have the extra layer of security than a greater risk of somebody emptying my account.
  • chris_m
    chris_m Posts: 8,250 Forumite
    IronWolf wrote: »
    Santander have the best system imo. If you try to pay someone new they send you a text with a passcode, otherwise you can log in and bank unhindered.

    And if you don't have a mobile phone?
  • dryhat
    dryhat Posts: 1,305 Forumite
    Bitcoin solves all of the above problems.

    Instant, secure transactions without having to give away any personal details or use any third party for processing.

    What a fantastic invention.
  • jamesd
    jamesd Posts: 26,103 Forumite
    If you do choose to have one of those, do be sure to only use it to log in when you want to do one of the things that requires it.

    Limit it to only the ones where you need it and you'll only be at risk during those relatively few sessions and will know that if you receive a request to use it when you don't expect to need it, you're being attacked and should not comply.

    If you don't know how easy it is to compromise this system, consider this sort of sequence:

    1. Send phishing email with link to fake web site. Or use a DNS hijack if your victim won't do that but is using say a compromised wifi connection.
    2. Log in with Secure Key. Site in the background uses this to do its own login, sets up a new payee and transfers away all of your money.
    3. First Direct says it was you because the SecureKey code was used to log in and so they are refusing to accept responsibility for the fraud. I assume.

    Any decent token-based system can prevent attacks of this sort. Not the FD one.

    Your best defences are not to use SecureKey or, if you do value convenience over security, to only ever use it when you want to carry out a transaction that needs it.

    The FD system is the least secure token-based system I know of in the UK retail banking industry.

    If you want a secure system, the one used by NatWest is the best I know of in UK retail banking. The response codes produced when you enter the first code are linked to the specific transaction type, so even if the code is compromised there is limited potential to misuse it. And it's only ever requested when needed, so you know immediately that if you get a request and aren't trying to do one of those things, you're being attacked.
  • atush
    atush Posts: 18,731 Forumite
    I don't see the problem, secure keys are dead easy to use. You can move banks, but they'll all introduce them.


    Yeah, but you need to know where it is 24/7 and it needs to be with your computer. So if you are away, and have left it at home on the desk, left it at work when you need it at home, it gets lost in your handbag - it is a right pain in the proverbial and you are sh*t out of luck.
  • rb10
    rb10 Posts: 6,334 Forumite
    jamesd wrote: »
    If you want a secure system, the one used by NatWest is the best I know of in UK retail banking. The response codes produced when you enter the first code are linked to the specific transaction type, so even if the code is compromised there is limited potential to misuse it. And it's only ever requested when needed, so you know immediately that if you get a request and aren't trying to do one of those things, you're being attacked.

    How is that better than Nationwide's?

    When Nationwide require you to use the card reader (which is admittedly rarely), you enter the amount and last four digits of the account number - so is very much linked to the transaction that you are doing.
  • jamesd
    jamesd Posts: 26,103 Forumite
    edited 4 September 2013 at 11:25PM
    Thanks. Looking at the pages describing the Nationwide system, the hardware seems to be the same one as that used by NatWest, the APACS subset of the CAP system. So similarly secure and I'd rank it as the equally most secure system I know of for retail banking that's actually in use in the UK, along with NatWest and presumably RBS, Barclays and others. Not without its vulnerabilities, but at least a lot better than FD's choice.

    Kudos to Nationwide for apparently doing a good selection job. That makes them also a good possible alternative to anyone who wants more real security than FD is offering.
  • Hominu
    Hominu Posts: 1,671 Forumite
    jamesd wrote: »
    If you don't know how easy it is to compromise this system, consider this sort of sequence:

    Which is why I much prefer a card reader. Sure the codes for logging in are as secure as bat poo, but the codes for securing a new payee require the destination account number and amount, so they can't be used for different details.
    atush wrote: »
    Yeah, but you need to know where it is 24/7 and it needs to be with your computer. So if you are away, and have left it at home on the desk, left it at work when you need it at home, it gets lost in your handbag - it is a right pain in the proverbial and you are sh*t out of luck.

    Hence the downloadable secure key for your phone which doesn't require internet access.

    Still prefer a card reader however. I have one at home, one in the car and one at work. All for different banks, and they all work interchangeably. The card is always in my wallet which I carry around with me.

    It's just another HSBC "We do security like all the other banks, but we do it cheaper and with less flexibility!".

    Smells a bit Microsofty - someone comes out with a standard, people start to use it, and then Microsoft come out with their own standard which they want people to follow.
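
Added example, not part of the thread: a simplified Python model of the point several posts make about card-reader codes that are tied to the payee account digits and the amount, compared with a code that only proves possession of the token at login. HMAC-SHA256 stands in for the real token cryptogram (this is not the CAP or Secure Key algorithm), and the key, counter and function names are constructed for illustration.

```python
import hashlib
import hmac

# Simplified model for illustration: HMAC-SHA256 stands in for the card/token
# cryptogram. This is NOT the real CAP or Secure Key algorithm.
TOKEN_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed sample key


def _to_digits(mac: bytes, digits: int = 8) -> str:
    """Truncate a MAC to a short decimal code a person can type."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login_code(key: bytes, counter: int) -> str:
    """Code bound to nothing but the token: proves possession only."""
    msg = b"LOGIN|%d" % counter
    return _to_digits(hmac.new(key, msg, hashlib.sha256).digest())


def payment_code(key: bytes, counter: int, payee_last4: str, pence: int) -> str:
    """Code bound to the payee digits and amount the customer keyed in."""
    msg = b"PAY|%d|%s|%d" % (counter, payee_last4.encode(), pence)
    return _to_digits(hmac.new(key, msg, hashlib.sha256).digest())


def bank_accepts(key: bytes, counter: int, code: str,
                 payee_last4: str, pence: int) -> bool:
    """Bank recomputes the code from the payment it was actually asked to make."""
    expected = payment_code(key, counter, payee_last4, pence)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    # Customer keys payee ...1234 and 50.00 (5000 pence) into the reader.
    code = payment_code(TOKEN_KEY, 7, "1234", 5000)
    return {
        # Same payee and amount reach the bank: accepted.
        "genuine": bank_accepts(TOKEN_KEY, 7, code, "1234", 5000),
        # Same code presented with a different payee or amount: rejected.
        "other_payee": bank_accepts(TOKEN_KEY, 7, code, "9876", 5000),
        "other_amount": bank_accepts(TOKEN_KEY, 7, code, "1234", 250000),
        # A login-only code is not valid as a payment authorisation.
        "login_as_payment": bank_accepts(
            TOKEN_KEY, 7, login_code(TOKEN_KEY, 7), "1234", 5000),
    }
```

Calling `demo()` returns the four verification outcomes; only the entry where the bank sees the same payee digits and amount the customer entered is accepted.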
This discussion has been closed.