Secure key comes to First Direct

roxy28

I think someone mentioned " man in the middle attacks" with the FD secure key, its all above my head but i am leaning on the side of no secure key for me....but still looking at these threads for more info.

IronWolf

roxy28 wrote: »

I think someone mentioned " man in the middle attacks" with the FD secure key, its all above my head but i am leaning on the side of no secure key for me....but still looking at these threads for more info.

I'm no expert on hacking, but I believe man in the middle attacks are a lot easier without a secure key.

Santander also provide a unique 'phrase' which they quote to you when you try to log in. If its not what you expect then you dont log on.

This makes it even harder to man in the middle as he has to also intercept what santander are sending, not just the user.

jamesd

IronWolf wrote: »

I'm no expert on hacking, but I believe man in the middle attacks are a lot easier without a secure key.

Then you believe wrongly. It does not make such attacks much harder because all the attacker has to do is relay the SecureKey code as well as the other login details. That's trivially easy for any skilled attacker using the common attacks to do, whether it's by a compromised browser, phishing or any of a wide range of other means.

What would be really nice is if enough customers learned how insecure this system is and caused FD to do something that is actually secure instead. Customer education and demand for actual security from banks would be a really nice thing if it came out of this.

There are much more secure systems already in widespread use by many British banks, the card-reader based systems that link the code to a specific transaction's details. Since that link is there it blocks using it for whatever account an attacker wants to send the money to.

planteria wrote: »

why are you so against using the secure key?

Because I like actual security that can do its job. This thing is easy for an attacker to circumvent using effectively the same methods that are already used in fraud: fake web sites, compromised browsers or compromised PCs that get the login details, but this time relaying the code from the key as well as the login ID and password.

That introduces two problems for customers:
1. Customers might believe that it actually makes their logins more secure against attackers and exercise less caution.
2. FD may claim that because the key was used it must have been the customer, even though it ensures no such thing.

It doesn't help that they appear to be telling customers to use it in the way that maximises the harm potential for customers, using it at every login. They could at least tell people to use the weak system in the most secure way available, only when needed.

alanq

First Direct recommends use of Trusteer Rapport.

"

Trusteer Rapport

Protects end user endpoints against Man-in-the-Browser malware and phishing attacks. By preventing attacks such as Man-in-the-Browser and Man-in-the-Middle, Trusteer Rapport secures credentials and personal information and stops online fraud and account takeover. And, it keeps endpoints malware-free by blocking malware installation and removing existing infections."

Security is provided not just by firewalls, antivirus software, passwords and Secure Keys it is by use of a combination of many tools.

IronWolf

jamesd wrote: »

Then you believe wrongly. It does not make such attacks much harder because all the attacker has to do is relay the SecureKey code as well as the other login details. That's trivially easy for any skilled attacker using the common attacks to do, whether it's by a compromised browser, phishing or any of a wide range of other means.

What would be really nice is if enough customers learned how insecure this system is and caused FD to do something that is actually secure instead. Customer education and demand for actual security from banks would be a really nice thing if it came out of this.

There are much more secure systems already in widespread use by many British banks, the card-reader based systems that link the code to a specific transaction's details. Since that link is there it blocks using it for whatever account an attacker wants to send the money to.

Because I like actual security that can do its job. This thing is easy for an attacker to circumvent using effectively the same methods that are already used in fraud: fake web sites, compromised browsers or compromised PCs that get the login details, but this time relaying the code from the key as well as the login ID and password.

But it requires a real time log in, whereas without a secure key it does not need to be completed in real time.

The HSBC Secure Key also requires a unique code for new transfers out, and it uses the last 4 digits of the account number you're transferring to aiui.

jamesd

IronWolf wrote: »

But it requires a real time log in, whereas without a secure key it does not need to be completed in real time.

That's hardly a great challenge given that the collection is also happening in real time.

IronWolf wrote: »

The HSBC Secure Key also requires a unique code for new transfers out, and it uses the last 4 digits of the account number you're transferring to aiui.

If the destination is linked to the code generated in a non-trivial way that's useful extra protection, if FD was to use that sort of approach, though what they are using does not seem to have any means for even entering a challenge into their device.

roxy28

IronWolf wrote: »

The HSBC Secure Key also requires a unique code for new transfers out, and it uses the last 4 digits of the account number you're transferring to aiui.

Have HSBC used this secure key for a while?. if so i wonder if there have been many complaints about security, money going amiss etc.

atush

I have ahd and used mone for several years and still hate it. It is fiddly, and I have been away to the US or europe I have to think- where did I put it? And find it.

Must call them (or call in) as the preformance of mine is suspect- the numbers don't come up 100%in in black now- there are small gaps. Think the battery is running out so need another.

Gromitt

IronWolf wrote: »

I have the same thing with my Google account but they let you choose between text and phone app.

One thing I like about Google is that my phone, tablet, etc, all use different passwords to login to my Google account, so if I lose any of them I can just revoke the password. Likewise, if someone steals my PC, they'd need my phone to login as they text a code to it.

Like others have said, HSBC and FD using SecureKeys are just examples of them being cheap. There are better methods but they are treated as "too expensive". If you are going to rely on a secure code then ensure the transaction details are encoded into it, not just salt+time+hash = code. Santander, Halifax, TSB are all good systems. Nationwide, Barclays, Co-Op, Natwest, etc are all "OK" systems.

IronWolf wrote: »

Santander also provide a unique 'phrase' which they quote to you when you try to log in. If its not what you expect then you dont log on.

So user enters the login details into a fake web site, that website then connects to Santander's website and enters them for you and retrieves unique phrase, then displays that phrase to you. You assume its the correct website and continue to login. The work to accomplish this would take about 10 minutes and thus provides no proof whatsoever that you are on the real site. Your web browser actually provides more security in the form of a certificate, but rarely do people check them before entering sensitive information.

jamesd

roxy28 wrote: »

i am leaning on the side of no secure key for me....but still looking at these threads for more info.

I probably won't go with it but it's not necessarily a bad thing. If you do go with it, just remember to never use it to log in unless you intend to do one of the things that requires it. That way you'll know that any request or insistence that you use it at other times means you're being attacked and should not comply.

Since no routine payments require it, you can do almost all of the day to day transactions without ever needing it, unless you find yourself regularly needing to set up new payees.

A complaint to FD about them not using the more secure card reader or phone based systems wouldn't be a bad idea whether you use it or not. At least that would tell them that some customers do care about banks making more secure choices.