Secure key comes to First Direct
Comments
molly_mandy wrote: »I trust if we select not to use a key, we can still just ring up & ask FD to do things we can no longer do e.g. set up new direct debits ??
We've already seen way too much of that silliness in relation to card PINs and various banks insisting that use of PIN proved it had to be the customer, in spite of their security people being well aware that it doesn't prove that, just that somehow the PIN or transaction was compromised (by cameras, compromised readers, friends or family members observing the PIN and a host of other means). At least the FOS no longer accepts that argument but it's still more strife than it needs to be.
It is good that FD is paying attention, though. Just unimpressed with their choice of not very good technology to do it when there are far better options available.
So just how secure is SecureKey? Not very, I would suggest, after having just noticed something on my own HSBC Securekey:
To obtain a unique code you must enter a four digit PIN on the small device then enter the resulting code online. Of course this means that you're constantly using the same four buttons on the keypad - or fewer than four if a particular digit is used more than once in the PIN. Now, if you look at the keypad while angling it to reflect the light, you can easily see which four buttons are used - each has a ring of impregnated sweat, as per a fingerprint, around it. It's quite unmistakable; anyone looking at my SecureKey can easily determine which four digits are in my PIN - and I think this means there are just 24 possible combinations.
I guess this thoroughly insecure aspect of the device has been reported elsewhere, but if not, you know now. And it seems like you can't easily clean off the marks.
Is it a problem? Not really. Generally we are not liable for fraud (unless negligent). It's all about the banks protecting themselves, and making life more difficult for the rest of us.
To obtain a unique code you must enter a four digit PIN on the small device then enter the resulting code online. Of course this means that you're constantly using the same four buttons on the keypad - or fewer than four if a particular digit is used more than once in the PIN. Now, if you look at the keypad while angling it to reflect the light, you can easily see which four buttons are used - each has a ring of impregnated sweat, as per a fingerprint, around it. It's quite unmistakable; anyone looking at my SecureKey can easily determine which four digits are in my PIN - and I think this means there are just 24 possible combinations.
Attacker would need physical access to the input device to use this vector. You should protect it.
Mitigation techniques include touching the other keys occasionally, in order to distribute your sweat, and cleaning the keypad occasionally to remove your sweat (and increase hygiene).
If three, rather than four, distinct digits are used in the PIN, this attack becomes more difficult, since it's unclear to an attacker which of the three digits has to be repeated: the number of permutations increases from 24 to 72.
Warmest regards,
FA
Thus the old Gentleman ended his Harangue. The People heard it, and approved the Doctrine, and immediately practised the Contrary, just as if it had been a common Sermon; for the Vendue opened ... THE WAY TO WEALTH, Benjamin Franklin, 1758 AD
FatherAbraham wrote: »If three, rather than four, distinct digits are used in the PIN, this attack becomes more difficult, since it's unclear to an attacker which of the three digits has to be repeated: the number of permutations increases from 24 to 72.
FA
You might be right on the 72, but I thought it was 36. And maybe the button pressed twice as much will have a bit more sweat around it (then only 12 permutations?). Let's face it though, who's going to clean it and press random buttons. If the thing didn't exist (preferable) there'd be no danger of compromise. They've gone too far with this silly device. It's a nuisance and gives the customer nothing.
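The permutation figures argued over in the two posts above (24, 72, 36 and 12) can be settled by counting. The following is an added example, not code from the thread or from any bank: it measures how far a keypad that shows which keys are worn shrinks the 4-digit PIN space that a device would otherwise protect, which is the quantity a defender needs when judging whether the "press other keys" and "clean the keypad" mitigations are worth the bother. It assumes a 4-digit PIN on a 10-key pad, that every worn key appears in the PIN at least once, and (for the "one key more worn" variant) that the more heavily worn key is the one that repeats; all three assumptions are the posters' own.

```python
from itertools import product
from math import comb

PIN_LENGTH = 4          # length of the device PIN assumed by the posts
KEYPAD_DIGITS = 10      # full keypad, so 10**4 PINs before any leak


def residual_pins(worn_keys, repeated_key=None):
    """Count PINs consistent with the observed wear.

    worn_keys:    the set of keys seen to be used (each must appear at least once).
    repeated_key: optionally, the key that appears more than once (the "more sweat"
                  observation in the thread); None if that is not known.
    """
    keys = sorted(set(worn_keys))
    count = 0
    for digits in product(keys, repeat=PIN_LENGTH):
        if set(digits) != set(keys):        # every worn key must be used
            continue
        if repeated_key is not None and digits.count(repeated_key) < 2:
            continue                         # the heavily worn key must repeat
        count += 1
    return count


def surjection_count(k, n=PIN_LENGTH):
    """Closed form for residual_pins without a repeated_key hint:
    strings of length n over k symbols that use every symbol at least once
    (inclusion-exclusion), used here as a cross-check of the enumeration."""
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def keyspace_reduction(worn_keys, repeated_key=None):
    """Fraction of the original PIN space that survives the wear leak."""
    return residual_pins(worn_keys, repeated_key) / KEYPAD_DIGITS ** PIN_LENGTH


if __name__ == "__main__":
    # Constructed sample wear patterns (not real PINs): 4, 3, 2 and 1 worn keys.
    for worn in ("1357", "135", "13", "1"):
        print(len(worn), "worn keys ->", residual_pins(worn), "candidate PINs",
              f"({keyspace_reduction(worn):.4%} of the keyspace)")
    print("3 worn keys, one visibly more worn ->", residual_pins("135", repeated_key="1"))
```

With four distinct worn keys the 24 in the thread is right; with three worn keys the correct figure is 36 (choose which of the three repeats, times the 12 arrangements of a multiset like aabc), and it drops to 12 if the repeated key is itself visible. Either way the leak turns a 10,000-PIN search into a few dozen attempts, which is why touching unused keys and wiping the pad are worth doing even though the device is the bank's, not the customer's, line of defence.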
Hence the downloadable secure key for your phone which doesn't require internet access.
I think that is incorrect - today I was in an area without mobile coverage and wanted to log in on a PC but the mobile app wouldn't work because I didn't have internet access.
This also means that I will be paying for roaming charges when travelling overseas if I want to do banking on a PC, even when I have a "free" internet connection for the PC.
FirstDirect should have followed the design of e.g. Google's Authenticator, which operates offline.
While I appreciate the security aspects, having to rely on a device that I need to have with me physically is quite annoying in comparison to the way some other banks have solved this issue. (And yes, I know there are banks with an even worse solution like the card reader one, but at least with those they are interchangeable so you can keep one at work, one at home etc.)
You can't use a colleague's, or even your own, Natwest reader with First Direct, HSBC, Clydesbank, Yorkshire Bank. Just as an example.
Lloyds doesn't use card readers.
NatWest and Nationwide readers are interchangeable.
First Direct state you don't need to be online to use the secure key:
"Do I need to be online to use the App on my device?
The Digital Secure Key is stand alone. It will work anywhere, without being connected to Wi-Fi or mobile networks. The Banking on the go App, however, needs a connection to link to your bank accounts."
First Direct state you don't need to be online to use the secure key:
"Do I need to be online to use the App on my device?
The Digital Secure Key is stand alone. It will work anywhere, without being connected to Wi-Fi or mobile networks. The Banking on the go App, however, needs a connection to link to your bank accounts."
I am a bit puzzled by how the app can know there is an update if it doesn't have a connection - I can only assume that there is some form of timer built in that after a set period wants a connection to check for updates. Perhaps it is a security feature. In any case, when I have not used my app for a week or so and then try to use it offline to generate a code, it won't work until I give it a connection.