HSBC EMBRACES OLD TECHNOLOGY IN ITS BATTLE AGAINST HACKERS


If you live in the UK, are somehow involved in the business world and are exposed to the media, you could not help but have noticed the extensive advertising campaign that HSBC has been running for its new (sic) ‘security device’ for online banking, the Secure Key. (I was tempted to refer to them as ‘a large UK bank’, but it is so obvious who it is that there is no point in pretending.)

A lot of money has been thrown at this campaign – I would guess millions. (http://www.youtube.com/watch?v=Jx0Z5CiQMIw) Full-page spreads in large-circulation newspapers cost big bucks, not to mention prime-time TV slots. So here you have the world's largest retail bank splashing millions on advertising, and even more on a ‘cool’ little device that looks like a mini-calculator but is basically a technology that has been around for about a decade. This will be rolled out to 4m retail customers worldwide at a reported cost of up to £50 per pop! (http://www.bankingtech.com/bankingtech/article.do?articleid=20000201121) You do the math!

This same technology has been used by HSBC itself and many other banks for most of the noughties. But all to no avail. Has online banking fraud stopped? No.

So why pursue a strategy that has already been proven not to work? As they say, a sign of madness is doing the same thing over again and expecting a different result.

Technically the product is flawed, and it is cumbersome. Watch this video to see just how cumbersome! (http://www.youtube.com/watch?v=iOOWiQS5pUQ&feature=related) Customers also don't want another ‘thing’ to carry around and potentially lose. But, most importantly, it is vulnerable to a Man-in-the-Middle or Man-in-the-Browser attack.

After identifying yourself with a user name and password, you are then asked to enter the One Time Password (OTP) from the device back into the browser. But the browser is the very vehicle you are trying to secure and establish trust over, so here you are entering your ‘million dollar’ PIN into an insecure browser, where anything you type can be read and relayed by whatever has compromised it. This is security by obscurity at its finest.

Also, as is to be expected, many customers don't like it: forums have been set up where rants (and some raves) are shared (http://forums.moneysavingexpert.com/showthread.php?t=3296224).

I have not even mentioned the carbon footprint of manufacturing these devices and then shipping them to 4m customers around the world. This number will grow by about 20% per year as people lose them and they need to be replaced. So who foots the bill? YOU and me: the bank's customers foot the bill. How? In increased bank charges. And when you do get hacked – and many will – the bank has to make good the loss, again at the cost of YOU, the customer. Even higher bank charges.

Surely there are solutions out there that can be delivered over the web as a SaaS offering, obviating (in this case) the multi-million pound investment in tokens and postage and packaging. Surely there are solutions that offer a higher level of security, that are much easier to use and that are cheaper. Of course there are.


Live Ensure (http://www.liveensure.com).


Maybe if you know someone at HSBC you should tell them about it.  

Comments

  1. Looks like I am not the only one who did not appreciate this new product - see this article

    http://www.computing.co.uk/ctg/news/2103811/hsbc-customers-slam-banks-online-security#comments

  2. OTP (One Time Password) tokens have been and are being rolled out massively everywhere in the world. Only the UK, US and Canada have never been into this.
    In The Netherlands there are almost as many tokens as people.
    It is not because the technology is old (and proven) that it is wrong or not suited.

    Bear in mind that an authentication token on your mobile phone is very vulnerable, SMS is way too expensive and PKI is not feasible on a large scale (TCO and scalability problems).

    Transaction signing using a hardware token is still the best way to fight Man-in-the-Middle attacks, as the amount and part of the beneficiary account are embedded into the One Time Password, combined with the time of the transaction.

    Of course enhancements for OTP are possible, like End-to-End Encryption (available with this authentication server: http://www.DS3global.com, which supports all tokens and all methods from all vendors).

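An added example, not part of the original post or its comments and not code from HSBC, Live Ensure or DS3, contrasting the two schemes discussed above: the plain OTP that the post describes being typed back into the browser, which the bank can verify but which says nothing about the payment it accompanies, and a transaction-signing OTP of the kind comment 2 describes, where the amount and beneficiary are mixed into the code. The token seed, the HMAC construction, the code lengths and the sample payment details are constructed assumptions for illustration, not any vendor's actual algorithm.

```python
import hashlib
import hmac
import struct

# Constructed token seed shared by the customer's device and the bank.
# A real token's seed is provisioned by the bank; this value is made up.
SEED = bytes.fromhex("3132333435363738393031323334353637383930")

STEP = 30  # seconds per OTP time step (assumed; the RFC 6238 default)


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: pick 4 bytes by the low nibble of the last byte."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def plain_otp(seed: bytes, now: int, digits: int = 6) -> str:
    """Time-based OTP (TOTP): depends only on the seed and the time step."""
    counter = struct.pack(">Q", now // STEP)
    return _truncate(hmac.new(seed, counter, hashlib.sha1).digest(), digits)


def signed_otp(seed: bytes, amount_pence: int, beneficiary: str, now: int,
               digits: int = 8) -> str:
    """Transaction-signing OTP (illustrative construction): the amount and
    beneficiary the customer keyed into the token are mixed into the MAC, so
    the code is only valid for that exact payment in that time step."""
    counter = struct.pack(">Q", now // STEP)
    details = f"{amount_pence}|{beneficiary}".encode()
    mac = hmac.new(seed, counter + details, hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_accepts_plain(seed: bytes, code: str, amount_pence: int,
                       beneficiary: str, now: int, window: int = 1) -> bool:
    """Bank-side check for the plain scheme. The amount and beneficiary are
    received but never enter the check: whatever payment details arrive
    alongside a valid code get executed."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(code, plain_otp(seed, now + k * STEP)):
            return True
    return False


def bank_accepts_signed(seed: bytes, code: str, amount_pence: int,
                        beneficiary: str, now: int, window: int = 1) -> bool:
    """Bank-side check for the signed scheme: recompute the code from the
    payment details as received; any change to them in transit breaks the MAC."""
    for k in range(-window, window + 1):
        expected = signed_otp(seed, amount_pence, beneficiary, now + k * STEP)
        if hmac.compare_digest(code, expected):
            return True
    return False


def scenario(now: int = 1_300_000_000) -> dict:
    """Constructed scenario: the customer intends one payment, but the request
    that reaches the bank carries a different beneficiary, which is what a
    Man-in-the-Browser alteration looks like from the bank's side."""
    intended = (10_000, "12345678")   # £100.00 to account 12345678 (constructed)
    received = (10_000, "87654321")   # same amount, beneficiary changed in transit

    code_plain = plain_otp(SEED, now)                # read off the device as-is
    code_signed = signed_otp(SEED, *intended, now)   # device computed it over the intended details

    return {
        "plain_accepts_tampered": bank_accepts_plain(SEED, code_plain, *received, now),
        "signed_accepts_genuine": bank_accepts_signed(SEED, code_signed, *intended, now),
        "signed_accepts_tampered": bank_accepts_signed(SEED, code_signed, *received, now),
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {accepted}")
```

Running it shows the plain scheme executing the altered payment while the signed scheme rejects it. The point for the argument in the post is that the weakness is not the token as such but a code that is typed into an untrusted browser without being bound to what it authorises; the signed variant also needs the customer to key the amount and beneficiary into the device and to check them against what they meant to pay, which is the extra step that makes it cumbersome.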
  3. Hi Eddy - thanks for your thoughts. We have a very different take on this whole issue. There are a few problems with the suite of solutions you propose - the most important being that the browser is used to traffic the key value pairs prior to the validity of trust of the browser being established. We step outside of the browser, which is only used to initially identify the user. We then traffic the disposable signature over a secondary channel over the Internet and establish trust. Once done so through triangulation and validation of the context (user, device, site, session), the user can proceed with trust. Check out our website http://www.liveensure.com for more info. We also now have an iPhone App called Live Ensure available in the App Store. Download it and then go to http://experience.liveensure.com and try it out. This competes head on with a token - but is a SaaS offering. Let me know what you think.
