HSBC Accused of 'Scandalous' Security Glitch


frostbite
10th Aug 2006, 18:31
As reported here
http://news.zdnet.co.uk/internet/security/0,39020375,39280707,00.htm

Except that "On the HSBC online banking scheme, after you type in your name and password, you have to provide some characters from a secret phrase."

bears absolutely no similarity to the login procedure I have been using for years!

VFE
10th Aug 2006, 18:42
That report is weird!!

Firstly you need your 12 digit alpha-numerical security code known only to you.

Then your DOB and three alphanumericals from another entirely different security code known only to you.

Crack those and you're in.

Chances of that? Any statisticians in the house? My calculator goes off the scale.... :rolleyes:

VFE.

Air Mail
10th Aug 2006, 20:25
I believe that the risk is if the computer you use to type in your details has a keystroke logger, then the full login details could be eventually recorded.

A lot of other financial web sites now use drop down menus to enter letters from a pass phrase.
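
The keystroke-logger point above can be put in numbers. This is an added example, not part of the thread: it models how fast a logger that sees only the requested characters learns a secret phrase. The 8-character phrase length, the 3 uniformly random positions per login, and all function names are assumptions.

```python
from fractions import Fraction
from math import comb

def known_distribution(n, m, sessions):
    """Exact distribution of how many of the n phrase positions a logger has
    seen after `sessions` logins, each asking for m distinct random positions."""
    total = comb(n, m)
    dist = [Fraction(0)] * (n + 1)
    dist[0] = Fraction(1)
    for _ in range(sessions):
        nxt = [Fraction(0)] * (n + 1)
        for seen, p in enumerate(dist):
            if p == 0:
                continue
            for new in range(m + 1):
                # Hypergeometric: `new` positions drawn from the unseen ones,
                # the remaining m - new from the ones already captured.
                ways = comb(n - seen, new) * comb(seen, m - new)
                nxt[min(seen + new, n)] += p * Fraction(ways, total)
        dist = nxt
    return dist

def p_full_recovery(n, m, sessions):
    """Probability that every position has been captured."""
    return known_distribution(n, m, sessions)[n]

def p_next_challenge_answerable(n, m, sessions):
    """Probability that a fresh challenge asks only for captured positions."""
    total = comb(n, m)
    dist = known_distribution(n, m, sessions)
    return sum(p * Fraction(comb(seen, m), total) for seen, p in enumerate(dist))

def sessions_until(n, m, threshold, metric):
    """Smallest number of logged sessions at which metric reaches threshold."""
    k = 0
    while metric(n, m, k) < threshold:
        k += 1
    return k

if __name__ == "__main__":
    N, M = 8, 3  # assumed phrase length and characters asked per login
    for k in (1, 3, 5, 10, 20):
        print(k, float(p_next_challenge_answerable(N, M, k)),
              float(p_full_recovery(N, M, k)))
    print("sessions for 50% answerable:",
          sessions_until(N, M, Fraction(1, 2), p_next_challenge_answerable))
```

Under this model, a phrase typed in part only delays a logger rather than defeating it; a single-use code like the one from the button device mentioned later in the thread is not reusable even if captured.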

BombayDuck
11th Aug 2006, 04:54
Er.... I have an HSBC card and they've now provided me with this little thingie with a button an' an LCD screen. So to log into my account I need my username, password AND a seven digit number that shows up when I press the button on that thingie. And each time you press the button you get a new number, which I assume can be used only once for accessing your account.

Even harder to crack, methinks...

Blacksheep
11th Aug 2006, 05:25
The process they gave me involved remembering a 12 digit number followed by an eight character password then random letters from a 'memorable word.' No-one can remember that lot, so many people write it all down and put it somewhere handy: or else they let "Windows" remember the first two bits for them and just write down the memorable word somewhere.

Do you have a key logger in your PC?
No?
You're sure about that?

I'm not and nor are any of the rest of you. You're on-line now or you wouldn't be reading this and a microsecond is a very long time to a Pentium chip.

Until the banks provide each and every one of us with VPN connections, I don't believe the internet will ever be secure enough to use it for personal banking purposes.

VFE
11th Aug 2006, 21:14
But what are the odds on someone logging into YOUR account? What are the stats on bank account hacking via th'internet?

Banks refund theft losses from hacking, surely?

If your bank refunds the loss then I don't see what the fuss is all about really and I'd much sooner use the internet to transfer funds than wait on the phone to speak to someone and have them nosey at my account - do you worry about the numerous oiks working in call centres who have access to your bank accounts, and other personal details such as house insurance - etc - it's all up there on "their little screen" you know: address, how many bedrooms your house has, when it was built, what locks you have, your occupation, DOB, bank account/credit card details for DDebits.... Christ, let's put it all into perspective please!

VFE.

Blacksheep
12th Aug 2006, 05:36
But how would you prove it was a hacker? In the internet banking agreement that you sign, the bank make you personally responsible for protecting your password. They might easily say that you hadn't taken proper precautions.

To transfer money, I write out a draft instruction, sign it, drop it in the slot at the local HSBC 24 hour self service kiosk and pick up the acknowledgement slip that pops out of the machine. Then the bank transfers the money within one working day using their own VPN and taking all the risk themselves - almost as easy as using the internet and completely secure. It's your money after all, risking it on the internet smacks of foolishness in my book.

I don't keep any banking information whatsoever in my PC. I also put all my credit card invoices and other personally identifiable financial papers through the shredder before throwing them out. You simply can't be too careful.