Online banking – do we want safety over convenience?

I forgot to say that I would be would be happy to exchange some of the convenience for a higher level of security.

We tested the Rapport software as part of the work for Which and it does seem to add a reasonable additional level of security, as well as reminding you about password resource. You may still choose not to use it but we do think it adds value.

Of course, this only applies to your computer – if you access online banking from work or from public computers, they are unlikely to have Rapport installed or, if they do, will not be configured with your details.

“Password re-use”, apologies.

@matthew
I have to admit I have my reservations about Rapport and haven’t installed it, despite being prompted by several banks. I have never liked the idea of being prompted to install software from websites and years of internet usage have told me that generally this is a really bad idea.

Because of this I only have limited knowledge of how Rapport works – my understanding was that it tried to ensure you were entering your details into your banks web page and not a phising page. I fail to see why this is better than a webpage bookmark and the https security highlights you now get in the url bar on current browsers.
You suggest that you have to provide it with your details? Is this right? How can entering your details into a 3rd party piece of software improve you internet banking security? Surely this is a huge security risk?

I’m pleased to hear this. I opened a savings account with Tesco a year or so back, and promptly closed it again when I found I wouldn’t be able to access it without a keypad. Perhaps I wasn’t the only one ?!

Smile now only require the card reader when setting up new payments. If you want to make a payment to someone regularly it’s not needed. This seems a good balance to me.

Nationwide have a nice similar middle ground where the extra security of a card reader is only necessary when you do something new.

Update, my HSBC reader arrive just after I posted.
Have to enter serial number of reader when activating – so probably card readers are all different !!
No longer have to enter chars #,#,# from password to login and I’ve just gone an created and remembered a new complicated one!!

In fact you can even mix and match the card readers from different banks. My old Tesco reader worked fine with my Smile account. It’s the card that seems to matter…

and spot my bad use of English!

(blush)

Interesting suggestion. I wonder what the security experts would think.

The domains should be preceded by https: , not just http: , otherwise some malware may alter your ‘hosts’ file (which locally maps domain names to IP addresses) and thus send your browser to a phishing site even though it does clearly say ‘xxx.fsa.gov.uk’. But otherwise it seems possibly a good idea to me (but I’m not a security expert.)

Your advice to ‘always use a bookmarked log-in page’ is at odds with advice I’ve heard from a Barclays security adviser. They said you should never use a bookmarked login site because malware (e.g. a virus) can alter your bookmarks to make them go to a phishing site.

But then if I can’t use a bookmark to go to my online banking website, what do I do? Type it in every time? You must be kidding!

(P.S. I hate secure card readers, why can’t they come up with a standard card reader that works for all banks, and possibly also public libraries, video rental shops, etc, so you only need to carry one for everything, and preferably incorporate it into a smartphone so you don’t even need to carry a separate device!)

Maybe purely a matter of definitions but HSBC’s device isnt a card reader its a “Secure Key” , you put your chosen PIN in and it generates a 6 digit code which is used in the login protocol.
You dont need your credit/debit card to use it.
When you “activate” using the Secure Key you have to provide the serial number of the device so I assume its a “pseudo-random” number generator of some sort and cannot be used on different accounts.
The one I have for Nationwide however is a card reader.

Yes Rarrar, you are correct. However, the HSBC secure key is still a physical device that I must use to login, so removing the ability to logon from any location. As a side thought, most HSBC branches have a PC that you can use to logon to their internet banking website – I guess these systems will be subject to the same security controls. So I wonder how many customers they will have who complain when they turn up in branch who are unable to logon to internet banking in the bank.
Yes, Nationwide have a card reader. But, you don’t need it to logon to internet banking. You can still use your username and password / security details combination, therefore you are able to logon from any location.

I am surprised to see that you think that HSBC would waste its time by scamming customers with it’s suggestion that you install Rapport – the financial and computer press writers (including Which) would have had a field day if this was the case. Agreed, no piece of software can guarantee you 100% security (which HSBC & Rapport accept), but any help is welcome.

As far as the Secure Key is concerned, if you are away from home you could carry a couple of pre-generated numbers, suitably disguised. I agree that this is slightly less secure, but if you don’t also record the answer to your login security question with it you should be reasonably safe.

@Russel – wrt the Secure Key, does pre-generating numbers actually work? I thought that the generated numbers depended on the time and date, as well as the PIN and the device serial number. So that once you’d generated a number, you only had a few minutes to enter it before it became invalid. As I haven’t got such a device, can anyone test this pre-generating idea?

Mick – can I ask how your account details were obtained by Fraudsters (this would be useful to know for the rest of us) and if a card reader or similar device would have actually made your internet banking more secure? i.e. was it a keylogger, a phishing email, a cloned website etc???

If you weren’t 100% happy it was HSBC (or any organisation) calling you, the best idea is to take a name and department then call back on the published number to be reconnected.
The Secure Key will make it difficult to intercept your login deatils online, as the number will only be of use for one login. Anyone using a keylogger will not be able to build up your code from the ‘type characters 1 & 5’ system.
I agree that the new key can be difficult to carry – if you know that you will be away from home, you could generate one or two numbers and then record them suitably disguised? Less secure, but convenient.
You should not keep a written copy of your code to access the Secure Key (or at least not with the key), so anyone finding your key would have a useless piece of electronics.
I think that the issue of a Key to personal customers was a very good step forward – I have been using them for many years with other HSBC accounts both here and overseas and have never had a problem.

And they have made the new field you now complete secure, so you can’t see what you have typed. Given that this code will only be used once surely this is unnecessary. Making it visible would help with detecting typos

When I have had phone calls from HSBC they have always provided me with partial answers to security questions and I would provide the rest of the answer.
This for me proved they were who they said they were !

@Russell – Sybilmari has a point about the security of the secure key. However, I take your point about key loggers, but drop down menus for numbers achieves the same goal and doesn’t mean I have to carry another card with me. Each secure key has a serial number on the back and it is linked to your account. That means, lose the secure key – lose access to your internet banking. Really not a good system, especially if you have carry it with you to multiple locations. The card readers are a better idea, as you can always use another one as the pin number is your debit / credit cards pin number and this is used to generate a random number. This at least proves you have your card and your pin. Still I would prefer something not linked to my debit/credit card and pin number – what was wrong with security questions?

@rarrar – when HSBC phone me, yes they do have bits of information about me. Its never a security question though. Its my postcode, phone number, or date of birth – information like that. Information that is not that hard to obtain, and information that someone who was trying to steal your bank details would have available. I’m not trying to be paranoid here – it just smacks of double standards. On one hand HSBC have introduced a secure key to make internet banking more secure and then on the other hand cold call their customers with no use of decent security information to let you know that its actually HSBC.
It would be more useful if they published a phone number which they would contact you on. This would then appear on your mobile (you could even save it as a contact) and then you could be reasonably confident that it was the bank contacting you. Egg bank do something similar – the number they phone you on is the same number that they use to phone you.

John
Okay I’ll accept your arguments that the questions asked by HSBC dont provide security – maybe even worse they give a false sense of security.
A challenge phrase would be useful as would a phone number to ring them back on. I must admit that the CLI number shown on my phone is always the same for HSBC .

I assumed that HSBC’s security key was credit card size so it can be carried around with you. As someone who is away from home quiet a bit, this was important for me. Not so apparently. The pressure of your purse/wallet on that little green button will bleed the battery within a matter of weeks ! It should be called home banking rather than internet banking. Does anyone know a bank that has a better way of doing this ?

Yes, I have the same thing from HSBC. It works fine, so long as you accept the limitations of effectively doing all your financial business from one computer.

But I don’t understand how HSBC’s system knows the number that has been generated. Perhaps not so random?

They are not “real” random numbers just pseudo-random numbers. 2 devices can be synchronised so that they produce the same series of pseudo-random numbers as long as both know the seed number ( PIN) that is being used.

No computer system is invulnerable to viruses, whether they be Mac/Linux or anything else. Anything produced by one man can be broken by another (and given that Linux is open source I would say that the ability is even greater than for, say, Windows which in theory at least has some form of protection).
The only reason that Windows is the main interest for hackers and crackers is that it is generally the first option for PC buyers, particularly the less technically minded 90%. If you have a Linux system you probably have some technical knowledge so may be less likely to fall for attempts to load malware.
Windows’ market share brings with it the greater risk of being attacked. This does not mean that it is impossible that other systems will be infected.
The only way to categorically ensure that your computer cannot be infected after purchase is to never ever connect it to another device or load software/data from some form of external media. And even then, you can’t be totally sure that something extra hasn’t been loaded at the manufacturing stage or (getting paranoid) in the shop which sold it to you.

Yes, perhaps I am extra cautious (and I have used Apple & Mac systems) but I’d rather pay a modest amount and accept a small performance cut to reduce the risk that my system will be compromised at some point in the future which would cost me a lot more in just time alone.

trott3r wrote “To me this keypad system should be optional rather than being forced on more experienced users like me who are very unlikely to infected.”

Fair enough – as long as you also waive any right to compensation from the Bank in the case of any fraud which could otherwise have been prevented.

We are all fallible and make mistakes – a bit of technological inconvenience is to be welcomed if it saves us from ourselves!!

As use of the keypad is part of HSBC’s Terms & Conditions, you are doing the right thing in moving your business to another bank whose requirements meet your needs.

I agree absolutely, Russell. Fraud costs money and ultimately other customers will pay the costs of investigation and any reimbursement of funds.

That’s a very good point, Ilew. I frequently have trouble finding the log-out command – presumably because they do not want you to leave the site but that’s hardly a serious concern nowadays. Amazon’s log-out is particularly obscure. It’s at the bottom of a long list of options on a dropdown menu under “Hello John . . . Your account” where it says “Not John? Sign Out”. I just want to click and close, not play hunt the symbol. Some sites, like Nationwide, ask you if you really mean it. Why? . . . If I had made a mistake I would just sign in again.

If you aren’t active on your Nationwide site for a short while it automatically logs you out. Personally, with fat fingers I can hit the wrong buttons (that bl**dy Caps Lock too often) so I don’t mind being asked if I want to log out. M&S banking also do that. It is little effort to click “yes”.

I agree about Amazon – not obvious where to find it and you don’t want others taking advantage – particularly near Christmas to see what you’ve ordered.

Yes Malcolm, I am in favour of the automatic closedown after a few minutes of inactivity. I have no serious objection to being asked whether I am sure I want to leave; as you say it is effortless and I know the question is coming so my mouse is poised to pounce upon it.