Are Banks’ Two-factor System Safe Enough? HSBC Thinks Not.
September 6, 2007 at 7:47 am by Ehab Bandar
In a move that could set a precedent, HSBC is challenging the safety and security of the standard two-factor system typically employed to access online banking sessions. Instead, it is introducing an out-of-band solution that uses the customer’s phone line together with a PIN generated by the online banking site. An out-of-band solution is one in which the confirmation travels over a channel separate from the one the transaction was started on. This helps defeat so-called man-in-the-middle attacks, in which an attacker who has compromised or hijacked the user’s computer can intercept or alter what passes through the browser.
“Two-factor is not bulletproof. The PC may be compromised and it makes no sense to us to feed information into a compromised channel,” said HSBC Personal Internet Banking Manager Nick Staib.
Rebecca Thomson of ComputerWeekly.com explains how the new system would work:
HSBC’s “out of band” system relies on the customer’s phone to keep their account secure. When making a payment, a pop-up appears asking which phone number they want to be contacted on and containing a PIN generated by the computer. HSBC will then ring them and ask them for this number.
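The flow described above, as an added example that is not HSBC’s code and is not from the original post: the bank side records the payment, shows a server-generated PIN in the browser session, and only executes the payment once that PIN is given back over the phone channel. The PIN length, the two-minute expiry, the attempt limit and the idea that the automated call reads the payee and amount back to the customer (so a payment altered by a compromised browser is noticeable before it is confirmed) are assumptions, not details from the page.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_DIGITS = 6               # assumption: the page does not state the PIN length
PIN_LIFETIME_SECONDS = 120   # assumption: the page gives no expiry window
MAX_ATTEMPTS = 3             # assumption: limit guessing over the phone channel


@dataclass
class PendingPayment:
    payee: str
    amount_pence: int
    phone: str
    pin: str
    created_at: float
    attempts: int = 0
    used: bool = False


class OutOfBandConfirmer:
    """Server side of a phone-call confirmation step for an online payment.

    The browser channel can only *start* a payment; it is executed solely
    when the PIN shown on screen comes back through the phone channel.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # challenge_id -> PendingPayment
        self.executed = []           # ledger of (payee, amount_pence) actually paid

    def start_payment(self, payee, amount_pence, phone):
        """Browser channel: record the request and return (challenge_id, pin).
        The PIN is what the pop-up shows the customer; nothing is paid yet."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = PendingPayment(
            payee, amount_pence, phone, pin, self._clock())
        return challenge_id, pin

    def phone_prompt(self, challenge_id):
        """Phone channel: the text the automated call would read out (constructed).
        Repeating payee and amount is an assumption beyond the page; it lets the
        customer notice a tampered payment before handing over the PIN."""
        p = self._pending[challenge_id]
        return (f"Calling {p.phone}: you are paying {p.payee} "
                f"{p.amount_pence / 100:.2f} pounds. "
                f"Please key in the PIN shown on your screen.")

    def confirm_from_phone(self, challenge_id, keyed_pin):
        """Phone channel: verify the PIN the customer keys in. Single use, time
        limited, attempt limited, constant-time comparison."""
        p = self._pending.get(challenge_id)
        if p is None or p.used or p.attempts >= MAX_ATTEMPTS:
            return False
        if self._clock() - p.created_at > PIN_LIFETIME_SECONDS:
            return False
        p.attempts += 1
        if not keyed_pin.isascii() or not hmac.compare_digest(p.pin, keyed_pin):
            return False
        p.used = True
        self.executed.append((p.payee, p.amount_pence))
        return True


if __name__ == "__main__":
    bank = OutOfBandConfirmer()
    # Constructed sample payment: browser session starts it and gets the PIN.
    cid, pin = bank.start_payment("Acme Ltd", 12550, "+44 20 0000 0000")
    print(f"pop-up shows PIN {pin}")
    print(bank.phone_prompt(cid))
    print("confirmed:", bank.confirm_from_phone(cid, pin))
    print("ledger:", bank.executed)
```

The ledger `executed` is the point of the design: a compromised browser can submit a payment request and see the PIN, but it cannot answer the customer’s phone, so the payment stays pending until the second channel completes.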
In fact, HSBC is also leading the way in informing its customers about improving their online safety. On their home page, they heavily promote “Get Safe Online”, a site sponsored by the British government and businesses that provides “free, objective advice.” Check out their blog for the latest news.
Whether this approach proves to be more reliable than standard two-factor authentication — like the one employed by Bank of America — remains a question for fraud experts. But one thing is clear: concern is rising now that so much of our financial information and life is online.
September 8th, 2007 at 12:03 PM
Smart move by HSBC - it’s great that things are moving forward in the world of authentication in such a positive fashion. But does it go far enough? Simply ringing a phone number cannot guarantee that the right person is going to pick up at the other end and receive/act upon the all-important code read out by the system (a ‘work’ phone could be answered by a colleague, a mobile could be in the hands of a thief, etc.). On the other hand, the unique GrIDsure system would close this serious loophole by creating a “processed” version of the original code which only the authorised user would know. (Using GrIDsure, clever application providers like Masabi could enable users’ mobiles [or other types of device] to do this off-line - even where extremely old-fashioned phones with no displays and zero features form part of the loop!)