Online bank security at login

Alan

I wonder if there is going to be a new wave of increased security when logging in to financial institutions. A few weeks ago HSBC UK told me that in January I will be issued with a new device to be used when logging in. Sounds similar to the RCA security key, except it comes with a keypad for me to enter my PIN and then type in the security code it displays, which will be different at every login.

Last week I got the following message from HSBC USA that they are changing their login process as follows:

At HSBC, we are always searching for ways to protect the security of your account.
Starting November 13, HSBC will be implementing a new technology to keep your Personal Internet Banking account as secure as possible.
Your existing user name, password, and security key will remain the same. Now, you will be prompted to enter different characters of your security key each time you log in. You will enter these characters using your computer keypad rather than the virtual keyboard you have been using. This will aid in deflecting "keystroke logging," the most frequent form of password theft.
HSBC is making this change as part of our ongoing efforts to identify the most secure technology available for our customers.


And today I get an e-mail from Treasury Direct that they also are changing their login process as follows:

Dear TreasuryDirect Account Holder:
We're committed to providing a secure environment for your investments and personal information.
In a few weeks, we'll be replacing the access card with personalized images, one time passcodes, and computer registration as new layers of security to your TreasuryDirect account. Continue to use your access card until you're notified within your TreasuryDirect account.
Thank you for using TreasuryDirect.

Anyone else seeing upcoming changes?
 
Did you read of the recent discussion by Symantec about a stolen security key and a new version of the Stuxnet worm? Maybe that is driving those changes.
 
Did you read of the recent discussion by Symantec about a stolen security key and a new version of the Stuxnet worm? Maybe that is driving those changes.

I had not heard that, but you may be correct. After googling the interweb:

Key points:
• Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
• The executables are designed to capture information such as keystrokes and system information.
• Current analysis shows no code related to industrial control systems, exploits, or self-replication.
• The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
• The exfiltrated data may be used to enable a future Stuxnet-like attack.

If they are concerned about sophisticated key-logging worms then this may be the reason. However:

HSBC UK already has a login that does not require you to type in all of your password (please enter the 3rd, 4th, next to last and last characters in your password).

Treasury Direct and HSBC USA use a virtual keyboard for you to click on the characters in your password, and TD also asks for random characters from the card you were issued with.
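
An added illustration of the partial-entry login described in the post above; it is not part of any post in this thread and is not HSBC's or TreasuryDirect's code. It shows the server-side check and how much of the secret an observer of several logins has seen; the sample secret, the number of positions asked for and all function names are assumptions.

```python
import hmac
import secrets

# Note: a partial-entry check needs the individual characters, so the server
# cannot keep the secret only as one salted hash of the whole string.

def new_challenge(secret_len, k=3, rng=secrets.SystemRandom()):
    """Pick k distinct 1-based positions for this login, in ascending order."""
    return sorted(rng.sample(range(1, secret_len + 1), k))

def verify(secret, positions, answer):
    """Compare the typed characters with the requested positions in constant time."""
    expected = "".join(secret[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), answer.encode())

def exposed_after(secret, observed):
    """What someone who saw (positions, answer) pairs now knows; '?' = not yet seen."""
    known = ["?"] * len(secret)
    for positions, answer in observed:
        for p, ch in zip(positions, answer):
            known[p - 1] = ch
    return "".join(known)

def expected_coverage(secret_len, k, logins):
    """Expected fraction of positions asked for at least once after `logins` logins."""
    return 1 - (1 - k / secret_len) ** logins

if __name__ == "__main__":
    secret = "correcthorse"              # constructed sample secret, 12 characters
    ask = [3, 4, 11, 12]                 # "3rd, 4th, next to last and last"
    print(verify(secret, ask, "rrse"))   # correct answer for those positions
    seen = [(ask, "rrse"), ([1, 5, 8], "ceh")]
    print(exposed_after(secret, seen))   # characters revealed by two observed logins
    for n in (1, 4, 8):
        print(n, round(expected_coverage(12, 3, n), 3))
```

Partial entry limits what a single captured login reveals, but the coverage figure climbs with every further login, which is why it is usually paired with a second factor such as the one-time code device mentioned at the start of the thread.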
 
I would like all the security possible. It scares me to death to think of some hacker getting into my bank or investment accounts.

Often when logging in to these accounts I use the software keyboard that comes with Windows, though I know that isn't a security be-all and end-all. Still, it's pretty easy to do. I also have a ton of security software on my computer and use it. I am open to future improvements in security.
 
The HSBC plan looks interesting and much more secure. More banks and financial institutions should follow this example and beef up their security.
 
The HSBC plan looks interesting and much more secure. More banks and financial institutions should follow this example and beef up their security.

I have accounts at 6 banks and brokerages and if they all go the HSBC route then I'll have to carry 6 electronic gadgets when I'm traveling. If the CC companies followed suit, then it starts getting a bit overwhelming.
 
I have accounts at 6 banks and brokerages and if they all go the HSBC route then I'll have to carry 6 electronic gadgets when I'm traveling. If the CC companies followed suit, then it starts getting a bit overwhelming.

Maybe you can string a dozen of them on a beaded metal chain, and persuade your wife to wear it as a fashion statement. :D (Just kidding!)
 
Maybe you can string a dozen of them on a beaded metal chain, and persuade your wife to wear it as a fashion statement. :D (Just kidding!)

:LOL:

With that, I'm off to cook dinner :D
 
I have accounts at 6 banks and brokerages and if they all go the HSBC route then I'll have to carry 6 electronic gadgets when I'm traveling. If the CC companies followed suit, then it starts getting a bit overwhelming.
Silly me. I was thinking one keypad for the bunch. If I were to put another half dozen devices on the desk I'd end up sleeping alone on the couch...
 
Silly me. I was thinking one keypad for the bunch. If I were to put another half dozen devices on the desk I'd end up sleeping alone on the couch...

On the desk? What about break-ins? You'd have to have a safe installed firmly into the foundation of your house, hide it under something, and put the devices in the safe.

Then, as long as you remember the combination to the safe...
 
On the desk? What about break-ins? You'd have to have a safe installed firmly into the foundation of your house, hide it under something, and put the devices in the safe.

Then, as long as you remember the combination to the safe...
As a separate device it is useless without some corresponding information. If lost or stolen easily excluded from network access. Actually, a card reader so one could swipe a magnetic card, along with some keyboard entry, would be a good alternative.
 
MichaelB said:
As a separate device it is useless without some corresponding information. If lost or stolen easily excluded from network access. Actually, a card reader so one could swipe a magnetic card, along with some keyboard entry, would be a good alternative.

That's the problem. I'm sure my device, if I have to have one, will be lying on my notepad, marked on the cover "account passwords", lying next to the computer.
 
As a separate device it is useless without some corresponding information. If lost or stolen easily excluded from network access. Actually, a card reader so one could swipe a magnetic card, along with some keyboard entry, would be a good alternative.

I had a colleague from England where, 2 years ago, his bank did provide a device where he had to insert his smart chip debit card and enter his PIN to get the device to generate a number to allow him to log on.

This new system at HSBC, they brag about not needing a card, just a PIN number. So, if someone has your PIN and device plus username .....

Here are the details, with a demo video as well, not sure if the link will work for non-customers.

https://www.hsbc.co.uk/1/2/security-centre?WT.mc_id=HBEU_links_SEM_2FA_I_SC2_0711

We're the first UK bank to introduce a two factor authentication device like this. Some devices are larger and require the user to insert their card, this device is one of the smallest and simplest to use.
 

Video works fine. The security may as well but it looks like the login process is getting longer. It is an improvement over simple keyboard internet access.
 
The day after we arrived in the UK we unexpectedly needed £1,600 in cash. I went to the branch of HSBC in the town I was staying but they didn't have tellers and the business person told me where the closest branch with a teller was, and to be sure I brought photo ID with me.

I went and told the teller what I wanted. He said to write out a check for cash for £1,600, which I did, and he handed over the money without ever asking for ID. Now, my account details have my home address, in the USA, they don't know I'm in the UK, and I am at a branch about 20 miles away from the branch where I have my account.

To me it looks like anyone who steals my checkbook can write checks for cash very easily with only a signature. (rant over)
 
Interesting thread as DD just called and told me her debit card has been compromised. She learned of it when she got an alert of a several hundred dollar transaction at a store in California - she immediately called her bank and they've already cancelled her card, but she's still very upset. What a pain!
 
Interesting thread as DD just called and told me her debit card has been compromised. She learned of it when she got an alert of a several hundred dollar transaction at a store in California - she immediately called her bank and they've already cancelled her card, but she's still very upset. What a pain!

I'm sorry to hear that, what a nuisance.

We used our UK debit cards a lot while in the UK this last 7 months. These days the stores, pubs and restaurants all have "smart chip" readers so to buy anything requires you to enter your PIN, and the card never leaves your possession as the card reader is brought to your table.

However, some purchases over the internet still only require card details, unless the site requires "verified by Visa" where you have had to have already set a password on your card through your bank.
 
The scheme that I am seeing which I approve of is to text a pin number to your cell phone when you log into a financial institution from a new computer.

Schwab had a pretty interesting scheme when I logged in from a Chinese internet cafe (yeah, I know, risky, but I was in the middle of escrow on my house). Before they gave me access they gave me a list of stocks and said you own one of these stocks, oh and by the way you have one chance to get it right. Luckily I am very familiar with my portfolio.
 
Concerned about Security

I love online account access and management. I'm amazed at how easy it is to move large sums of money around the banking system. In fact, it's so easy that my concerns about security have escalated as well.

So, how real is the threat? Assuming I'm not sharing account numbers and PINs/passwords, how hard would it be for someone to steal from those accounts?

And how serious is the keylogging threat?

I have security software (Norton Security Suite) and it's current but should I be doing more?

Thx
 
I love online account access and management. I'm amazed at how easy it is to move large sums of money around the banking system. In fact, it's so easy that my concerns about security have escalated as well.

So, how real is the threat? Assuming I'm not sharing account numbers and PINs/passwords, how hard would it be for someone to steal from those accounts?

And how serious is the keylogging threat?

I have security software (Norton Security Suite) and it's current but should I be doing more?

Thx

I also love online banking and recently registered with a money changing site (HiFx) completely on-line, sent images of my password and pdf copies of US bank statements to prove who I was, and then easily moved £35k (~$60k) from my bank in the UK to my bank in the US. Quite scary, really, how easily that was achieved.

I only log onto my accounts from our laptops, as I'm sure they have the latest anti-virus software, but I still worry about keystroke logging software which is why I like sites that use virtual keyboards and/or only ask for a random selection of characters from the password.
 
The scheme that I am seeing which I approve of is to text a pin number to your cell phone when you log into a financial institution from a new computer.
The last two secure sites that I've signed up for have asked me for 3-4 question-answer sequences they can use to verify my identity, and then offered to let me skip them so long as I'm using the same computer. They also have me choose a picture for them to display during login and give a name for the picture, which name I must supply when I log in.

I'm not enthusiastic about texting a pin to my cell phone, since I can't remember pins and I don't have a cell phone. And don't know how to text, except in theory.

I've been looking for Firefox extensions to automate the login process for these security-conscious sites, and am not finding what I want. I have four such extensions, now, and I still have to do at least one step manually, during login.
 
The last two secure sites that I've signed up for have asked me for 3-4 question-answer sequences they can use to verify my identity, and then offered to let me skip them so long as I'm using the same computer. They also have me choose a picture for them to display during login and give a name for the picture, which name I must supply when I log in.

I'm not enthusiastic about texting a pin to my cell phone, since I can't remember pins and I don't have a cell phone. And don't know how to text, except in theory.

I've been looking for Firefox extensions to automate the login process for these security-conscious sites, and am not finding what I want. I have four such extensions, now, and I still have to do at least one step manually, during login.


Just to be clear they only do this when I am logging on from a new computer. Obviously this is a problem for folks like you and Nords without cell phones so the questions work ok.
 
The last two secure sites that I've signed up for have asked me for 3-4 question-answer sequences they can use to verify my identity, and then offered to let me skip them so long as I'm using the same computer. They also have me choose a picture for them to display during login and give a name for the picture, which name I must supply when I log in.

I'm not enthusiastic about texting a pin to my cell phone, since I can't remember pins and I don't have a cell phone. And don't know how to text, except in theory.

I've been looking for Firefox extensions to automate the login process for these security-conscious sites, and am not finding what I want. I have four such extensions, now, and I still have to do at least one step manually, during login.

The online banking that I use for my great aunt's finances has a similar setup when you set up a new payee. They call your phone (landline in my case) and provide a 4 digit code that you then input to progress to the next step in the process. It actually works pretty good.
 