HSBC Direct Prevents Keyloggers From Stealing Your Account

First we just liked our HSBC Direct account for its 5.05% APY. Then we found its security system pretty neat.

HSBC Direct makes you create two passwords. One you type in. The other you click in. This helps prevent against the possibility of someone using a keylogger to steal your bank account information.

Fantastic! — BEN POPKEN

Comments


  1. acambras says:

    Yep, ING Direct has it, too. Very cool.

  2. madderhatter says:

    I wish more sites would use certificates for authentication. Ones issued by reputable sources of course, like the one VeriSign issued me for certificate administration duties on their website. Maybe one day in the near future sites will accept biometric logins.

  3. 44 in a Row says:

    I like this system from a security perspective, but it’s a serious pain in the ass.

  4. RandomHookup says:

    I’m with 44IAR…I have an HSBC account and it’s a hassle (plus it makes you go through lots of steps just to find out you did it wrong).

  5. nweaver says:

    Doesn’t do any good. Keylogging/rootkit software is already adapted to capture those passwords.

  6. Hawkins says:

    Mr. Weaver: Maybe it’s a little harsh to say that it doesn’t do any good.

    While there are certainly attacks that this method doesn’t protect you from, there are lots of common attacks (like standard keyloggers, and hardware keyloggers) that this method effectively defends against.

    Those of us that don’t use this bank can add this level of security to our own banking: all modern operating systems offer an on-screen keyboard, as an assistive device for the handicapped. Just use that for your password. Or even just PART of your password.

  7. brilliantmistake says:

    My B of A credit account uses a “sitekey” where I have to verify that the picture they show me is correct as I log in. I use PayMyBills.com to manage all my bills, and B of A’s system isn’t compatible with their system (the only one with that problem). Now I have to go to B of A’s website directly to pay the accounts, which is annoying and inconvenient.

  8. MattyMatt says:

    ING has yet ANOTHER layer of protection: you choose a secret picture when you sign up (like a picture of a cat, or of Doritos, or a hammock) and then they show it to you after you’ve logged in. If you don’t see the picture that you picked, you know you’ve just given away your login info to someone nefarious.

    Do they have keyloggers and spyware for Macs? I feel all smug and secure with mine, but I worry that I’m wrong about Macs being completely safe.

  9. buthidae says:

    My HSBC account has a little keyfob with a button on it. Its internal timer will cause it to generate a unique code which will match HSBC’s database, because they know which unit I have and what timer is in it. It’s a little bit annoying to have to dig it out each time, but it’s fairly darn secure!

    Keylog that, bitches! :-)

  10. Crim Law Geek says:

    buthidae: How do I get me one of those keyfobs (I assume an RSA SecureCard challenge-response dohickey)? I would rather enter a random code than have to dick around typing an 8+1 number (minimum) password on a screen keyboard.

  11. cjc says:

    In the case of the on-screen keyboard, if a keylogger is already living on your computer, you’re screwed. It shouldn’t be surprising to find other malware that will capture mouseclicks, etc. Attacks are more costly — the attacker has to get more software on your computer — but I don’t think it would be that much more costly, given how one piece of malware tends to invite friends along.

    Bruce Schneier has an old discussion on why even two-factor authentication, i.e., those keyfobs with ever-changing numbers on them, while they may help to some extent, aren’t a magic bullet:

    http://www.schneier.com/blog/archives/2005/03/the_failure_

    Basically, the attack model two-factor is meant to address is the passive listener. Modern attacks are geared more towards active, man-in-the-middle attacks that will use that RSA SecurID code during the minute it’s valid.

  12. jayrwasdf says:

    I have both HSBC and ING. I think ING does a better job.

    1. I need to remember two passwords for HSBC. Too much security causes less security, since this leads to “yellow stickies” with the password written on them.

    2. ING does something much better for its keyboard. It’s only a 0-9 keypad for a numeric PIN, but it also has letters associated with the numbers. You can click, but you can also type in the letters. The great thing about this is the letters are randomly assigned per session. So A might be a 0 for one session and a 1 for the next. So the key loggers would not get anything useful.
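The per-session keypad described in this comment, modelled as an added example (not ING’s code; the mapping size, letter set and PIN values are assumptions): the server assigns ten random letters to the digits 0-9 for each session, the user types letters, the server maps them back before checking, and letters captured in one session decode to a different PIN in the next.

```python
import secrets
import string


def new_session_mapping(rng=None):
    """Return {letter: digit} for one session: ten distinct letters drawn at random.
    rng is an optional random.Random-like object (used for reproducible tests);
    by default a CSPRNG is used."""
    rng = rng or secrets.SystemRandom()
    letters = rng.sample(string.ascii_uppercase, 10)
    return {letter: str(digit) for digit, letter in enumerate(letters)}


def letters_for_pin(mapping, pin):
    """Client side: the letters a user would type this session for a numeric PIN."""
    digit_to_letter = {digit: letter for letter, digit in mapping.items()}
    return "".join(digit_to_letter[d] for d in pin)


def decode_typed(mapping, typed):
    """Server side: translate typed letters back to digits using this session's
    mapping. Returns None if any letter is not on this session's keypad."""
    try:
        return "".join(mapping[ch.upper()] for ch in typed)
    except KeyError:
        return None


def verify(mapping, typed, stored_pin):
    """Accept the login only if the decoded digits equal the stored PIN."""
    return decode_typed(mapping, typed) == stored_pin


def replay_is_useless(captured_letters, stored_pin, next_mapping):
    """Defender's check: letters a keylogger captured in one session should not
    authenticate under the following session's mapping."""
    return not verify(next_mapping, captured_letters, stored_pin)


if __name__ == "__main__":
    # Constructed demo: two sessions with different random mappings.
    session1, session2 = new_session_mapping(), new_session_mapping()
    typed = letters_for_pin(session1, "4071")
    print("session 1 typed:", typed, "->", verify(session1, typed, "4071"))
    print("same letters in session 2 ->", verify(session2, typed, "4071"))
```

Each session's mapping must be generated server-side from a CSPRNG and bound to that session only; reusing or predicting it would give a keylogger the same value as the raw PIN.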

  13. These keyboards prevent you from using very strong passwords that are impossible to remember — which you store in your password logger. They’re also browser-dependent, off-limits to blind and disabled people, and much, much easier to shoulder-surf than real keyboards.

  14. notlazyjustdontcare says:

    HSBC usernames are 20-digit numbers. That’s too hard for most people to remember. Add two different strongish passwords and that’s a lot of encouragement to just write down your credentials. If ING had the same interest rate, I’d switch back in a second.

  15. rekoil says:

    I have a key fob as well (it’s an RSA SecurID) for my E-Trade account. It shows a 6-digit code that changes every 60 seconds, which is clock synchronized to their auth system. My password is a combination of a traditional password plus the code from the SecurID. This is known in the business as two-factor authentication – something you “know” along with something you “have”.

    One thing I’d like to see would be some sort of centralized auth system that allows me to use a single SecurID with accounts from multiple financial service providers. If more of my banks/credit card companies/brokerages/etc start using these, I’m not looking forward to keeping 3-4 of these things on my keychain.
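The clock-synchronised fob this comment describes, as an added example (not RSA’s or E-Trade’s code): the code generation is modelled with an HMAC-based time-step counter in the style of RFC 6238, which is an assumption rather than RSA SecurID’s own algorithm, and the verifier checks “password plus 6-digit code”, tolerates one step of clock skew, and refuses to accept a code from a step that was already used, which is the replay concern raised earlier in the thread.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # code changes every 60 seconds, as described in the comment
DIGITS = 6


def token_code(secret: bytes, unix_time: int) -> str:
    """Code the fob would show at unix_time: HMAC-SHA1 over the time counter,
    dynamically truncated to DIGITS decimal digits (HOTP/TOTP-style construction,
    assumed here as a stand-in for the proprietary token algorithm)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class TwoFactorVerifier:
    """Server side for one user: something they know (password) plus something
    they have (the fob seed). The password hash here is a simple SHA-256
    placeholder, not a recommended password storage scheme."""

    def __init__(self, password_hash: str, secret: bytes):
        self.password_hash = password_hash
        self.secret = secret
        self.last_counter_used = -1  # highest time step already accepted

    def verify(self, submitted: str, now: int, skew_steps: int = 1) -> bool:
        if len(submitted) <= DIGITS:
            return False
        password, code = submitted[:-DIGITS], submitted[-DIGITS:]
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(digest, self.password_hash):
            return False
        counter_now = now // STEP_SECONDS
        for counter in range(counter_now - skew_steps, counter_now + skew_steps + 1):
            if counter <= self.last_counter_used:
                continue  # this step's code was already redeemed: treat as replay
            expected = token_code(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_counter_used = counter
                return True
        return False
```

Rejecting a second use of the same step limits a captured code to a single login, but it does not stop an attacker who relays the code to the bank in real time before the legitimate user does.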

  16. notlazyjustdontcare said: “HSBC usernames are 20-digit numbers.”

    Mine was a long string of numbers, but I easily changed it to a more normal login — and one I can remember.

  17. Johnie says:

    This is part of a Federal Reserve/FDIC guidance that was supposed to be imposed by end of 2006. All online banking/financial sites must use a multiple-factor authentication system. One way to do this is through a keyfob (ie RSA SecurID).


    http://www.ffiec.gov/press/pr101205.htm

  18. jacques says:

    Hrm, neither of my two banks (Chase and ABN AMRO) use two-factor. In fact, up until I specifically changed it, my user id for Bank One online was my SSN. Way to go fellas.

  19. fishfucerk says:

    Do they have keyloggers and spyware for Macs? I feel all smug and secure with mine, but I worry that I’m wrong about Macs being completely safe.

    smug people should at least know how to use google.

    http://www.google.com/search?client=firefox-a&rls=org.mozi

    furthermore, hardware keyloggers aren’t unheard of.

    what is, however, is someone *actually* having a keylogger on their system. Anyone have personal experience with this in the wild?* Like, beyond a prank by your co-worker?

    * personal meaning you know a dude — not that you know a dude on the internet. we all know a dude on the internet, dudes.

  20. orielbean says:

    Biometrics are very very bad – why? Because when some jackass hijacks the database that links your name and accounts with your retina, voice imprint, and thumbprint, you are really screwed. How would you fix that? You’d need some sort of crazy affidavit to get them to fix it.

  21. RexRhino says:

    I think most people are missing the point here. Most protection schemes are not designed for your actual protection (although that is a secondary purpose), but in order to make you feel “comfortable” with banking online. Online banking not only saves you time, it saves your bank time (which is money), and so is highly desirable from a profit standpoint. There is a huge incentive for banks to make you feel safe when you are banking online. It is like the corporate-financial equivalent to making you discard your liquids at the airport… its most important function is to let you know the people in charge are “doing something” about the problem.

    The truth is, no matter what the security procedures in place, a good chunk of people will simply not be technically savvy enough to figure out if a site is legit or part of a phishing scheme.

  22. Shinola says:

    I am a former HSBC customer. I left because of their poor service and urge you to consider taking your business elsewhere.

    One month, HSBC paid my rent check to my landlord twice–ten days apart, for reasons I never understood. Though the error was all HSBC’s, and though they surely had the money lying around, I couldn’t get my money from them for a week, and no one in the entire organization would even pretend to give a damn (until I closed my account).

    Also, their fees are high, their Web banking is hard to use, their branches are understaffed, and their telephone associates don’t speak English as well as they need to.

  23. kidgenius says:

    This service is a mandatory federal measure that all banking institutions are being forced to move over to. HSBC looks like they are leading the pack, but rest assured, the rest of the banks and credit unions will be there soon.

  24. olegna says:

    Interesting. Samba Bank (Saudi Arabia) uses this. I always thought it was some silly thing done by some IT hack over here, but now it makes sense.

    Thanks Consumerist! (Wink and a smile with a little shiny sparkle on my tooth as a happy dog barks!)

  25. Cal says:

    I believe ING Direct (mentioned above) started this long before HSBC started the practice. ING Direct’s model is a little more accessible in that it allows typing _letters_ that change each time. For example, the number 1 might be “L” today and “J” tomorrow. It allows users who can’t easily click (eg, through a mobile browser) to access their account. Of course, the security of accessing one’s bank account via a mobile phone might be questionable, but at least somebody with a scanner won’t be able to get the password even if they can get through the SSL.