HSBC Offers Secret Transaction Decoder Rings for High Rollers

Unless your name is Sir Winifred Montegue Moneybanks, don’t expect to hold the item at left in your hands anytime soon. HSBC is rolling out a new security device to give big money blokes in the UK a secure way to conduct complex internet transactions.

The keyring-sized Vasco device generates a unique code to use alongside a customer’s user name and password during authorizations.

However, all luxuries trickle down from the rich like pre-colonial sugar. Someday the device may occupy space on your key ring right next to the starter for your disposable Aston-Martin.

“Digital Tokens for UK Biz Users” [Finextra via Bankwatch]



  1. nweaver says:

    Actually, I believe ETrade already has such tokens as well (RSA SecurIDs).

    They are a pretty simple device. They have a clock in them, and a secret AES key. It just continually encrypts the time and puts it out on the display. They cost about $50 each in small quantity, so say ~$20/each to the bank.

    When you log into the bank, you use your pin PLUS the number on the device. Since the bank also knows the key in the device, and the time, it just encrypts the time and sees if it matches.

    Also, this means you need to capture the pin AND steal the device to access the account arbitrarily (but if you take control of the victim’s computer, you can capture the session he used to log in with, so it doesn’t solve all the security problems).
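
The scheme described in comment 1, worked through as an added example that is not part of the original post or comments: a fob and a bank share a secret, both derive a short code from the current time step, and the bank checks PIN plus code. Assumptions: HMAC-SHA256 stands in for the AES encryption the comment mentions (Python's standard library has no AES), and the names `Bank`, `token_code`, `STEP`, `DIGITS` and `DRIFT`, the drift window, and the refusal of already-used steps are illustrative choices, not details of any vendor's token.

```python
import hashlib, hmac, os, struct

STEP = 60    # assumed: seconds each displayed code stays valid
DIGITS = 6   # assumed display width
DRIFT = 1    # assumed: bank tolerates +/- 1 step of clock drift

def code_for_step(key: bytes, step: int) -> str:
    # Stand-in for "encrypt the time": HMAC-SHA256 keyed with the fob secret.
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**DIGITS).zfill(DIGITS)

def token_code(key: bytes, now: float) -> str:
    """What the fob displays at wall-clock time `now`."""
    return code_for_step(key, int(now // STEP))

def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Bank:
    def __init__(self):
        self.accounts = {}

    def enroll(self, user: str, key: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = {"key": key, "salt": salt,
                               "pin": _pin_hash(pin, salt), "last_step": -1}

    def login(self, user: str, pin: str, code: str, now: float) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        pin_ok = hmac.compare_digest(_pin_hash(pin, acct["salt"]), acct["pin"])
        current, matched = int(now // STEP), None
        for step in range(current - DRIFT, current + DRIFT + 1):
            expected = code_for_step(acct["key"], step)
            # Steps at or before the last accepted one are refused: one-time use.
            if step > acct["last_step"] and hmac.compare_digest(
                    code.encode(), expected.encode()):
                matched = step
        if pin_ok and matched is not None:
            acct["last_step"] = matched
            return True
        return False

KEY = bytes(range(16))  # constructed sample secret, not a real token seed
```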

  2. Clare says:

    Thanks for explaining HOW they work, nweaver. My dad was a sales rep, and he had one of those doohickeys to log into his company’s dial-up internet access and VPN on his company laptop.

  3. Nick says:

    As others have pointed out, this is nothing new.

    Now compare it to HSBC Canada’s security: Your password _must_ be exactly 6 digits long. You want something longer? Bad luck, you can’t.

    They’re now ‘upgrading’ it to a system whereby you have to enter your mother’s maiden name every time you log in, and enter 3 randomly selected characters from your new 8 character password. Whilst this is actually more secure – it makes it harder for phishers to get your password once and log in as often as they like – it’s also incredibly annoying – you have to go through multiple steps to log in now, instead of just one, and you have to think through what a particular digit of your password is. I’d rather a securid token by far.

  4. matto says:

    I’ve been using SecurID fobs at various gigs in my industry since before the turn of the century. It’s about time that banks catch on to the technology. I’ve long been waiting for a financial institution that supported one-time-password tokens like this, and hope the retards in charge over on this side are paying attention.

    What would be uber-cool would be a bank that allowed you to use these tokens for your ATM PIN. Maybe next century, huh?

  5. RowdyRoddyPiper says:

    Bloomberg now uses this for their anywhere feature (which allows you to get to your Bloomberg terminal, well, from anywhere), though I suspect this is more to prevent people from sharing accounts rather than for any security purpose.

  6. yeabirfday says:

    Bank of America has been using their new “SiteKey” system, where you enter your ID, then they show you a picture and phrase *you* chose to prove that they’re actually Bank of America, after which you enter your password. It’s an anti-phishing measure, so my I’m-actually-curious question is, how different are the goals of these two methods?

  7. x23 says:

    Wells Fargo does this too. The accountant whipped one out the other day when she was trying to show me how something or another was broken in her browser. I thought it was awesome.