Out-of-band better?

Identity Blogger has an interesting post today on how HSBC is moving towards ‘out-of-band’ two-factor authentication to improve the overall security of its banking services.  The bank wants to reduce the risks by having the customer enter their one-time PIN over a phone channel.

The main risk is that of a compromised PC being used to enter the PIN, as it would be with RSA, Secure Computing, Entrust or most other solutions.  But hasn’t the trojan already got the easy secret, the password, and will it now only get the one-time password?  How is that improving the overall security for the session?  I suppose it assures HSBC that the second factor is collected on a ‘secure’ channel, thereby proving the user is who they claim to be…

Problem: I think my daughter, after much over-the-shoulder surfing, has my password figured out.  Last I checked she answers the phone in our house.  Fast forward a few years when she’s short on cash and going out for the evening (and perhaps not the angel she is today…) — does this proposed solution by HSBC now not make it easier for her to gain access to my account?

Of course, the main use case for HSBC would be two-factor for large-value commercial transactions, so my teenage scenario may not apply.  But surely those who are interested in gaining access to such a commercial account can be just as cunning as a 14-year-old…

Mike
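To make the threat reasoning above concrete, here is an added toy model of the out-of-band flow (my example code, not HSBC’s, Identity Blogger’s or any vendor’s): the password is checked on the web channel, a one-time PIN is delivered to the phone number on file and must come back over the phone channel, single-use, time-limited and attempt-limited. The PIN length, 60-second lifetime, three-attempt limit, user name and phone number are all assumptions for the model, and the "phone inbox" dictionary stands in for the voice or SMS channel. Four scenarios from the post are then run against it: a PC trojan that has only the password, a shoulder-surfer replaying a PIN the owner already used, a PIN entered after it expired, and someone who knows the password and answers the phone.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hash_password(password: str) -> str:
    # Toy hash for the model only; a real deployment uses a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class PendingLogin:
    user: str
    otp: str
    expires_at: float
    attempts_left: int
    used: bool = False


class OutOfBandAuth:
    """Password on the PC (web channel), one-time PIN returned over the phone.

    Only the password ever crosses the web channel; the PIN is generated server
    side, delivered to the phone number on file, and must come back from the
    phone channel (phone_confirm). All constants below are assumed values."""

    OTP_TTL = 60.0      # seconds the PIN stays valid
    MAX_ATTEMPTS = 3    # wrong PINs before the pending login is dropped

    def __init__(self, users: dict[str, tuple[str, str]]):
        self.users = users                              # name -> (password hash, phone)
        self.pending: dict[str, PendingLogin] = {}      # login token -> pending PIN
        self.sessions: dict[str, str] = {}              # session id -> user
        self.phone_inbox: dict[str, list[str]] = {}     # stands in for the phone channel

    def web_login(self, user: str, password: str, now: float) -> str | None:
        """Step 1, on the (possibly trojaned) PC: check password, send PIN to phone."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec[0], hash_password(password)):
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_hex(8)
        self.pending[token] = PendingLogin(user, otp, now + self.OTP_TTL, self.MAX_ATTEMPTS)
        self.phone_inbox.setdefault(rec[1], []).append(otp)
        return token

    def phone_confirm(self, token: str, otp: str, now: float) -> str | None:
        """Step 2, over the phone channel: PIN is single-use, time- and attempt-limited."""
        p = self.pending.get(token)
        if p is None or p.used or now > p.expires_at:
            self.pending.pop(token, None)
            return None
        if not hmac.compare_digest(p.otp, otp):
            p.attempts_left -= 1
            if p.attempts_left <= 0:
                del self.pending[token]
            return None
        p.used = True
        del self.pending[token]
        sid = secrets.token_hex(16)
        self.sessions[sid] = p.user
        return sid


# Constructed sample data for the scenarios below (not real credentials).
PHONE = "+44-0000-000000"
PASSWORD = "correct horse battery"
USERS = {"mike": (hash_password(PASSWORD), PHONE)}
T0 = 1_000.0


def scenario_pc_trojan_only() -> bool:
    """Trojan captured the password on the PC but cannot hear the phone. Returns False."""
    bank = OutOfBandAuth(USERS)
    token = bank.web_login("mike", PASSWORD, T0)
    real_otp = bank.phone_inbox[PHONE][-1]   # the harness peeks only to pick wrong guesses
    guesses = [g for g in ("000000", "123456", "111111", "999999") if g != real_otp]
    return any(bank.phone_confirm(token, g, T0 + 1) is not None for g in guesses)


def scenario_replay_after_owner_login() -> bool:
    """A shoulder-surfed PIN is replayed after the owner has used it. Returns False."""
    bank = OutOfBandAuth(USERS)
    token = bank.web_login("mike", PASSWORD, T0)
    otp = bank.phone_inbox[PHONE][-1]
    owner_session = bank.phone_confirm(token, otp, T0 + 5)
    replay_session = bank.phone_confirm(token, otp, T0 + 6)
    return owner_session is not None and replay_session is not None


def scenario_expired_pin() -> bool:
    """The right PIN, entered after its lifetime has passed. Returns False."""
    bank = OutOfBandAuth(USERS)
    token = bank.web_login("mike", PASSWORD, T0)
    otp = bank.phone_inbox[PHONE][-1]
    return bank.phone_confirm(token, otp, T0 + OutOfBandAuth.OTP_TTL + 1) is not None


def scenario_password_plus_phone() -> bool:
    """The post's scenario: knows the password and answers the phone. Returns True."""
    bank = OutOfBandAuth(USERS)
    token = bank.web_login("mike", PASSWORD, T0)
    otp = bank.phone_inbox[PHONE][-1]   # she picked up the call
    return bank.phone_confirm(token, otp, T0 + 20) is not None
```

The first three scenarios show what moving the PIN off the PC buys: a password alone, a used PIN, or a stale PIN gets nobody in. The last one shows what it does not buy: whoever holds both the password and the phone is indistinguishable from the account holder, which is exactly the household case the post raises. The model also only ever authenticates the login; what a trojan on the PC can do inside the browser session after that point is outside what this step checks, which is the session question the post asks.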
