
HSBC In Deployment Of One-Time Security Tokens
November 14, 2009
The global banking giant HSBC will be rolling out security tokens as part of their anti-fraud, on-line security policy.
One of the problems with banking on-line is the theft of passwords. These thefts can occur in many ways, ranging from the installation of malicious software on your computer to phishing for the passwords.
Malicious software includes keystroke loggers and/or screenshot-taking applications, surreptitiously installed via viruses and trojans. They’ll monitor which sites you log into, and if that happens to be one for a bank, they’ll record your keystrokes (meaning they can record your username and password).
Phishing scams try to redirect you to a fake bank site that replicates the looks of the original bank. Once you type in your username and password…well, you’ve essentially typed in your access details for them.
So, how does a token provide security? Well, it’s what’s called a two-factor authentication scheme. Access to on-line banking would require the correct username and password as well as the token. If you have one but not the other, you’re not getting into your on-line account.
So what is this token, then? It’s, simply speaking, a piece of hardware that looks like a USB memory stick. It can be literally a USB memory stick with special software or it can be something that looks like a USB memory stick with an LCD display.
In the former, the presence of the memory stick is detected. If the token is not there, on-line banking is not allowed by the bank (you can connect to the site, but can’t get in).
In the latter, random data will flash on the LCD screen every couple of minutes. This data, or code, must be typed in as well as the username and password. If any of them does not match the expected value, you can’t log in. The idea here is, scammers in Nigeria can get their hands on your password, but not on a USB stick 4000 miles away.
If you consider that last sentence, you’ll realize that tokens don’t guarantee safety; however, they will provide much more protection than simple usernames and passwords with very little in terms of inconvenience (until you lose the USB device, that is).
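The check the bank performs on the LCD-token login described above can be sketched as follows. This is an added example, not code from the article or from HSBC: it assumes the display code is a time-based one-time password in the style of RFC 6238 with a 120-second step, which the article does not state, and the account, salt and secret are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP = 120  # seconds per code; assumed from "every couple of minutes"

# Constructed sample account: salted password hash plus the token's shared secret.
SALT = b"constructed-salt"
ACCOUNT = {
    "user": "alice",
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "token_secret": b"constructed-token-secret",
}


def token_code(secret: bytes, now: int, step: int = STEP, digits: int = 6) -> str:
    """Code shown on the token's display at time `now` (RFC 6238, HMAC-SHA1)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login(user: str, password: str, code: str, now: int, used: set) -> bool:
    """Both factors must match, and each time window is accepted only once."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    pw_ok = user == ACCOUNT["user"] and hmac.compare_digest(pw_hash, ACCOUNT["pw_hash"])
    expected = token_code(ACCOUNT["token_secret"], now)
    code_ok = hmac.compare_digest(code.encode(), expected.encode())
    window = now // STEP
    if not (pw_ok and code_ok) or window in used:
        return False
    used.add(window)  # a code captured in this window cannot be replayed
    return True
```

Tracking used windows on the server is what limits a captured code to a single login; without it the same code would be accepted again until the display changes.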