OverKill Bill: HSBC’s Security Device

by Ka Edong on July 11, 2006

Around a month ago, I received a “security device” from my credit card company, HSBC. It’s a small keychain with a single button. When the button is pressed, the keychain will display a 6-digit number. The “security device” generates a unique 6-digit code to be used each time I log on to my HSBC on-line account. The number is different each time the button is pressed. And my on-line account can tell whether I’m just faking or guessing a 6-digit number. Or whether somebody else is trying to access my account.

Frankly, I think HSBC’s heightened security is overkill for my needs: to view my monthly bill (get it? overKill Bill?).
After all, I don’t have a million dollars to lose.

I compare this with my BPI Expressonline account. It has been secure for the more than 6 years I’ve been using it. No “security device” needed, just a password that I change regularly when prompted to by BPI Express Online.

I also maintain some rules of thumb when doing online banking:
a.) Never use online banking on a public computer (e.g. an internet shop)
b.) Never use online banking when surfing via an unsecured WiFi connection

Security device? Ah, I don’t have the patience. But I don’t have much choice, I can’t get in HSBC’s online banking without it.

ka edong

Comments

  • http://rrelos.net/techblog Richard

    two-factor authentication using a token device is the preferred mode of providing identity protection and non-repudiation facilities. it’s good to see HSBC providing this by default (did they charge you for the device?). our client in EU, a multinational bank conglomeration, provides 2F security using such a device.

  • http://technobiography.edongskey.com ka edong

    hi Richard,

    yes, they charged P500. and I still haven’t used it 🙁 . In fact, I haven’t successfully logged into my account.

  • http://www.baliwesti.com esti

    yo ka edong, they charged you P500 for it? how come, I wasn’t charged for it. (or maybe i just didn’t see it..)

    Btw, the number changes over time, I tried pressing on the device for one lazy afternoon and saw that it never changes for some time (around 30s or less) and then changes 😀

  • http://rrelos.net/techblog Richard

    ka edong. that’s what you call cross-selling… hehehe 😀

  • http://technobiography.edongskey.com ka edong

    ehehe! yeah, that's right, cross selling!

    esti, i think they deployed it in phases. Maybe you were part of the “free of charge” batch … I don't really know.

    or maybe my keychain comes with a free car … 😀

  • http://jijo.free.net.ph Federico Sevilla III

    I think the HSBC “One Time Password” security device is quite innovative. It provides you with all the benefits of two-factor authentication without tying you down to any particular platform, computer, or browser.

    The benefits of two-factor authentication cannot be overstated. While you and many other regular eBanking customers have been able to bank safely using the standard login/password, phishing has become widespread and it is very easy for non-techie users to get caught off-guard.

    While definitely not a cure-all, two-factor authentication like what is provided by HSBC’s OTP device significantly reduces the negative impact that phishing can cause.

    For whatever it’s worth, I wasn’t charged for my HSBC OTP device. There are corresponding charges if I need to have it replaced, though.

  • http://technobiography.edongskey.com ka edong

    I remember seeing the P500 charge on the web when I applied for the device. But I haven’t seen it charged on my credit card.

    Phishing? I don’t consider it a threat to me. I’m smart enough not to get duped into that.

    What’s been extremely challenging (and exasperating) is *still* not being able to login to my HSBC account.

    Two-factor authentication? It may work for others. It’s not working out for me. I consider it a barrier to online banking convenience.

  • http://www.baliwesti.com esti

    i agree with ka edong. the two factor authentication is a bit of a hassle to me cause i keep on forgetting the device in my office, when i have to log in during weekends at home i can’t. just one of the trade offs for having extra security. you need the device always 😀

  • http://technobiography.edongskey.com ka edong

    So there are a lot of us on HSBC. I consider myself a techie. At least techie-er than the average credit-toting Pinoy.

    And if I'm being driven crazy by HSBC, how much more the average card-holder? Or maybe the average guy doesn’t go gaga over these things.

  • justpassingby

    i also have hsbc. check again because i haven't been charged P500 for the device. you will only be charged if you lost it and ask for a replacement.

    i like the device because it is the best way to secure your account. you will be surprised how loose personal information circulates in this country. just this couple of weeks i have received more than 10 “invitations” for credit card and personal loan applications. they are armed with personal information including my “mother’s maiden name” which used to be the standard question to verify your identity (because presumably only you and some people close to you will know your mother’s maiden name and does not appear on most public records). i always ask them where they got or who provided them my personal and confidential info and they always have a standard answer: “we can't tell you that sir, it's confidential”

  • http://eofw.edongskey.com ka edong

    hi justpassingby,

    I didn’t get charged. No charge if you opt-in for the online billing statements (they won’t send monthly statements by mail). If you choose to continue monthly statements via mail, you’ll be charged P500.

    I got locked out once again from my online account. I had to request a password reset. bummer

  • justpassingby

    hi edong, hsbc has shortchanged you. i get my paper monthly statements via mail and i wasn't charged P500 for the device. same with my wife. i remember reading that the P500 charge applies only when you lose it and ask for a replacement.

  • http://eofw.edongskey.com ka edong

    we’ve got a conversation going here, justpassingby! 😉

    they implemented the device in phases. I guess we belong to different phases with different rules 🙁 .

    Yeah, I still prefer to have a piece of paper for my monthly statements. I miss those paper bills ….

  • justpassingby

    you can still opt for the paper statements instead of getting your bill online. if they charge you P500 you should complain. it's not right for anyone to be charged for something you did not ask for. i’m sure there is a law (in the consumer welfare act prolly?) in effect that states just that. but i still think they will not charge you. try inquiring with customer service. i've been with hsbc for a long time too and i’m really satisfied with their service 🙂

  • srimanta roy

    This is absolutely useless for security for an online system. It only makes sense for network admins etc., not client users.

    I haven’t seen any bank doing this.
    It makes life just so cumbersome. I live outside india and I feel there should be an option given to users whether they want this security device, default should be not a requirement.

    regards,
    – roy.

  • John

    Please read the back of device’s box… it says FEE applies if you don’t enroll your account for e-statements… right?

    It means that you are being charged because you are not using the device.

  • boo34

    Just a suggestion, though it might be risky: maybe you can record 10 or 20 different generated PINs in your mobile phone (it's still secure even if the phone gets stolen or lost, since no one knows what that PIN is for), then use the different PINs any time you access your account online. Now you have 20 reserved PINs; you just delete the ones you've already used. If you're patient enough to record them, you could make it 50 PINs, hehe. This should probably work, since the device's serial number is registered to our account anyway 🙂

  • http://ronx13.multiply.com Ronx

    ^ Hmm, I don’t think that security device would work that way. Here at Asia United Bank (AUB) we're also implementing this kind of so-called “Security device” — quite similar IMO. The website has a way to sync the number that appears on the device (at any given moment) with the one that has to be entered at HSBC login. So if you take 20 generated numbers today and use them tomorrow, the series that comes out tomorrow will already be different. Something like that. Hehe 🙂

    Their Security Device is okay too. As they say, right — “better be safe than sorry”. In this case it's more like “better be paranoid than sorry” hehehe! 😀
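
The time-synchronised behaviour described in the two comments above (codes that change about every 30 seconds, and pre-recorded codes that no longer match the next day), as an added example that is not part of the original post or comments. It assumes the standard RFC 6238 TOTP scheme; the algorithm HSBC's device actually uses is not stated on this page, and the seed, timestamp and one-window drift tolerance are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code (assumption, matching the ~30 s seen in the comments)
DIGITS = 6     # the device displays a 6-digit number
SECRET = b"constructed-demo-seed"   # constructed sample seed, not a real device secret


def totp(secret, unix_time):
    """RFC 6238 code for the 30-second window that contains unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret, code, server_time, drift_windows=1):
    """Server side: accept only the current window or an adjacent one.

    drift_windows is a hypothetical tolerance for clock drift on the token.
    """
    for w in range(-drift_windows, drift_windows + 1):
        expected = totp(secret, server_time + w * STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def replay_results(secret, recorded_at, delays):
    """Record one code at recorded_at, then submit it after each delay (seconds)."""
    code = totp(secret, recorded_at)
    return {d: verify(secret, code, recorded_at + d) for d in delays}


if __name__ == "__main__":
    t0 = 1_152_576_000   # constructed timestamp, aligned to the start of a window
    results = replay_results(SECRET, t0, [0, 20, 45, 120, 86_400])
    for delay, ok in results.items():
        verdict = "accepted" if ok else "rejected"
        print(f"code used {delay:>6} s after recording: {verdict}")
```

A code stays usable only while the server's clock is within the tolerated windows of the moment it was generated, so a list of codes written down in advance has no value a few minutes later.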

  • rymon

    I think the device is quite an innovation. Extra hassle for extra feature/convenience. Compared with other banks that have internet banking, here you can do interbank/intrabank transfers without enrolling the 3rd party account. So in a way, this is an alternative measure to the mandatory enrollment you have to do at other banks. It's good for instant transfers or as a substitute for a check. Imagine if this didn't exist and you could do interbank transfers without the mandatory enrollment: in essence you could be held up anywhere (they'd just make you transfer the money). So I think you shouldn't show that you have this device, because you could get held up, hehehe. But there's still clearing, so you can still complain before the actual transfer.
