Out-of-band better?

Identity Blogger has an interesting post today on how HSBC is moving towards ‘out of band’ 2-factor authentication to improve the overall security of its banking services.  The bank wants to reduce the risks by having the customer enter their one time PIN over a phone channel.

The main risk is that of a compromised PC being used to enter the PIN, as it would with RSA, Secure Computing, Entrust or most other solutions.  But hasn’t the trojan already got the easy secret, the password, and will it now only get the one-time password?  How is that improving the overall security for the session?  I suppose it assures HSBC that the second factor is collected on a ‘secure’ channel, thereby proving the use is who they claim they are…

Problem: I think my daughter, after much over-the-shoulder surfing, has my password figured out.  Last I checked she answers the phone in our house.  Fast forward a few years when she’s short on cash and going out for the evening (and perhaps not the angel she is today…) — does this proposed solution by HSBC now not make it easier for her to gain access to my account?

Of course, the main use case for HSBC would be two-factor for large value commercial transactions, so my teen-age scenario may not apply.  But surely those that are interested in gaining access to such a commercial account can be just as cunning as a 14 year old…


Author: code

Mike Waddingham is senior Information Technology management consultant with over 30 years of industry experience. He is the owner of Code Technology Corp.