Problems with HSBC Security Device

Closed Thread
Page 1 of 2 1 2 LastLast
  1. #1

    Join Date
    May 2006
    Posts
    123

    Problems with HSBC Security Device

    I'm having problems logging into my HSBC internet banking account with the security device. Regardless of how many times I try, I get an error message saying that either my login name, password or the security code is wrong. However, I'm positive that my login name and password are correct.

    I've had a similar problem in the past, but it sorted itself out after a week or two. This time it's already been several weeks. The obvious step is to call the bank, but I was wondering if anyone else had a similar experience. It's a pain and since it's already happened two times, I'm worried that even if HSBC helps me this time, it'll happen again. Any ideas?


  2. #2

    Join Date
    Jun 2005
    Location
    Hong Kong
    Posts
    23,205

    The problem is that the security device has an inbuilt clock which it relies on to generate the passcode. Every time you log in successfully the clock is resynchronised with HSBC's system clock, but if you don't log in for a period of (in my experience) about 2-3 weeks then the clocks get sufficiently far out of synch that the passcode fails.

    Call HSBC, tell them you haven't logged in for a couple of weeks, and they will instantly do something which in effect allows a much wider time synchronisation window for the next login, getting you back in.

    I do wonder if HSBC has fully thought through the new option of logging in without the security device for low risk transaction types. I suspect that the result will be m any more people not using the security device for several weeks at a time, getting out of synch, and then having to call HSBC to get the rest done. It's not clear to me that the cost savings through having to replace fewer worn out security tokens offset the additional cost (and customer frustration) of the extra phone calls to reset the security on the devices that go out of synch as a result.

    My advice would be that even if you use the "two password" login usually, make sure you use the security device at least every two weeks in order to keep it in synch.


  3. #3

    Join Date
    May 2006
    Posts
    123

    Thanks a lot, PDLM, great answer and much appreciated.

    I always wondered how the security device works. By the sound of it, it could do with some serious technological makeover. I find it quite unacceptable that they would out of sync in a 2 or 3 weeks

    Anyway, time to talk the bank. Thanks again.


  4. #4

    Join Date
    Jun 2005
    Location
    Hong Kong
    Posts
    23,205

    By the way, one for bored geeks, if my theory is correct then this has some chance of working...

    Try using a passcode that you generated, say, 5 minutes BEFORE you enter it at the login (you may have to experiment with this delay). If your device is running faster than the system clock then you may well find yourself with an accepted passcode. Of course, if this does work then the clocks will not be resynchronised (or not by as much) so you'd have to keep doing this every time.

    If your device is running slower than the system clock then I don't see a workround.


  5. #5

    Join Date
    May 2007
    Location
    In a little burrow
    Posts
    943

    How does HSBC communicate with the device to sync the clock?


  6. #6

    Join Date
    Jun 2005
    Location
    Hong Kong
    Posts
    23,205

    They don't - I used the term loosely to try to keep it simple. I believe that the record for each account on the HSBC server will have a "clock offset" (which can be deduced from the passcode) recorded each time there is a successful login. The "clock offset" from the previous login is applied at the time of the next attempt.

    Presumably the amount by which the clock runs slow or fast is reasonably constant, so quite why they couldn't extrapolate (at least for a few months) I'm not really sure.


  7. #7

    Join Date
    Feb 2007
    Location
    TKO
    Posts
    236

    Hmmm, intersting theory about the sync PDLM, but for my wifes' token, she had not used it for 3 month. I used it yesterday to set up the second password for her, and it worked fine


  8. #8

    I always thought it's just a list of TAN?


  9. #9

    Just checked Wikipedia, and I believe this is what the HSBC security device is:

    TAN generators

    The risk of compromising the whole TAN list can be reduced by using security tokens that generate TANs on-the-fly, based on a secret known by the bank and stored in the token or a smartcard inserted into the token.
    Last edited by reinkarnation; 11-11-2009 at 03:27 PM. Reason: grammar

  10. #10

    Join Date
    Jun 2005
    Location
    Hong Kong
    Posts
    23,205
    Quote Originally Posted by caipiroska:
    Hmmm, intersting theory about the sync PDLM, but for my wifes' token, she had not used it for 3 month. I used it yesterday to set up the second password for her, and it worked fine
    So by chance it happens that your token's clock runs at very close to the same speed as the system's. There will be a huge range here I suspect. 2-3 weeks was just my (well actually Mrs PDLM's) experience with her token. I use mine more or less every day so the issue hasn't arisen. I guess the tolerance on the synch has been set so that no tokens go out of synch within, say, 2 weeks, but some may, by chance, remain close enough for ever.

Closed Thread
Page 1 of 2 1 2 LastLast