
And I thought HSBC could not get any harder to use....

  1. #51

    Quote Originally Posted by pin:
    That's what Nationwide told me. They are a UK bank and can only serve UK residents, hence the requirement to have a UK address.

    They do have an offshore offering, which deals with their international private clients, but as I only keep about 500 pounds in the account, I was not invited to the party.
    I did change my address several years ago so maybe that is why. I don't have much contact with them - I only get a statement (sent airmail) if I make a transaction. Otherwise they just send a statement once a year.

  2. #52

    Quote Originally Posted by pin:
    That's what Nationwide told me. They are a UK bank and can only serve UK residents, hence the requirement to have a UK address.

    They do have an offshore offering, which deals with their international private clients, but as I only keep about 500 pounds in the account, I was not invited to the party.
    Nationwide haven't told me I have to close my account (yet)... if they do, I'll move all my business to HSBC UK who are more than happy to let former UK residents keep their accounts and Nationwide can whistle for it. Bunch of muppets. Plenty of non-UK residents who maintain UK accounts because they own UK property etc. If Nationwide want to lose that business, especially in the current climate, they really are fools.

  3. #53
    Quote Originally Posted by PDLM:
    EH? A hacker that is good enough will break whatever security you have. There's no such thing as absolute security.
    Don't you feel more secure with an additional password / PIN? If given a choice, will you drop the additional password for a bank account?

  4. #54


    Passwords are one thing. These bloody security devices are another level of inconvenience altogether. I have already set my affairs up to avoid using it as much as possible but can't avoid it entirely.


  5. #55


    I'm fine with the one-time PIN generators for things where a security breach could be important (like a bank account). I wouldn't want to have to use one to log on to, say, Geoexpat. It's a question of finding the right balance of security and convenience. I can see the logic behind HSBC splitting the level of access you can get through a one-time PIN generator and through simple password logic - that makes sense to me.

    I agree that the "yellow button" stage for transfers to non-registered accounts is a pain. However, it seems to me that it protects you against two things:
    1) Forgetting to log out of a session on a computer to which someone else has access; sessions time out after about 15-20 minutes, so if you forget to log out someone could otherwise perform a transfer in that period.
    2) Intercept / man in the middle attacks (this is much less likely); if someone has somehow intercepted and decoded your session whilst in progress (https has some major known flaws) then they could, in principle, through a "man in the middle" attack initiate a transfer to their account if further authentication isn't required. Requiring you to use the "transfer to" account number to generate the PIN stops such an attacker, for example, simulating a session drop to get a new "green button PIN".

    So, it's a pain, but it makes sense to me. For the number of transfers I do (a few each month) it's something I'm happy to live with for the extra security. I can see that if I did dozens each day it would be an extreme pain.
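
The property described in post #55, a PIN generated from the "transfer to" account number, sketched as an added example (not part of the original thread, and not HSBC's actual algorithm, which the thread does not describe). It assumes an HMAC-SHA1 code with RFC 4226 truncation and a shared counter; the key, counter and account numbers are constructed.

```python
import hashlib
import hmac
import struct

DIGITS = 6


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation of an HMAC-SHA1 value to DIGITS digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def login_pin(key: bytes, counter: int) -> str:
    """Plain one-time PIN: depends only on the device key and a counter."""
    return _truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest())


def transfer_pin(key: bytes, counter: int, payee_account: str) -> str:
    """Transaction-bound PIN: the payee account number is part of the MAC input."""
    msg = struct.pack(">Q", counter) + b"|transfer|" + payee_account.encode()
    return _truncate(hmac.new(key, msg, hashlib.sha1).digest())


def bank_accepts_transfer(key: bytes, counter: int, payee_account: str, pin: str) -> bool:
    """Bank side: recompute the PIN for the payee actually requested, compare in constant time."""
    return hmac.compare_digest(transfer_pin(key, counter, payee_account), pin)


def demo() -> dict:
    key = b"12345678901234567890"  # constructed key (the RFC 4226 test secret)
    counter = 7                    # assumed device/bank shared counter
    payee, other = "123-456789-001", "987-654321-002"  # constructed account numbers
    pin = transfer_pin(key, counter, payee)  # what the customer keys in for the intended payee
    return {
        # Transfer to the account the customer entered on the device: accepted.
        "intended_payee": bank_accepts_transfer(key, counter, payee, pin),
        # Same PIN presented with a different destination: rejected.
        "swapped_payee": bank_accepts_transfer(key, counter, other, pin),
        # A plain login-style PIN cannot authorise any transfer.
        "login_pin_reused": bank_accepts_transfer(key, counter, other, login_pin(key, counter)),
    }


if __name__ == "__main__":
    print(demo())
```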


  6. #56


    My laptop has a fingerprint device...

    Now, if they could link *that* up to my bank account I'd be in dream land!

    Then again, in that scenario Li Ka Shing might find himself chased by masked machete bearers trying to cut his hand off. I did hear about a rich Rolex wearer in China getting his hand chopped off as he stopped at a traffic light with his hand out of the car window.


  7. #57

    Quote Originally Posted by PDLM:
    I agree that the "yellow button" stage for transfers to non-registered accounts is a pain. However, it seems to me that it protects you against two things:
    1) Forgetting to log out of a session on a computer to which someone else has access; sessions time out after about 15-20 minutes, so if you forget to log out someone could otherwise perform a transfer in that period.
    2) Intercept / man in the middle attacks (this is much less likely); if someone has somehow intercepted and decoded your session whilst in progress (https has some major known flaws) then they could, in principle, through a "man in the middle" attack initiate a transfer to their account if further authentication isn't required. Requiring you to use the "transfer to" account number to generate the PIN stops such an attacker, for example, simulating a session drop to get a new "green button PIN".
    Your #2 is a fine example (rare and unlikely but still fine),
    but I think you are mistaken with #1.
    If you forget to log out and someone tries, they need the FOB anyway.
    Having the extra yellow bit doesn't make things any better...

  8. #58


    I'm not sure I understand your point on #1. Prior to the two-button device you just generated another PIN from the single button device, but as I understand the complaint, it is that you need to use a device at all once you have authenticated at the start of the session. Both the old and new device methods stop attack type 1; the extra security from the new device is to stop attack type 2, at the extra inconvenience of 9 more key presses on the device and entry of 6 digits on the screen.


  9. #59


    Perhaps it's just semantics.
    The 2 button device does not give you any further benefits over and above the single button device when it comes to scenario #1.
    It does give you protection for scenario #2 (which is very rare and unlikely).

    Overall, IMO, the annoyance factor does not justify its use... but heck, I'm stuck with it for my personal account. I hope they don't bring it in for the corp-account.

