activating (or not) HSBC's online banking (retail banking edition)

As part of my account setup, HSBC gave me a physical two-factor device for the retail-banking online banking.  They said it was set up for me.

When I went to register for the online banking, I had to go through the usual process of setting questions about the name of my second gerbil, and so on, this being the state of the art in "security" and "best practice".

It was now apparently ready to log in, but trying to log in brought me to "Secure Key activation" / "Activate your Physical Secure Key".  For this, an activation code was required.  A box popped up headed "Generate activation code", saying "Please tell us how you would prefer to receive your activation code".  I would have preferred to have received it in person at one of the many person-to-person meetings so far.  But the problem with the box was that there was no way to select a mechanism, and clicking on "Continue" brought me back to exactly the same "Generate activation code" box.  Thus, we see that HSBC's IT is exactly as good as the IT of other banks.  Banks are about as good at IT as car manufacturers are at in-car electronics.

I asked my contact how to proceed, and later received a call from a colleague in a different jurisdiction.  This rep told me that contact details cannot be used for activation within a month of being added, and that my contact details had not been added.  In order to add my contact details (phone, email), I could do some kind of online signing exercise ("livesign"?).  This is several months into the process of establishing a private banking relationship; the retail banking side, which is what this online banking is for, is attached to the private banking.  I said I wasn't happy, because the private banking team had had my contact details for months and there was no doubt about them, so why was I being asked to go through yet more time-consuming and pointless admin to set them again, as though from square one?  We had to end the call.

Later, my account manager called: they can send the activation code by letter, to arrive mid-week the following week.  Okay, but...

All that had to be done here was to establish credentials for using online banking.  Given extensive in-person meetings, it should be very easy to establish such credentials.  A physical device, apparently individualised for me, was handed over.  But because no one at banks understands the fundamentals of information security, what the world ends up with is increasingly complicated processes in which this depends on that, and you need an activation code, and how shall we send the activation code, well by their registered contact details for activation codes of course, which have to be signed for via live-sign on a web site, and must have been in place for a month before an activation code can be issued over them, and btw if they ever do get logged into the damned thing, let's log them out again after 10 seconds.

None of this complication makes anything more "secure".  The fundamentals are: there are in-person meetings.  These in-person meetings can be used to exchange whatever credentials (activation codes, hardware devices, etc), are needed, in full.  If that is done, and the process is designed properly, then there is no need to revert to "aaaaaarggh! anonymous!!!1" behaviour when the client tries to use these credentials online.

The end result is that months into this, I don't have online banking, but should have, and am awaiting a letter by post, containing an activation code that could have been given to me in person.


^ the button on this does nothing -- it goes in circles.  That's the world we live in.