Req: Bank Recommendations

It also gives you the option of you both moving to a bank that ticks all your other boxes, and using internal transfers to send money to your son. It might be the easiest option all round, as it takes one requirement off your list.

Reply to
Simon Finnigan

Thanks again but it's a mere kludge that would work for just one payee. I really do want a general solution and am now investigating Lloyds TSB.

Reply to
Anthony R. Gold

No it's not.

The code that is generated is time dependent and that intelligence is in the terminal.

Possibly, but that doesn't put the intelligence in the card.

ITYF that the terminal does all the work. All that the card does is provide proof that the user has ownership of the card with the required account number.

tim

Reply to
tim....

I believe the codes are sequence number based, in particular I've heard of people reading out a sequence of codes and storing them offline. The central system will tolerate a few missing codes in the sequence. You can only do this easily in the basic identification mode.

With sequence number codes, the sequence number has to be stored in the card, so that it can be used with different readers, which is something that some banks actually say can be done.

The terminals aren't customised which means that if they did that they would be a primary target for reverse engineering, as, if you succeeded with one, you would have broken the whole system. Unless the system depends on end to end cryptographic operations between the card and the bank, the terminal is a man in the middle.

Reply to
David Woolley

The device I have from HSBC doesn't use my card at all, but simply generates a series of 6-digit numbers each time you press the button.

I've tried storing them for future use but it doesn't work, so I assume they're somehow time-limited. If I press the button and log on immediately it works fine. If I wait a few minutes and then try to log on it fails and I have to use the device to generate a new number.

Chris

Reply to
Chris Blunt

That is different, and sounds like the technique used in securekey (a version of which was recently cracked!). That is time based, and the normal devices don't require a button to be pressed; they continually display the code for the current time.

I noticed typical marketing hype in the HSBC TV ads recently, and I admit it did look too small to be using the card based strategy. I'm not sure why they chose to do that.

Reply to
David Woolley
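
An added example (not from any poster, bank or vendor) contrasting the two code styles discussed in this thread: sequence-number codes checked with a look-ahead window, and time-based codes that expire. It uses the public HOTP (RFC 4226) and TOTP (RFC 6238) algorithms as stand-ins, which is an assumption, since the thread does not say what the bank devices actually run; the key, window size and timestamps are constructed.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 4226 test key); not any bank's or vendor's key.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class CounterVerifier:
    """Server side of a sequence-number scheme with a look-ahead window."""
    def __init__(self, secret, window=3):
        self.secret, self.window, self.counter = secret, window, 0
    def verify(self, code):
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # resync; this and earlier codes are now dead
                return True
        return False

def totp(secret, unix_time, step=30):
    """RFC 6238: the counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step)

def verify_totp(secret, code, now, step=30, drift=1):
    """Accept only codes from the current step +/- `drift` steps."""
    return any(hmac.compare_digest(totp(secret, now + d * step, step), code)
               for d in range(-drift, drift + 1))

def demo():
    server = CounterVerifier(SECRET)
    stored = [hotp(SECRET, c) for c in range(6)]   # codes noted down in advance
    results = {
        "skip_two": server.verify(stored[2]),      # codes 0 and 1 never used
        "replay": server.verify(stored[2]),        # same code presented again
        "too_far": CounterVerifier(SECRET).verify(stored[5]),  # outside window
    }
    t0 = 1_700_000_000                             # constructed timestamp
    code = totp(SECRET, t0)
    results["time_fresh"] = verify_totp(SECRET, code, t0 + 10)
    results["time_stale"] = verify_totp(SECRET, code, t0 + 300)
    return results
if __name__ == "__main__":
    print(demo())
```

The counter-based verifier accepts a stored code as long as it is within the window and not yet consumed, while the time-based check rejects the same kind of stored code a few minutes later.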

I think that should have been SecurID, not ..ekey.

The SecurID devices do contain sensitive information, but they are personal to the user, and will have individual cryptographic keys, so obtaining full details of one will not break the others, although finding a weakness in the algorithm might.

I assume that the HSBC ones are like that.

Some information, possibly not the latest, on the SecurID compromise can be found at

formatting link

Reply to
David Woolley

That's not how forums work best. They work best when they find the underlying requirement and address that.

Certainly, in relation to software, it is very common for people to overconstrain their requirements because they have made design decisions too early.

Reply to
David Woolley

If you can do things on your account without the device, then so can anyone else! Especially if you're planning to use a public internet point...

Anyway, I have a card reader with my NW account, and most of the time it is not needed. Only for things such as setting up new payees for direct transfers. Subsequent payments do not need that authorisation.

And without the reader, I believe these things can still be set up by phone.

Reply to
BartC

Thank you for explaining how forums work best: Someone asks for the best route to take when driving from their home in Bolton to Southampton and of the ten replies, three say he should not live in Bolton and should move, 5 explain why there's no point in going to Southampton anyway, one mentions that driving is not a green option and the last one answers the question. I am only waiting for that last person to arrive.

Reply to
Anthony R. Gold

Thanks and that is exactly how Barclays promised their accounts worked, but after I opened one and tried it for myself I found that their device-less access offered no more than a read-only access to view history.

That is not so useful to me because I spend a great deal of time abroad.

Reply to
Anthony R. Gold

Eh.

Why would someone need to reverse engineer the terminal if that is the way to break the system? All that they have to do is open an account and get the bank to send you one. Does that compromise the system? No it doesn't.

The security here is in a combination of: the card with its PIN, the terminal and the initial code(s) created by the website. You need all three to be correct to get the right answer.

The terminal is a minor player here, but that doesn't mean that it doesn't have any intelligence.

tim

Reply to
tim....

That relies upon the terminal having hundreds/thousands of different starting conditions and the bank knowing which one it was that they gave to you.

Unlike the Nationwide/other banks system which I use, another account holder with HSBC cannot (normally) use your terminal if they have lost theirs.

tim

Reply to
tim....

You going somewhere where they don't have phones?!

For years I used Natwest's Actionline service to do most of my private and business banking, and much of that while I was in Europe.

Now, with online banking, less travel, and less activity, I can hardly remember the number! But as far as I know it's still possible to do the same things.

Reply to
BartC

P.S. My answer was Lloyds TSB which does all of the above very well.

Reply to
Anthony R. Gold
