[Dave Birch] I was thinking about an e-mail that I got last week. I would have deleted it, except I was thinking about getting (yet) another credit card, and I saw this in my inbox…

Hsbc Mail

It was an HTML e-mail with a convincing HSBC logo and some pretty graphics, but no digital signature or certificate. And it comes from somewhere called “acxiom”, which sounds made up to me. What do you think? Real or phish? Here’s the URL it takes you to. Again, it looks convincing, but it’s not a secure site (where’s my little padlock?), so there’s no certificate to check, which is a bit suspicious if you ask me. And if you click on “Apply Now”, you get some sort of pop-up window with no address bar visible. I don’t trust those, because you can’t see where you are supposedly visiting. The pop-up window doesn’t have a menu either, but it does have a little padlock. If you click on that, it says that “Verisign” (who are they?) have issued the certificate to “hsss1.hsbc.co.uk”. What’s “hsss1”? And what’s it got to do with Sheffield, South Yorkshire, GB?

How is the man using the Clapham ISP ever going to trust the Internet?


I was at a seminar on online banking fraud today. It was organised by Verisign and kicked off with a very good talk by Colin Whittaker of APACS, who explained the size of the phishing problem in the U.K. and the key trends. While he was doing this, I kept thinking about my e-mail. What I was thinking was that marketing people don’t understand security. Sending out this e-mail helps the phishers, because it conditions customers to getting e-mails from the bank and clicking on links. But marketing people do understand hassle, and customers don’t really want to have to jump through hoops, especially to get to their own money. They seem to think that it’s the banks’ problem. Perhaps the way through this is to focus on using the token that the consumers already have — the mobile phone — rather than giving them a new one.

Precious few tokens have been issued. Colin talked about the U.K. situation with respect to two-factor authentication (2FA) using chip-and-PIN cards with cheap calculator-style readers to generate one-time passwords (OTPs). This is generally called Dynamic Password Authentication (or DPA) now. It’s been standardised for a while (ie, MasterCard Chip Authentication Protocol, CAP) but hasn’t been deployed into the mass market, possibly because phishing losses are still very small. The situation doesn’t seem much clearer in the U.S., where banks and others are finding that complying with the existing FFIEC recommendation on two-factor authentication is proving more difficult than imagined, with some institutions unsure where to begin risk assessment and others suffering “paralysis-by-analysis” when faced with the growing array of solutions: mutual authentication, biometrics, risk-based authentication (which Verisign were talking about this morning), digital certificates and so on. Incidentally, Glenbrook’s Linda Elliott has an excellent overview of the activities of U.S. institutions if you want to get an up-to-date picture.

One thing I did find interesting at the seminar was that the Verisign “VIP” service (essentially an OATH-compliant outsourced solution), which already has eBay and PayPal on board, has signed up its first couple of financial institutions. I use eBay and PayPal all the time, and I think I’d be happy to pay a few euros for a token for two-factor authentication to access them, so long as I could use the same token for both. If I had already purchased a token and then my bank allowed me to use it for home banking login, I’d be pretty happy. I wonder if, when they have a few million tokens out there, banks will simply start using them as well, rather than deploy the industry solution (ie, DPA), because it’s just too much hassle to do it themselves?

My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public. [posted with ecto]

3 comments

  1. So true … Banks are not helping themselves by sending out marketing campaigns like this. Unfortunately it’s often the marketing dept getting ahead of the internet group and dealing direct with an agency.

  2. It is not just the Marketing Departments. Virtually all the Banks in the e-mails they keep sending us on ‘Security’ ask you to copy any phishing e-mails and forward them for analysis. Should you open the e-mail as part of this process you are liable to confirm the existence of your e-mail address and thus set it up to receive even more spam.
    On the subject of security and if you have plenty of time to read all the posts have a look at the item on Payment News today on Fighting Fraudulent Transactions
    Bruce Schneier blogs about why the focus in fighting online banking fraud needs to be on the transactions themselves, not solely on authenticating the user’s logon.

  3. dave,
    you are getting too paranoid… acxiom is a well known e-marketing company – hsbc must have outsourced the marketing execution to them. hsss1 is a name of one of their web-servers and since you are getting a “padlock”, it means HSBC has taken care to ensure that the data entry forms are encrypted/etc.
    btw, i am not associated with hsbc or acxiom!
