It was an HTML e-mail with a convincing HSBC logo and some pretty graphics, but no digital signature or certificate. And it came from somewhere called “acxiom”, which sounds made up to me. What do you think? Real or phish? Here’s the URL it takes you to. Again, it looks convincing, but it’s not a secure site (where’s my little padlock?), so there’s no certificate to check, which is a bit suspicious if you ask me. And if you click on “Apply Now”, you get some sort of pop-up window with no address bar visible. I don’t trust those, because you can’t see where you are supposedly visiting. The pop-up window doesn’t have a menu either, but it does have a little padlock. If you click on that, it says that “Verisign” (who are they?) have issued the certificate to “hsss1.hsbc.co.uk”. What’s “hsss1”? And what’s it got to do with Sheffield, South Yorkshire, GB?
How is the man using the Clapham ISP ever going to trust the Internet?
I was at a seminar on online banking fraud today. It was organised by Verisign and kicked off with a very good talk by Colin Whittaker of APACS, who explained the size of the phishing problem in the U.K. and the key trends. While he was doing this, I kept thinking about my e-mail. What I was thinking was that marketing people don’t understand security. Sending out this e-mail helps the phishers, because it conditions customers to getting e-mails from the bank and clicking on links. But marketing people do understand hassle, and customers don’t really want to have to jump through hoops, especially to get to their own money. They seem to think that it’s the banks’ problem. Perhaps the way through this is to focus on using the token that the consumers already have — the mobile phone — rather than giving them a new one.
Precious few tokens have been issued. Colin talked about the U.K. situation with respect to two-factor authentication (2FA) using chip-and-PIN cards with cheap calculator-style readers to generate one-time passwords (OTPs). This is generally called Dynamic Password Authentication (or DPA) now. It’s been standardised for a while (i.e., MasterCard Chip Authentication Protocol, CAP) but hasn’t been deployed into the mass market, possibly because phishing losses are still very small. The situation doesn’t seem much clearer in the U.S., where banks and others are finding that complying with the FFIEC’s existing recommendation on two-factor authentication is proving more difficult than imagined, with some institutions unsure where to begin risk assessment and others suffering “paralysis-by-analysis” when faced with the growing array of solutions: mutual authentication, biometrics, risk-based authentication (which Verisign were talking about this morning), digital certificates and so on. Incidentally, Glenbrook’s Linda Elliott has an excellent overview of the activities of U.S. institutions if you want to get an up-to-date picture.
One thing I did find interesting at the seminar was that the Verisign “VIP” service (essentially an OATH-compliant outsourced solution), which already has eBay and PayPal on board, has signed up its first couple of financial institutions. I use eBay and PayPal all the time, and I think I’d be happy to pay a few euros for a token for two-factor authentication to access them, so long as I could use the same token for both. If I had already purchased a token and then my bank allowed me to use it for home banking log-in, I’d be pretty happy. I wonder if, when they have a few million tokens out there, banks will simply start using them as well, rather than deploy the industry solution (i.e., DPA), because it’s just too much hassle to do it themselves?
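For readers wondering what “OATH-compliant” means for a token shared across several services, here is an added illustration (not code from this post, from Verisign or from any bank) of the event-based OATH algorithm, HOTP from RFC 4226, together with the look-ahead check a verifying service performs; the secret and expected codes are the RFC’s own published test values, not a real token seed.

```python
import hmac
import hashlib
import struct

# RFC 4226 Appendix D test secret (published in the RFC, not a real seed)
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """OATH HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of last byte picks the 4-byte slice
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side of one token. A code is accepted only if it matches a
    counter in [next_counter, next_counter + window); the verifier then
    moves past that counter, so the same code cannot be replayed.  The
    look-ahead window tolerates codes the user generated but never
    submitted (a pressed button, a failed page load)."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.next_counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # consume this and any skipped ones
                return True
        return False
```

Each service that accepts the token keeps its own counter, which is why a shared-token scheme like VIP needs a central verifier rather than every bank tracking counter state independently.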
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.