First Direct 'Secure Keys'

This topic was created by stu 4.

  1. stu 4

    First Direct 'Secure Keys'

    Oh man... this is gonna be a rant - interested in opinions. imho this is crying out for a news story.

    So... First Direct have now changed the way you log on for internet banking..

    old way:

    - combination of answer to common question (low security, easily phished). i.e. what was the name of your school (oh - let's have a look on Facebook, etc.)

    - entering 3 characters of your password (pretty high security providing proper password naming rules are applied)

    new way:

    - you MUST use a secure key (either a physical one or one on your phone - which they call an 'electronic secure key' as if the other one isn't electronic....)

    - same answer to common question required

    - enter secure key code

    That's it - you are now in and can steal all my money.

    Now, whenever I have used SecurID-type keys before they are an additional level of security - I still need my regular password as well - e.g. VPN use for company, etc, etc.

    Here, they have TAKEN AWAY the password !!!

    So lose yer phone (or physical key) and the thief simply needs to guess (or easily find on the phone or social media) your answer to the common question, and they are in.

    WTF!!!

    The only person this seems to protect is First Direct! - What? You got all your money stolen? Did you lose your phone (yes)? Did you tell us immediately (no... I didn't realise it was lost/stolen till the next day)... well that's not our problem is it - you've been careless, tough shit.

    What they CAN say is that without the secure key it's less likely someone can get into your account - but with proper password security this was unlikely anyway.

    They are just covering their arse, and giving the end user a far less secure service than before.

    So, for me, that's the end of internet banking. I can still do some stuff without a secure key and will just have to call them when I want to do other things.

    This is typical of banks (the Verified by Visa shite is another example of 'implementing a system which adds FA extra security but covers the bank's arse').

    1. Phil W

      Re: First Direct 'Secure Keys'

      Been using this for some time with HSBC, they brought it in a while ago.

      I have to say, apart from the inconvenience of having and forgetting/leaving at home my SecureKey instead of just memorising my passwords and codes, I don't see a problem (with the physical SecureKey anyway; HSBC don't do the app version).

      The key is only of use to someone who steals/finds it if they guess your PIN, which is 4-6 digits, so it's at least as secure as your credit/debit card. The PIN can be reset using the answers to your security questions, sure, but the same can be said for phoning them up and claiming to have forgotten your phone banking password. The solution here is to make the answers to your security questions lies that you only use with HSBC/FD. (For instance saying your favourite author is Oolon Colluphid and that your grandfather was called Hig Hurtenflurst.)

      The biggest problem I've found is that so far I've broken the LCD on my key 3 times and had to get a replacement, and been unable to access my online banking in the meantime.

    2. Necronomnomnomicon

      Re: First Direct 'Secure Keys'

      Why is your security code vulnerable? You need to enter a password to get it, which can be different to your actual First Direct account password?

      So for a thief to get the data out of my phone, they'd need to

      A) bypass the lock screen (OK, fairly trivial)

      B) Guess the Digital Secure Key password (which as a sensible person, I have made a random string and stored in KeePass, which I keep in sync via OwnCloud - other file syncing services are available)

      C) Take that secure key and enter it on the First Direct website, having guessed or otherwise found both my username and the answer to my security question.

      You can still log in with your security question and a few password characters - but as that's not two-factor, you can't transfer money, only view stuff.

      Seems more secure to me.

  2. turbulenthair

    You mention concerns with security because of the loss of password, and the generic easily obtainable answers to generic questions.

    What you are perhaps not aware of is that you can set your own security question, to be anything you like.

    e.g. "What would be a complex password for accessing my First Direct account?"

  3. Julian Bradfield

    How's the secure code made?

    As far as I can see, there's no challenge, just a response. If it's a one time pad, what happens if it gets out of sync? If it's not a one-time pad, what's it doing?
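The question above (no challenge, just a response, and what happens when the key gets out of sync) is the standard problem for counter-based tokens. The following is an added example, not code from this thread and not First Direct's or HSBC's actual scheme, which nobody in the thread describes: it assumes the key is an HOTP-style counter-based token (the RFC 4226 construction, using that RFC's published test-vector key as a constructed demo secret) and shows the server-side verifier with a look-ahead window, which is how a key that has been pressed a few times without the codes being used gets back in sync, plus the two-consecutive-codes resynchronisation used when the drift is larger than the normal window.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time code (RFC 4226 construction).

    The shared secret and the counter are the only inputs: there is no
    challenge from the server, which matches what the thread observes.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Server-side state for one issued key: the shared secret plus the
    next counter value the bank expects to see (assumed design)."""

    def __init__(self, secret: bytes, window: int = 10) -> None:
        self.secret = secret
        self.counter = 0          # next unused counter value
        self.window = window      # how far ahead the device may have drifted

    def verify(self, code: str) -> bool:
        """Accept a code if it matches one of the next `window` counters.

        A key pressed a few times without the codes being submitted moves
        ahead of the server; the look-ahead window absorbs that. On success
        the stored counter jumps past the accepted value, so the same code
        can never be replayed and any skipped codes are invalidated too.
        """
        for step in range(self.window):
            candidate = self.counter + step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1
                return True
        return False

    def resync(self, first: str, second: str, max_window: int = 100) -> bool:
        """Recover from drift beyond the normal window: require two
        consecutive codes from the device, which is far harder to guess
        than one, and search a larger range for the matching pair."""
        for step in range(max_window):
            candidate = self.counter + step
            if (hmac.compare_digest(hotp(self.secret, candidate), first)
                    and hmac.compare_digest(hotp(self.secret, candidate + 1), second)):
                self.counter = candidate + 2
                return True
        return False


class Device:
    """The key in the customer's hand: same secret, its own counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226 test-vector key), not a real key.
    secret = b"12345678901234567890"
    bank = TokenRecord(secret, window=5)
    key = Device(secret)

    key.press(); key.press()                  # two codes shown but never used
    third = key.press()
    print("third code accepted:", bank.verify(third))   # absorbed by the window
    print("replay accepted:", bank.verify(third))       # rejected: counter moved on
    for _ in range(20):
        key.press()                           # drift well beyond the window
    a, b = key.press(), key.press()
    print("single code after big drift:", bank.verify(a))
    print("two-code resync:", bank.resync(a, b))
```

The two things a defender should take from it: the server never accepts a counter at or below the one it has already consumed (so a code seen once is dead, whatever happens to the key), and a genuinely desynchronised key is not a lost cause but needs a second code before the bank will move its counter a long way forward.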

  4. Paul 77

    Fail

    Yup, in the middle of the Pacific right now. Come to use the secure key, and, you guessed it, the display is shot. I don't know who they are getting to make these devices, but the Nationwide one that I also have has never had a problem (other than dead batteries (pair of CR2032)). Not impressed.
