[cryptography] [Cryptography] HSBC's Password Approach: Impressive

John Levine johnl at iecc.com
Thu Dec 26 00:22:32 EST 2013

>> They are being pretty clever to make up for terrible endpoint security.
>Yeah, all that might work for non-brick-and-mortar stuff you maybe care about,
>say email [1], and your fave pornsite. But really... you need to be able to
>demand a hardware OTP token from your bank and brokerage...

They do that, too.  I have accounts at six of HSBC's banks, of which five have
some sort of token protection.  You can see four of them here:


For the fifth one, they gave me a choice of another token or an app
running on my Android tablet so I took the app.

They have a federated authentication setup so when you're logged into
a bank in one country, you can switch to banks in most other countries
where you have an account without logging in again.  Most require the
token when you switch, one gives you read only access if you don't
have the token.

The one bank that doesn't offer a token is the one in the U.S., by the way.
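The access pattern described above (one federated login, a per-bank OTP step-up when you switch, and read-only access as a fallback where the bank allows it) can be modelled in a few lines. The following is an added example, not anything from the original post or from HSBC: the bank names, the access levels and the policy flags are hypothetical, the OTP check is a straight RFC 4226 HOTP implementation using the RFC's published 20-byte test secret, and the look-ahead window and replay handling are the ordinary server-side practice, not a description of any specific bank's token.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Session:
    """Federated session: the user has already logged in with a password at
    one bank; switching to another bank does not repeat that login."""
    user: str


@dataclass
class Bank:
    """Hypothetical per-bank policy (constructed for this example)."""
    name: str
    step_up_required: bool         # token needed for anything beyond login
    read_only_fallback: bool       # without a token, allow read-only access
    token_secret: Optional[bytes]  # None: this bank issues no token at all
    token_counter: int = 0         # next counter the server expects
    look_ahead: int = 5            # tolerate a few unused token presses

    def verify_token(self, code: str) -> bool:
        """Accept a code within the look-ahead window, then move the counter
        past it so the same code can never be replayed."""
        if self.token_secret is None:
            return False
        for c in range(self.token_counter, self.token_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                self.token_counter = c + 1
                return True
        return False


def switch_to(bank: Bank, session: Session, code: Optional[str] = None) -> str:
    """Access level granted when an already-logged-in user switches to `bank`:
    'full', 'read-only' or 'denied'. The OTP is checked per bank, so a token
    shown to one bank does not carry over to another."""
    if code is not None and bank.verify_token(code):
        return "full"
    if not bank.step_up_required:
        return "full"
    if bank.read_only_fallback:
        return "read-only"
    return "denied"


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; "287082" is the code for counter 1.
    secret = b"12345678901234567890"
    session = Session("alice")
    strict = Bank("Bank A", True, False, secret)
    lenient = Bank("Bank B", True, True, secret)
    no_token = Bank("Bank C", False, False, None)
    print(switch_to(strict, session))             # denied
    print(switch_to(strict, session, "287082"))   # full
    print(switch_to(strict, session, "287082"))   # denied (replay)
    print(switch_to(lenient, session))            # read-only
    print(switch_to(no_token, session))           # full
```

The replay check matters as much as the code match: once a counter value has been accepted, the server's counter moves past it, so a captured token code cannot be reused even within the look-ahead window.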


