HSBC: How will we verify business banking customers? Selfies! UK bank HSBC will allow business customers to open new bank accounts using selfies as part of plans to simplify its application process. The bank will use facial recognition software to verify self-portrait photos taken by customers using their smartphones. A headshot selfie is then assessed against an ID document uploaded by …
Just a note that Androids "unlock with fizzog" feature had a "require live" check (which needed the eyes to blink) to avoid being fooled with a photo.
So if HSBC don't offer it (which wouldn't surprise me), it's a fair question what the fuck they have been paying themselves for over the years.
"What’s more, 80 per cent of consumers believe biometric authentication is more secure than traditional usernames and passwords"
And?
I'm not interested in what a percentage of customers believe on security as I doubt they are all security experts.
I'm interested in proper measures of how secure the different options are, not uninformed opinions.
Wonder how long it will be before a red faced bald bloke draws a good likeness of themselves on their helmet and gets approved by the facial recognition algorithm
Yay, bank security specified by the Jeremy Kyle audience. What could possibly go wrong?
It give sone the same peace of mind as Barclays' voice recognition and contactless payments. Presumably the banks have worked out they can shift responsibility onto other people and in the worst case get bailouts.
Like Barclays know their own security.
Last month I was told I am unable to withdraw cash from my current account because my chip and sign account/card needs to be pin verified, and that Barclays don't issue chip and sign cards.
This is while holding a chip and sign barclays debit card in my hand, of course.
Is this the same HSBC that I had to give up trying to open an account with after 4 months, because their system was so inflexible that they couldn't handle that my passport had my full name of John Jack Smith*, my gas bill had the name John Smith and my telephone bill had the name John J Smith. It was ludicrous. I had to go in every 2 weeks with my documents over and over again, and each time it came back that I had to go in again because the names didn't match.
I tried getting my gas bill and phone bill adjusted, but it was impossible to get my middle name in full on the bills.
In the end I opened the account up with Barclays, took about half an hour and no documents were checked or asked for.
*not my real name
If it's any consolation, HSBC in Canada has all the same drawbacks, exacerbated by our greater distances. Highly bureaucratic, ineffective website, decreasing number of branches, poor email or secure response, ineffective telephone presence, reluctance even to engage the post. I would say they're worse than 4 of Canada's "big five" banks, and worse than your typical small bank or credit union too. Speaking as somebody who tried to "make it work" for many a year.
Maybe HSBC think they'll get more new customers if the suckers don't see inside their local branch first.
You're lucky to have a local branch, ours closed in July, so our "local" branch is now 20 miles away.
Of course, HSBC is happy to believe that all the local pensioners who previously used the branch have cars or use the internet...
"You're lucky to have a local branch, ours closed in July, so our "local" branch is now 20 miles away."
When I told HSBC I'd be closing my account (as they'd closed the most convenient local branch) they asked me to come in to discus it. I offered to come into that same branch. They failed to take me up on my offer. As to internet banking - that was the other reason: they insisted they didn't support Mozilla on Linux.
"As to internet banking - that was the other reason: they insisted they didn't support Mozilla on Linux."
When it comes to internet banking, it's plain that HSBC's left and right hands aren't speaking to one another.
That aside, their internet banking does work on Mozilla on Linux - not only that but I find it works *better* on Mozilla on Linux than it does on Windows. However, things may have changed between whenever that was and now.
"That aside, their internet banking does work on Mozilla on Linux - not only that but I find it works *better* on Mozilla on Linux than it does on Windows."
It worked perfectly well for me. This came when their clunky arrangement for online payment from a current account to a credit card fell over in the middle & I got in touch to give them a friendly heads-up. I couldn't get past the "what are you using bit". They repeated this in writing. I didn't even want them to support my software - I just wanted them to support their own.
Last time I looked at HSBC group in the form of 1st Direct there was the admonishment that you shouldn't use it on a LAN. Now I can see that they were probably thinking of "don't use in in an internet cafe/public library/office network". But without digging out an ancient dial-up modem - if I could find one, I couldn't use my home laptop because it connects to the net via a TCP/IP connection to the router which I reckon makes it a LAN. I told them about it. Months later they were still saying the same thing and, of course, it gives them wriggle room if anything goes wrong.
HaHa Rapport
I was trying to login to a client's Router to do some port-forwarding one day. Typing in the Router's Username and Password caused Rapport to spring into action and ask me if I wanted to continue on the basis that this was a Secure Password. I asked the client about this and he sheepishly admitted that he used the same password for his banking.
Now if I was a hacker Rapport would be a good friend of mine...
I remember having a similar encounter with Rapport a very long time ago. In my case, I was setting up something at a client (may or may not have been a router - I really can't remember) and I asked the client what they wanted to use as a password. As soon as I typed in what they suggested, Rapport promptly told me that it was already in use - in fact, I'm sure it actually *said* it was the password for the bank log-in (or something equally sensitive).
I removed rapport from a client's PC due to the fact he didn't have permission to install it (and infact, we're not 100% how he did).
I filled the "why you are removing this" form it gave on uninstalling in with the words "non-authorised software installed", including my details.
I got a call from them accusing me of claiming Rapport is illegal software, and they have every right to get people to install it (whether they are allowed to or not).
"What’s more, 80 per cent of consumers believe biometric authentication is more secure than traditional usernames and passwords"
Of course 100% understand it is a lot harder to change your biometrics than your password and that while it is hard to remember a complex password (assuming you are allowed to set one) it is relatively simple to 'borrow' someone's biometrics through a number of techniques. When a fingerprint scanner can be fooled by little more than a photocopy it hardly classes as a security measure.
Mythbusters, a few years back, actually showed how easy it was to fool fingerprint scanners. I suspect the basic technique is much different now. The only issue with biometric data is it relies on a form of security by obscurity. Once you have the victim's biometric data is relatively easy to fool the systems but getting the biometric data initially may be a little more difficult. Also, once compromised the biometric data is useless for security.
Once you have the victim's biometric data is relatively easy to fool the systems but getting the biometric data initially may be a little more difficult.
I think I mentioned this on another article about biometric security for banking. The problem here is that while the bank *may* make it somewhat hard to steal the biometric details, others won't. This whole thing is a fad which is why that twat in the article was gushing over it. He's a salesman, it's a fucking retarded sales-gimmick.
So fast-forward a few years after "trendsetters" like HSBC et al start using this. The cost of incorporating biometric bullshit into websites will drop drastically and like online shopping carts there'll be hundreds of vendors offering them and millions of businesses using them. A lot of those vendors will put out products with shit security around the biometrics, and a lot of the companies using them will ignore what little advice they may get from the vendor.
So the clever hackers won't bother trying to get past HSBC's security (which may well be laughable anyway) they'll just go for the low-hanging fruit and crack the db on smaller site.
One of the main pieces of security advice out there is don't reuse passwords across sites, particularly not important ones. But now this gaggle of retards pushing biometrics-as-password are going to force everyone to use the same password everywhere. One which they can't hide very easily, can *never* change and undoubtedly *will* get cracked by someone and then spunked all over the net. Forever.
It's exactly this sort of gimmicky bullshit being pushed by spivs and conmen that is going to fuck everybody in the arse in a few years, but as long as these pricks can make a few quid now they'll happily piss in the well the rest of us have to drink from.
“Currently biometric identification is seen as the higher standard for verifying identity. Not only is it not prone to forgetfulness like the password; it is also more secure. What’s more, 80 per cent of consumers believe biometric authentication is more secure than traditional usernames and passwords, which often end up on Post-It notes,”
Well, all this proves is Richard Lack is a clueless bellend. Biometric is username, not password so he's just proved he's eminently unqualified to offer security advice.
Seems like their system has a massive flaw in it too (aside from just using facial-recognition). Apparently I can open a business account with them by uploading a photo of "myself", and a photo of "my" driving license. HSBC must consider themselves very fortunate that photo-manipulation software capable of turning out an authentic-looking but utterly fake picture of a driving license doesn't exist. Otherwise there's a good chance some untrustworthy types could start setting up accounts in all sorts of names and identities that don't belong to them.
The one upside, I suppose, is that if I ever want to log into Eric Pickles' bank account I can just draw an angry face on my thumb and hold it up to a webcam...
if it sort of works, all the other banks will leap on the idea and use it themselves
Right upto the point where every bank has about 430 million customers and needs to be bailed out again because of the amount of fraud going on....
Oh and the directors will fire another 10 000 people to boost short term profits so they can walk away with a big fat bonus.... just days before the bank implodes
Me cynical???? Never!!!!
Four exclamation marks... A sure sign of a deranged mind..
But given HSBCs previous abilities to listen to customers I won't be surprised if this is a complete disaster, I mean why change the habit of a lifetime? Like forcing customers to use those god awful RSA keycard things, or accidentally charging accounts for shares that don't exist, for a service that's entirely unwanted, then taking months to pay the money back, while claiming to have paid it...
Still no worse than any other bank on the planet.. Where's Albert Spangler when you need him..
The effectiveness of facial biometrics - for identification or authentication - is not the issue.
It's the circumstances under which the biometric data are acquired. The risk owner needs confidence that the presented biometric data is indeed that associated with the person for whom it is claimed to be biometric data.
Selfies create endless opportunities for unsupervised acquisition.
So wish good luck to HSBC; they'll probably need it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
