HSBC: How will we verify business banking customers? Selfies! UK bank HSBC will allow business customers to open new bank accounts using selfies as part of plans to simplify its application process. The bank will use facial recognition software to verify self-portrait photos taken by customers using their smartphones. A headshot selfie is then assessed against an ID document uploaded by …
Just a note that Androids "unlock with fizzog" feature had a "require live" check (which needed the eyes to blink) to avoid being fooled with a photo.
So if HSBC don't offer it (which wouldn't surprise me), it's a fair question what the fuck they have been paying themselves for over the years.
"What’s more, 80 per cent of consumers believe biometric authentication is more secure than traditional usernames and passwords"
And?
I'm not interested in what a percentage of customers believe on security as I doubt they are all security experts.
I'm interested in proper measures of how secure the different options are, not uninformed opinions.
Wonder how long it will be before a red faced bald bloke draws a good likeness of themselves on their helmet and gets approved by the facial recognition algorithm
Yay, bank security specified by the Jeremy Kyle audience. What could possibly go wrong?
It give sone the same peace of mind as Barclays' voice recognition and contactless payments. Presumably the banks have worked out they can shift responsibility onto other people and in the worst case get bailouts.
Like Barclays know their own security.
Last month I was told I am unable to withdraw cash from my current account because my chip and sign account/card needs to be pin verified, and that Barclays don't issue chip and sign cards.
This is while holding a chip and sign barclays debit card in my hand, of course.
Is this the same HSBC that I had to give up trying to open an account with after 4 months, because their system was so inflexible that they couldn't handle that my passport had my full name of John Jack Smith*, my gas bill had the name John Smith and my telephone bill had the name John J Smith. It was ludicrous. I had to go in every 2 weeks with my documents over and over again, and each time it came back that I had to go in again because the names didn't match.
I tried getting my gas bill and phone bill adjusted, but it was impossible to get my middle name in full on the bills.
In the end I opened the account up with Barclays, took about half an hour and no documents were checked or asked for.
*not my real name
If it's any consolation, HSBC in Canada has all the same drawbacks, exacerbated by our greater distances. Highly bureaucratic, ineffective website, decreasing number of branches, poor email or secure response, ineffective telephone presence, reluctance even to engage the post. I would say they're worse than 4 of Canada's "big five" banks, and worse than your typical small bank or credit union too. Speaking as somebody who tried to "make it work" for many a year.
Maybe HSBC think they'll get more new customers if the suckers don't see inside their local branch first.
You're lucky to have a local branch, ours closed in July, so our "local" branch is now 20 miles away.
Of course, HSBC is happy to believe that all the local pensioners who previously used the branch have cars or use the internet...
"You're lucky to have a local branch, ours closed in July, so our "local" branch is now 20 miles away."
When I told HSBC I'd be closing my account (as they'd closed the most convenient local branch) they asked me to come in to discus it. I offered to come into that same branch. They failed to take me up on my offer. As to internet banking - that was the other reason: they insisted they didn't support Mozilla on Linux.
"As to internet banking - that was the other reason: they insisted they didn't support Mozilla on Linux."
When it comes to internet banking, it's plain that HSBC's left and right hands aren't speaking to one another.
That aside, their internet banking does work on Mozilla on Linux - not only that but I find it works *better* on Mozilla on Linux than it does on Windows. However, things may have changed between whenever that was and now.
"That aside, their internet banking does work on Mozilla on Linux - not only that but I find it works *better* on Mozilla on Linux than it does on Windows."
It worked perfectly well for me. This came when their clunky arrangement for online payment from a current account to a credit card fell over in the middle & I got in touch to give them a friendly heads-up. I couldn't get past the "what are you using bit". They repeated this in writing. I didn't even want them to support my software - I just wanted them to support their own.
Last time I looked at HSBC group in the form of 1st Direct there was the admonishment that you shouldn't use it on a LAN. Now I can see that they were probably thinking of "don't use in in an internet cafe/public library/office network". But without digging out an ancient dial-up modem - if I could find one, I couldn't use my home laptop because it connects to the net via a TCP/IP connection to the router which I reckon makes it a LAN. I told them about it. Months later they were still saying the same thing and, of course, it gives them wriggle room if anything goes wrong.
HaHa Rapport
I was trying to login to a client's Router to do some port-forwarding one day. Typing in the Router's Username and Password caused Rapport to spring into action and ask me if I wanted to continue on the basis that this was a Secure Password. I asked the client about this and he sheepishly admitted that he used the same password for his banking.
Now if I was a hacker Rapport would be a good friend of mine...
I remember having a similar encounter with Rapport a very long time ago. In my case, I was setting up something at a client (may or may not have been a router - I really can't remember) and I asked the client what they wanted to use as a password. As soon as I typed in what they suggested, Rapport promptly told me that it was already in use - in fact, I'm sure it actually *said* it was the password for the bank log-in (or something equally sensitive).
I removed rapport from a client's PC due to the fact he didn't have permission to install it (and infact, we're not 100% how he did).
I filled the "why you are removing this" form it gave on uninstalling in with the words "non-authorised software installed", including my details.
I got a call from them accusing me of claiming Rapport is illegal software, and they have every right to get people to install it (whether they are allowed to or not).
"What’s more, 80 per cent of consumers believe biometric authentication is more secure than traditional usernames and passwords"
Of course 100% understand it is a lot harder to change your biometrics than your password and that while it is hard to remember a complex password (assuming you are allowed to set one) it is relatively simple to 'borrow' someone's biometrics through a number of techniques. When a fingerprint scanner can be fooled by little more than a photocopy it hardly classes as a security measure.
Mythbusters, a few years back, actually showed how easy it was to fool fingerprint scanners. I suspect the basic technique is much different now. The only issue with biometric data is it relies on a form of security by obscurity. Once you have the victim's biometric data is relatively easy to fool the systems but getting the biometric data initially may be a little more difficult. Also, once compromised the biometric data is useless for security.
Once you have the victim's biometric data is relatively easy to fool the systems but getting the biometric data initially may be a little more difficult.
I think I mentioned this on another article about biometric security for banking. The problem here is that while the bank *may* make it somewhat hard to steal the biometric details, others won't. This whole thing is a fad which is why that twat in the article was gushing over it. He's a salesman, it's a fucking retarded sales-gimmick.
So fast-forward a few years after "trendsetters" like HSBC et al start using this. The cost of incorporating biometric bullshit into websites will drop drastically and like online shopping carts there'll be hundreds of vendors offering them and millions of businesses using them. A lot of those vendors will put out products with shit security around the biometrics, and a lot of the companies using them will ignore what little advice they may get from the vendor.
So the clever hackers won't bother trying to get past HSBC's security (which may well be laughable anyway) they'll just go for the low-hanging fruit and crack the db on smaller site.
One of the main pieces of security advice out there is don't reuse passwords across sites, particularly not important ones. But now this gaggle of retards pushing biometrics-as-password are going to force everyone to use the same password everywhere. One which they can't hide very easily, can *never* change and undoubtedly *will* get cracked by someone and then spunked all over the net. Forever.
It's exactly this sort of gimmicky bullshit being pushed by spivs and conmen that is going to fuck everybody in the arse in a few years, but as long as these pricks can make a few quid now they'll happily piss in the well the rest of us have to drink from.
“Currently biometric identification is seen as the higher standard for verifying identity. Not only is it not prone to forgetfulness like the password; it is also more secure. What’s more, 80 per cent of consumers believe biometric authentication is more secure than traditional usernames and passwords, which often end up on Post-It notes,”
Well, all this proves is Richard Lack is a clueless bellend. Biometric is username, not password so he's just proved he's eminently unqualified to offer security advice.
Seems like their system has a massive flaw in it too (aside from just using facial-recognition). Apparently I can open a business account with them by uploading a photo of "myself", and a photo of "my" driving license. HSBC must consider themselves very fortunate that photo-manipulation software capable of turning out an authentic-looking but utterly fake picture of a driving license doesn't exist. Otherwise there's a good chance some untrustworthy types could start setting up accounts in all sorts of names and identities that don't belong to them.
The one upside, I suppose, is that if I ever want to log into Eric Pickles' bank account I can just draw an angry face on my thumb and hold it up to a webcam...
if it sort of works, all the other banks will leap on the idea and use it themselves
Right upto the point where every bank has about 430 million customers and needs to be bailed out again because of the amount of fraud going on....
Oh and the directors will fire another 10 000 people to boost short term profits so they can walk away with a big fat bonus.... just days before the bank implodes
Me cynical???? Never!!!!
Four exclamation marks... A sure sign of a deranged mind..
But given HSBCs previous abilities to listen to customers I won't be surprised if this is a complete disaster, I mean why change the habit of a lifetime? Like forcing customers to use those god awful RSA keycard things, or accidentally charging accounts for shares that don't exist, for a service that's entirely unwanted, then taking months to pay the money back, while claiming to have paid it...
Still no worse than any other bank on the planet.. Where's Albert Spangler when you need him..
The effectiveness of facial biometrics - for identification or authentication - is not the issue.
It's the circumstances under which the biometric data are acquired. The risk owner needs confidence that the presented biometric data is indeed that associated with the person for whom it is claimed to be biometric data.
Selfies create endless opportunities for unsupervised acquisition.
So wish good luck to HSBC; they'll probably need it.
You are asked to verify one piece of likeness with another one that you provide.
So if you upload your passport or driving licence with a doctored photo you could probably open a bank account with your dick.
As for proof of life.. there would be some satisfaction (maybe a lot if you do it right) in waving your dick at your banks login screen.
It comes down to a point, or better, many points of trust.
In HSBCs case your license or passport, which are themselves built up on trust of a number of official forms of identification.
These are interrelated from different government or business offices which have separately identified you. Your passport, license, birth certificate, a document addressed to you.
If you use biometrics, that biometric data should be taken by a trusted agent and stored in a trusted place.
Then there has to be a way to officially verify the voracity of that proof. It shouldn't be within one company but use a web of trust. If two or three trusted samples are held in different organisations and can be cross checked there is improved trust. A person can be identified with a percentage of trust depending on a range of factors.
It's bigger than just HSBC.
"These are interrelated from different government or business offices which have separately identified you. Your passport, license, birth certificate, a document addressed to you."
All from different places and all forged before uploading.
"If two or three trusted samples are held in different organisations and can be cross checked there is improved trust"
...and a potential offence under the DPA.
In HSBCs case your license or passport, which are themselves built up on trust of a number of official forms of identification.
My passport is a renewal of the one before; no further ID was required.
That passport was also a renewal.
The one before that was issued on the basis of my birth certificate alone. And that birth certificate was printed out for me on the basis of going the the records office with my name and date of birth...
It's the thick end of 30 years since I had to do all that, so I don't know if things are more effective these days - but I can't be the only one in the country with the root of the web of trust being myself.
For the removal of doubt: yes, I am the person I claimed to be back then.
Vic.
My first passport was acquired in the same manner although it was my original birth certificate, 2 signed photos (they never checked the endorsement) and some cash at the passport office, took about an hour.
My driving licence required a form and a £1 note at the post office, no checks were made then nor have been made since.
I had lost my original birth certificate when I needed a marriage licence, a trip to the original registras office and a few quid got me a replacement, there were no checks at all (and this was 20 years after The Day of the Jackal had been published).
Still that was in the days before there was any fraud, terrorists, illegal immigrants or children. /s
...and IT staff have been cut drastically in UK in favour of cheaper non-UK staff for whom its a job not a career and without the depth of knowledge of the systems developed over decades. Anyway I was very happy with my departure package and early pension. But as an IT geek I set up my own business. After a few years it came time to move on from that, I closed it down and opened another with a different focus. So I went back to HSBC to open a new business account for the new business. I was told I'd need an interview and that the first available appointment was in 6 weeks time - despite being a Premier customer, known to them as an employee and a customer for 30 years and having previously had a business account (and with no requirement of borrowing or overdraft).
I phoned round several other banks asking "how long will it take to open a business account". All quoted about 6 weeks to open a business account except Barclays who said "it only takes a week!" but then went on to clarify that first I needed an interview and the first available appointment would be in about 6 weeks. In all cases I get the impression this is simply because they have too few staff qualified to do that interview.
As I needed to accept non-cash payments and make payments immediately I had to resort to an alternative to conventional banking.
So the potential good news from this story is the aim to halve the account set up time (but still too long). As for the face recognition ID thing: yes it sounds like garbage but I'd wait to see the full details. Cynical as I am about HSBC I still think they're not THAT stupid (but the current online banking and web site does give me grounds to question my confidence...). Stupid usually comes from the marketing and PR guys who don't understand the proposals and simplify the announcements to attention grabbing press releases.
An interesting issue arises if a business changes hands. Will the bank suspend the account until the new owners have provided their selfies? The "identity" of a limited company is not the same as that of its directors, at law in some ways it's a person in its own right so they need a selfie of the limited company...
Also it's interesting to ponder how much of the billions HSBC have faced in fines and compensation in recent times might have been saved had the board been doing their jobs properly - like paying a premium for competent staff and valuing their expertise and contribution rather than considering them a commodity and looking for the cheapest (and not buying failing Banks in the Americas and then failing to recognise, far less address, their shortcomings). My few residual shares would be worth ten times current value.
"well-proven facial recognition technology which has been around for decades"
So, he's saying that people have been taking selfies with their phones for decades already ?
The only thing that has been well-proven with every single "biometric" technology is that they are not reliable and can generally be easily faked or worked around.
What has also been widely discussed is the fact that if your biometrics are compromised, there is no backup solution. Not to mention that fingers are easy to detach from hands.
This whole biometrics malarky is a disaster waiting to happen. Passwords may not be the best solution, but changing them is easy as pie.
Very scary stuff.
I reckon it probably is still illegal for them to take a photo of you everytime you use an ATM.....
Moot point for me though.....as I still can't get a bank account as I do not have multiple forms of machine readable state sanctioned Photo ID. So I'm homeless, unemployable and all the rest that goes with it.
Been in this situation for over a decade.
I keep asking now and then but it is doubtful that anybody will be able to suggest anythng that I have not already tried repeatedly. :-(
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
