>> They are being pretty clever to make up for terribly endpoint security. > >Yeah, all that might work for non brick and mortar stuff you maybe care about, >say email [1], and your fave pornsite. But really... you need to be able to >demand a hardware OTP token from your bank and brokerage...
They do that, too. I have accounts at six of HSBC's banks, of which five have some sort of token protection. You can see four of them here: http://obvious.services.net/2013/07/better-have-big-pockets-if-you-want.html For the fifth one, they gave me a choice of another token or an app running on my Android tablet so I took the app. They have a federated authentication setup so when you're logged into a bank in one country, you can switch to banks in most other countries where you have an account without logging in again. Most require the token when you switch, one gives you read only access if you don't have the token. The one bank that doesn't offer a token is the one in the U.S., by the way. R's, John _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
