HSBC Weakens Their Internet Banking Security

From a recent email about “changes to your terms and conditions”. (“Secure Key” is their dedicated keyfob 2-factor solution; it’s currently required both to log in and to pay a new payee. It’s rather well done.)

These changes will also enable us to introduce some enhancements to our service over the coming months. You’ll still have access to the full Internet Banking service by logging on with your Secure Key, but in addition, you’ll also be able to log in to a limited service when you don’t use your Secure Key – you’ll simply need to verify your identity by providing other security information we request. We’ll contact you again to let you know when this new feature becomes available to you.

Full details of all the changes can be found below which you should read carefully. If you choose not to accept the changes, you have the right to ask us to stop providing you with the [Personal Internet Banking] service, before they come into effect. If we don’t hear from you, we’ll assume that you accept the changes.

Translation: we are lowering the security we use to protect your account information from unauthorised viewing and, as long as you still want to be able to access your account online at all, there’s absolutely nothing you can do about it.

8 thoughts on “HSBC Weakens Their Internet Banking Security”

  1. The Halifax doesn’t even have two-factor security on their bank accounts.

    Halifax online banking is protected by a password and…. drum-roll…. a second password. Two-factor security, as understood by a teenager on work-experience… and implemented by a major high-street bank in 2014.

  2. Ditto for Nationwide, who have a keyfob which requires your card to work… but let you bypass that with 3 random numbers or memorable data. Because someone, in their infinite wisdom, decided that having a 6 digit code of which you need to remember half, in random positions, is just as secure (well, that or knowing the name of your dog, the first car you owned, and whatever else you picked as security questions or whatever).

    Compared with my Dutch bank who just have the keyfob, and only for their mobile app let you lower the security (but that’s all opt-in on your side, requires 2-factor auth to set up and is tied to your phone and phone number (even if I’ll happily believe that’s spoof-able)).

    That and I still can’t fathom why this country still uses cheques. “Here’s a slip of paper verified only by signature” with arcane customs as to how you’re meant to ensure people don’t add zeroes to the end (or letters to the front) of the exact sum you want to pay…

  3. Well, the devil is in the detail. First Direct, owned by HSBC, introduced Secure Key (which may or may not be the same) and now require it for *some* online banking functions which were previously only password-protected. The only significant one was the ability to set up a new payee. I opted not to have a secure key.
    So it depends on the nature of this ‘limited service’ surely?

    • At the moment, Secure Key is required for all logins and for paying a new payee. In the future, it will be possible to log in and view information without a Secure Key. So this is a weakening of security.

      HSBC should implement a per-account “off switch” for the new capabilities.

  4. First off, providing what I assume is read-only access without requiring two factor isn’t a bad idea. Two-factor is very annoying…

    Anyways, your bank should cover you for any losses, right? I guess you never know in America. My point is, you should be happy that your bank cares enough about convenience to take a risk on you… Instead of just being overly paranoid.

    Don’t envy the people who log in using obfuscated and signed java-applets containing binary code hidden in .gif files… I’m sure all the security-through-obscurity is a tiny bit safer… But it’s not pleasant to use :)

    • I’m not in America :-)

      2-factor is fine when you get used to it. I have a special key for the bank which I take with me, and I have Authenticator on my phone which does 3 other websites.

  5. Gijs, in fairness to Nationwide, their alternative password-based system isn’t quite as bad as Halifax’s, because it doesn’t allow full access; you’ll still get prompted to use the card reader if you try to perform certain actions, such as making a payment.
