HSBC: Bad Security

I would like to use a stronger word than “bad” in the title, but decency forbids.

HSBC has, or used to have, a compulsory 2-factor system for logging in to their online banking. It used a small widget called a Secure Key. This is good. Now, they have rolled out an Android/iOS/Blackberry app alternative. This is also good, on balance.

However, at the same time, they have instituted a system where you can log on and see all your banking information and even take some actions without the key, just using a password. This is bad. Can I opt out, and say “no, I’d like to always use the key, please?” No, it seems I can’t. Compulsory lowered security for me. Even if I don’t use the password, that login mechanism will always be there.

OK, so I go to set a password. Never mind, I think, I’ll pick something long and complicated. But no; the guidance says:

Your password is not case sensitive and must be between 8 and 30 characters. It must include letters and numbers.

So the initial passphrase I picked was both too long, and didn’t include a number. However, the only error it gives is “This data is invalid”. I tried several other variants of my thought-of passphrase, but couldn’t get it to accept it. Painful reverse-engineering showed that the space character is also forbidden. Thank you so much, HSBC.

I finally find a password it’ll accept and click “Continue”. But, no. “Your session is invalidated – please log in again.” It’s taken so long to find a password it’ll accept that it has timed me out.
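An added example (not HSBC's code and not part of the original post): a validator for the quoted rules that names each broken rule instead of answering "This data is invalid", plus what case-insensitivity costs. The function names are hypothetical, and the 36-symbol alphabet is an assumption, since the post does not say which symbols are accepted.

```python
import math

MIN_LEN, MAX_LEN = 8, 30  # limits quoted in the bank's guidance


def policy_violations(candidate):
    """List every rule the candidate breaks, so the user sees why it failed."""
    problems = []
    if len(candidate) < MIN_LEN:
        problems.append("too short")
    if len(candidate) > MAX_LEN:
        problems.append("too long")
    if " " in candidate:
        problems.append("contains a space")  # undocumented rule found in the post
    if not any(c.isalpha() for c in candidate):
        problems.append("no letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no number")
    return problems


def canonical(candidate):
    """What a case-insensitive check effectively compares."""
    return candidate.casefold()


def case_variants_collapsed(candidate):
    """Number of distinct typed strings that all count as this one password."""
    cased = sum(1 for c in candidate if c.lower() != c.upper())
    return 2 ** cased


def search_space_bits(alphabet_size, length):
    """Upper bound on guessing work for a random password, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the post.
    for pw in ["correct horse battery staple is long", "short1", "Tr0ub4dorAnd3"]:
        print(repr(pw), policy_violations(pw) or "accepted")
    print(case_variants_collapsed("Tr0ub4dorAnd3"), "case variants are one password")
    # Assumption: 26 letters + 10 digits; the post does not list allowed symbols.
    for n in (MIN_LEN, MAX_LEN):
        print(n, "chars:", round(search_space_bits(36, n), 1), "bits vs",
              round(search_space_bits(62, n), 1), "if case mattered")
```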

6 thoughts on “HSBC: Bad Security”

  1. While I understand what you were going for, I have to ask… decency forbids “Terrible”, “Awful”, “Horrendous”, and “Appalling”?

    Also, how do they handle customers without smartphones? Is it like Google and Yahoo where the only reason I’m able to have an account without being able to receive SMS is because I was grandfathered in?

    • You’re right. I should have been more creative.

      Using the smartphone-based Secure Key _is_ optional; you can continue with the hardware token if you like. (And I intend to.)


  2. Have you considered trying the Halifax? Here are some of their features…

    1) The “verified by Visa” widget that they use to verify your card for online purchases uses an unrecognisable domain name for which the SSL certificate doesn’t use extended validation. My wife was using her card on the Internet, and I was showing her how to be sure that she’s really dealing with Halifax Bank, by checking the green address bar and the organisation the SSL cert was issued to, and… oh, look - there is no green address bar/no EV. From a high street bank. (No site on home URL, but you can test the cert.)

    2) Their SSL for their main banking site uses a weak signature, is vulnerable to Poodle, accepts RC4, no forward secrecy, no support for TLS 1.2, and more:

    3) Ditto for most of that list for the verification domain when purchasing online:

    4) Their “two factor” security when logging in for online banking consists of a password, together with (selected characters) of a second password. One-time codes? Key device? What are those? What year is it anyway?

    As I say, have you considered trying the Halifax? If you have, let’s hope it wasn’t for long…

    • Sorry, didn’t realise this needed approval. I’ve approved it now, and deleted the link-free version.

  3. I don’t know if they’ve fixed it now, but for years they had a simple bug in their 3D Secure form and password reset page. When resetting your password you were shown an . I’d type a 10 character password into this and not notice that it was being truncated. When I then tried to use that password to pay for something, the maxlength attribute was missing, and it told me my 10 character password was wrong.