This article is a guest post for the Online Banking Blog(OLBB) by John Ahlberg of Gemalto.
HSBC has come in for some criticism in the UK in recent weeks for its introduction of new security keys for its online banking customers. The credit card-sized keys generate a unique PIN for each time a customer wants to log on to their account, meaning they add an extra, second factor of authentication. This is obviously a good thing for customers’ security, yet it has attracted condemnation from customers frustrated by the lack of mobility it offers.
This once again brings up the age-old trade-off between security and convenience.
Banks are in a precarious position on this issue. On the one hand, they are under greater pressure than ever to do more to ensure the security of their customers, yet on the other are only too aware that these very same customers are averse to any changes which make it more difficult to use the service. Ideally, they need to strike a balance between the two which will provide an adequate, increased level of security, but without it being so inconvenient that customers decide to take their business elsewhere (as is proving to be the case with HSBC’s latest venture).
This is, of course, is easier said than done, but one option for banks moving forward may be to offer a secure mobile app to complement their token authentication systems. One of the criticisms of HSBC’s new system is that it removes much of the freedom that online banking customers have come to expect and enjoy. Offering an additional mobile option would respond to this demand.
However, from a security point-of-view it is hard to criticise HSBC’s efforts to up its game. Vocal though they may be at present, one suspects that, given time to experience the new system, most of those opposed to this heightened security will eventually accept the changes. And those opposed would no doubt be significantly more annoyed were their account to be emptied due to a lack of such stringent measures. That said, there is little point in bringing in these measures if all they achieve is to discourage eBanking altogether.
Given the number of organisations which appear to be adopting a ‘laissez-faire’ attitude towards online banking security, HSBC’s efforts are a breath of fresh air. But they must be mindful that their customers understand this, rather than simply searching for a simpler, and less secure, option.
Tags: HSBC, Secure Key, authentication, online banking, eBanking, security
I applaud their effort but I am a firm believer in not punishing the customer for hackers evilness to the extent possible. There are other out of band authentication techniques that are more mobile and friendlier. Think Mobile!
ReplyDeleteThe Vasco tokens have been in use at HSBC in Asia since 2006 and have dramatically reduced phishing and man-in-the-middle attacks. There was also immediately a perception of improved security amongst the customer base.
ReplyDeleteAll in all I believe the net benefit is clear and those customers annoyed by the extra workload, would likely be the same customers who would shout loudest in the case of an account compromise.
HSBC has successfully implemented the same system in South East Asia nearly 4 years ago. Although it may seem inconvenient initially, It is our believe that customers here have gotten used to the extra step and are happy to enjoy the extra security.
ReplyDelete