HSBC to challenge two-factor system

Bank claims that system is safer

HSBC has rejected two-factor authentication

HSBC is developing a rival form of security authentication because of concerns about the standard two-factor system backed by industry body Apacs.

HSBC’s online banking will use a specified phone line, usually a mobile phone, and a PIN generated by the online banking site, rather than the card reader and password system being rolled out by most banks.

The so-called ‘out of band authentication’ is more reliable because a criminal with the right password is unlikely to have the designated phone as well, said HSBC personal internet banking manager Nick Staib.

The weakness of two-factor authentication is that the PC used to access the bank’s site may be commandeered by hackers.

‘Two-factor is not bulletproof – the PC may be compromised and it makes no sense to us to feed information into a compromised channel,’ said Staib.
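The argument above is that a one-time PIN delivered to a phone registered at enrolment is something a criminal holding only the stolen password does not have. The simplified server-side check below is an added illustration, not HSBC’s or Apacs’s code; the phone numbers, PIN lifetime, attempt limit and the `sender` delivery callback are assumptions.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 120   # assumed lifetime of a delivered PIN
MAX_ATTEMPTS = 3        # assumed guess budget before the PIN is burnt


class OutOfBandAuth:
    """Second step of a login: a PIN generated by the site is sent to the
    phone registered at enrolment, not to the PC running the session."""

    def __init__(self, registered_phones, sender, clock=time.time):
        self.phones = registered_phones   # user -> phone held on file, not supplied by the PC
        self.sender = sender              # sender(phone, message): delivery over the phone channel
        self.clock = clock
        self.pending = {}                 # user -> [pin, expiry, attempts_left]

    def start(self, user, password_ok):
        """Called after the password check; pushes a fresh PIN to the phone."""
        if not password_ok or user not in self.phones:
            return False
        pin = f"{secrets.randbelow(10**6):06d}"        # unpredictable, single use
        self.pending[user] = [pin, self.clock() + PIN_TTL_SECONDS, MAX_ATTEMPTS]
        self.sender(self.phones[user], f"Your banking PIN is {pin}")
        return True

    def confirm(self, user, submitted_pin):
        """Accepts the PIN once, within its lifetime, with a bounded guess budget."""
        entry = self.pending.get(user)
        if entry is None:
            return False                                 # nothing pending or already consumed
        pin, expiry, attempts = entry
        if self.clock() > expiry or attempts <= 0:
            self.pending.pop(user, None)                 # stale PIN is discarded, not extended
            return False
        entry[2] -= 1
        if hmac.compare_digest(pin, submitted_pin):      # constant-time comparison
            self.pending.pop(user)                       # one successful use only
            return True
        if entry[2] == 0:
            self.pending.pop(user)                       # guess budget exhausted: new PIN required
        return False
```

A stolen password alone lets an attacker reach `start`, but `confirm` cannot succeed without the PIN that only the registered phone receives, and guessing is cut off by the attempt limit and expiry.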

The majority of high-street banks use two-factor authentication, and Apacs has issued an industry-standard card reader for banks to provide to customers.

But HSBC prefers out of band because the user does not have to carry an extra device or remember further details. ‘It sidesteps the issues of tokens and man-in-the-middle attacks,’ said Staib.

The authentication system is part of a wider programme to move all HSBC online banking services onto a single global IT platform.

In the next two years the bank will use a standard IT architecture in all 83 countries in which it operates, said head of e-commerce Alison Leonard.

‘The changes will allow business people to undertake change, where historically it has been the IT people,’ she said.