HSBC customers slam bank's online security system

Readers criticise bank's new access key, but HSBC says it has got the balance of security and usability right

HSBC has infuriated some its internet banking customers with its new secure log-in keys, which were introduced this year in an effort to improve security.

The bank started rolling out the credit-card-sized security keys, which generate a unique PIN each time a customer logs on to their online account, back in March. Since then, Computing has received numerous complaints from readers who say the system is flawed.

"Archaic, annoying, too thick, no more security - better to switch to another bank if you are obliged to use it," posted one reader with the username JB.

"I realise the need for security with online banking but this is just a very annoying concept. I can see it won't be long until I lose this little gadget!" posted pompeybella.

"The 'credit card' size device is yet another thing to carry in one's wallet - do HSBC not realise how many cards etc we carry nowadays?" posted Alan B.

"You can't do anything without it. I travel constantly for work and need to access my accounts. I don't want to have to remember to carry this. I will call them and ask them revert to my old account or consider changing bank after 30 years," he added.

HSBC told Computing that customers will get used to the system and that the bank is also already exploring options for version two, which might be a virtual access key.

"Any change to the way a customer accesses their account is going to take a while to get used to. But this small extra step delivers such an increase in security to our internet banking users, that we are confident we have got the balance right.

"It's not just about the peace of mind knowing only you are accessing your accounts, it's about protecting the static pieces of personal information, like date of birth or mother's maiden name, that once lost, can never be replaced," said an HSBC spokesperson.

"The HSBC Secure Key is simply the introduction of a two-factor authentication process into our internet banking. It works by having one piece of information that remains the same [such as a username], and one that constantly changes but is based on a unique set of information for each user [such as the secure-token generated PIN]. The code is not sequential, so it can't be guessed, and expires after 30 seconds so can't be generated and used at a later date.

The spokesperson added that HSBC is already looking into replacing the system.

"This first version of Secure Key is not the final one - although we have designed it to be light and portable in comparison with our competitors' bulky card reader devices. We are already exploring options for version two that might be virtual. But we have a duty to strike the right balance between ease of use and the highest level of security our customers demand of us."