Posts Tagged ‘Secure Key’

HSBC: Security vs. Usability

August 29, 2011 1 comment

Earlier this year, HSBC informed all its customers that it would be providing them with ‘upgraded’ security in the form of the HSBC Secure Key, a hardware device that generates a number upon each use; this number can then be used to log into the HSBC website. Unfortunately, they forgot to ask the customers if they wanted them.

HSBC Secure KeyThose familiar with the concept of security will have heard of the three factors of authentication, which can be broken down into simple concepts:

  • Something you know
    • A password, or a favourite colour.
  • Something you have
    • A phyical token or smart card.
  • Something you are
    • A measurable biometric, such as a finger or voice print.

It’s generally accepted that the more factors you have, the more secure your system is, and HSBC’s move was from single factor (digits from a known number preset by the individual) to two separate factors (a known answer to a preselected question, and the secure key itself).

The factor that they missed was usability, and quite frankly they have rolled out a very poor implementation. The ‘credit card sized’ key turns out to be the thickness of five credit cards, and is required for all access (even checking account balances). Some of HSBC’s competitors, going down a similar two-factor route, only require their devices for actions where the additional security would be welcomed, e.g. balance transfers.

My personal final straw was the advert for the keys themselves, which can be seen at The elderly gentleman is shown happily typing into his secure key like it was a 1980’s calculator and getting a code to use on the HSBC website.

This part, more than anything else, is a lie: any elderly gentlemen trying to use the key in that manner will break their fingers. The HSBC key is the most unmalleable device I have ever come across, and to switch it on and type in the required PIN requires each digit to literally be squeezed between thumb and forefinger one at a time.

Like so many other security measures, this is yet another organisation deciding to go their own way. Some banks already provide devices that read unique data from the chip on the card; quite often, one bank’s device can be used by another bank’s card. Make these ubiquitious, and you immediately cut down on the need to have one device per bank, you cut down on people having to always carry the single device capable of accessing their account around with them, and yet you get to keep your second factor.

HSBC has stated that they are already looking at replacing their system:

This first version of Secure Key is not the final one – although we have designed it to be light and portable in comparison with our competitors’ bulky card reader devices. We are already exploring options for version two that might be virtual. But we have a duty to strike the right balance between ease of use and the highest level of security our customers demand of us.

Computing magazine, 24th August 2011

Too little. And quite possibly too late.