HSBC is investigating 'out of band' authentication security for online banking - in which unique ID log-in codes are communicated by telephone - as a possible alternative to the two-factor card reader programme backed by UK payments association Apacs.
Under the out of band system, when a customer wants to make an online payment, the bank Web site generates a PIN which is confirmed by the bank via a call to a designated customer phone number. The bank believes the simultaneous use of two networks to authenticate a user may be more difficult for criminals to circumvent than the token-based systems favoured by the rest of the industry.
HSBC and Abbey have so far opted out of the national banking industry push to supply online account holders with Chip and PIN-style home banking technology. Such systems are considered vulnerable to man-in-the-middle attacks and require the consumer to carry a personal card reader at all times.
A HSBC spokesman states: "From our perspective, we took feedback from our personal customers which indicated they would prefer a system that does not involve carrying or using such a device."
HSBC does offer Vasco's two-factor digital authentication tokens to its UK corporate customers. The spokesman says these devices are used by business customers who need to give staff members access to online banking but who do not want staff accessing the company accounts after hours.
"Two factor devices are absolutely a positive step for the industry," the spokesman continues. "But we have taken a different path - this does not mean companies that have chosen to implement them are going in the wrong direction. HSBC will, like the rest of the industry, continue to invest heavily in the development of security systems to ensure our customers continue to be safe online."