19 July 2018
Paul Penrose


Paul Penrose - Finextra

307Posts 1,376,607Views 248Comments
Trends in Financial Services

Trends in Financial Services

A community to discuss the future of financial services and any other interesting trends, strategies, ideas, views.
A post relating to this item from Finextra:

HSBC defends two factor authentication opt out

17 May 2007  |  13514 views  |  0
HSBC has defended its decision not to follow other UK banks in rolling out handheld chip and PIN devices to its Internet banking customers, saying its existing monitoring procedures and customer educa...

HSBC and Abbey send clear message to phishermen

17 May 2007  |  5286 views  |  0

HSBC and Abbey have broken ranks with other UK banks and decided not to participate in a national push to supply online banking customers with two-factor authentication devices. 

While most of the major banks are laying plans to introduce an assortment of random-number generating systems as a supplement to basic password controls, HSBC and Santander subsidiary Abbey have decided to sit on the sidelines. 

Defending its stance to Finextra, HSBC says it is already satisfied with existing online safeguards and that its online losses are minimal. 

The UK move to supply consumers with Chip and PIN card readers at home is non-mandatory. At an economic level, the refuseniks will have weighed up the costs of supplying consumers with free card-readers against the level of losses they are prepared to sustain.  They may also take a view that the number generators are nothing more than a stop-gap device, incapable of protecting customers from more sophisticated 'man-in-the-middle' attacks.

Of course, consumers who are uncomfortable with the levels of security in place can always vote with their feet and move their online accounts to banks with more obvious safeguards in place. 

The fraudsters will do the same in reverse, modifying their behaviour and concentrating their efforts on institutions with less elaborate controls. 

This is supported by evidence presented in this paper, ‘Closing the phishing hole’, by Ross Anderson, professor of security engineering at Cambridge University.

Speaking at a recent conference in the US, Anderson observes that in the UK, one single bank took £30m of the £35m phishing losses sustained in 2006. According to investigators, the phishermen target this bank because of its lax internal controls, and above all its poor record of asset recovery: apparently it recovers only about 60% of stolen money compared with 75–95% for its competitors.  

The pattern is clear, says Anderson: “Rapidly rising fraud, with losses concentrated on banks that subject their online customers to fewer controls and that have less effective asset recovery teams.”

To be clear, neither of these assumptions necessarily applies to HSBC and Abbey.

But it's all about perceptions. The UK payments body Apacs has in the past done a decent job in moving the industry forward and presenting a strong united front to customers and the criminal fraternity. HSBC and Abbey's failure to play ball shatters the illusion of unanimity and sends out confusing mixed signals about the confidence of the banking industry in its ability to protect customer accounts from crime.  

TagsRetail banking

Comments: (0)

Comment on this story (membership required)

Latest posts from Paul

ANZ and Visa lose the plot

30 June 2011  |  6857 views  |  0 comments | recomends Recommends 0 TagsMobile & onlineRetail banking

Don't give up the day job...ever

20 May 2010  |  6103 views  |  0 comments | recomends Recommends 0 TagsTrade executionWholesale bankingGroupWhatever...

Now we are ten

19 April 2010  |  6473 views  |  3 comments | recomends Recommends 0 TagsRetail bankingWholesale banking

Finextra's Best of the Web

05 March 2010  |  5982 views  |  1 comments | recomends Recommends 0 TagsRetail bankingWholesale banking

The ATM was the last great financial innovation

25 February 2010  |  10136 views  |  8 comments | recomends Recommends 0 TagsRetail bankingWholesale bankingGroupFinance 2.0

Paul's profile

job title Head of Research
location London
member since 2007
Summary profile See full profile »
I'm responsible for editorial content and quality control across the full range of Finextra media.

Paul's expertise

Member since 2006
307 posts248 comments

Who's commenting on Paul's posts