
An article relating to this blog post on Finextra:

HSBC defends two factor authentication opt out

HSBC has defended its decision not to follow other UK banks in rolling out handheld chip and PIN devices to its Internet banking customers, saying its existing monitoring procedures and customer educa...


HSBC and Abbey send clear message to phishermen

HSBC and Abbey have broken ranks with other UK banks and decided not to participate in a national push to supply online banking customers with two-factor authentication devices. 

While most of the major banks are laying plans to introduce an assortment of random-number generating systems as a supplement to basic password controls, HSBC and Santander subsidiary Abbey have decided to sit on the sidelines. 

Defending its stance to Finextra, HSBC says it is already satisfied with existing online safeguards and that its online losses are minimal. 

The UK move to supply consumers with Chip and PIN card readers at home is non-mandatory. At an economic level, the refuseniks will have weighed up the costs of supplying consumers with free card-readers against the level of losses they are prepared to sustain.  They may also take a view that the number generators are nothing more than a stop-gap device, incapable of protecting customers from more sophisticated 'man-in-the-middle' attacks.

Of course, consumers who are uncomfortable with the levels of security in place can always vote with their feet and move their online accounts to banks with more obvious safeguards in place. 

The fraudsters will do the same in reverse, modifying their behaviour and concentrating their efforts on institutions with less elaborate controls. 

This is supported by evidence presented in this paper, ‘Closing the phishing hole’, by Ross Anderson, professor of security engineering at Cambridge University.

Speaking at a recent conference in the US, Anderson observes that in the UK, one single bank took £30m of the £35m phishing losses sustained in 2006. According to investigators, the phishermen target this bank because of its lax internal controls, and above all its poor record of asset recovery: apparently it recovers only about 60% of stolen money compared with 75–95% for its competitors.  

The pattern is clear, says Anderson: “Rapidly rising fraud, with losses concentrated on banks that subject their online customers to fewer controls and that have less effective asset recovery teams.”

To be clear, neither of these assumptions necessarily applies to HSBC and Abbey.

But it's all about perceptions. The UK payments body Apacs has in the past done a decent job in moving the industry forward and presenting a strong united front to customers and the criminal fraternity. HSBC and Abbey's failure to play ball shatters the illusion of unanimity and sends out confusing mixed signals about the confidence of the banking industry in its ability to protect customer accounts from crime.  



Paul Penrose


Head of Research

