Consumers Still Prefer Convenience Over Security

Wednesday, August 24, 2011



Computing UK has an interesting writeup about HSBC bank's customer outrage over a complex secure login procedure.

The brouhaha underscores a major problem for information security: How do we sell the idea of better security to consumers when the outcome spells less convenience?

The backlash HSBC is experiencing stems from the implementation of a system that requires customers to have in their possession a credit-card-sized security key that generates a one-time PIN to ensure secure account access.

"The HSBC Secure Key is simply the introduction of a two-factor authentication process into our internet banking. It works by having one piece of information that remains the same [such as a username], and one that constantly changes but is based on a unique set of information for each user [such as the secure-token generated PIN]. The code is not sequential, so it can't be guessed..." an HSBC official explained.

The token-generated PIN numbers expire thirty seconds after they are generated, ensuring a higher level of authentication than most banks currently use for customer interfaces.

But that has not stopped consumers from flooding the bank with complaints that the system is too inconvenient for their liking.

"Any change to the way a customer accesses their account is going to take a while to get used to. But this small extra step delivers such an increase in security to our internet banking users, that we are confident we have got the balance right," the HSBC official said.

Some of the consumer comments regarding the secure login protocol include:

  • "The 'credit card' size device is yet another thing to carry in one's wallet – do HSBC not realise how many cards etc we carry nowadays?"
  • "Archaic, annoying, too thick, no more security – better to switch to another bank if you are obliged to use it..."
  • "I realise the need for security with online banking but this is just a very annoying concept. I can see it won't be long until I lose this little gadget..."
  • "You can't do anything without it. I travel constantly for work and need to access my accounts. I don't want to have to remember to carry this. I will call them and ask them to revert to my old account or consider changing bank after 30 years..."

Given the feedback from their customers, HSBC is already looking to replace the system with one that may be more palatable to customers who are used to quick and easy access to their financial accounts.

"This first version of Secure Key is not the final one – although we have designed it to be light and portable in comparison with our competitors' bulky card reader devices. We are already exploring options for version two that might be virtual. But we have a duty to strike the right balance between ease of use and the highest level of security our customers demand of us," the HSBC official said.

Though the current system will be replaced, HSBC is determined to ensure that adequate protection of sensitive customer data remains the primary consideration in any new system it implements.

"It's not just about the peace of mind knowing only you are accessing your accounts, it's about protecting the static pieces of personal information, like date of birth or mother's maiden name, that once lost, can never be replaced."




Christopher Hudel I do not know what to make of the last quote in the article - birthdates and maiden names are neither lost nor irreplaceable!
Anthony M. Freed I think the HSBC rep was trying to express the fact that once PII is lost in a breach, it can not be made secure again.
Christopher Hudel I agree - but it was such an odd turn of phrase.
Anthony M. Freed So true - and reminds me of one from a month or two ago when a NATO spokesman advocated "persecuting" Anonymous skiddies, where I think he meant to say "prosecute" (though both are good ideas). Unfortunately, I can't correct direct quotes!