
HSBC stumble with Secure Key

HSBC have just hit the headlines as they’ve launched an additional layer of internet security, in the form of a calculator terminal called ‘secure key’.  The calculator is small enough to attach to a key fob, and generates a random pass code each time you want to go onto online banking.  This is small, but still the same irritating device that I complained about in 2007 when NatWest sent me a Xiring terminal.

Why is it so annoying?

First, it forces customers to use an extra layer of security they don’t like.

Second, it adds time and challenge to online banking processes.

Third, it means people cannot access online services such as payments, if they don’t have the device with them.

Fourth, it’s just a clunky device that makes customers feel their user experience with internet banking is undermined and less secure.

I’ve never liked such things and never will, and apparently most of HSBC’s customers feel the same.


I have a solution but, before discussing solutions, let’s look in more detail at what HSBC has launched.

It’s Secure Key … a small, calculator-styled system.

The system is designed for two-factor authentication – a second secure code on top of a PIN or password – and using Secure Key the customer enters their PIN and then gets an OTP – One-Time Password – which is a dynamically generated random number. 

This number is on top of the card PIN system, and is meant to ensure really secure internet banking.  In other words, it protects the customer … or maybe it protects the bank, as the bank is liable for customers' online banking losses.

Although the Secure Key is smaller than the similar styled systems from other banks, as it does not read the card, it still means that people need to have this with them to do most online payments activities.

That's why customers are complaining, as demonstrated above, because it’s both a hassle and potentially locks them out of their account.

As the Daily Mail puts it:

“One Financial Mail reader says HSBC told her she should use her secure key from the end of July to log in to her account, but she has never received one in the post.  For the past two weeks she has been unable to access her account.  Another customer, Ben Sullivan, received his device three weeks ago. Ben, from Southend, Essex, made his first attempt to use it last week but says he had to register the device first and then set it up using various ‘security questions’.  To access the device Ben then had to enter a code, his date of birth and a separate PIN.  ‘I'm not very pleased about it’, he says. ‘It was a lot of hassle to get it up and running.’”

Yep, it’s a pain and there's already a Facebook Community gathering to Scrap the HSBC Secure Key.

So what’s the solution?

Well I keep coming back to mobile phones.

First and most important, the mobile can be used as a Secure Key device.  It's exactly the same as the pad that the banks are distributing, but it's something that you're bound to always have with you, unlike the Secure Key device.

Not only are you far more likely to have your mobile with you when you’re out and about, but the bank can geolocate you to check it’s you and your phone when a card is used, thus ensuring card and security device are held together.

Most people raise the issue of mobile security, but that's a null argument these days as, if you lose it, most people will have protected it with a mobile PIN code to start with anyway.  As a result, you have two PIN entries to make – one for accessing the phone and one for the Secure Key access – before the OTP is generated.
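The PIN-then-OTP flow described above, for the Secure Key and for a phone acting as one, sketched as an added example (not code from HSBC or from this post). It assumes the counter-based HOTP algorithm of RFC 4226, which the post does not say Secure Key uses; `Token`, `Verifier`, the secret and the PINs are constructed for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """Hypothetical device (key fob or phone app): the PIN unlocks OTP generation."""

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin, self._counter = secret, pin, 0

    def generate(self, pin: str) -> str:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN, no code generated")
        otp = hotp(self._secret, self._counter)
        self._counter += 1  # each code request consumes one counter value
        return otp


class Verifier:
    """Hypothetical bank side: accepts each code once, within a look-ahead window."""

    def __init__(self, secret: bytes, window: int = 3):
        self._secret, self._window, self._counter = secret, window, 0

    def verify(self, otp: str) -> bool:
        for c in range(self._counter, self._counter + self._window + 1):
            if hmac.compare_digest(hotp(self._secret, c), otp):
                self._counter = c + 1  # resync; used and skipped codes are now dead
                return True
        return False


# Constructed sample value (the RFC 4226 test secret), not a real credential.
SECRET = b"12345678901234567890"
```

The look-ahead window is the usability trade-off in miniature: too small and a customer who requested a few unused codes is locked out, too large and guessing a valid code gets easier. The code is derived from a secret shared by device and bank, which is why a phone holding that secret can stand in for the fob.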

Now to the clever bit.  Phones are also rapidly becoming biometric devices.

Voice Commerce, for example, use the phone to get a voice biometric for authentication; Bank Inter use the smartphone for iris recognition; and Apple patented their finger-swipe unlock on the iPhone as a biometric last year.


So the idea of continuing with clunky, chunky, monkey wrench solutions to online security is so last century …


About Chris M Skinner

Chris Skinner is best known as an independent commentator on the financial markets through his blog, the Finanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal’s Financial News.

  • Lee

    Banks seem to have it both ways with online banking. I would like to know if they trust their own secure banking systems or not.
    I recently moved house. I’ve got accounts with Barclays, Santander, Halifax and HSBC (business account). Surely, once I’ve logged in successfully to my online banking account the bank trusts that it IS me that’s logged. So I attempted to change address online.
    Santander – Success, although even I consider their online banking to be inherently the least secure. Takes just a 5 digit number to log in for me and when you click “Log Out” the next page that loads asks you to confirm, and you’re still logged in.
    Halifax – I could download a change of address form and post (yes, POST) it to them to change my address.
    Barclays – Required both myself and my wife to attend the bank with two forms of ID, ridiculous.
    HSBC – My wife’s personal account address was to their credit changeable online, my business account required me to visit the branch, whereupon I was not asked for any ID or even my bank card. I just had to fill in a change of address form. Two days later I had confirmation through the post to my new address and presumably no double-confirmation going back to my old address. Shambles.

  • Tereza

    And when your power-hungry smartphone’s battery is dead??

  • I saw an article earlier in the week which seemed to hit the nail on the head. http://www.computerweekly.com/Articles/2011/08/15/247618/Swift-proposes-identity-management-system-to-banks.htm

  • BankSimple has a clever/friendly (smart) phone 2-factor security layer, but that’s the advantage of having the corporate DNA of a tech company and no legacy anything.

  • What is curious is that we know how to do this in other countries. The pattern seems to be quite consistent; the Europeans figure out how to do it securely, the Americans figure out how to make money, and the Brits kind of flipflop between.
    The work for mobile-phone-as-authenticator started in Europe around 2006, as the MITB thing scared everyone. In the event man-in-the-browser took a lot longer to emerge, but now it’s here, those who acted with due diligence are in fine shape. Those who ignored the research and warnings are … in a mess.
    Why is that?

  • Chris Yaldezian

    Banks have been experimenting with this type of thing for years. I remember ABN doing it with the e.dentifier… back in 2002.

  • Cars

    Australian banks have had 2FA deployed for about 4 years using mobile phones and based on online events (e.g. payments, transfers, personal detail changes). In the last 12-18 months this has moved into the online merchant space in coop with the major schemes (e.g. MasterCard).

  • Will H

    What would be cool is integrating it into the payment card (using e-ink or something similar).

  • Durga

    Mobile Phone as a second factor lost its grace with the invasion of Zeus malware for mobile devices.

  • Lee Qin Wei

    Interesting take on brand alignment HSBC… Just thought of sharing with you guys… http://bit.ly/wzpJ6C