HSBC accuses rivals of security 'arms race'

Summary: Banks that have chosen to beef up their authentication systems are exposing unprotected rivals to attack, the financial services group claims

HSBC has criticised competitors using two-factor authentication, claiming that such tactics encourage hackers to target banks that haven't implemented similar measures.

Speaking at the Gartner IT Security Summit 2006, Brendan Pickering, group head of fraud technology at HSBC, accused rival banks of adopting an "arms race" approach to authentication.

Pickering argued that security measures such as two-factor authentication would "generate considerable revenues for the vendors, but are unlikely to resolve fraud and security problems for more than a limited time period".

Two-factor authentication relies on two forms of identification to better establish online identity — usually a password and a passcode, which can be generated using an algorithm.

Barclays announced in August that it would roll out two-factor authentication next year, while Lloyds TSB completed a two-factor token trial in July.

Pickering argued that such tactics would only serve to focus attackers on online banks that do not distribute tokens. HSBC does not have a consumer two-factor authentication scheme.

"Phishing and Trojan attacks have caused a number of banks to deploy [two-factor authentication] tokens. The deployment of such tokens, on their own, will in the short term redirect the attackers' efforts towards banks which do not deploy them," said Pickering at the Gartner security summit in London.

"Deployment of tokens alone will do no more than buy some time in a game of beggar thy neighbour," he added.

Pickering predicted that attacks would switch to real-time phishing, where hackers use information harvested contemporaneously to launch an immediate attack.

"In the UK many of the big banks have announced authentication schemes. The reason we haven't seemed to have done much is we haven't had the problems some of the other banks have. We've done authentication trials, but in the personal space we don't see much need to launch [a scheme]," said Pickering.

HSBC intends to address security questions through a "portfolio of controls applied at a number of different points in the service". Currently HSBC has a rules-based system for determining when transactions are suspect, but would like to move to a model-based system.

While tokens are currently widely used, research firm Gartner predicted on Tuesday that one-time passwords, especially delivered to phones via SMS, would become even more popular than they are at present.

Smart tokens, in the form of smart cards or smart USB tokens, would also be used more often, while public key infrastructures will become more popular when combined with one-time passwords for mobile use, according to Ant Allan, research vice president at Gartner.

Tom Espiner



  • Careless Hsbc support Fraud on one hand and speak against it on the other.

    Recently I read where in an India centre a guy detected major flaws in Hsbc systems. Instead of checking it out immediately, they did not bother for two months. Reason: managers wanted the credit, the guy eventually left in disgust.

    This is Hsbc, they speak of world-class service and top management indulge in cheap tactics. These managers even falsely took action against him hoping to blackmail him into revealing, when he did not and stood his ground they very quickly accepted his resignation against all norms fearing their illegal actions would get out.

    They could have saved hundreds of millions of pounds as the story says.

    Hsbc top guys are busy massaging their egos with that stiff upper lip and a supercilious smile, a legacy of the British.

    Why do they need authentication, so blame hackers for their internal mess-ups.
  • After reading Mansur's comment, Hsbc does not do its duty to its customers. It thinks it is doing them a favour. Fat Cat managers, corrupt and useless rule hsbc.
  • I have to agree with the other comments. Surely the banks have a duty of care to give their customers the best protection they can, as quickly as they can.

    If some banks are able to react quickly, then they should do it... If a bank can't react quickly to changes in security tactics, they shouldn't berate the others for caring for their customers, they should put efforts into making sure they can offer the same sort of protection for their own customers.
  • Pickering's arguments are horrible, and would make me close my account with HSBC if I had one.
  • Utter nonsense, they are already issuing tokens for business customers. It seems like they should look at what they are doing internally before slating others!
  • What a spectacularly stupid argument! They might as well ask why the other banks keep their money in safes - it's just encouraging thieves to steal it from the ones that leave money lying about on the floor.
  • I notice that their only concern is how they look, not the safety of their customers' money. And I notice their blindness that does not realise that their very statement reveals that they are behind the game, and asleep at the wheel.
  • Of course he is entirely correct! The fact remains that Banks are entirely cavalier with customers' data and money.
    Do not forget that they are first and foremost businesses which seek to minimise costs and maximise profits. Any form of security is seen as unnecessary cost until the fraud tipping point is reached. Chip and PIN was only introduced when the level of fraud was so great that the Banks could no longer sustain absorbing the cost and public opinion meant there was a loss of confidence in the plastic card.
    Telephone and internet banking are seen as a way to maximise profits. Online is preferable as this does away with the need for call centres as the customer inputs the details rather than a member of staff.
    The issue is that the means of authentication employed thus far is weak beyond description.
    This chap is stating the obvious and whinging because HSBC will now get hit by fraudsters or have to absorb unanticipated cost.
    I suggest he gets back to the office and deals with it.
  • Yes he ought to get back and deal with it.
    If I'm not wrong it was plugging some loopholes that this guy advise would have done, minor investment.

    How come Hsbc screwed up on this one, unless they talk more than they do things. Looks like any other shit company with politics and daggers drawn.
  • How could Hsbc India be so corrupt minded they penalise an employee for refusing to tell his manager details of security flaws in their UK systems.

    It is but natural to take credit for their work, I'm reading here it says two managers took action to blackmail him into parting with the info. Even top management have not rectified situation!!

    So is this the world-class that they claim, no doubt their India service is pathetic, they don't understand and are repetitive. This is why, retain lousy guys throw out good guys who know their value.
  • Big talk by Hsbc, India Hsbc same as any cheap company. Snatch credit forget to block the security holes. How can they penalise an employee for not revealing details to a manager. Agree with you vicky, I got quite a shock.

    World class Hsbc throws out good guys retains, is that not what India is famous for - CORRUPTION. We have to disconnect and redial as English of most guys in India is very bad or they simply can't understand the problem. Now we know, they have a bunch of useless managers and arse kissing useless reps.......Cheapos