HSBC fights phishing with authentication token

Summary: The bank is ditching digital certificates in favour of password tokens, at least for its business customers

TOPICS: Security

Banking giant HSBC announced on Monday that it is rolling out a two-factor authentication programme for its UK business customers.

The tokens used in the programme will be distributed to 180,000 HSBC Business Internet users from May, the company said in a statement.

Business customers will use the single-use security codes alongside their user ID and password to authenticate their online transactions.

The tokens all have slightly different algorithms that generate different numbers every thirty seconds, according to Mervyn Northam, head of Business Internet banking at HSBC. The back-end computer system tracks which code will be generated by each token depending on the time of day.

"Say your token has algorithm number 79, and it's 1305. The system will know the precise number you are on, and the numbers either side. The tokens aren't specific to certain customers when they are sent out, and each has a barcode which clients use to register the token," said Northam.
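The back-end check Northam describes (the current code plus "the numbers either side", each code usable once) can be sketched as follows. This is an added example, not HSBC's code or anything from the article: it assumes an RFC 6238-style time-based code derived from a per-token secret seed, which the article does not confirm, and the serial `T79`, the seed and the `TokenVerifier` class are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the interval quoted in the article


def code_at(seed, counter, digits=6):
    """Assumed derivation: RFC 4226 HOTP over the 30-second time counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Accepts the current code or one step either side, and each code only once."""

    def __init__(self, window=1):
        self.window = window
        self.seeds = {}         # token serial -> secret seed, bound at registration
        self.last_counter = {}  # token serial -> highest time step already accepted

    def register(self, serial, seed):
        self.seeds[serial] = seed
        self.last_counter[serial] = -1

    def verify(self, serial, submitted, now):
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        current = int(now) // STEP
        accepted = None
        for counter in range(max(0, current - self.window), current + self.window + 1):
            expected = code_at(seed, counter)
            # Constant-time compare, no early exit: timing does not reveal which step matched.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                accepted = counter
        if accepted is None or accepted <= self.last_counter[serial]:
            return False  # wrong code, outside the window, or already used (replay)
        self.last_counter[serial] = accepted
        return True


if __name__ == "__main__":
    seed = b"12345678901234567890"         # constructed seed (the RFC 4226 test key)
    backend = TokenVerifier()
    backend.register("T79", seed)          # constructed token serial
    print(backend.verify("T79", code_at(seed, 1), now=59))  # first use of the code
    print(backend.verify("T79", code_at(seed, 1), now=59))  # same code replayed
```

Widening `window` tolerates more clock drift in the token but also lengthens the time a captured code stays valid, so the replay check on `last_counter` matters as much as the window itself.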

Encryption between the front-end and the back-end computer systems means that even if the front-end were compromised, no useful information could be gained by hackers, Northam claimed.

The technology has been rolled out in Hong Kong for a year, and has also been launched in the US. This is because both are smaller markets for HSBC, so it is easier to deploy new technologies, explained Simon Wainwright, head of business banking at HSBC.

"In the UK we have the largest business customer base, and so we had to make sure it worked first time," said Wainwright. "We're not risk averse, but we're risk cautious. Security levels have to be as high as possible without getting in the way of business."

The tokens will replace the existing HSBC system of digital certificates, where individual computers are certified and authorised for transactions.

"This will be more secure than digital certificates, which themselves are remarkably safe," said Wainwright. "A ridiculously small number of customers with digital certificates were stung by phishing scams," he added.

The head of business banking said that "the customer experience was not as good as it could be" with digital certificates because they could only be set up from one computer, while many people use multiple computers.

"Tokens will provide more access and convenience, and more mobility for our business Internet customers," said Wainwright.

Northam added there was a chance that digital certificates could be compromised to gain information, but stressed that this had never happened to an HSBC customer.

Lloyds TSB trialled two-factor authentication last year, while Alliance & Leicester will roll out its two-factor authentication product later this year.

Tom Espiner

  • Once they do away with Internet Explorer only access to their banking site, then maybe they'd be a bit more risk aware.
  • Why all the fuss when they cause losses themselves. At their India call centres they have such a bunch of useless managers who can't even take the decision to check system errors when informed. I recently read about this and was horrified.

    An employee at their Bangalore call centre recently left as even after one and a half months they did not even bother to verify his two anti-fraud recommendations. Ought to have been checked the very same day going by all the fuss they make.

    If correct Hsbc could have saved millions of pounds in money, time and man-hours.
    Who's going to make up - customers I suppose.
  • Big talk Hsbc, India Hsbc a cheap bank. Snatch credit, forget to block the security holes. ....How can they penalise an employee for not revealing system flaw details to a manager. Agree with you vicky, I got quite a shock.

    World class Hsbc throws out good guys retains, is that not what India is famous for - CORRUPTION.

    We have to disconnect and redial as English of most guys in India is very bad or they simply can't understand the problem. Now we know, they have a bunch of useless managers and arse kissing Useless reps.......Cheapos
  • Another possible fraud by female, never investigated by Hsbc seniors at Bangalore, India.

    When Hsbc came to know one of its female employees was security-compromised, that is she was running around with her pickup driver. He used to call her 3-4 times a day and particularly after her shift.

    This when employees cannot give their number to drivers, strictly prohibited. It is known employees are compromised thru the opposite sex. Are you aware by servicing her what info of customers was passed/ leaked out.

    Her name Diana (has 2 names, maiden name given in the Bank, not raised a doubt even after being informed), when this brought to the attn. of senior management, they did nothing, the Asst Vice President just expressed concern but did not lift a finger. Why waste time attitude, it's about UK right- let's go for that party....

    All this took place in the UK's Bangalore Call Center. She is still moving around with the driver, albeit a bit carefully. It was never verified if anything ever happened, if details were compromised. Hsbc will sing a different song and spend vast amount of its customer money if anything comes to light.

    Mobile statements can be obtained, right.

    Want more info to nail Hsbc, mail me at: