HSBC accuses rivals of security 'arms race'

Banks that have chosen to beef up their authentication systems are exposing unprotected rivals to attack, the financial services group claims
Written by Tom Espiner, Contributor

HSBC has criticised competitors using two-factor authentication, claiming that such tactics encourage hackers to target banks that haven't implemented similar measures.

Speaking at the Gartner IT Security Summit 2006, Brendan Pickering, group head of fraud technology at HSBC, accused rival banks of adopting an "arms race" approach to authentication.

Pickering argued that security measures such as two-factor authentication would "generate considerable revenues for the vendors, but are unlikely to resolve fraud and security problems for more than a limited time period".

Two-factor authentication relies on two forms of identification to better establish online identity, usually a password and a passcode that can be generated using an algorithm.

Barclays announced in August that it would roll out two-factor authentication next year, while Lloyds TSB completed a two-factor token trial in July.

Pickering argued that such tactics would only serve to focus attackers on online banks that do not distribute tokens. HSBC does not have a consumer two-factor authentication scheme.

"Phishing and Trojan attacks have caused a number of banks to deploy [two-factor authentication] tokens. The deployment of such tokens, on their own, will in the short term redirect the attackers' efforts towards banks which do not deploy them," said Pickering at the Gartner security summit in London.

"Deployment of tokens alone will do no more than buy some time in a game of beggar thy neighbour," he added.

Pickering predicted that attacks would switch to real-time phishing, where hackers use information harvested contemporaneously to launch an immediate attack.

"In the UK many of the big banks have announced authentication schemes. The reason we haven't seemed to have done much is we haven't had the problems some of the other banks have. We've done authentication trials, but in the personal space we don't see much need to launch [a scheme]," said Pickering.

HSBC intends to address security questions through a "portfolio of controls applied at a number of different points in the service". Currently HSBC has a rules-based system for determining when transactions are suspect, but would like to move to a model-based system.

While tokens are currently widely used, research firm Gartner predicted on Tuesday that one-time passwords, especially delivered to phones via SMS, would become even more popular than they are at present.

Smart tokens, in the form of smart cards or smart USB tokens, would also be used more often, while public key infrastructures will become more popular when combined with one-time passwords for mobile use, according to Ant Allan, research vice president at Gartner.
