HSBC fights phishing with authentication token

The bank is ditching digital certificates in favour of password tokens, at least for its business customers

Banking giant HSBC announced on Monday that it is rolling out a two-factor authentication programme for its UK business customers.

The tokens used in the programme will be distributed to 180,000 HSBC Business Internet users from May, the company said in a statement.

Business customers will use the single-use security codes alongside their user ID and password to authenticate their online transactions.

The tokens all have slightly different algorithms that generate different numbers every thirty seconds, according to Mervyn Northam, head of Business Internet banking at HSBC. The back-end computer system tracks which code will be generated by each token depending on the time of day.

"Say your token has algorithm number 79, and it's 1305. The system will know the precise number you are on, and the numbers either side. The tokens aren't specific to certain customers when they are sent out, and each has a barcode which clients use to register the token," said Northam.
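The server-side check described above can be sketched as follows. This is an added example, not HSBC's or its vendor's code: the article does not name the algorithm, so the sketch assumes an RFC 6238-style time-based code (HMAC-SHA1 over a 30-second counter) with a per-token secret, and the `TokenServer` class, serial numbers and secrets are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for, as stated in the article


def code_at(secret: bytes, counter: int, digits: int = 6) -> str:
    """Code for one time step: RFC 4226 truncation of HMAC-SHA1 (assumed algorithm)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenServer:
    """Hypothetical back end: knows each token's secret and the time of day."""

    def __init__(self):
        self.secrets = {}    # token serial (from the barcode) -> secret
        self.last_used = {}  # token serial -> last time step accepted

    def register(self, serial: str, secret: bytes) -> None:
        self.secrets[serial] = secret
        self.last_used[serial] = -1

    def verify(self, serial: str, code: str, now: float, window: int = 1) -> bool:
        secret = self.secrets.get(serial)
        if secret is None:
            return False
        current = int(now) // STEP
        # Accept the current step and "the numbers either side" for clock drift.
        for step in range(max(0, current - window), current + window + 1):
            if step <= self.last_used[serial]:
                continue  # single use: never accept a replayed or older code
            if hmac.compare_digest(code_at(secret, step).encode(), code.encode()):
                self.last_used[serial] = step
                return True
        return False


if __name__ == "__main__":
    server = TokenServer()
    server.register("SERIAL-0001", b"12345678901234567890")  # constructed values
    now = 59  # constructed clock reading, inside time step 1
    code = code_at(b"12345678901234567890", now // STEP)
    print(code, server.verify("SERIAL-0001", code, now))  # first use
    print(code, server.verify("SERIAL-0001", code, now))  # replay of same code
```

A code captured by a phishing page is still usable until its step leaves the window or the server records it as used, which is why the replay check matters as much as the time window.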

Encryption between the front-end and the back-end computer systems means that even if the front-end were compromised, no useful information could be gained by hackers, Northam claimed.

The technology has been rolled out in Hong Kong for a year, and has also been launched in the US. This is because both are smaller markets for HSBC, so it is easier to deploy new technologies, explained Simon Wainwright, head of business banking at HSBC.

"In the UK we have the largest business customer base, and so we had to make sure it worked first time," said Wainwright. "We're not risk averse, but we're risk cautious. Security levels have to be as high as possible without getting in the way of business."

The tokens will replace the existing HSBC system of digital certificates, where individual computers are certified and authorised for transactions.

"This will be more secure than digital certificates, which themselves are remarkably safe," said Wainwright. "A ridiculously small number of customers with digital certificates were stung by phishing scams," he added.

The head of business banking said that "the customer experience was not as good as it could be" with digital certificates because they could only be set up from one computer, while many people use multiple computers.

"Tokens will provide more access and convenience, and more mobility for our business Internet customers," said Wainwright.

Northam added there was a chance that digital certificates could be compromised to gain information, but stressed that this had never happened to an HSBC customer.

Lloyds TSB trialled two-factor authentication last year, while Alliance & Leicester will roll out its two-factor authentication product later this year.