HSBC's bankrupt security thinking

Imagine a government information film that said only bad people buy locks because this encourages thieves to go after the lockless. Imagine then the protests from public and law enforcers alike at such dangerously twisted thinking. But then, no organisation could be that clueless.

Or so we thought. HSBC proved us wrong this week, when it attacked rival banks for introducing two-factor authentication. By introducing stronger protection for their customers, it argued, banks such as Barclays were unfairly singling out rivals such as HSBC as easier pickings for hackers and criminal gangs.

To normal people, that's as perverse as imposing a penalty charge that breaks an overdraft limit, then imposing a penalty for that too. In other words, it's frighteningly normal — for bankers. This kind of thinking stems from the endemic short-sighted, profit-fixated culture that characterises retail finance. Clearly, at HSBC, customer protection comes somewhere below outsourcing support abroad and just above the rights given to cleaning staff, an annoyance that only becomes worse if someone else takes it seriously.

HSBC's competition has realised that secure customers are more likely to hang around, and the competitive advantage of this approach has started to hit home. But a truly customer-centred approach to security would see the banks and other financial institutions working together to create a secure environment, one where the sector as a whole regains the reputation for safety that it once held in the pre-electronic era.

If companies we trust to protect our hard-earned money are to stand a chance against the ruthless innovations of cybercriminals, then they must stand together. HSBC should be agitating for this, not complaining about some hacker influx looking for an easy mark. If it doesn't, it should ready itself instead for a mass exodus of the community which ultimately governs its fortunes — its customers.