Anger grows over HSBC's online banking 'Secure Key'

hsbc secure key

A YEAR and a half after its launch, HSBC's online banking security gadget Secure Key is still getting a kicking.

Secure Key is meant to protect against online fraud by requiring current account and credit card customers to enter a uniquely generated PIN number to log in.

But, after a botched roll-out, the device has proved fragile and susceptible to error and the bank's account holders have taken to Facebook, Petition Buzz and other sites to express their anger at the little calculator that couldn't.

The long running battle seems to be picking up pace - although HSBC have still failed to respond substantially to the complaints.

What's the problem?


HSBC Secure Key: second level authentication

Most financial services providers, as we review here, including Barclays and Nationwide have managed to introduce second level authentication for their online banking services without driving their customers mad.

It makes sense to have a system that doesn't rely on passwords which, inevitably, end up being written down or personal information, which can be easily obtained.

The problem is compounded if, to make them more secure, passwords are changed frequently. The more difficult to remember; the greater the chance they'll be noted down.

When Which? last looked into the safest online banking services HSBC came fifth.

The consumer group used the presence of a security device as a benchmark for success: the top four banks all used the devices.

"Customers are the first line of defence against online crime and can do a huge amount to ensure their accounts are safe from cyber criminals," said Chris Pilling, the head of HSBC's customer security development, at Secure Key's launch.

"Keeping your PIN and passwords secret is vital and this is why we have added the Secure Key to our range."

However, some aspects of the new security device were botched while others clearly hadn't been thought through from the perspective of customers.

Slow roll-out

HSBC didn't do themselves any favours by seemingly botching the roll out of Secure Key in March last year, leaving many unable to log in to their online bank accounts because they hadn't received a device.

Second PIN code

When they did get them, HSBC customers found three major flaws with the device.

First, it required a second PIN code to get the unique six digit passcode to access online banking, as opposed to using the card's normal ATM code as other banks do.

HSBC argued that a second PIN made Secure Key safer than rivals' card readers because PINs could be guessed or 'shoulder surfed' by fraudsters.

Many customers disagreed not least because having two PINs means having to remember two and increasingly the likelihood that they'll be written down or, if not written down, forgotten.

The latter is a particular problem in combination with the second fault.

hsbc secure key logon steps Steps to log on to HSBC's online banking using Secure Key

Mandatory for login

At launch, HSBC immediately made Secure Key a mandatory part of logging in to online banking.

The little keys are tied to a particular person, too, leaving many households with several devices to keep track of.

With other banks, it's possible to skip the unique number process and log in with personal information and online banking PIN numbers alone, ideal if you're away from home or the device is lost or broken.

According to some reports, HSBC have been just as slow to replace the devices as they were at rolling them out in the first place which, given that there's no other way to log in, leaves consumers internet banking-less altogether.

Fragile

Finally, the devices are reportedly too fragile to be carried around without smashing.

In light of the points above, this is a problem.

Will the revolt work?

For thoroughly irritated HSBC customers the next question is: are HSBC going to get rid of, or at least fix, Secure Key?

Answer: unlikely.

HSBC have spent millions on their newest gadget not only on the development and deployment of the technology itself but on marketing it and sending out details to HSBC customers.

What it could do, however, is initiate a number of small fixes which could alleviate the problems above.

A robust casing for the devices could help those that claim they're too fragile to take out, for example, and simply allowing customers to bypass the system, at least sometimes, and use a password to log in would leave many much less aggravated.

However, both solutions would mean HSBC spending much more money and losing face. It remains to be seen whether making their customers unhappy is incentive enough for them to do either one.

Comments

1
18 October 2015
Stanly

I think HSBC is doing a great job in the Banking security. I'm moving away from Citibank because they do not have this security device. If you cannot deal with some inconvenience then do not use online banking. Security and convenience is a MUST trade off. Forget about the Mobile phone authentication, "Do you trust your phone?". Who knows what apps are running and tracking the phone. If you really want a TRUSTED device and secure, use the external device and deal with the inconvenience or go back to the old days.

ST

2
25 September 2015
Nick O'Teen

Got it all set up after an intense 30 minutes, just logged on and did a "bank-to-bank" transfer of my entire balance to my faithful credit union, as soon as it goes through I will close this silly account.

3
2 March 2015
Seni

Hi, I use this device both on personal and business accounts since they were introduced and I never had any problems. It's easy to use and it works all the time!

4
18 October 2014
Chrissie

After two very frustrating periods spent on the phone, I wrote a letter ... then thought I'd try one more time. My unique access code, despite being copied and pasted into the box, kept coming up with 'incorrect number'. The last time I put it in (still copied and pasted) it worked. Then came the tussle with the secure key. After four goes, I did get a number and eventually, could see my account. Hallelujah! Do I really have to go through all that each time? I somehow don't think I'll be a customer for very long!

5
6 October 2014
bridgecross

I just received mine and I'm not even activating it. It's the last straw. I'll be moving my business to another bank.

6
7 July 2014
jane

Security device hell this is. Overcomplication and downright stupid process flow design.

7
1 February 2014
Alexandre

We are in 2014... in France... and the HSBC secure key is making me crazy... even their Customer Service is not reachable, why? because too many customers are complaining in the same time.

8
9 August 2013
cam

I got mine a month ago, and closed my account today. There is much too many steps involved in making a simple transaction. I signed up with ING who send a simple SMS code every time I want to transfer rather than HSBC's 'enter a pin, enter the number, enter a pin again, enter the number again'. It was the final straw that finally got me away from the worst bank in the world ... I feel liberated.

9
12 July 2013
willneedham

HSBC should have gone down the route of mobile phone app / authentication.

The secure key is a completely idiotic idea and not intune with what people want. It's impractical and inconvenient.

The sooner HSBC admit their mistake and dump it, the better. The fact they have invested millions in this is not a reason to continue.

I need to find a new bank which gets it right.

10
26 June 2013
fabienpenso

I had the worst experience with HSBC Secure Key, I detailed at <a href="http://blog.penso.info/2013/06/18/hsbc-secure-key/" rel="nofollow">http://blog.penso.info/2013/06...</a> and I feel sad because as you say Julia, I'm pretty convinced they won't step back or improve it.

11
15 May 2013
Rob

Internet banking is a huge convenience, but also a huge risk. Internet fraud is rife and we all pay for it in the end. A hardware key goes a long way to reducing the risk. To paraphrase David, if you use the internet for financial transactions, passwords and PINs are a way of life at the current level of technology. The "old way" might have been more convenient, but given that people have a tendency to write down PINs, this single layer of security was far from adequate. Many people have little idea of the risks of computer use. The greater the functionality, the greater the opportunity for the hacker.

I cannot comment on the fragility of the devices as I rarely carry mine around; I would never use an insecure wi-fi connection or an internet cafe for financial transactions. If we want the convenience of internet banking, the mandatory use of a hardware key would seem a small price to pay.

7 March 2015
Chris

Using an insecure wifi connection isn't actually a problem - you still have https security.

12
15 March 2013
David

These objections seem trivial when weighed against the threat of online fraud. Having to remember a second PIN code is an existing issue - as a web user you are required to remember many passwords - the solution is to use password management software, ideally installed on a USB drive. People need to take responsibility for their own security.

13
14 March 2013
Mark

HSBC are bringing these out in Australia now. We already use an online security device that generates random numbers but now these stupid keypads. I will be leaving for sure.

14
27 February 2013
Diego baulo

I hate the new secure key from HSBC. I've already had 2 break just by carrying them in my pocket! Having a different password all the time is also annoying especially as most people have to use passwords in most walks of their daily life. The old Internet banking was much easier and hassle free and this looks like an attempt to change something that didn't need mending. Get rid asap please, I wrote this whilst ordering my 3rd secure key!

15
27 May 2012
Thomas

If I cannot login to my Internet banking in order to make a payment, and therefore miss a deadline incurring a late payment fee, surely HSBC must be financially responsible for the late payment fee. If their new T&amp;C's remove their liability from the equation, then it can be said that by introducing the secure key as it is: (unreliable), it imposes a greater, more likely financial liability to the customer, which in itself is a contradiction for the alleged reasons of the introduction of the secure key.

Please read our full disclaimer for important information that relates to the service we provide and your use of this site.

We aim to provide free reviews and comparisons of consumer products and to keep our editorial content as objective as possible. To keep the site free, we are paid by some providers when new customers take products after they've clicked on our links. We don't allow our editorial content to be affected by those links, however we may not include all of the products available in the market. Finally, we do not submit or process any applications for any products or services and we cannot guarantee that any product or service listed on this website will be available to you. Credit providers make the final decision on whether an application for credit will be accepted.

If you would like to get in touch with us you can contact us here.