HSBC accuses rivals of security 'arms race'

HSBC has criticised competitors using two-factor authentication, claiming that such tactics encourage hackers to target banks that haven't implemented similar measures.

Speaking at the Gartner IT Security Summit 2006, Brendan Pickering, group head of fraud technology at HSBC, accused rival banks of getting into an "arms race" approach to authentication.

Pickering argued that security measures such as two-factor authentication would "generate considerable revenues for the vendors, but are unlikely to resolve fraud and security problems for more than a limited time period".

Two-factor authentication relies on two forms of identification to better establish online identity, usually a password and a passcode that can be generated using an algorithm.

Barclays announced in August that it would roll out two-factor authentication next year, while Lloyds TSB completed a two-factor token trial in July.

Pickering argued that such tactics would only serve to focus attackers on online banks that do not distribute tokens. HSBC does not have a consumer two-factor authentication scheme.

"Phishing and Trojan attacks have caused a number of banks to deploy [two-factor authentication] tokens. The deployment of such tokens, on their own, will in the short term redirect the attackers' efforts towards banks which do not deploy them," said Pickering at the Gartner security summit in London.

"Deployment of tokens alone will do no more than buy some time in a game of beggar thy neighbour," he added.

Pickering predicted that attacks would switch to real-time phishing, where hackers use information harvested contemporaneously to launch an immediate attack.
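The two points reported above, that the passcode is generated by an algorithm and that attacks would shift to real-time phishing, can be seen from the verifier's side in the following added example, which is not part of the original article or any bank's code. It assumes the token follows the public TOTP scheme (RFC 6238) with 30-second steps; the secret is the RFC's published test value, and `TokenVerifier` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code; RFC 6238 default, assumed here


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 passcode: HMAC-SHA1 over the time-step counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Hypothetical server-side check: right code, current step, not yet used."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1

    def verify(self, code: str, now: int) -> bool:
        step = now // STEP
        if step <= self.last_used_step:
            return False  # this step's code was already consumed
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False  # wrong or expired code
        self.last_used_step = step
        return True


def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    verifier = TokenVerifier(secret)
    code = totp(secret, 59)  # what the customer's token displays at t=59s
    return {
        # Code harvested and tried two minutes later: rejected.
        "stale": verifier.verify(code, 179),
        # Same code submitted inside its 30-second step: accepted. The
        # verifier sees only the digits, not who typed them or where.
        "in_window": verifier.verify(code, 59),
        # Second submission of that code: rejected as already used.
        "reuse": verifier.verify(code, 59),
    }


if __name__ == "__main__":
    print(demo())
```

Expiry and single use defeat stored codes, but the in-window acceptance is the gap that has to be covered by other controls, such as the transaction monitoring the article goes on to mention.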

"In the UK many of the big banks have announced authentication schemes. The reason we haven't seemed to have done much is we haven't had the problems some of the other banks have. We've done authentication trials, but in the personal space we don't see much need to launch [a scheme]," said Pickering.

HSBC intends to address security questions through a "portfolio of controls applied at a number of different points in the service". Currently HSBC has a rules-based system for determining when transactions are suspect, but would like to move to a model-based system.

While tokens are currently widely used, research firm Gartner predicted on Tuesday that one-time passwords, especially delivered to phones via SMS, would become even more popular than they are at present.

Smart tokens, in the form of smart cards or smart USB tokens, would also be used more often, while public key infrastructures will become more popular when combined with one-time passwords for mobile use, according to Ant Allan, research vice president at Gartner.

Talkback

What a spectacularly stupid argument! They might as well ask why the other banks keep their money in safes - it's just encouraging thieves to steal it from the ones that leave money lying about on the floor.

20 September, 2006 10:39 Reply

I notice that their only concern is how they look, not the safety of their customers' money. And I notice their blindness that does not realise that their very statement reveals that they are behind the game, and asleep at the wheel.

20 September, 2006 13:51 Reply

Utter nonsense, they are already issuing tokens for business customers. It seems like they should look at what they are doing internally before slating others!

20 September, 2006 18:02 Reply

Pickering's arguments are horrible, and would make me close my account with HSBC if I had one.

20 September, 2006 22:24 Reply

I have to agree with the other comments. Surely the banks have a duty of care to give their customers the best protection they can, as quickly as they can.

If some banks are able to react quickly, then they should do it... If a bank can't react quickly to changes in security tactics, they shouldn't berate the others for caring for their customers, they should put efforts into making sure they can offer the same sort of protection for their own customers.

21 September, 2006 06:46 Reply

Careless HSBC support fraud on one hand and speak against it on the other.

Recently I read where in an India centre a guy detected major flaws in HSBC systems. Instead of checking it out immediately, they did not bother for two months. Reason: managers wanted the credit; the guy eventually left in disgust.

This is HSBC; they speak of world-class service and top management indulge in cheap tactics. These managers even falsely took action against him hoping to blackmail him into revealing; when he did not and stood his ground, they very quickly accepted his resignation against all norms, fearing their illegal actions would get out.

They could have saved hundreds of millions of pounds as the story says.

HSBC top guys are busy massaging their egos with that stiff upper lip and a supercilious smile, a legacy of the British.

Why do they need authentication, so blame hackers for their internal mess-ups.

24 September, 2006 06:14 Reply

After reading Mansur's comment, HSBC does not do its duty to its customers. It thinks it is doing them a favour. Fat cat managers, corrupt and useless, rule HSBC.

24 September, 2006 06:38 Reply

Of course he is entirely correct! The fact remains that Banks are entirely cavalier with customers' data and money.
Do not forget that they are first and foremost businesses which seek to minimise costs and maximise profits. Any form of security is seen as unnecessary cost until the fraud tipping point is reached. Chip and PIN was only introduced when the level of fraud was so great that the Banks could no longer sustain absorbing the cost and public opinion meant there was a loss of confidence in the plastic card.
Telephone and internet banking are seen as a way to maximise profits. Online is preferable as this does away with the need for call centres as the customer inputs the details rather than a member of staff.
The issue is that the means of authentication employed thus far is weak beyond description.
This chap is stating the obvious and whinging because HSBC will now get hit by fraudsters or have to absorb unanticipated cost.
I suggest he gets back to the office and deals with it.

25 September, 2006 09:10 Reply

Yes he ought to get back and deal with it.
If I'm not wrong it was plugging some loopholes that this guy's advice would have done, minor investment.

How come HSBC screwed up on this one, unless they talk more than they do things. Looks like any other shit company with politics and daggers drawn.

25 September, 2006 12:04 Reply

How could HSBC India be so corrupt minded they penalise an employee for refusing to tell his manager details of security flaws in their UK systems.

It is but natural to take credit for their work, I'm reading here it says two managers took action to blackmail him into parting with the info. Even top management have not rectified situation!!

So is this the world-class that they claim, no doubt their India service is pathetic, they don't understand and are repetitive. This is why, retain lousy guys throw out good guys who know their value.

26 September, 2006 11:01 Reply

Big talk by HSBC, India HSBC same as any cheap company. Snatch credit forget to block the security holes. How can they penalise an employee for not revealing details to a manager. Agree with you vicky, I got quite a shock.

World class HSBC throws out good guys retains, is that not what India is famous for - CORRUPTION. We have to disconnect and redial as English of most guys in India is very bad or they simply can't understand the problem. Now we know, they have a bunch of useless managers and arse kissing useless reps.......Cheapos

3 October, 2006 06:40 Reply
