Imagine: you walk into your local bank and find it's removed all of its security devices. No guards. No cameras. No plexiglass barriers between you and bank personnel.
The teller says, "Thank you sir for visiting our bank today. I would like to issue you our new security device." First you fill out a form stating that you've received the device, then she hands you a billy club. "Sir, if anyone tries to rob you or the bank, please use your club to defend yourself. Thank you buh bye."
Sound silly? Well, that's how the world's second largest bank has chosen to address problems with its Online HSBC service.
According to antispam and email security firm CipherTrust, HSBC (or more specifically, its customers) is the target of approximately five percent of all phishing attacks worldwide. "Phishing," as HSBC defines it, is "a scheme used by Internet cyber-criminals to 'lure' you into providing your personal and financial information online."
HSBC's anti-phishing site goes on to say that "the fraudsters create email masquerading as banks, credit card companies, online auctions, and department stores looking for you to update personal information."
Instead of utilizing the software and tactics offered by security vendors to upgrade their level and quality of protection, HSBC chose to put the burden on another party: you. Now, every time HSBC customers want to add a new transfer account to their Online HSBC account, they must snail-mail a paper request form, which then takes seven to 14 days to process.
HSBC decided that they should indeed improve their security--and again put the burden on its customers instead of itself. To this end, it is issuing all Online HSBC customers with what it has creatively titled "the Security Device."
"The Security Device has been selected by HSBC as the technology that best meets our customers' need for flexibility and portability, and our business volume requirements," the bank's FAQ on the device says.
The Device is about the size of a large keychain fob. Synchronized with HSBC's server, each time a customer wishes to login, he or she presses the button on The Device to generate a number. At login, the customer enters their username, password, and this number.
The FAQ addresses six questions, but the Grouch has thought of a few more:
1. What if I had a five-year-old at home who thinks seeing the numbers pop up on this thing is really cool, then presses it about 100 times before I realize it and then can't sync with HSBC's server?
2. How long will it take to replace this fine piece of technology when customers lose or break it, especially for those of us that don't live in Hong Kong?
3. Why is this our responsibility and not HSBC's?
HSBC has been trying to rid itself of its non-corporate clients for the last few years now by raising fees, closing branches to create longer lines and great inconvenience, and raising the bar for new consumer customers. Because HSBC owns approximately 70 percent of Hang Seng Bank, in Hong Kong it would prefer to see individuals use those ATMs, and keep the big corporate folks for itself.
The Device, which the Grouch hasn't received yet, doesn't meet his need for flexibility and portability. Being able to open up a secure connection on a browser and login using a password does. Having to fish out the anti-phishing device every time the Grouch wants to login, is a complicated step for most customers that will eventually lead to problems and the temporary inability to access Online HSBC, a service upon which many of us rely for our personal finances.
Here are some alternate solutions: ask to verify information other than the password. Although phishermen ask for a complete set of personal data, the usual forgotten password questions, like pet's name, place of birth, or mother's maiden name are not usually included, and could be used for simple verification.
Also, force passwords to expire. Every 30 days, when the customer logs in, they are alerted that it's time to enter a new password. And for any transaction beyond a certain limit, or to add a new account, the online part of the application or transfer process must be followed by a phone call. These are answers that don't break, don't change, and with which a five-year-old can't tamper, but could understand.
HSBC's service has been invaluable to the Grouch personally, but a clunky solution to a serious problem doesn't develop good security habits in customers, and doesn't lighten the security load for anyone but the bank itself.
Steven Schwankert is a former editor of Computerworld Hong Kong, based in Beijing. He can be reached at firstname.lastname@example.org