HSBC to issue security tokens to its customers


Comments

  • denthomp
    denthomp Posts: 1 Newbie
    edited 21 June 2011 at 10:56AM
    Sent this to servicequality@hsbc.com today after asking to opt out over the phone which apparently you cannot do:

    Dear Sirs,

    My details as follows:
    Name
    Acc No: ****
    Sort Code: ****

    I have been an HSBC account holder for around 25 years. I have used your internet banking since it was first introduced and found yours to be far easier and clearer to use than any other bank or credit card website I have used. As such it is regrettable that I feel I will no longer continue to use your services due to the introduction of your secure key.

    I spoke to an HSBC representative this morning to express my concerns, and asked if I could opt out of this scheme but was told it was mandatory.

    Here are the reasons I do not want to use the new Secure Key:

    • I have never had a single security issue whilst using HSBC online or otherwise and see no reason I should have a problem in the future.
    • Inconvenient – I log on from home, work and family's homes, so this would mean carrying the secure key with me at all times, meaning there is a chance of losing it and not being able to log on at all, and it is another thing to have to remember to take with me.
    • My partner has one as well so there’s a chance they will be mixed up.
    • No one other than myself has access to my current log in or password and this is not kept anywhere other than in my head so it is already secure enough.
    • At a time when interest rates are so low I would much prefer my bank to offer customers better rates rather than spending what must be a huge amount of money producing, implementing and posting these devices in a glossy card holder.

    Please advise me as to whether this is something I can opt out of and continue to use HSBC online in the future.

    Otherwise I will be taking my business elsewhere over the coming months. I expect I am not your only customer that is not happy with this, so should you stop using the secure key due to customer loss/technical problems in the future please do let me know so I may consider carrying out my internet banking with you again.


    Sincerely,
  • grimsalve
    grimsalve Posts: 593 Forumite
    Part of the Furniture 500 Posts
    I contacted HSBC about these Secure Keys a while back when it was first announced. The woman I spoke to said there is a way to opt out - by agreeing to not use the online service any more :mad:

    I had the warning letter last week but not received my key yet (I'm guessing once the key has been sent then the online system will keep nagging you to upgrade and then eventually force you to). I usually only access HSBC online from home anyway so I don't think it will make that much difference to me - I don't think I'll bother carrying the key with me everywhere I go.

    I'm not keen on this new system but I guess I'll get used to it eventually, changing to another bank just sounds like too much hassle.

    I am concerned that this new system is potentially putting even more liability on the customer though.
  • Well, just got mine.

    Didn't ask for it. Didn't want it. Can't opt out of it.

    I can however change my account and let somebody who listens to me, earn some interest on my money.

    Bye HSBC!!!
  • NFH
    NFH Posts: 4,413 Forumite
    Part of the Furniture 1,000 Posts Photogenic Name Dropper
    denthomp wrote: »
    I have never had a single security issue whilst using HSBC online or otherwise and see no reason I should have a problem in the future.
    You've missed the point. It's not about whether you've had a security issue, but whether HSBC have experienced security issues. They are protecting their own interests more than they are protecting yours. HSBC are absolutely right to introduce two-factor authentication but they are wrong to require it simply to log in. Two-factor authentication should be required only to make outgoing payments, and probably only payments to new payees. That's where you should be focussing your complaint.
  • efundz1 wrote: »
    I quite like the idea of us all claiming to be overseas, however I am sure they could monitor login via IP addresses, but I can't see why we couldn't through a concerted effort create some kind of petition... anyway I do hope like others that they reconsider the need to make its use compulsory for internet banking and simply offer an opt out option with restricted access and transaction privileges as with Barclays and the basic login access!


    Well, if any of you think it might just make a difference... here is a petition that I have set up. I'll see how it goes and forward the results to the relevant parties of the HSBC (should we all agree to do so!)..

    Sign up (or not) here.. (note: I've had to split up the web address as I'm not allowed to post links... just delete the spaces in between)


    petitionbuzz .com / petitions / hsbc
  • boxrick
    boxrick Posts: 165 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Well, if any of you think it might just make a difference... here is a petition that I have set up. I'll see how it goes and forward the results to the relevant parties of the HSBC (should we all agree to do so!)..

    Sign up (or not) here.. (note: I've had to split up the web address as I'm not allowed to post links... just delete the spaces in between)


    petitionbuzz .com / petitions / hsbc

    I googled "petitionbuzz hsbc" and it was second link down.
  • heloid
    heloid Posts: 472 Forumite
    Part of the Furniture Combo Breaker
    masonic wrote: »
    Surely all they'd need to do is bounce a customer over to a verification page when they set up a new bill payment or modify their personal details. Seems no reason why it would be more difficult to hook in a verification page at that stage rather than at login.

    Never this simple.
    For one, they might be using an out of the box application which they can't just change simply without a 3rd party or the security mechanism would need to be wholly rewritten to accommodate because it never had this in mind at the start.

    If it were possible to make the changes there is a whole lot more business analysis required to sort out where and when you are authenticated to do what (and for how long), you have to do full regression testing as well as testing the new functionality to make sure you don't break anything existing, etc etc.

    Putting an extra step in the existing authentication negates all of that and uses the existing session security, one use case scenario changed, relatively minor testing and bam, you're done.

    Banks are completely risk averse and won't make changes unless they really have to (look at First Direct's internet banking for instance).

    If some senior manager told me to implement the secure tokens as cheap/quickly as possible (aka, just get it done) I know what I would do (speaking as a software IT project manager).
  • masonic
    masonic Posts: 27,301 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    heloid wrote: »
    Never this simple.
    For one, they might be using an out of the box application which they can't just change simply without a 3rd party or the security mechanism would need to be wholly rewritten to accommodate because it never had this in mind at the start.

    If it were possible to make the changes there is a whole lot more business analysis required to sort out where and when you are authenticated to do what (and for how long), you have to do full regression testing as well as testing the new functionality to make sure you don't break anything existing, etc etc.

    Putting an extra step in the existing authentication negates all of that and uses the existing session security, one use case scenario changed, relatively minor testing and bam, you're done.

    Banks are completely risk averse and won't make changes unless they really have to (look at First Direct's internet banking for instance).

    If some senior manager told me to implement the secure tokens as cheap/quickly as possible (aka, just get it done) I know what I would do (speaking as a software IT project manager).
    But they are already doing what I suggested by reauthenticating the customer when they set up a new payee as well as asking for those details at login. All I'm saying is don't do it at login. Surely that is simpler?
  • Nice to see some people are signing the petition.

    I think "Sharky Oleary" might have missed the point! Real names need to be put on an official petition and the comment "don't contact me" is not relevant to HSBC (or is it?!?!?)..I kind of get the feeling that comment may have been directed at the petition host...i.e. me.. If so, a little rude in light of the fact that it's an open petition and I have opened this as a little bit of help for others and gain nothing from it...
  • Toreador
    Toreador Posts: 51 Forumite
    Part of the Furniture Combo Breaker
    NFH wrote: »
    They are protecting their own interests more than they are protecting yours.

    Exactly.
    But the amount of money I put their way, I want a bank that will protect my interests as much as their own.
    I could put up with the inconvenience if they paid some interest on my account!
This discussion has been closed.