Dodgy HSBC Authentication

Posted April 24, 2017; 2 min read

I don’t trust HSBC’s method of authentication for their online banking website. Well, at least not one of them.

HSBC allows two forms of authentication. The first involves using a keypad that hopefully provides similar security to Google Authenticator or Duo. This provides the highest level of privilege to your bank account and lets you pay new people.

The other form of authentication is the one I (and others) take issue with. HSBC lets users log onto their online banking (with fewer privileges) when they provide the answer to a memorable question and certain characters of their password. HSBC (and others) do this in order to protect against key loggers.

HSBC's Online Authentication Page

The problems

  • Your password cannot be stored as a salted hash (the industry standard): to check three individual characters, the server must keep the password in a reversible form.
  • You cannot easily use a password manager.
  • Memorable questions and answers are bad. They are easy to guess (check my LinkedIn to determine my first employer) and if they are leaked, you cannot change them without lying (similarly to how you cannot change your fingerprint).
  • It potentially reduces the strength of your password as attackers need only guess three characters (once they have your memorable answer).

The solution

Firstly, don’t answer your secret questions correctly! Instead, get your password manager to generate a random string and use this as the answer to your secret questions. The real answers to most security questions (e.g. Who was your first employer?) are probably public knowledge and if not, they could have already been compromised.

Secondly, it is especially important not to reuse your HSBC password anywhere else. If HSBC experiences a password breach, your password might be recoverable (as it is not hashed) and attackers could access other accounts that use the same password.
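To make the two points above concrete (the "not hashed" problem from the list and the random secret-question answer from the solution), here is a small model added for this post; it is not HSBC's code and nothing here describes their actual implementation. It contrasts a store that keeps only a salted PBKDF2 hash (which can verify nothing but the complete password) with a store that can answer a "characters 2, 5 and 9" challenge (which must keep the password recoverable), computes how many guesses a three-character challenge leaves versus a full password, and generates a random answer for a memorable question. The iteration count, password, alphabet and challenge size are constructed assumptions.

```python
"""Constructed model of the two login designs discussed in the post (not HSBC's code)."""
import hashlib
import hmac
import math
import os
import secrets
import string

ITERATIONS = 200_000  # PBKDF2 work factor; an assumption, not any bank's real setting


class HashedPasswordStore:
    """Industry-standard design: only a random salt and a slow, one-way hash are stored.
    The server can check a complete password and nothing else."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ITERATIONS)

    def verify_full(self, candidate: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, ITERATIONS)
        return hmac.compare_digest(cand, self.digest)  # constant-time comparison

    def verify_partial(self, positions: list[int], chars: str) -> bool:
        # Impossible by design: the hash covers the whole string and cannot be reversed,
        # so there is no way to test three characters in isolation.
        raise NotImplementedError("a salted hash cannot verify individual characters")


class PartialPasswordStore:
    """What a 'enter characters 2, 5 and 9' login needs: the password in a reversible
    form. Modelled here as plaintext; reversible encryption has the same consequence
    once the server (and its key) is compromised."""

    def __init__(self, password: str):
        self.password = password  # recoverable by anyone who reads the store

    def challenge(self, k: int = 3) -> list[int]:
        """Pick k distinct 1-based positions the user must supply."""
        rng = secrets.SystemRandom()
        return sorted(rng.sample(range(1, len(self.password) + 1), k))

    def verify_partial(self, positions: list[int], chars: str) -> bool:
        expected = "".join(self.password[p - 1] for p in positions)
        return hmac.compare_digest(expected.encode(), chars.encode())


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an attacker must try to exhaust `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)


def random_memorable_answer(length: int = 20) -> str:
    """A random string to use as the 'answer' to a memorable question, as the
    post recommends; unlike a real first employer it is secret and replaceable."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    pw = "Tr0ub4dor&3xyz"  # constructed sample password, 14 characters
    hashed = HashedPasswordStore(pw)
    print("full password accepted:", hashed.verify_full(pw))
    try:
        hashed.verify_partial([1, 3, 5], "T0b")
    except NotImplementedError as e:
        print("hashed store:", e)

    partial = PartialPasswordStore(pw)
    asked = partial.challenge()
    print("challenge positions:", asked)

    # Guessing work for a 62-symbol alphabet (letters and digits):
    print("3-character challenge:", guess_space(62, 3), "guesses,",
          f"{entropy_bits(62, 3):.1f} bits")
    print("14-character password:", guess_space(62, 14), "guesses,",
          f"{entropy_bits(62, 14):.1f} bits")
    print("random memorable answer:", random_memorable_answer())
```

The point the numbers make: once the memorable answer is known, a three-character challenge over letters and digits leaves only 62³ = 238,328 possibilities (under 18 bits), whatever the length of the full password; and the only reason the server can score that challenge at all is that it holds the password in recoverable form.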