Dodgy HSBC Authentication

Posted April 24, 2017; 2 min read

I don’t trust HSBC’s method of authentication for their online banking website. Well, at least not one of them.

HSBC allows two forms of authentication. The first involves using a keypad that hopefully provides similar security to Google Authenticator or Duo. This grants the highest level of privilege over your bank account and lets you make payments to new payees.

The other form of authentication is the one I (and others) take issue with. HSBC lets users log on to their online banking (with fewer privileges) when they provide the answer to a memorable question plus certain characters of their password (for example, the 2nd, 5th and 9th). HSBC (and others) do this in order to protect against keyloggers.

(Screenshot: HSBC's online authentication page)

The problems

The solution

Firstly, don’t answer your secret questions correctly! Instead, get your password manager to generate a random string and use this as the answer to your secret questions. The real answers to most security questions (e.g. "Who was your first employer?") are probably public knowledge and, if not, they may already have been compromised elsewhere.

Secondly, it is especially important not to reuse your HSBC password anywhere else. If HSBC experiences a password breach, your password might be recoverable (it cannot be stored as a one-way hash if the site is to check individual characters of it), and attackers could then access other accounts that use the same password.
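To make the storage consequence concrete, here is an added example (my own illustration, not HSBC's code or anything from the original post) that models both login schemes described above. A partial-character prompt can only be verified from a record that holds the password in recoverable form, whereas a salted, iterated hash can verify the whole password but tells a thief nothing directly if the store leaks. It also includes the random-answer generator the first piece of advice calls for. The sample password, the memorable answer and the function names are all constructed for this demonstration.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample credentials for the demonstration (not real account data).
SAMPLE_PASSWORD = "correct-horse-battery"
SAMPLE_ANSWER = "Smith"  # the kind of guessable real-life answer the post advises against


# --- Scheme 1: partial-password login (the kind of prompt the post criticises) ---

def choose_positions(password_length, count=3):
    """Pick `count` distinct 1-based character positions to ask for, as a
    'enter characters 2, 5 and 9 of your password' prompt does."""
    rng = secrets.SystemRandom()
    return sorted(rng.sample(range(1, password_length + 1), count))


def partial_server_record(password):
    """What the server must keep to answer a per-character prompt: the password
    itself (or something equivalent from which any single character can be
    recovered). A one-way hash cannot serve this prompt."""
    return {"scheme": "partial", "password": password}


def verify_partial(record, positions, supplied):
    """Check the characters typed for the requested positions. This only works
    because the record holds the recoverable password."""
    expected = "".join(record["password"][p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), supplied.encode())


# --- Scheme 2: full-password login against a salted, iterated hash ---

def hashed_server_record(password, iterations=200_000):
    """Store only a PBKDF2-HMAC-SHA256 digest plus the salt and work factor."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": iterations, "digest": digest}


def verify_full(record, candidate):
    """Recompute the digest for the whole candidate password and compare in
    constant time. There is no way to check three characters in isolation here."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def breach_exposes_password(record):
    """If the credential store leaks, does the thief get the password outright?
    The partial scheme's record contains it; the hashed record contains only a
    one-way digest, which is why password reuse is the bigger danger with the
    former."""
    return "password" in record


# --- The post's first piece of advice: random answers to memorable questions ---

def random_secret_answer(length=24, alphabet=string.ascii_letters + string.digits):
    """Generate an answer to keep in a password manager instead of a real fact."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    partial = partial_server_record(SAMPLE_PASSWORD)
    asked = choose_positions(len(SAMPLE_PASSWORD))
    typed = "".join(SAMPLE_PASSWORD[p - 1] for p in asked)
    print("partial prompt for positions", asked, "->", verify_partial(partial, asked, typed))
    print("partial record leaks password:", breach_exposes_password(partial))

    hashed = hashed_server_record(SAMPLE_PASSWORD)
    print("full-password check:", verify_full(hashed, SAMPLE_PASSWORD))
    print("hashed record leaks password:", breach_exposes_password(hashed))

    print("random answer to 'Who was your first employer?':", random_secret_answer())
```

The point the two `breach_exposes_password` calls make is the one the post relies on: the per-character prompt forces the bank to keep something reversible, so the right response on the customer's side is a unique password for that site and manager-generated nonsense for the memorable questions.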