HSBC fires shot at two-factor authentication

The Gartner Summit is supposed to be a place to hear innovative thinking. But one banker appears to think it's still 1995.


Every now and then someone who should know better says something so stupid you have to wonder aloud. Is he/she being serious?

One of those moments arrived this week on reading a story published on ZDNet, which had obviously sprinted back from the Gartner IT Security Summit in London faster than did Pheidippides from the battle of Marathon.

Incredible news. HSBC’s Brendan Pickering reckons that two-factor authentication is securing some banks by inviting criminals to target banks that haven’t implemented the technology. It’s a zero sum game.

Lloyds TSB and Barclays have plumped for two-factor while HSBC, not coincidentally, hasn’t.

"Phishing and Trojan attacks have caused a number of banks to deploy [two-factor authentication] tokens. The deployment of such tokens, on their own, will in the short term redirect the attackers' efforts towards banks which do not deploy them,” he was quoted as saying. "Deployment of tokens alone will do no more than buy some time in a game of beggar thy neighbour."

That a bank with profits as gargantuan as HSBC can use the word “beggar” in any context is an offensive form of slumming it. That said, let’s take an opinionated angle on the facts. Internet scamming is probably now the most global industry on earth. There is no other I can think of where criminality is so incredibly devolved, literally taking in every country on earth, regardless of normal economic measures such as GDP, and proximity to markets.

It is a topsy-turvy economic model that has been founded on three huge opportunities:

1. The interconnectivity offered by the Internet, which makes it possible to find and exploit private information and financial resources at close to the speed of light.

2. The appalling levels of security, most prominently the security chaos that is modern banking.

3. The inability of legislators and police forces to do anything about it quickly enough.

There would be no fraud if the opportunity to steal wasn’t there, and it is the banks that have helped provide it with complacent “we’ll sort it later” attitudes to security.

The point about two-factor authentication, and indeed any investment in security, is not that it will stop the criminals forever, but that it increases the effort required by them, and thereby forces them to invest time and money. It buys a bit of time.

To suggest that it merely moves the problem elsewhere is only true if the industry has not taken on board this point in the first place. It is not really an argument at all. It is rank stupidity dressed up in a suit and tie.

In fact, HSBC has a better record than these reported comments would suggest, at least if you are a business customer. As we reported in April, it has rolled out anti-phishing tokens for this layer of its customers.

But this is not merely about HSBC protecting itself from fraud. It is about undermining a criminal industry that can now generate profits to spread even further, to diversify into new forms of crime that don’t directly affect HSBC, and start to consume ever larger amounts of honest money.

Global crime is now one of the three big issues facing the world, the other two being political violence and climate change. Of course, if you were sitting in an air-conditioned office insulated by layers of security guards, this might not have dawned on you. But it will, one day.
