Expert Questions HSBC’s Online Banking Security Measures

The introduction of new security software and the decision to allow customer IDs to be saved in the browser have come under scrutiny from security experts

Questions have been raised over some of the security measures introduced by HSBC to protect online banking customers, including the decision to allow the customer's user ID to be saved in the browser.

In a statement released this week, HSBC announced that it has introduced a security application called Rapport from tech company Trusteer – based in the US and Israel – for download by its customers. Despite being frequently described as “new software” in the HSBC statement, Rapport is already being used by several other banks including RBS, Alliance and Leicester and Natwest, according to Trusteer.

Commenting on the availability of Rapport to its customers, HSBC’s digital security manager Nick Staib said that downloads of the software had surpassed expectations. “I am delighted that so many customers share our interest in keeping personal and banking details safe,” he said. “Rapport is software that I use myself and I am happy recommending to friends.”

According to Trusteer and HSBC, Rapport works by “locking down browsers to prevent unauthorised access to web pages and to the confidential information that flows through the browsers”.

But despite the recommendation by HSBC, and Trusteer's own claims, security experts have questioned some earlier claims made for the software. Graham Cluley, a consultant at rival security specialist Sophos, said he would not comment on how effective Rapport was, but referred to an earlier blog posting about RBS's claims for the software.

Cluley raised concerns about claims made for Rapport on RBS's website when that bank rolled out the software last April. Sophos's concerns related to a comparison of anti-virus software produced by Okie Island Trading Company (OITC) – which describes itself as an engineering company – whose results Sophos said were neither accurate nor representative.

“If you dig a little deeper into the methodology used by OITC to come up with the results – published by RBS on their page promoting a security add-on called Rapport – then you actually find that the methodology is flawed, and that these test scores are about as useful as a chocolate teapot,” Cluley wrote on his blog at the time.

Cluley also questioned HSBC's decision to allow banking customers to save their user ID in their browser. Rather than entering the ID every time they access the site, users can choose to have their browser remember it.

“Certainly I wouldn’t feel comfortable if my online banking password was being remembered for me in this fashion,” he told eWEEK Europe UK. “A home computer may not be ‘public’ or ‘shared’, but it can still be stolen or a dodgy workman might have access to it. My suspicion is that security and usability have once again had a wrestling match, with those who want less support calls from forgetful consumers winning.”

Responding to the concerns, a spokesperson from HSBC’s security team said that the user ID wasn’t part of security measures but merely for identification. “The user name is not a password – it is simply a (unique) reference by which the customer can tell us who they are,” the spokesperson explained. “They then ‘prove’ who they are (‘authenticate’) by supplying the expected random character challenge.”

The spokesperson also claimed that the risk of the ID being stolen by keylogging software was greater than the chances of a home PC being accessed by someone other than the owner. “The second point is that the threat from key grabbing malware is greater these days than from a second user of the PC (eg domestic fraud) exploiting the fact that they may not need to enter another person’s IB number,” the spokesperson said. “Bearing this in mind, not typing in the User ID means not exposing it to this new risk. So what appears riskier becomes the safer option.”
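The exchange the HSBC spokesperson describes above, as an added illustration that is not HSBC's or Trusteer's code: a non-secret user ID selects the customer record, and the customer is authenticated by answering a challenge for randomly chosen characters of a memorable secret. The challenge format (three random 1-based positions of the secret), the sample user ID and the sample secret are all assumptions constructed for the example, not a description of HSBC's actual system. The last function models the spokesperson's keylogger argument: what a keystroke logger captures from one login differs depending on whether the ID was typed or filled in by the browser.

```python
"""Simulation of a login where a public user ID identifies the customer and a
random partial-secret challenge authenticates them (illustrative example only).
"""
import hmac
import secrets

# Constructed sample data: the ID is a reference, the memorable answer is the secret.
USERS = {
    "IB12345678": "correcthorse",   # hypothetical customer record
}


def issue_challenge(secret_len: int, k: int = 3, rng=secrets.SystemRandom()) -> tuple:
    """Pick k distinct 1-based positions of the secret, returned in ascending order.

    Uses a CSPRNG so an attacker cannot predict which positions will be asked for.
    """
    if not 1 <= k <= secret_len:
        raise ValueError("k must be between 1 and the secret length")
    return tuple(sorted(rng.sample(range(1, secret_len + 1), k)))


def expected_response(secret: str, positions: tuple) -> str:
    """The characters of the secret at the challenged positions (what the customer types)."""
    return "".join(secret[p - 1] for p in positions)


def authenticate(user_id: str, positions: tuple, response: str) -> bool:
    """Look up the customer by ID and check the response to the challenge.

    The ID only selects the record; knowing it proves nothing. The response to
    the challenge is the credential, compared in constant time.
    """
    secret = USERS.get(user_id)
    if secret is None:
        return False
    if any(p < 1 or p > len(secret) for p in positions):
        return False
    want = expected_response(secret, positions)
    return hmac.compare_digest(want.encode(), response.encode())


def keylogged_view(user_id: str, positions: tuple, response: str, id_saved_in_browser: bool) -> dict:
    """What a keystroke logger learns from one login.

    Only typed characters are captured: a browser-filled ID never passes through
    the keyboard, and the response exposes just the challenged positions of the
    secret (the positions themselves are assumed visible on screen).
    """
    return {
        "user_id": None if id_saved_in_browser else user_id,
        "secret_chars": dict(zip(positions, response)),
    }


if __name__ == "__main__":
    uid, secret = "IB12345678", USERS["IB12345678"]
    chal = issue_challenge(len(secret))
    resp = expected_response(secret, chal)
    print("challenge positions:", chal, "-> authenticated:", authenticate(uid, chal, resp))
    print("keylogger sees (ID typed):   ", keylogged_view(uid, chal, resp, False))
    print("keylogger sees (ID in browser):", keylogged_view(uid, chal, resp, True))
```

Run stand-alone, the script shows that a single logged login yields at most three characters of the twelve-character secret, and the user ID only when it was typed; whether that trade-off favours browser-stored IDs, as the spokesperson argues, or a stolen-machine scenario, as Cluley argues, is exactly the disagreement in the article.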

Despite concerns from rivals such as Sophos, Rapport received a "Best Of The Web" award from the Online Banking Report publication in 2008. "Due to its flat-rate pricing, quick installation process and seemingly low impact on computer performance, Rapport is a good candidate for rolling out to your entire customer base, at least for large financial institutions," Jim Bruene, editor and founder of Online Banking Report (OBR), is reported to have said.

OBR also examined Rapport and other banking security software in a 2008 report, New Techniques for Secure Online Finance, in which it concluded: “the problem with all these solutions is that they saddle the user with extra work and the bank with extra tech support. That’s why banks are unlikely to mandate their use. However, for the 20 percent or more of the market willing to do a little extra work for greater peace of mind, these solutions hold real promise”.

HSBC customers were unable to access the online banking facility or use ATM cash machines in January, after the bank confirmed it had suffered a problem with its mainframe computer.