Anger grows over HSBC's online banking 'Secure Key'

30 August 2011, 14:20   By Julia Kukiewicz

A YEAR and a half after its launch, HSBC's online banking security gadget Secure Key is still getting a kicking.

hsbc bank branch
Credit: Ttatty/

Secure Key is meant to protect against online fraud by requiring current account and credit card customers to enter a uniquely generated PIN number to log in.

But, after a botched roll-out, the device has proved fragile and susceptible to error and the bank's account holders have taken to Facebook, Petition Buzz and other sites to express their anger at the little calculator that couldn't.

The long running battle seems to be picking up pace - although HSBC have still failed to respond substantially to the complaints.

What's the problem?

HSBC Secure Key: second level authentication

Most financial services providers, as we review here, including Barclays and Nationwide have managed to introduce second level authentication for their online banking services without driving their customers mad.

It makes sense to have a system that doesn't rely on passwords which, inevitably, end up being written down or personal information, which can be easily obtained.

The problem is compounded if, to make them more secure, passwords are changed frequently. The more difficult to remember; the greater the chance they'll be noted down.

When Which? last looked into the safest online banking services HSBC came fifth.

The consumer group used the presence of a security device as a benchmark for success: the top four banks all used the devices.

"Customers are the first line of defence against online crime and can do a huge amount to ensure their accounts are safe from cyber criminals," said Chris Pilling, the head of HSBC's customer security development, at Secure Key's launch.

"Keeping your PIN and passwords secret is vital and this is why we have added the Secure Key to our range."

However, some aspects of the new security device were botched while others clearly hadn't been thought through from the perspective of customers.

Slow roll-out

HSBC didn't do themselves any favours by seemingly botching the roll out of Secure Key in March last year, leaving many unable to log in to their online bank accounts because they hadn't received a device.

Second PIN code

When they did get them, HSBC customers found three major flaws with the device.

First, it required a second PIN code to get the unique six digit passcode to access online banking, as opposed to using the card's normal ATM code as other banks do.

HSBC argued that a second PIN made Secure Key safer than rivals' card readers because PINs could be guessed or 'shoulder surfed' by fraudsters.

Many customers disagreed not least because having two PINs means having to remember two and increasingly the likelihood that they'll be written down or, if not written down, forgotten.

The latter is a particular problem in combination with the second fault.

hsbc secure key logon steps

Steps to log on to HSBC's online banking using Secure Key

Mandatory for login

At launch, HSBC immediately made Secure Key a mandatory part of logging in to online banking.

The little keys are tied to a particular person, too, leaving many households with several devices to keep track of.

With other banks, it's possible to skip the unique number process and log in with personal information and online banking PIN numbers alone, ideal if you're away from home or the device is lost or broken.

According to some reports, HSBC have been just as slow to replace the devices as they were at rolling them out in the first place which, given that there's no other way to log in, leaves consumers internet banking-less altogether.


Finally, the devices are reportedly too fragile to be carried around without smashing.

In light of the points above, this is a problem.

Will the revolt work?

For thoroughly irritated HSBC customers the next question is: are HSBC going to get rid of, or at least fix, Secure Key?

Answer: unlikely.

HSBC have spent millions on their newest gadget not only on the development and deployment of the technology itself but on marketing it and sending out details to HSBC customers.

What it could do, however, is initiate a number of small fixes which could alleviate the problems above.

A robust casing for the devices could help those that claim they're too fragile to take out, for example, and simply allowing customers to bypass the system, at least sometimes, and use a password to log in would leave many much less aggravated.

However, both solutions would mean HSBC spending much more money and losing face. It remains to be seen whether making their customers unhappy is incentive enough for them to do either one.

Comments (32)

Get insider tips and the latest offers in our newsletter

independent comparison

We are independent of all of the products and services we compare.

fair comparison

We order our comparison tables by price or feature and never by referral revenue.

charity donations

We donate at least 5% of our profits to charity, and we aim to be climate positive.