Security Through Absurdity

HSBC has always seemed to be the weirdest when it comes to logging in to their banking site.  To log in, you have a username, a password, and a security key – essentially, two passwords.  I’ve had an HSBC account for some time, and their little Java applet where you would enter your security key using the mouse was lame as hell.  If someone is watching over your shoulder, you can type your password pretty quickly and people probably won’t get it.  But if you’re clicking the mouse letter-to-letter, that’s as obvious as hunting and pecking your password with a single finger.

I have to assume it’s to prevent password capture from keyloggers, which is noble in its intent, just lame in its execution.  So HSBC changed up their login to something even more ridiculous. You still have your security key, but now, you enter random characters from it.


Can this be any more insane?  The first time, I couldn’t even log in.  I was stepping through my key letter by letter, counting the boxes and to be honest, I was using the wrong letters anyway.  I wouldn’t have made that mistake on the old login, because it was a keyboard pattern I was familiar with.

I think I understand the reasoning.  They want to inject some humanized processing of the security word.  What will be their next version of the login?  “Enter your security key… backwards.”  “Enter your security key… replacing all the letter A’s with underscores.” “Enter your security key… using capitals for lowercase and vice versa.”

Comments are closed.