HSBC and Abbey send clear message to phishermen

HSBC and Abbey have broken ranks with other UK banks and decided not to participate in a national push to supply online banking customers with two-factor authentication devices. 

While most of the major banks are laying plans to introduce an assortment of random-number generating systems as a supplement to basic password controls, HSBC and Santander subsidiary Abbey have decided to sit on the sidelines. 

Defending its stance to Finextra, HSBC says it is already satisfied with existing online safeguards and that its online losses are minimal. 

The UK move to supply consumers with Chip and PIN card readers at home is non-mandatory. At an economic level, the refuseniks will have weighed up the costs of supplying consumers with free card-readers against the level of losses they are prepared to sustain.  They may also take a view that the number generators are nothing more than a stop-gap device, incapable of protecting customers from more sophisticated 'man-in-the-middle' attacks.

Of course, consumers who are uncomfortable with the levels of security in place can always vote with their feet and move their online accounts to banks with more obvious safeguards in place. 

The fraudsters will do the same in reverse, modifying their behaviour and concentrating their efforts on institutions with less elaborate controls. 

This is supported by evidence presented in this paper, ‘Closing the phishing hole’, by Ross Anderson, professor of security engineering at Cambridge University.

Speaking at a recent conference in the US, Anderson observes that in the UK, one single bank took £30m of the £35m phishing losses sustained in 2006. According to investigators, the phishermen target this bank because of its lax internal controls, and above all its poor record of asset recovery: apparently it recovers only about 60% of stolen money compared with 75–95% for its competitors.  

The pattern is clear, says Anderson: “Rapidly rising fraud, with losses concentrated on banks that subject their online customers to fewer controls and that have less effective asset recovery teams.”

To be clear, neither of these assumptions necessarily applies to HSBC and Abbey.

But it's all about perceptions. The UK payments body Apacs has in the past done a decent job in moving the industry forward and presenting a strong united front to customers and the criminal fraternity. HSBC and Abbey's failure to play ball shatters the illusion of unanimity and sends out confusing mixed signals about the confidence of the banking industry in its ability to protect customer accounts from crime.