Online banking – do we want safety over convenience?

Are you willing to swap a bit of speed and convenience when banking online if it means the process is safer? There’s always some trade-off, but some banks are dealing with the problem better than others…

When it comes to financial fraud, consumer protection in the UK is fairly good.

The onus is on banks and other financial providers to create systems that will protect their customers. So, for those of us unlucky enough to become a fraud victim, our bank or lender should be there to pick up the bill.

Given the balance of responsibility, it’s no wonder that banks have invested heavily in creating more secure online banking facilities in recent years.

Who enjoys jumping through security hoops?

But for every extra security check, there’s a trade-off in terms of customer convenience; something that some banks have dealt with better than others.

Almost all banks now require you to use a card reader or small key pad to generate a security number when you log in to your online banking facilities; a hoop that few people enjoy having to jump through.

HSBC, which has been my bank for more than 15 years, became the latest to introduce its own version of this technology earlier this year. So customers like me can no longer access our accounts online without the help of a small device that’s easy to lose and never with you at the moment you need it.

Unfortunately, unlike many of its rivals, HSBC has not provided customers with an alternative way to log in to their accounts when they don’t have their ‘Secure Key’ device to hand. Other banks who have adopted similar technology only insist on customers jumping through these extra hoops when they’re using their online banking facilities to carry out a transaction.

For those who simply want to check their balance and look at statements, it’s possible to log in using ordinary passwords and security questions.

Banks need to find a better balance

I wouldn’t mind about the inconvenience if I felt that HSBC’s new technology was lifting its online security to a new level. But, as our online banking security report in Which? magazine shows this month, HSBC remains average for banking security, with a score of just 58%, and still has plenty of room for improvement.

In fact, all the banks have a long way to go. Nationwide, which topped our tests, only achieved a score of 69%.

There is always a balance to be struck between security and convenience, but that balance has not been achieved quite yet. Internet banking has become increasingly inconvenient without becoming markedly more secure. It’s time for our banks to have a rethink.


I’ve been using internet banking both with UK and Continental Banks now for several years and it’s a real bonus.
I can understand the need for security measures but quite honestly, these new electronic keys are a pain. I travel to and from the continent regularly and these small keys have to be carried around and kept safe.
Woe betide you if you mislay the key (usually when you desperately need to log on); the hassle that follows is very off-putting. Personally, I would prefer fewer gadgets and a return to memorising the codes.

Internet Banking says:
20 August 2011

HSBC providing lots of security in e-banking, providing digital signature in e-checks. And lots of protocols to send important data via network in different layers…

omotn says:
21 August 2011

HSBC has produced an advertisement featuring a puzzle box which completely frustrates its owner and denies access to the savings. Bit like their security system really.

Dr B C Conochie says:
21 August 2011

For a number of years I have been using a random 6 figure number generator supplied by Lloyds to access my account on line. It lives in a drawer near to my PC and as I never use a mobile phone to access my account it is always readily available. The number changes every 30 seconds, so I think this must be a very secure method of operating one’s account on line.

Peter Hulse says:
23 August 2011

Yes, I have the same thing from HSBC. It works fine, so long as you accept the limitations of effectively doing all your financial business from one computer.

But I don’t understand how HSBC’s system knows the number that has been generated. Perhaps not so random?

They are not “real” random numbers, just pseudo-random numbers. 2 devices can be synchronised so that they produce the same series of pseudo-random numbers as long as both know the seed number (PIN) that is being used.
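How a token and a bank's server can show the same changing number without talking to each other, as an added example that is not part of the comments above. It uses the public TOTP algorithm (RFC 6238) purely as an illustration; that the Lloyds or HSBC devices work this way is an assumption, and the key is the RFC's published test key.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the code changes every 30 seconds

# Test key published in RFC 6238; a real token holds a per-device secret
# that is also stored by the bank (assumption for this illustration).
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Derive the code for the 30-second window containing unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, server_time: int,
           drift_steps: int = 1) -> bool:
    """Server side: recompute the code, tolerating small clock drift."""
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, server_time + step * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    code = totp(SECRET, 59)  # what the token displays at t=59s
    print("token shows:", code)
    print("server at t=65 accepts:", verify(SECRET, code, 65))
    print("server at t=200 accepts:", verify(SECRET, code, 200))
```
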

Bob Payne says:
26 August 2011

Really good security should require something you have, something you know and something you are. Unless every device used to access systems has finger print or iris readers we cannot do the last of these. However we should not stint on the first two. Just requiring passwords and other data to be typed in does not give adequate security. You must add something like a card reader to read your banking debit card to give anything like satisfactory security. It annoys me intensely that the banks have yet to get together and agree on a common standard for such devices.

Clive says:
9 September 2011

I am amazed that Nationwide tops the poll. I have moved my personal banking to First Direct and my business banking to HSBC.
The problem with Nationwide is that often you have to use the card reader to confirm every transaction which was driving me to distraction. It got to the point where we’d had enough and despite many emails and complaints to Nationwide they weren’t interested in listening.
In our opinion the security at First Direct is good and at HSBC is excellent.
If Nationwide top the poll for security then Which have got it very wrong.

Robert says:
10 September 2011

Received a new card in connection with my Tesco savings account, had to phone them to get it activated, which is fair enough. They launched into a long explanation of their new security system which requires a new PIN and password. But I kept getting passed around and had to identify myself four times. I think this is ludicrous, I’ve always been a fan of Tesco but now I’m considering closing my account. I mean, twenty minutes on the phone, I really have better things to do.

trott3r says:
20 September 2011

Do users of non-Windows machines really need this since we are not infected by viruses etc?

i.e. Linux and Mac to a large extent along with other OSes

I don’t like having more hoops to jump through when I don’t use such a computer.

No computer system is invulnerable to viruses, whether they be Mac/Linux or anything else. Anything produced by one man can be broken by another (and given that Linux is open source I would say that the ability is even greater than for, say, Windows which in theory at least has some form of protection).
The only reason that Windows is the main interest for hackers and crackers is that it is generally the first option for PC buyers, particularly the less technically minded 90%. If you have a Linux system you probably have some technical knowledge so may be less likely to fall for attempts to load malware.
Windows’ market share brings with it the greater risk of being attacked. This does not mean that it is impossible that other systems will be infected.
The only way to categorically ensure that your computer cannot be infected after purchase is to never ever connect it to another device or load software/data from some form of external media. And even then, you can’t be totally sure that something extra hasn’t been loaded at the manufacturing stage or (getting paranoid) in the shop which sold it to you.

Yes, perhaps I am extra cautious (and I have used Apple & Mac systems) but I’d rather pay a modest amount and accept a small performance cut to reduce the risk that my system will be compromised at some point in the future which would cost me a lot more in just time alone.

trott3r says:
22 September 2011

Yes, I agree no computer is invulnerable but Linux has a better user account/root account setup than Windows seems to have and is less likely to be infected.

I agree that novice users are easier targets and are more likely to use Windows rather than Linux but there are plenty of novice Mac users that are just as easy to target.

To me this keypad system should be optional rather than being forced on more experienced users like me who are very unlikely to be infected.

Another reason for me to leave HSBC along with their laughable complaints procedure.

trott3r wrote “To me this keypad system should be optional rather than being forced on more experienced users like me who are very unlikely to be infected.”

Fair enough – as long as you also waive any right to compensation from the Bank in the case of any fraud which could otherwise have been prevented.

We are all fallible and make mistakes – a bit of technological inconvenience is to be welcomed if it saves us from ourselves!!

As use of the keypad is part of HSBC’s Terms & Conditions, you are doing the right thing in moving your business to another bank whose requirements meet your needs.

I agree absolutely, Russell. Fraud costs money and ultimately other customers will pay the costs of investigation and any reimbursement of funds.

Peter says:
27 March 2012

Let’s remember that most of us use banks to hold OUR cash. The modern system of financial transactions makes it almost imperative that we have a bank account, but the Banks are making money by USING OUR cash. They have a duty to secure it but passing that responsibility back to us is simply a way of minimizing their liability in looking after OUR cash securely.
When I want to use Internet banking I have to go through a secure log on procedure just to open my computer. There is a second layer of security when I access the bank’s website. Then I have to provide them with three or four separate items of secure data. At this point I think I have been sufficiently responsible in helping them to protect MY cash and I’d like to be able to access my information without the added foolishness of having to secure each transaction with a card reader. It becomes Kafkaesque when they require the card reader just to get into their website – making mobile Internet banking too cumbersome for words.

I find the enhanced First Direct security process a complete pain. It is two stage, but the problem is, like many people I have other accounts and this one requires two separate passwords and it won’t accept the ones I normally use. With other 80 passwords to manage, I find almost all other Online Banking services easier and so after 25 years with First Direct I shall leave them. I think they have been taken over by process orientated computer programmers, as opposed to being customer orientated.

I use internet banking frequently, including making online payments. I’m always very careful about checking bank account and sort code details before committing a payment, but I consider it very risky, as there is no check on the validity or accuracy of your entry. The name of the account entered is not used and if 2 digits are reversed and the result is a valid account then you may have a struggle to get your money back. I seem to recall many years ago entering bank details into a computer system with a check digit. This used a simple algorithm to perform a specific calculation on individual digits from the account number entered to produce a single digit result. This result was then compared on entry with the check digit – usually the last digit of the account number. It was a simple way of catching mis-keying and it worked. Why isn’t it used now in internet banking?
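The kind of check digit described in the comment above, as an added example that is not part of the original comment. It uses a weighted modulus-11 scheme with constructed weights and a constructed 8-digit number (both assumptions, not any bank's actual scheme), and goes a little beyond the comment by testing every single-digit slip and every swap of two digits.

```python
from itertools import combinations

# Constructed weights for a 7-digit body; the check digit has weight 1.
# Distinct non-zero weights modulo the prime 11 are what make swaps visible.
WEIGHTS = (8, 7, 6, 5, 4, 3, 2)


def check_digit(body: str):
    """Return the check digit for a 7-digit body, or None when the value
    would be 10 (such a body is simply never issued as an account number)."""
    total = sum(w * int(d) for w, d in zip(WEIGHTS, body))
    value = (-total) % 11
    return None if value == 10 else str(value)


def is_valid(number: str) -> bool:
    """Validate an 8-digit number whose last digit is the check digit."""
    if len(number) != 8 or not number.isdigit():
        return False
    return check_digit(number[:7]) == number[7]


def mistyped_variants(number: str) -> list:
    """Every single-digit substitution and every swap of two unequal digits."""
    variants = []
    for i, original in enumerate(number):
        for d in "0123456789":
            if d != original:
                variants.append(number[:i] + d + number[i + 1:])
    for i, j in combinations(range(len(number)), 2):
        if number[i] != number[j]:
            chars = list(number)
            chars[i], chars[j] = chars[j], chars[i]
            variants.append("".join(chars))
    return variants


def undetected(number: str) -> list:
    """Mis-keyed variants that would still pass validation."""
    return [v for v in mistyped_variants(number) if is_valid(v)]


if __name__ == "__main__":
    account = "1234567" + check_digit("1234567")  # constructed sample
    print(account, "valid:", is_valid(account))
    print("12435679 (two digits reversed) valid:", is_valid("12435679"))
    print("mis-keyings that slip through:", undetected(account))
```
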

I was told years ago that it’s vital to log out of a secure site to close the session properly. It’s not good to simply shut down the page or browser as there may still be an open link with the site. If this is the case why are logout buttons/links so difficult to find on many sites?

That’s a very good point, Ilew. I frequently have trouble finding the log-out command – presumably because they do not want you to leave the site but that’s hardly a serious concern nowadays. Amazon’s log-out is particularly obscure. It’s at the bottom of a long list of options on a dropdown menu under “Hello John . . . Your account” where it says “Not John? Sign Out”. I just want to click and close, not play hunt the symbol. Some sites, like Nationwide, ask you if you really mean it. Why? . . . If I had made a mistake I would just sign in again.

If you aren’t active on your Nationwide site for a short while it automatically logs you out. Personally, with fat fingers I can hit the wrong buttons (that bl**dy Caps Lock too often) so I don’t mind being asked if I want to log out. M&S banking also do that. It is little effort to click “yes”.

I agree about Amazon – not obvious where to find it and you don’t want others taking advantage – particularly near Christmas to see what you’ve ordered.

Yes Malcolm, I am in favour of the automatic closedown after a few minutes of inactivity. I have no serious objection to being asked whether I am sure I want to leave; as you say it is effortless and I know the question is coming so my mouse is poised to pounce upon it.