HSBC deploys 'simple' anti-fraud measure using the phone

HSBC has implemented a new anti-fraud measure to authenticate online users attempting certain transactions against the bank's online accounts, simply by using the telephone.

The new Authentify system will use 'out-of-band' authentication, which here means using the phone to verify the identity of a user involved in the transaction. This is in contrast to other banks such as Nationwide, which have used 'two-factor' authentication, which usually involves devices generating one-time passcodes.

Nick Staib, Senior Manager of Digital Security at HSBC, spoke to IT PRO about the new system. He said that the bank considered the notion of two-factor authentication to be fundamentally flawed.

This was because, although the passcode could be generated by a device or token that was perfectly fine, it could still be typed into a computer that was compromised by malware.

The out-of-band process involves user-specific details being entered into the telephone separately from the internet side of the exchange, which means that the authentication process is isolated from internet threats.

The system will be used when a customer makes a payment to somebody that they have never sent money to before.

The system works like this. HSBC provides users with an on-screen code.

The customer provides their phone number, waits for the phone to ring, answers the call and speaks the on-screen code into the handset.
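The flow described above can be sketched as server-side logic. This is an added example, not code from HSBC or Authentify: the class and function names, the six-digit code, the 120-second lifetime and the three-attempt limit are all assumptions, and the telephony itself is not modelled.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # assumed validity window, not from the article
MAX_ATTEMPTS = 3        # assumed retry limit, not from the article


class OutOfBandChallenge:
    """One pending payment awaiting confirmation over the phone channel."""

    def __init__(self, account, payee, phone, now=None):
        self.account = account
        self.payee = payee
        self.phone = phone  # number the bank dials (call handling not modelled)
        self.code = f"{secrets.randbelow(10**6):06d}"  # displayed on screen
        start = now if now is not None else time.time()
        self.expires_at = start + CODE_TTL_SECONDS
        self.attempts = 0
        self.used = False

    def verify_spoken(self, spoken_code, now=None):
        """Check the code captured during the call, never one typed in the browser."""
        now = now if now is not None else time.time()
        if self.used or now > self.expires_at or self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        # Constant-time comparison of the displayed and spoken codes.
        ok = hmac.compare_digest(self.code.encode(), spoken_code.encode())
        if ok:
            self.used = True  # single use: a replayed code is rejected
        return ok


def needs_challenge(known_payees, account, payee):
    """The article's trigger: a payment to somebody never paid before."""
    return payee not in known_payees.get(account, set())


def release_payment(known_payees, challenge, spoken_code, now=None):
    """Release the payment only if the phone-side code matches."""
    if not challenge.verify_spoken(spoken_code, now):
        return False
    known_payees.setdefault(challenge.account, set()).add(challenge.payee)
    return True
```

Because the code is bound to one pending payment and is accepted only from the phone channel, a value captured on the computer cannot be reused for a different payee or after expiry.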

Staib said of Authentify: "I don't believe that there are many other companies who offer this, and they have worked with other companies we respect in the past."

"As a user, I believe that PayPal uses this mechanism, and I believe that Halifax were in discussions with them as well."

Of HSBC's future plans for online security, he said that there was obvious difficulty in revealing what the future was. However, he said: "I think everybody in this business knows that it isn't an arms race, but a dynamic threat environment.

"We do not just rely on this mechanism. We adopt a layered approach to security. We try to do the work ourselves so our customers don't have to do it."