Please enter the first, fourth and second last characters of your security key

The Rapid Traveler previously recommended HSBC’s Online Savings Account as a backup to Schwab High Yield Investor Checking. It has no ATM fees or foreign exchange fees when used at HSBC ATMs, and they have perhaps the widest global ATM network. Reader Rita added the caveat that the rates in countries with volatile currencies are not always the best.

HSBC’s website for several months has posted notices of an impending move away from virtual keyboard entry of online security keys (in addition to regular typing of username and password). Virtual keyboards require mouse clicks on an on-screen keyboard to defeat automated break-ins.

The new system came out and it is a mind-testing doozy. Eight lines appear, displaying improperly in Firefox 8, corresponding to the number of characters in the security key. The instruction is to, “Please enter the first, fourth and second last characters of your security key.” “Second last” is curtly British, rather than the American “second to last,” but grammar aside, The Rapid Traveler had to scratch his head to work out the correct responses. His next temptation was to pick a much simpler security key. The reaction to change to a simpler key is natural but defeats the purpose of the exercise.

HSBC Security Key

They forget to test in FireFox 8

Increase inconvenience and end-users respond by lowering their security. If this system becomes widespread, which seems quite unlikely, logging-in can at least be a quick mental exercise in between the crossword and Soduko. Hopefully, before it comes to that, some HSBC executives will try to log in to their own accounts: the virtual keyboard return would not be far off.

This hassle is peanuts compared to online access to Chinese bank accounts. Tales for another day, but let’s just say that if The Rapid Traveler’s computer expires he will need to fly back to China to download, within China’s borders (or perhaps via a VPN), a new digital certificate to log in to one of his accounts, and that is just the start of the fun.

Readers, what crazy bank online security have you encountered?

Rapid Travel Chai newsletter ¦ Twitter ¦ Facebook ¦ Instagram

  • Colleen

    My pet peeve has to do with the recent trend toward “security questions.” Some make sense because they’re unchangeable (maiden name, first school, first car, etc.) But the ones about “favorites” send me ballistic. Favorite restaurant? Favorite singer? They must be nuts, as these can and likely will change over time.

  • Richard

    1. surprised they didn’t use “penultimate”, brits love that word.

    2. VPN would work if a HK IP address would work. All the major VPN players have HK IPs but it’s rare to see to see one, umm, how to say it, elsewhere on the mainland.

    3. Sudoku rocks! 🙂

  • nulle

    it is always a balancing act in terms of security:

    convenience vs. security

    or in the bank’s case:

    how much fraud before it kills us versus spending the money to propering upgrade, test, and secure their online services

    or

    C-Suite Greed vs. Their responsibility to shareholders and/or customers.

    🙂

  • JohnnieD

    The first time I tried to log into my online acct and couldn’t. When I looked I closer I noticed the new login setup—–how stupid… I won’t have to worry about this much longer since my branch of HSBC was one of about 190 branches that were sold to First Niagara..let’s hope they have abetted method of securely logging in………….