
Report: Secure Key HSBC

1. Executive Summary

The "Secure Key" is a proprietary Two-Factor Authentication (2FA) hardware and software device used by HSBC to secure online banking, mobile banking, and telephone banking services. It functions as a security token generating One-Time Passwords (OTPs) that are valid for a short period (typically 30 to 60 seconds). This device is a critical component of HSBC’s global security infrastructure, designed to combat identity theft, phishing, and unauthorized account access.

2. Overview and Purpose

The HSBC Secure Key is an implementation of RFC 6238 (Time-Based One-Time Password Algorithm). Its primary purpose is to provide a second layer of security beyond the standard username and password (or PIN).

Key Objectives:

Identity Verification: Ensures the person logging in possesses the physical device associated with the account.
Transaction Authorization: Used to authorize payments to new payees, changes to account details, or amendments to standing orders.
Mitigation of Credential Theft: Even if a hacker steals a customer’s username and password, they cannot access the account or move money without the physical Secure Key.

3. Types of Secure Keys

HSBC has utilized different forms of the Secure Key over the years, varying by region and technological progression.

A. Physical Secure Key (Hardware Token)

Description: A small, battery-powered device resembling a calculator.
Form Factor: Usually gray or black with a small LCD screen and a numeric keypad.
Variants:

Standard Secure Key: Generates a code with the press of a button.
Digital Secure Key: Requires the user to input their online banking password or partial account details into the device to generate a response code.

Status: Being gradually phased out in favor of digital versions in many markets, though still prevalent for business banking.

B. Digital Secure Key (Software Token)

Description: A feature integrated directly into the HSBC Mobile Banking App.
Functionality: Replaces the physical plastic device. It uses the smartphone’s internal clock and security enclave to generate codes.
Activation: Requires a one-time setup linking the app to the specific bank account (often using a QR code or activation code sent via mail).
Advantages: Convenience (one less item to carry); push notification integration for seamless approval.

4. Technical Functionality

How It Works (The Challenge-Response Mechanism):

Seed Record: During enrollment, a unique cryptographic "seed" is shared between the bank’s server and the Secure Key (hardware or app). This seed is the basis of all future codes.
Time Synchronization: The device and the server maintain strict time synchronization.
Generation: When the user requests a code, the device takes the current time and the seed record, applying a cryptographic hash function (typically HMAC-SHA-1) to generate a 6- to 8-digit number.
Validation: When the user enters this number online, the bank’s server performs the same calculation. If the numbers match, access is granted.
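
The generation and validation steps above, written out as an added example in Python following RFC 6238 with HMAC-SHA-1; this is not HSBC's code. The function names, the 30-second step, the one-step drift allowance and the replay check are assumptions, and the seed in the demo is the published RFC 6238 test key, not a real credential.

```python
import hashlib
import hmac
import struct

STEP = 30  # assumed seconds per code; the report says 30 to 60


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """Generation: code for the time step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // step)      # 8-byte big-endian step count
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def validate(seed: bytes, submitted: str, now: int, last_used_step: int = -1,
             drift: int = 1, digits: int = 6, step: int = STEP):
    """Validation: the server repeats the calculation for nearby time steps.

    Returns the matched step number, or None. A step at or before
    last_used_step is refused so an observed code cannot be replayed.
    """
    current = now // step
    matched = None
    for candidate in range(current - drift, current + drift + 1):
        expected = totp(seed, candidate * step, digits, step)
        same = hmac.compare_digest(expected.encode(), submitted.encode())
        if same and candidate > last_used_step:
            matched = candidate
    return matched


if __name__ == "__main__":
    seed = b"12345678901234567890"            # RFC 6238 test key (public test data)
    code = totp(seed, 1111111109, digits=8)   # token side
    print("token shows:", code)
    # Server clock is two seconds ahead and already in the next step:
    step_used = validate(seed, code, now=1111111111, digits=8)
    print("accepted at step:", step_used)
    # The same code presented again is refused:
    print("replay:", validate(seed, code, now=1111111111,
                              last_used_step=step_used, digits=8))
```

The server has to store the last accepted step per seed for the replay check to work, and a wider drift allowance trades clock tolerance for a longer window in which a stolen code stays usable.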

Usage Scenarios:
