HSBC UK – Mobile-friendly security from the start

It goes without saying that we are all using mobile more and more to manage our lives. To support this transformation, businesses need to do more than just design mobile browser-friendly pages and smartphone apps: they need to make all of the customer-facing business processes “mobile-friendly.”

One process often overlooked is answering those “account security questions” required to gain access to (or assistance with) your account. Too many businesses manage this in a way that completely falls apart when you are most likely to need it (in an airport, department store or other busy place far from your home or office).

The routine model of most companies is to ask you to provide personally identifying information (PII), such as your mother’s maiden name or social security number. Verbally sharing the answers to these is fine when you are in the privacy of your home or office. Sharing them in public, where you can be easily overheard, is an invitation to identity theft. Typing them into a smartphone is also less than ideal, especially when you are holding bags or waiting at a checkout counter.

Some companies try to get around this by using strong passwords. However, this too is an item that you would never want to speak out loud in public. It is also likely to be something hard to type on a smartphone keyboard or flip-phone keypad.

The answer is to consider the mobile use-case from the start and to design a process that works equally well anywhere: at home, in public, on your PC or on any telephone. HSBC (United Kingdom) does a really good job with this. This is not a surprise, as HSBC is a very global company and use of mobile for business transactions is much more widespread in Europe and Asia than it is in the US. HSBC uses a two-part system for authentication, where both parts are completely numeric (enabling easy entry anywhere by keypad or voice recognition) AND both are items that are completely useless to anyone who overhears them in public (a magic combination):

  • The first item you use is your account number. This is fully numeric and it is the same number you give others who need to give money to you (i.e., it is something you are not afraid someone else will hear).
  • The second item is a numeric PIN (Personal Identification Number). However, it is a PIN that is never used in its entirety. The IVRS, computer or call centre agent speaking to you over the phone will never ask you for your whole PIN: they will only ask you a series of questions like “What is the third digit of your PIN? What is the sixth?” As a result, anyone overhearing you (unless you are silly enough to have your phone on speaker) will not gain any information they can use to crack your account (before triggering a fraud alert and security lock).

This simple design works really well everywhere (it even translates well across multiple languages). It is not only easy to use but also something you feel comfortable using in public.

We need more solutions like this to make our mobile lives easier.
