Re: Optional
"Actually, I respect not wanting to disclose personal banking information, but it's pretty vague and useless"
I don't mind disclosing the bank. Not naming them was probably just instinctive - I wouldn't name a client's bank (at least not when specifically mentioning the client), so I expect that's rubbing off on me personally, IYSWIM. (Plus, if HSBC are doing it, I suspect others will follow)
"so I'm just going to go ahead and say that this is HSBC we're talking about. Their security has just taken a notable step backwards with this. Phone app and passeprd might be more convenient if you don't have the key fob on you, but it is NOT as secure."
Quite so.
What annoys me, though, is that they did away with the use of a password in the first place, adding in the silly security question in its place.
I tend to suggest to people that if a system doesn't offer a password as an option, and a question like that instead, treat that as a password prompt. I then have to stress the need to make sure it's unique because - not being a password from the site's point of view - I wouldn't like to bet on it being salted and hashed.
Speaking of which... I'm by no means a security expert, but I know more than most people I know, but one thing which has been bugging me of late:
'Please enter the 3rd, 5th and 8th letters of your password [ _ ] [ _ ] [ _ ]'
I see this on some banking websites. Surely, if you can enter a selection of characters and have them validated against your password, that means the password can't be salted and hashed?