Two-factor authentication is not well understood
I worry about the perception created by HSBC and Abbey. Its assumed that two factor and tokens are synonymous.
The notion that HSBC and Abbey will become front-line targets for the fraudsters is supported by evidence presented in this paper, ‘Closing the phishing hole’, by Ross Anderson, professor of security engineering at Cambridge University.
Two factor requires that there is a second level of authentication, beyond, username and password. For sure I know Abbey have deployed Passmark- HSBC I am guessing, have, or something similar. Passmark uses the forensics of the customers computer as the 2nd factor. It works like a fingerprint, and is strong enough to be certain in identifying the customer. The bad guys know this.
On the other hand the technology exists to get past tokens.
My take – HSBC and Abbey National have made the right bet between customer inconvenience and bank risk.