HSBC's dual-password logon

Recently, I was shocked by the HSBC's dual password logon to its Internet banking services. For this scheme, the authentication page requires users to give the first password in the exact string sequence while for the second password, users are only required to input 3 characters and the positions of which characters to be inputted are random. I have a screen capture to illustrate.



Malware-infected keyloggers can capture all the key strings including usernames, 1st password, and any inputted characters of the 2nd password. What a hacker needs to do is to find the position in the screen and inject the known characters in order to get access. I am of the view that this protection scheme is much weaker than using security tokens. HSBC advises that this is to give more convenience to the users given that some users might not bring their tokens with them all the time.

I myself would not use this kind of authentication.