The currency of technology

10.07.2006

It's been a year since the Hong Kong Monetary Authority (HKMA) mandated two-factor authentication for online transactions. One possible approach is a "hard token" such as the devices HSBC mailed out to its customers about a year ago, but not all financial-sector IT experts are convinced.

"We're not sure yet if a hard token is the best way to go," said Ng from Dah Sing Bank. "In absolute security terms they are pretty good, but there are alternatives: some companies sell services or software that enable your mobile phone to act as a token. So during transactions the mobile phone is sent a PIN or a temporary key that you enter on your PC or whatever device you're using to authenticate and approve the transaction."

"We use the e-cert right now to enable e-banking," said Ng, "but we also acknowledge it is not ideal. It's too difficult to use and users cannot carry it with them...I think to try and change or improve the e-cert right now would not be easy...that's why the tokens have appeared."

Leung said that there are four types of high-risk transactions for online banking, and his bank decided to use the Hong Kong Post Office's e-cert (an electronic certificate embedded in Hong Kong's SIM card-equipped smart ID cards) scheme.

However, the HKPO has backed off the e-cert approach due to, among other reasons, a lack of acceptance by the general public. Leung added that he was disillusioned by the entire e-cert experience and that his bank would consider other solutions, such as hard tokens that generate one-time passwords (OTPs). "I'm disappointed [with the e-cert]," he said, "I feel we were somewhat led down the wrong path by the concerned entities."