Luckily, they are quite easy to defeat.
The HSBC field is a simple HTML password field, and the only thing protecting against typing in your security key is that a function fires to stop you on easy keyDown event on the field.
Thanks to greasemonkey, I've written a simple script which replaces the default keyDown function with one that does nothing, allowing you to treat the field as you would a normal password field.
Install for Greasemonkey
function init() {
var oldPassInput = document.getElementById("password");
if(undefined != oldPassInput){
oldPassInput.setAttribute("onkeydown", function(e){})
}
}
window.addEventListener('load', init, false);
