I discovered a flaw in the UK HSBC Mobile banking app.
Essentially the flaw consisted of being able to authenticate through the mobile app using characters that are not in your password (i.e. the wrong password).
I raised this with HSBC via Twitter and this was the response.
"Hi ValkyrieUK, my name's Claire and I'm from the Digital Complaints Team. Thanks for getting in touch about the concerns you have with our app. We're aware customers can enter additional characters on to their password and it will be accepted as a successful log on. We don't classify this as a security risk, as your password must still be entered correctly for it to be accepted. I'll certainly record your feedback about this matter though and would like to apologise for any concern caused. Kind regards, Claire"
How can this be correct? They clearly are not following a well proven authentication standard, possibly some kind of REGEX involved.
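The behaviour described in the question (a correct password with extra characters appended is still accepted) is what you get when a verifier only ever looks at a fixed-length prefix of the supplied string. The following is an added illustration, not HSBC's code and not from the question; it is a constructed, hypothetical pair of verifiers: one that hashes and compares only the first `PREFIX_LIMIT` characters (the limit of 8 is an arbitrary assumption made for the demonstration), and one that hashes the whole password. It shows why the padded password passes the first and fails the second.

```python
import hashlib
import hmac
import os

# Constructed example. NOT HSBC's implementation: a hypothetical verifier
# that silently truncates to a fixed prefix, beside a correct one.
PREFIX_LIMIT = 8          # assumed limit, chosen only for the demonstration
ITERATIONS = 100_000


def _pbkdf2(text: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Correct enrolment: salt and hash the full password."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _pbkdf2(password, salt)}


def verify_exact(record: dict, candidate: str) -> bool:
    """Correct check: the entire candidate must hash to the stored digest.
    compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(_pbkdf2(candidate, record["salt"]), record["digest"])


def make_truncating_record(password: str) -> dict:
    """Flawed enrolment: only the first PREFIX_LIMIT characters are hashed."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _pbkdf2(password[:PREFIX_LIMIT], salt)}


def verify_truncating(record: dict, candidate: str) -> bool:
    """Flawed check: whatever follows the prefix is ignored, so appended or
    altered trailing characters never cause a rejection."""
    return hmac.compare_digest(
        _pbkdf2(candidate[:PREFIX_LIMIT], record["salt"]), record["digest"]
    )


def demo() -> dict:
    """Run both verifiers against the real password, a padded one and one
    with a wrong tail. Returns a dict of outcomes for inspection."""
    real = "Tr0ub4dor&3"        # constructed sample password (11 characters)
    padded = real + "xyz"       # the case from the question: extra characters appended
    wrong_tail = real[:PREFIX_LIMIT] + "???"  # same prefix, different ending

    exact_rec = make_record(real)
    trunc_rec = make_truncating_record(real)
    return {
        "exact_accepts_real": verify_exact(exact_rec, real),
        "exact_rejects_padded": not verify_exact(exact_rec, padded),
        "exact_rejects_wrong_tail": not verify_exact(exact_rec, wrong_tail),
        "trunc_accepts_real": verify_truncating(trunc_rec, real),
        "trunc_accepts_padded": verify_truncating(trunc_rec, padded),      # the flaw
        "trunc_accepts_wrong_tail": verify_truncating(trunc_rec, wrong_tail),  # the flaw
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The practical consequence for a defender is that the effective password length is `PREFIX_LIMIT` regardless of what the user chose, so a policy that encourages long passwords buys nothing beyond the prefix; a simple regression test like `demo()` (assert that a padded and a wrong-tail candidate are both rejected) catches this class of defect before release.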