I'm not familiar with the HSBC widget specifically, but such devices generate a pseudo-random number sequence which, while it looks random (and would pass virtually all the mathematical tests for randomness), actually is an entirely predictable sequence (when you know the **algorithm** and **key**).

One method is to move on to a new number each time you press the button. Obviously the bank's computer won't let you use the same number twice, and it will likely accept the next number or a number a few down the sequence from the one it last saw (the button might have got pressed in your pocket etc). If you press the button too many times between logging in the site may refuse your number, then you're stuck!

The other method is to automatically advance the number with time, typically once every minute. I have an RSA security key to log into my work computer from home this way. The clock on the widget doesn't have to be perfectly accurate since they will accept a number a couple either side of the "correct" one (a 6-digit number has 1million combinations, so allowing 5 or 6 at any one time still isn't much of a weakness), and the bank's computer can gradually figure out whether your widget runs fast or slow, and tweak its future expectations accordingly.

The bar code on the back of the widget may contain part of the unique key to the sequence. Part of the key is probably known only to the bank - otherwise 'anyone' who knew the algorithm could generate the sequence just given the barcode ;-)

Putting a radio-controlled (MSF60/DCF77) clock inside would be overkill, and add unnecessary expense.