HSBC Insecurity Hype

The Guardian has the story:

One of Britain’s biggest high street banks has left millions of online bank accounts exposed to potential fraud because of a glaring security loophole, the Guardian has learned.

The defect in HSBC’s online banking system means that 3.1 million UK customers registered to use the service have been vulnerable to attack for at least two years. One computing expert called the lapse “scandalous”.

The discovery was made by a group of researchers at Cardiff University, who found that anyone exploiting the flaw was guaranteed to be able to break into any account within nine attempts.

Sounds pretty bad.

But look at this:

The flaw, which is not being detailed by the Guardian, revolves around the way HSBC customers access their web-based banking service. Criminals using so-called “keyloggers” – readily available gadgets or viruses which record every keystroke made on a target computer – can easily deduce the data needed to gain unfettered access to accounts in just a few attempts.

So, the “scandalous” flaw is that an attacker who already has a keylogger installed on someone’s computer can break into his HSBC account. Seems to me if an attacker has a keylogger installed on someone’s computer, then he’s got all sorts of security issues.

If this is the biggest flaw in HSBC’s login authentication system, I think they’re doing pretty good.

Posted on August 14, 2006 at 7:06 AM53 Comments


Gary in DC August 14, 2006 7:22 AM

I took a quick look at HSBC – they ask for the “1st, 4th and last” digits of the user’s PIN, along with date of birth. Presumably this is to inhibit keylogger-enabled replay attacks.

Perhaps something in the system that rotates which digits are requested fails – a typical 6-digit PIN would require more than 9 attempts to crack, even if three digits had been captured by the keylogger.

Also interested in how the other banking sites are somehow immune to this – some kind of scratch-off-pad with a second authentication code?

MB August 14, 2006 7:31 AM

If the user is required to enter a numerical code and the system keeps asking for the same code even after entered false, a keylogger can be used to automatically generate the remaining 10 options before the user enters the last digit and presses enter. If this is what the article is about then many other online banks are suffering from the same problem. Many systems counter this by locking the account after few false tries but the odds are still good for the attacker’s point of view.

Lisa August 14, 2006 7:42 AM

Some banks also counter it by having part of the login process be done through mouse clicks on images rather than by typing. HSBC direct actually employs this, not in their login process, but in order to access the “bank-to-bank transfer” section of their site (at least in some of their accounts, I can’t speak for all).

What I find interesting is that they recently began employing what looked like two-factor authentication, but all they really did was put the login on one page and the password on a second page. But I think they’re doing this as a step towards real two-factor auth, so hopefully it will get better soon.

PSB August 14, 2006 7:49 AM

The problem is that they will ask for the 1st, 4th and last digits repeatedly on failure (so the entire PIN is a non-issue) – from what I understand, the keylogger issue is a red herring. The individual who identified the flaw contacted HSBC, who dismissed it; he took it to Cardiff Uni who verified it (team of researchers indeed!). He isn’t a crypto researcher, just a relatively ordinary bod with only a passing interest in computers… Currently he is being ordered to sign an NDA with HSBC.

Andrew Brown August 14, 2006 8:05 AM

Ah! at last, an explanation. I’m an HSBC customer, so naturally I have an interest. The real flaw is then that it is asking, in effect, for a three-digit PIN, since the three digits from the security code are the same on any particular login attempt. As far as I remember, though, you only get three attempts, so that’s not a huge problem. And, as the man said, if you have a keylogger on your system, then you’re in trouble whateve the bank does.

PSB August 14, 2006 8:09 AM

I was fairly surprised to see him with a copy of the Grauniad on the day… Not being a customer of HSBC, I hadn’t been aware of the 3 attempt limit (although if they’re like NatWest, reactivation doesn’t reset the PIN or password).

Jim August 14, 2006 8:11 AM

Maybe it’s just a honeypot. Make it look easy. Attract a bunch of malicious users and two bit thieves. Perhaps let a few get away with some funds and track the funds as the move through the network. They let them have five or ten grand and trace the funds for intelligence purposes. It’s easier to trace than cash taken during an armed robbery, which eventually resurfaces and tells a tale. Plus you get the money back with interest. The bank isn’t dumb.

There is no branch of detective science which is so important and so much neglected as the art of tracing footsteps.

Pete August 14, 2006 8:25 AM

Yes, it was pretty depressing to see how the British press ran with this. Slashdot linked to a reasonable analysis of the actual security issue:

So their password entry mechanism has considerably less effectiveness than they’d expected (due to some flaws in the algorithm), which means that an attacker needs to capture between 5 and 9 logons from a user in order to build up their entire password. Nice bit of analysis. But from that to “left millions … exposed to potential fraud” and “scandalous”? Wow.

If this password mechanism was the only security control to protect their bank accounts then we should all be worried, but like all of the banks they have been aware of phishing etc. for several years and will have been developing other controls (delays, transaction monitoring, etc.).

The other depressing part in this sea of FUD was the HSBC spokesman who said that “this was not a viable route for fraudsters” (BBC).

Ed August 14, 2006 8:43 AM

An interesting question is what is the optimum sample size for a secondary password of any given length?

Clearly the bigger the sample the more difficult to guess but shorter the sample the more intercepts required for guaranteed replay.

I had occasion some years back to research this and drew a complete blank. Maybe this was the topic of the research.

Does anyone have a formula giving likelihood of being able to authenticate after n intercepts (assuming that there is no hang-man short cut)?

Jim August 14, 2006 8:55 AM

It sounds so easy to exploit, I think I won’t try it. If you get in and make off with millions of dollars, you may find that the account wasn’t real and you just transferred millions of dollars or pounds that you can’t convert into cash. All you have is a transaction record and a bunch of bank dicks waiting for you to collect the funds. You got away with nothing and are planning a vacation with all that money. You aren’t as smart as the bank. It always looks easier than it is. Bank fraud is a bad idea on so many levels. The computer makes it seem easy, when in reality it’s not a good way to make a living loopholes and all.

Jerome Lacoste August 14, 2006 8:57 AM

Talking about online bank access security, 2-3 weeks ago, a friend of mine logged into the stock management section of his bank site for the first time of his life, from his computer. Once logged in he found out he was logged under someone else’s account and could perform all actions (including money transfer).

He reported the issue, but got no feedback since. They didn’t answer his last email. He has no idea whether the problem is fixed.

His bank is the biggest in Norway.

He took a screenshot. I told him, if it was me, I would have given it or even sold it to the first interested tabloid…

Giacomo August 14, 2006 8:57 AM

I think this came up as a “natural reaction” to recent boasts by HSBC that they were moving to two-factor auth (that CoopBank already does at least since 2003, by the way).

You want the hype? You’ll get hype back…

Patroklos Argyroudis August 14, 2006 8:58 AM

Bank of Ireland has a very similar authentication system. Since the exploitation of the “vulnerability” assumes that an attacker has already installed a keylogger on the target system, I fully agree with Dr Schneier that this is in essence a very trivial issue. It has been blown out of proportion by journalists that don’t understand the problem.

Kirit August 14, 2006 8:59 AM

My bank here in Thailand has a neat system that I’ve not seen elsewhere.

When you log in through the web interface the server automatically sends you a one time password via SMS (i.e. to your phone). You then use that to get access.

roperipe August 14, 2006 9:11 AM


Neat security measure, though it wouldn’t work in the US, where some wireless carriers (Cingular) charge for incoming SMS messages.

Leif Nixon August 14, 2006 9:12 AM

I have a problem with the “Seems to me if an attacker has a keylogger installed on someone’s computer, then he’s got all sorts of security issues” argument (whether or not it is actually applicable in this case). What happened to the defense-in-depth doctrine?

My bank uses a client-side certificate plus PIN for authentication. That system is proof against simple keyloggers. Without the certificate the PIN is of no use.

Of course, in my case it’s a soft certificate, so the attacker could dig it out from my Firefox profile directory, but there are better hard token based systems deployed by other banks.

Given the state of home computer security these days, it’s rather reasonable to design your Internet bank authentication scheme with keyloggers in mind.

Brian August 14, 2006 9:52 AM

There are a lot of banks who are fielding systems similar to HSBC’s to deal with key loggers. The banks aren’t stupid, they know that these systems are seriously flawed. These systems are designed to buy time until a better solution can be deployed.

Transactional authentication can deal with the problem. The banks are working on finding ways to deploy transactional auth at reasonable cost.

Aside: think your hardware certificates are so secure? if the attacker is running arbitrary code on your machine, they could just wait for you to log in, then use your browser session to steal the cash. Don’t invest money in hardware certificates. They are OK for now, but if hardware certs become widespread so will trojans designed to exploit them. Invest in transactional authentication.

Jim August 14, 2006 10:00 AM

This is funny.
“a friend of mine logged into the stock management section of his bank site for the first time of his life, from his computer. Once logged in he found out he was logged under someone else’s account and could perform all actions (including money transfer).”

Possible causes:
Set it and forget it technology.

Windows automation. The doors are all open too.

Active X control, X being an unknown function.

Bad patch applied on Tuesday, to patch bad patch last week. Needs patched again. Patch the patches.

User used pop-up saying something was wrong to make something go wrong. Account gets published as an ad for free money. Everbody clicks and gets rich.

Account gets Google hacked. Password and account is now public domain. Thanks Russian university students. Information wants to be free. Don’t transfer funds, buy Google ads and resell. Disappear in a crowd, the Net is so big. It’s a good fence with open gates. Who you gonna call?

Jungsonn August 14, 2006 11:06 AM

Who’s problem is this?
i don’t think the bank is problem holder.
And it makes me wonder: PINS are never stored, the only one who knows the PIN is you.

My local bank states clearly in it’s TOS: we are not responsible for your online access and financial transactions with our online banking service.

I can’t agree more.

jmr August 14, 2006 11:26 AM


While I don’t think it’s a good idea to try to access a banking site with a keylogger (knowingly or, more likely, unknowingly) installed on your computer, I hardly see that as authorization for disgorging all your funds into the hands of a thief. And oh, btw, the bank knows your PIN. So, really, according to how you describe their TOS, if they expose your PIN, you are responsible for any online account transfers that take place. Does this make sense?

No, it does not. I think there’s really something to be said for the idea of switch to a cashless society when it comes to reducing and eliminating fraud. I don’t really like the tracking aspects that are explicit in recording every financial transaction, but I can’t think of a solution that both prevents or detects and reverses money from moving illegally and also protects records from being audited by arbitrary parties.

Any ideas?

I have one idea:

Batch all transactions over a period of time (say, one month or one quarter). Require an explicit review of the transactions using face-to-face authentication technology (can I see your driver’s license please?). At that meeting, the transactions can be finalized and discarded as authentic.

I know there are ways to attack this. Let’s hear them at try to improve.

blah August 14, 2006 12:24 PM

Drop down without the `value’ attribute set can help – the user doesn’t type the value he/she must select it using the mouse – I’ve seen this used by various banks.

gobruce! August 14, 2006 12:30 PM

thank heavens someone is speaking sense on the matter at last.

keystroke loggers mean many bets are off. one time passwords are a solution if the risk is deemed genuinely high. which it doesn’t seem to be yet…

i am surprised the grauniad didn’t run with the horror story that keystroke loggers can capture online retail site passwords with a 100% success rate! imagine all the shoes and books and groceries those criminals could order on your accounts!

Brian August 14, 2006 12:54 PM


“Drop down without the `value’ attribute set can help… the user doesn’t type the value he/she must select it using the mouse”

So now I go to your bank, type in your account number, and the bank offers me a drop down list of passcodes of some type to choose from? With those passcodes somehow derived from your real password?

Your bank is spewing out clues about your password? How on the good earth can this be described as “helping”?

I must be misunderstanding, nobody would actually do that.

Chris August 14, 2006 1:14 PM

I have a HSBC account and it would be more secure against keyloggers than my Egg account which has only one authentication page that always requires the same data.
One “bad” thing HSBC do is that of the selected digits from your pin they ask for they always require the furthest left first and furthest right last. This must make guessing after keylogging easier. I would be interested to know how much easier but my maths is no where near good enough for that.

Drake Wilson August 14, 2006 2:14 PM


“Aside: think your hardware certificates are so secure? if the attacker is running arbitrary code on your machine, they could just wait for you to log in, then use your browser session to steal the cash.”

If you have a hardware security token with a processor that can do crypto operations you can require that it sign off on every operation performed, with its tamper-resistant private key. So you don’t have a session ID that can do everything, you have a private key box that does specific things when the user presses the button (on the token) verifying that he wants the transaction (being displayed on the token) to go through.

Is this what’s meant by “transactional authentication”?

Brian August 14, 2006 3:26 PM


Yes, that’s transactional authentication. The critical point in the example you gave is that the transaction details are being displayed on the secure token. That way, even if the computer is compromised, the user can see what is about to happen.

There are hardware certificates out there that don’t do that step. Instead, they are used only to authenticate the user to the web site. Those don’t actually prevent the trojan horse from doing Bad Things, because the trojan can “ride” on the authenticated session. (I don’t know of any trojans doing this yet, but if these kinds of hardware tokens become popular you can bet the trojan horses will follow the money.)

There are other folks who are doing transactional authentication via SMS text messages, or phone calls. You don’t actually need fancy cryptography for this to be effective. You need a separate, secure channel, since the computer is no longer trusted.

Rob Mayfield August 14, 2006 6:08 PM

@Kirit re SMS

NAB here in Oz have introduced a similar system, but the SMS isnt required to complete log in – it’s required for completion of EACH transaction to an account outside your own linked accounts (as I understand it). The password is ‘randomly generated’, but there are no details as to it’s length or composition. Users are also encouraged to call a number and register for the service, but I don’t know the details of how the users mobile number is verified against them.

Theres also some obvious issues around phone company employee access to SMS information and people passing on mobile numbers if the phone is a company phone or recycling the number etc (I’ve heard plenty of cases of people storing passwords on mobiles, so it potentially becomes a single factor system again through lack of care).

I’m still not registered; if I havent agreed to using the service I can’t be held accountable for any exploits.

Greg August 14, 2006 6:57 PM

A friend here just signed up with HSBC UK after moving from Finland and was pretty disappointed in the “three random digits of your PIN” security. He pulled out his Finnish bank card and showed me the back where there are hundreds of OTP passphrases. Each time he logs in the login screen tells him which one to enter. When the card’s used up they send a new one.

And I think the “if you have a keylogger you have bigger problems” is also an issue of perspective. For many people “internet access” still means internet cafes and shared computers in libraries and schools. For users like that there is a world of difference between a plain username-password login sequence where every time you log in you give up everything an attacker needs to gain complete access and a system like a OTP passphrase.

The HSBC system just seems like a botched attempt at real security. If it’s no better than a passphrase system then all it does is give people a false sense of security and makes them more vulnerable since they’re more likely to use their bank account on a shared computer.

Pete August 14, 2006 9:05 PM

@Jim – thanks for the Quit Slashdot tip; much appreciated!

@Rob Mayfield – NAB’s approach of an SMS authentication for external payments is also used by a number of other banks (I know of ASB in NZ, DBS in Singapore). Strong authentication at the time of a transaction is more difficult to attack than when its at logon only.

While there are a bunch of security limitations around SMS transmission, it is a separate channel from the PC and hence its very difficult for an external attacker to correlate – the major risks of a family member who has your phone.

I doubt that NAB could hold you responsible even if SMS were being used; in Australia the Electronic Code of Conduct limits the liability for online banking customers. The main tradeoff is convenience – SMS is not a guaranteed delivery service, and messages sometimes have major delays.

JasonGTN August 14, 2006 10:59 PM

I think it’s partly a condition of “Zeitgeist” and media outlets to eager to publish the ‘perceived’ failures of enterprises not yet in the limelight. That is my fear, with all of this recent disclosure publicity, organizatons and enterprises can get a get-out-of-jail-free card if they have a scapegoat to blame after they discover a problem. Then the real issue can be swept under the rug as a failure of an (group of) individual(s) not the company. Nice out for the big 1000. In the “early days of disclosure” it seemed more catastrophic, a whole 18 months later it seems more like yesterday’s soap (or sit-com depending on how you see it) I can only hope the industry is honest and orgz learn from the exercises and continue to grow. I feel for the people who take the blame who may not deserve it, because this is not an easy game. Some deserve to be called in on the carpet, some do not. I hope the industry can evolve to help illustrate where the true failures are (people or programs). It seems we are getting there and this thread helps re-inforce that.

Hayden A. Douglas August 15, 2006 4:03 AM

When I use my online bank and they require me to enter my 4 digit pin, I tend to drag and drop digits from my account no/sort code. This doesn’t seem to appear in the clipboard, so a trojan wouldn’t see it? Unless of course they were recording mouse movements/clicks as well…

blah August 15, 2006 8:11 AM


Drop down without the `value’ attribute set can help… the user
doesn’t type the value he/she must select it using the mouse”

So now I go to your bank, type in your account number,
and the bank offers me a drop down list of passcodes of
some type to choose from? With those passcodes
somehow derived from your real password?

Your bank is spewing out clues about your password?
How on the good earth can this be described as “helping”?

I must be misunderstanding, nobody would actually do that.

The drop-down boxes contain all possible values that a password may contain. As an example:

Blockhead August 15, 2006 9:59 AM

Just what the security world needed: An effective chicken little who will desensitize the public to the real threat.

I do wonder about the motive behind Cardiff and the person who report it in the first place. Same goes to the shoddy investigative report work. Hearsay is a waste of time.

jforbes August 15, 2006 10:22 AM

Dissapointing to see the Guardian hyping this up – their technology coverage is usually quite good.

I wonder how many banks would be vunerable to keyloggers? For my Smile account I have to type in full account details (Sort Code & Acc No.)s plus a static 4 digit PIN, then answer one of approx 5 questions of the ‘memorable dat’ type. A key logger would gain access pretty quickly!

Jungsonn August 15, 2006 1:56 PM

Yeah right… well, i still don’t see the problem for the bank itself, because the transactions are being made by keyloggers copying codes through keystrokes by clueless people.

So the issue or problem is the consumer who is clueless about security ( or use defacto password protection on his / her pc.) or just log off their account when they go to the bathroom, that’s why these things are invented to protect you.

Brian August 15, 2006 2:21 PM

I agree that poor computer administration on the consumer’s side is one of the root causes of the problem. However, banks can’t blame the customer, for a couple of reasons.

1) Liability. It’s possible they can be held liable for fraud. I’m not sure of this, but given the amount of money they are pouring into fraud prevention measures, I think there must be some legal impetus.

2) Customer satisfaction. Imagine if your account got hacked and all of your money got transferred to Kajikistan, and then your bank told you it was your fault? Would you bank online any longer? Banks want your online business. Fraud is the price they pay for that business.

3) Widespread malware infestation. By anybody’s estimates, a huge percentage of the computers that are used to browse the web have malware installed. It’s just not realistic to assume that the client machines are going to get fixed, so the banks are trying to find server-side mechanisms to cope with the untrusted clients.

Horrible, isn’t it?

David Waters August 15, 2006 4:42 PM

This is why banking systems and any other secure browser based system should have two factor authentication. You say well they have a keylogger installed security is broken, think internet cafe when travling for pleasure I don’t take a computer so when I need to access my funds I need to use an untrusted computer e.g. internet cafe. In such a situation the management or any customer may have installed a keylogger (softwear or hardwear) that would be very difficalt to detect. Or managment may have installed a HTTPS transparent echoing proxy (Man in the middle attack on HTTPS with a certificate signer trusted by the computer in the internet cafe see for an honest HTTPS transparent echoing proxy (the certificat naem is the product name but could just as easily be the site name or all information copied from the true certificat).

Banking sites need either one time use scratch pads, time based key, challenge response or other two factor authentication.

Till then phishing , keyloggers (phisical or virus born) and other such attacks will be easy and common.

My bank uses two factor authentication using a physical device from RSA (RSA SecurID 700). On it is a six digit number that changes every 60 seconds.

Banks need to get with it and go two factor.

Andrew August 15, 2006 6:14 PM

The stupidity of banks cannot be underestimated.

I have just received an email from Lloyds Bank in the UK, my ‘August Service Update’. Now I have NO way of knowing whether this is a legitimate email, except the lack of spelling mistakes (which tend to occur in the spam versions)….

I have copied the text below because of the sheer idiocy of it. Can anyone spot HOW you would know this was not a phising email ? (Note: There were images in the email, but I have not copied those across)

Please read : Important message about email security
We want you to recognise a fraudulent email if you receive one. We’ll always greet you personally (by title and surname). Plus, to make it harder for fraudsters to imitate our emails, we’ll always quote the last 4 digits of your current account number: ****2207

“It’s great to know your bank takes Internet security so seriously. It gave me that extra confidence I needed to bank online.???

Rhonda Idoniboye

We’re dedicated to helping you stay secure online with Lloyds TSB BankSecure – our programme of security initiatives. Together with the UK government, the National Hi-tech Crime Unit and leading businesses, we’ve created a website full of expert advice and helpful tips to assist you in staying secure online – Get Safe Online.
At Get Safe Online you’ll find expert advice on how to:

Keep your Internet banking security information safe
Avoid bogus or ‘spoof’ website and email scams
Check that you’re using a secure internet connection
Protect your computer from viruses, spyware and hackers
Visit our security pages to make sure you are up-to-date with your security and then test your knowledge with our quick security quiz.
Are you missing out?
We like to keep you up-to-date with new services, rates and offers. That way, you can make the most informed decisions on your money.

Online Banking Guarantee
We guarantee to refund your money in the unlikely event you experience fraud with our Internet banking service – as long as you’ve been careful, for example, by taking reasonable steps to keep your security information safe. We protect you with safeguards that meet industry standards. Visit our security pages.

If you receive an email that doesn’t feature your name and the last four digits of your current account number, then don’t click on any links it may contain – please forward it to us immediately for investigation at then delete it.

We will never send you an email asking for your security information or log on details, or direct you to a web page that asks for this information

Important information
Select this link if you no longer wish to receive emails from Lloyds TSB Bank plc about our products and services.
If you have concerns about the validity of this email, please call us on 0870 901 2342 (7am-10pm, Mon-Fri; 8am-6pm, Sat-Sun). Calls may be monitored and recorded.
There are times when some functionality is limited due to system updates. However, you will be informed of this on-screen. For more information about availability, please see our help pages at
This email is intended only for the above addressee. It may contain confidential information. If you are not the addressee you must not copy, distribute, disclose or use any of the information in it. If you have received it in error please delete it and immediately notify the sender.
The Lloyds TSB privacy policy can be viewed here.
Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that the onward transmission, opening or use of this message and any attachment will not adversely affect its systems or data. No responsibility is accepted by Lloyds TSB Bank plc in this regard and the recipient should carry out such virus and other checks as they consider appropriate.
Lloyds TSB Bank plc, 25 Gresham Street, London, EC2V 7HN. Registered in England and Wales, number 2065. Telephone No: 0207 626 1500.
Lloyds TSB Scotland plc, Henry Duncan House, 120 George Street, Edinburgh, EH2 4LH. Registered in Scotland, number 95237. Telephone No: 0131 225 4555.
Authorised and regulated by the Financial Services Authority and signatories to the Banking Codes. Members of the Financial Services Compensation Scheme and Ombudsmen.

Jimi August 15, 2006 7:01 PM

The banks aren’t dumb. The people they hire are another story. If I ran a bank, I would outsource all IT functions to a company that could handle the task. They do this with ATM’s. Banks are good at physical security, like documents vaults and buildings. When it comes to the Internet banking, I’m not so sure. Bruce would know more about this.

Jimi August 15, 2006 7:06 PM

I have seen universities with great computer science departments and rotten computer security. They aren’t dumb institutions, they just have other priorities like the banks.

Brian August 15, 2006 8:51 PM

@David Waters

Think your two-factor auth solution is so secure? It’s better than plain passwords, but if those 2FA solutions become popular, trojans are going to beat them. All they need to do is wait for you to login, then they can do whatever they want with your account. I’m curious to see whether 2FA ends up being a good enough fraud prevention measure that the banks won’t pay extra for transactional auth.


Thanks for posting that e-mail from Lloyds. Interesting that they claim to guarantee the account against internet fraud, though I they do qualify that with some very large loopholes. The banks are not stupid. Unlike some other industries (like software), banks pay dearly for shoddy security practice. They know exactly how much fraud costs them, and they take steps to keep that fraud within acceptable levels.

1234567890 August 16, 2006 9:22 AM

I’m still convinced that they can have the best security since kryptonesian passwords 😉
but the weak link is the consumer behind his windows 98 account full of holes.

No amount of security on the side of the bank can prevent illegal access anytime. So it would be better to educate the consumer, and to inform him what can happen when he doesn’t update his OS, or his browser etc.

I do think the banks need to take responsibillity on this one, so that they’ve done everything to inform the consumers of the risks, and be so to say less liable.

That’s the human factor security in my eyes.

anonymous August 16, 2006 9:48 AM

explanation : “When you logon to HSBC banking you are asked for your date of birth and for three digits from your security number. The three digits you are asked for are randomly selected by HSBC but the digits requested only seem to change after a successful login. Also the instructions that tell you which digits to enter are sent over HTTPS and we will assume are invisible to the attacker. Now for the important part: the digits are always requested in the order they appear in the security number. For example you might be asked for digits 1, 2 and 3 in that order, but you would never be asked for digits 3, 2 and 1 in that order. This leads to the vulnerability…

Let us use a random example, assume that an HSBC customer uses the security number 4921576876, we have a keylogger running on his machine and have now watched him login to HSBC 22 times seeing the following partial security codes: 416, 458, 496, 286, 925, 976, 487, 476, 157, 987, 476, 576, 217, 915, 178, 976, 491, 476, 428, 915, 917 and 176.

From the data above we can estimate how often we expect each digit to appear in the users security code. We would expect to see each digit in the security code a total of (|dataset| x |partialcode|) / |availabledigits| = (22 x 3) / 10 = 6.6 times. For example we saw the number 6 ten times in total, so would expect it to appear in the security code 10 / 6.6 = 2 (0 d.p.) times. Using this strategy we can deduce the following frequencies for each digit in the security code: 0 x 0, 1 x 1, 1 x 2, 0 x 3, 1 x 4, 1 x 5, 2 x 6, 2 x 7, 1 x 8, 1 x 9. This statistical analysis has introduced some uncertainty and we may need to come back to these distributions if the procedure below leads to errors.

Now we can start to piece together the original code. Let’s start with the digits that only appear once, the code contains a single 1: 1. It contains a single 2 and the partial 217 tells us that the 2 comes before the 1: 21. Similarly there is a single 4 and we know from 416 that it is before the 1 and from 428 that it is before the 2: 421. There is a single 5 and the same method tells us that it comes after the 1: 4215. Similarly we can deduce the positions of the single 8 and 9: 492158. Now we need to deal with the sixes and sevens, some uncertainty is introduced here but the state space stays manageably small. There is definitely a 7 after the last 8 (because of 487): 4921587. The other 7 comes either immediately before or immediately after the 5 but we cannot tell which. The first 6 could appear anywhere after the 9 (from 496), and the second six could appear anywhere after the 1 (from 416) but if you chart all the possible locations they can be seen to be statistically more likely to appear after the 57/75 so let us assume this.

Based on the above (which assumes our frequency distribution to be correct) we claim that the code begins with 4921 is then followed by 57 or 75 and is then followed by 6876, 8766, 8676, 6687, 8667 or 6867 (all of the possible arrangements of the sixes at the end of the code). This gives us only 12 possible codes and indeed does contain the correct code: 4921576876.

The original link for this explanation :

Octothorpe August 17, 2006 2:08 AM

The HSBC flaw is perfectly simple, and a magnet for any security-sceptic folk that don’t like banks much. The site prompts for a partial password. The flaw is that the same characters are requested until the correct ones are entered. Also, to make it even easier, the characters are asked for in position order.

If I install a keyboard logger that transmits characters to my remote location I see everything typed. When I see a internet bank id and date of birth the next three characters are the partial password. But I don’t know the positions requested.

What I do is go to HSBC’s site and try to log on but stop when prompted for the partial password. I note down the character positions requested and log off. The next time the user logs on I get three new characters. But hang, on. The question hasn’t changed since I noted it down earlier. Bingo, I’ve got the characters and positions. Do this a couple more times and I’ve cracked it.

Super stuff. But hang on, wouldn’t a screen scraping Trojan mean I could do this for all internet banking accounts?

It’s not much of a flaw and does, as the bank says, require a great deal of attention to be given to one account and for you to have enough control of the users computer to install a trojan and keep it there.

About the press coverage, what the media consistently fail to understand is that the criminal world operations on the same effort/reward model that everyone else does. Why knock off one account in a sophisticated manner when blatantly asking someone to give me their entire password works 1 in every ‘n’ times I try …and I don’t even have to try very hard. In any case, if I want some clever stuff done I’ll get a PhD student in an emerging economy to knock something up for me for next to no money.

When I see an article with the headline “Bank blames spouses who betray their partners trust for rise in divorce linked frauds” then I’ll know that the Guardian (and others) have a degree of perspective on the relative (pardon the pun) likelihood of security compromises.

arctanck September 7, 2006 7:40 AM

HSBC business accounts customers in the UK are now required to go through two-factor authentication, with one of them coming from a 6-digit security device given by HSBC, before they can login to their account. This type of two-factor authentication has been rolled out by HSBC in the far east for a while already to personal customers. So I suppose the 3-digit passcode authentication will be succeeded fairly soon…

HSBCCustomer September 30, 2006 7:42 AM

So when are normal HSBC customers going to get the 6 digit Security device?, that i guess is an RSA secure ID keyfob devcice.

Big Dad April 6, 2007 5:56 PM

HSBC in Mexico now uses an eight digit OTP in addition to a selection of three digit from your password. The three digits are always in the same order but the digits requested differ on each separate log in.

Nomad May 22, 2008 1:36 PM

My wife’s HSBC Internet banking account was hacked by another HSBC Bank customer at the HSBC Malaysia’s PJ Branch.

The amount was RM 29,925 plus in 28 May 2005. Till today they have not returned money unconditionally.

My wife sued and we go to trial in October 2008. They claim their system is 100 percent safe. Then what happened to my wife’s money.

They refuse to compensate her with expenses incurred around RM 24k plus. This was incurred due to HSBC’s defective protocols. My wife was asked to travel from Bangkok to Kuala Lumpur to present in person the matter. The worlds Local Bank could not even provide an inkling of service.

She had to travel with a 2 year old breast feeding daughter, 6 months pregnant and our 10 year old special needs child at the time.

We had to fly even though we told them so and that my wife would risk mis carriage etc.

Eventually they told us not to leak it out to the press or lodge a police report. We made a police report.

Now they are not willing to pay us compensation. We refused their initial offer of paying us the lost money and only RM 35 plus as “good will” interest and to say we would not sue them or indemnify them against liability. We chose not to accept their offer. We sued.

They have been trying all sorts of legal gymnastics and are very very arrogant.

I want victims to voice out and publicise this issue. HSBC is a bully.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.