HSBC Insecurity Hype
The Guardian has the story:
One of Britain's biggest high street banks has left millions of online bank accounts exposed to potential fraud because of a glaring security loophole, the Guardian has learned.
The defect in HSBC's online banking system means that 3.1 million UK customers registered to use the service have been vulnerable to attack for at least two years. One computing expert called the lapse "scandalous".
The discovery was made by a group of researchers at Cardiff University, who found that anyone exploiting the flaw was guaranteed to be able to break into any account within nine attempts.
Sounds pretty bad.
But look at this:
The flaw, which is not being detailed by the Guardian, revolves around the way HSBC customers access their web-based banking service. Criminals using so-called "keyloggers" - readily available gadgets or viruses which record every keystroke made on a target computer - can easily deduce the data needed to gain unfettered access to accounts in just a few attempts.
So, the "scandalous" flaw is that an attacker who already has a keylogger installed on someone's computer can break into his HSBC account. Seems to me if an attacker has a keylogger installed on someone's computer, then he's got all sorts of security issues.
If this is the biggest flaw in HSBC's login authentication system, I think they're doing pretty well.
Posted on August 14, 2006 at 7:06 AM • 53 Comments