HSBC Insecurity Hype
The Guardian has the story:
One of Britain’s biggest high street banks has left millions of online bank accounts exposed to potential fraud because of a glaring security loophole, the Guardian has learned.
The defect in HSBC’s online banking system means that 3.1 million UK customers registered to use the service have been vulnerable to attack for at least two years. One computing expert called the lapse “scandalous”.
The discovery was made by a group of researchers at Cardiff University, who found that anyone exploiting the flaw was guaranteed to be able to break into any account within nine attempts.
Sounds pretty bad.
But look at this:
The flaw, which is not being detailed by the Guardian, revolves around the way HSBC customers access their web-based banking service. Criminals using so-called “keyloggers” – readily available gadgets or viruses which record every keystroke made on a target computer – can easily deduce the data needed to gain unfettered access to accounts in just a few attempts.
So, the “scandalous” flaw is that an attacker who already has a keylogger installed on someone’s computer can break into his HSBC account. Seems to me if an attacker has a keylogger installed on someone’s computer, then he’s got all sorts of security issues.
If this is the biggest flaw in HSBC’s login authentication system, I think they’re doing pretty well.
Gary in DC • August 14, 2006 7:22 AM
I took a quick look at HSBC – they ask for the “1st, 4th and last” digits of the user’s PIN, along with date of birth. Presumably this is to inhibit keylogger-enabled replay attacks.
Perhaps something in the system that rotates which digits are requested fails – a typical 6-digit PIN would require more than 9 attempts to crack, even if three digits had been captured by the keylogger.
Also interested in how the other banking sites are somehow immune to this – some kind of scratch-off-pad with a second authentication code?
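The partial-PIN challenge the comment describes can be modelled to see what a rotating challenge actually buys against captured keystrokes. The following is an added example, not code from the post or from HSBC; the 6-digit PIN, 3 positions per challenge, uniform rotation and the "non-rotating" failure case are assumptions chosen to match the comment's reasoning.

```python
# Added example (not from the post): models a partial-PIN challenge like the
# "1st, 4th and last digit" scheme the comment describes, and measures how much
# a rotating challenge limits replay of keystrokes captured from earlier logins.
import math
import random
from fractions import Fraction

def random_challenge(pin_len, k, rng):
    """One login challenge: k distinct PIN positions chosen uniformly at random."""
    return tuple(sorted(rng.sample(range(pin_len), k)))

def captured_positions(observed_challenges):
    """PIN positions a keylogger has seen answered across the observed logins."""
    seen = set()
    for challenge in observed_challenges:
        seen.update(challenge)
    return seen

def replay_success_probability(known, pin_len, k, rotate=True):
    """Probability that the next challenge asks only for already-captured digits.
    Exact for a uniformly rotating challenge: C(|known|, k) / C(pin_len, k).
    If rotation fails (assumed failure mode), the next challenge is the same
    one the keylogger already captured, so replay always succeeds."""
    if not rotate:
        return Fraction(1)
    return Fraction(math.comb(len(known), k), math.comb(pin_len, k))

def candidate_answers(known, challenge):
    """Size of the answer space for one challenge given only `known` positions:
    each unknown decimal digit multiplies it by 10. This is the comment's point:
    with 3 of 6 digits captured, a challenge asking for the other three still
    has 1000 candidates, far more than nine."""
    unknown = [p for p in challenge if p not in known]
    return 10 ** len(unknown)

def simulate(pin_len=6, k=3, logins_observed=3, rotate=True, seed=2006):
    """Observe `logins_observed` logins; return (captured positions, replay probability)."""
    rng = random.Random(seed)
    first = random_challenge(pin_len, k, rng)
    observed = [random_challenge(pin_len, k, rng) if rotate else first
                for _ in range(logins_observed)]
    known = captured_positions(observed)
    return known, replay_success_probability(known, pin_len, k, rotate)

if __name__ == "__main__":
    for rotate in (True, False):
        known, p = simulate(rotate=rotate)
        print(f"rotate={rotate}: captured {sorted(known)}, replay succeeds w.p. {p}")
```

Run as-is it contrasts the two cases: with rotation, a few observed logins leave most challenges only partly covered; without it, the first captured login answers every later challenge, which is the kind of failure the comment speculates about.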