
How serious is HSBC's online banking flaw?

Security experts downplay severity

Tags: banks, security

By Dan Ilett

Published: 10 August 2006 11:00 GMT

Security professionals have questioned reports of a 'serious flaw' in HSBC's online banking system.

Researchers at Cardiff University claim to have discovered the flaw which, according to The Guardian, has left 3.1 million customers exposed for over two years because of a defect in how people access their online accounts.

The vulnerability, which was not detailed in the researchers' report, relies on a hacker using a keystroke logger - a piece of software which records each key a user types on their keyboard.

Graham Cluley, senior technology consultant for antivirus company Sophos, told silicon.com: "Unless Cardiff gives some more information, it's a non-story - there's no meat on this. Because of The Guardian's story, customers are going to be worried, HSBC annoyed and no one is any wiser."

Professor Antonia Jones, a researcher at Cardiff University, was not available to comment on the matter.

To access HSBC's banking website, users are required to enter an alphanumeric password, then a date of birth, and then a personal identification number (PIN).

Cardiff University claims that any account can be broken into within nine attempts at logging in to the website, though the hackers would first need to plant a keystroke logger on the victim's PC.

Cluley said: "They could gather [PIN] digits in up to nine attempts but it doesn't seem a very effective way of doing this."

HSBC said the flaw has not been exploited and it would be "interested to hear any expert commentary on the security of its personal internet banking service".

"It is an extremely sophisticated attack that would require a particular and time-consuming focus on one individual victim. It is therefore not likely to be a profitable way for criminals to behave," the bank said in a statement.

Alan Phillips, CEO of security company 7Safe, said there are ways to stop keystroke loggers from capturing PINs and passwords. One method is to use an on-screen keyboard, either the one built into Windows XP or one provided by the online bank, when typing in confidential details.

"There are some ways around keyloggers," he said. "Other banks like Credit Agricole have their own on-screen keyboards. This way you can't get hit by a keystroke log. The other way is with a drop-down box. Barclays do that."

But Sophos' Cluley argued keylogging software can beat on-screen keyboards. "Any keylogger is likely to be part of a more complex piece of spyware. That allows the hacker access to everything on your PC, such as monitoring the screen and mouse clicks. Similarly, drop-down boxes are not immune to hackers grabbing information from them."

Richard Starnes, president of the Information Systems Security Association UK, questioned how researchers first stumbled on the flaws.

"I'd be interested to know what the exploit is and how Cardiff happened upon the flaw. And what was that interaction between Cardiff and HSBC?"

Cluley offered further precautions for PC users.

"If you have antivirus [software], the latest Microsoft patches and a firewall, you're taking most of the right steps. The other thing to do is not open unknown attachments," he said.

ZDNet UK's Tom Espiner contributed to this report.
