Security experts downplay severity
By Dan Ilett
Published: 10 August 2006 11:00 GMT
Security professionals have questioned reports of a 'serious flaw' in HSBC's online banking system.
Researchers at Cardiff University claim to have discovered a flaw which, according to The Guardian, left 3.1 million customers exposed for over two years because of a defect in how people log in to their online accounts.
The vulnerability, which was not detailed in the researchers' report, relies on an attacker first installing a keystroke logger - a piece of software that records each key a user types on their keyboard.
Graham Cluley, senior technology consultant for antivirus company Sophos, told silicon.com: "Unless Cardiff gives some more information, it's a non-story - there's no meat on this. Because of The Guardian's story, customers are going to be worried, HSBC annoyed and no one is any wiser."
Professor Antonia Jones, a researcher at Cardiff University, was not available to comment on the matter.
To access HSBC's banking website, users are required to enter an alphanumeric password, a date of birth and then a personal identification number (PIN).
Cardiff University claims that any account can be broken into within nine attempts, although the attackers would first need to plant a keystroke logger on the victim's PC.
Cluley said: "They could gather [PIN] digits in up to nine attempts but it doesn't seem a very effective way of doing this."
HSBC said the flaw has not been exploited and it would be "interested to hear any expert commentary on the security of its personal internet banking service".
"It is an extremely sophisticated attack that would require a particular and time-consuming focus on one individual victim. It is therefore not likely to be a profitable way for criminals to behave," the bank said in a statement.
Alan Phillips, CEO of security company 7Safe, said there are ways to stop keystroke loggers from capturing PINs and passwords. One method is to use an on-screen keyboard, either the one built into Windows XP or one provided by the online bank, when entering confidential details.
"There are some ways around keyloggers," he said. "Other banks like Credit Agricole have their own on-screen keyboards. This way you can't get hit by a keystroke log. The other way is with a drop-down box. Barclays do that."
But Sophos' Cluley argued keylogging software can beat on-screen keyboards. "Any keylogger is likely to be part of a more complex piece of spyware. That allows the hacker access to everything on your PC, such as monitoring the screen and mouse clicks. Similarly, drop-down boxes are not immune to hackers grabbing information from them."
Richard Starnes, president of the Information Systems Security Association UK, questioned how researchers first stumbled on the flaws.
"I'd be interested to know what the exploit is and how Cardiff happened upon the flaw. And what was that interaction between Cardiff and HSBC?"
Cluley offered further precautions for PC users.
"If you have antivirus [software], the latest Microsoft patches and a firewall, you're taking most of the right steps. The other thing to do is not open unknown attachments," he said.
ZDNet UK's Tom Espiner contributed to this report.
Copyright © 2008 CBS Interactive Limited. All rights reserved.