How serious is HSBC's online banking flaw?

Security experts downplay severity

By Dan Ilett, 10 August 2006 11:00

NEWS

Security professionals have questioned reports of a 'serious flaw' in HSBC's online banking system.

Researchers at Cardiff University claim to have discovered the flaw which, according to The Guardian, over two years left 3.1 million customers exposed due to a defect in how people access their online accounts.

The vulnerability, which was not detailed in the researchers' report, relies on a hacker using a keystroke logger - a piece of software which records each key a user types on their keyboard.

Graham Cluley, senior technology consultant for antivirus company Sophos, told silicon.com: "Unless Cardiff gives some more information, it's a non-story - there's no meat on this. Because of The Guardian's story, customers are going to be worried, HSBC annoyed and no one is any wiser."

Professor Antonia Jones, a researcher at Cardiff University, was not available to comment on the matter.

To access HSBC's banking website, users are required to enter an alpha-numeric password, a date of birth then a personal identification number (PIN).

Cardiff University claims that any account can be broken into within nine attempts of hacking the website, though first the hackers would need to plant a keystroke logger on the victim's PC.

Cluley said: "They could gather [PIN] digits in up to nine attempts but it doesn't seem a very effective way of doing this."

HSBC said the flaw has not been exploited and it would be "interested to hear any expert commentary on the security of its personal internet banking service".

"It is an extremely sophisticated attack that would require a particular and time-consuming focus on one individual victim. It is therefore not likely to be a profitable way for criminals to behave," the bank said in a statement.

Alan Phillips, CEO of security company 7Safe, said there are ways to avoid keystroke loggers nabbing PIN numbers and passwords. One method is to use an on-screen keyboard in Windows XP or one provided by the online bank when typing in confidential details.

"There are some ways around keyloggers," he said. "Other banks like Credit Agricole have their own on-screen keyboards. This way you can't get hit by a keystroke log. The other way is with a drop-down box. Barclays do that."

But Sophos' Cluley argued keylogging software can beat on-screen keyboards. "Any keylogger is likely to be part of a more complex piece of spyware. That allows the hacker access to everything on your PC, such as monitoring the screen and mouse clicks. Similarly, drop-down boxes are not immune to hackers grabbing information from them."

Richard Starnes, president of the Information Systems Security Association UK, questioned how researchers first stumbled on the flaws.

"I'd be interested to know what the exploit is and how Cardiff happened upon the flaw. And what was that interaction between Cardiff and HSBC?"

Cluley offered further precautions for PC users.

"If you have antivirus [software], the latest Microsoft patches and a firewall, you're taking most of the right steps. The other thing to do is not open unknown attachments," he said.

ZDNet UK's Tom Espiner contributed to this report.

Comments

There are 11 comments.

  1. Marc

    Hmm, surely any user's access to any "secure website" -- not just HSBC -- is vulnerable in this way? I fail to see how the issue is limited to HSBC account holders alone.

  2. Casey S. Potenzone

    Being a specialist in the banking and online security industry, I've got to say this is more evidence of the press pushing drama than actual threat. The flaw is not HSBC, it's in the anti-virus and security software. If you have a key logger on your computer, most likely the person(s) receiving the output can get into your accounts. There are a few solutions capable of stopping such threats, and one of them is what I do for a living (http://wiki.unilocusa.com/Online_Banking).

    If you really want to take a good look at a serious threat to the online banking industries, take a look at this (http://wiki.unilocusa.com/CitiBusiness_VASCO_Breach). The "man-in-the-middle" attack against Citibank and one time passwords is putting a serious chill down the spines of all online bank administrators and security engineers.
    Casey S. Potenzone

  3. Warren Swaine

    A serious flaw has been discovered in Bank security systems which could lead to millions of people having their accounts plundered and used for funding drug dealing, terrorism or even buying a can of Tennants Super.

    Our rent a quote security consultant P.R. Guff told us, "armed with a simple knife it has been demonstrated that anyone is able to obtain the personal PIN number of any bank customer and empty their account in seconds. Unless the banks start taking this issue seriously and employ armed security guards to patrol the streets near cash points, we will have to advise people to stay indoors, twitch the curtains every few minutes and call the Police if they see any suspicious behaviour."

  4. anonymous

    I was skeptical when I read this in the Guardian. I use 1st Direct rather than HSBC; no way would a keystroke logger get anyone into my account. I also use Smile and if a keystroke logger was on my machine it would get enough information to breach my account in about 5 attempts!

    Shame to see the Guardian indulging in scaremongering.

  5. Andy Law

    I'll tell you what the flaw is...

    Imagine that your victim knows a four digit number. Imagine that the victim is asked for 2 of those four numbers each time they log in. Imagine that they are asked for those numbers in position order i.e. first and third NOT third then first. How many samples of two of the digits do you need to guess the four digit code?

    Solutions:
    1) longer pins or the use of passphrases and selected characters from that - like first direct do
    2) ask for characters in non-sequential order
    3) both of the above
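To put numbers on the puzzle above and on the article's "nine attempts" claim, here is an added Python simulation; it is not code from the article, from HSBC or from any commenter. It models a generic partial-PIN challenge: a PIN of n digits, k positions asked per login, and a passive observer who records only the digits typed and not which positions were requested. When the positions are always named in ascending order the typed digits form a subsequence of the PIN; when the order is arbitrary only the multiset of digits is learned. The code counts how many PINs remain consistent with everything observed and how many logins pass before a single candidate is left. The sample PINs, the choice of 2 digits per login for a 4-digit PIN and 3 per login for a 6-digit PIN, and the brute-force candidate filtering are constructed assumptions, not a description of HSBC's real scheme.

```python
"""Added example: how much does a partial-PIN login leak to a keystroke observer?

Model (constructed, not HSBC's real scheme): a PIN of n digits; each login
asks for k distinct positions. An observer who records only keystrokes learns
the k digits typed, not which positions were requested. If the positions are
always named in ascending order, the typed digits are a subsequence of the
PIN; if the order is arbitrary, only the multiset of typed digits is learned.
"""
import itertools
import random

DIGITS = "0123456789"


def is_subsequence(obs: str, cand: str) -> bool:
    """Ascending-order policy: the typed digits must occur in cand in that order."""
    it = iter(cand)
    return all(d in it for d in obs)


def is_submultiset(obs: str, cand: str) -> bool:
    """Arbitrary-order policy: cand must contain each typed digit often enough."""
    return all(cand.count(d) >= obs.count(d) for d in set(obs))


def all_pins(pin_len: int):
    """Lazily enumerate every pin_len-digit PIN (10**pin_len of them)."""
    return ("".join(p) for p in itertools.product(DIGITS, repeat=pin_len))


def candidates_after(pin_len: int, observations, ordered: bool) -> set:
    """PINs of pin_len digits consistent with every recorded observation."""
    check = is_subsequence if ordered else is_submultiset
    return {c for c in all_pins(pin_len)
            if all(check(obs, c) for obs in observations)}


def login_observation(pin: str, k: int, rng: random.Random) -> str:
    """What the observer records for one login: the digits at k distinct
    positions, typed in ascending position order ('first and third', never
    'third then first')."""
    positions = sorted(rng.sample(range(len(pin)), k))
    return "".join(pin[i] for i in positions)


def logins_until_unique(pin: str, k: int, ordered: bool, seed: int = 1,
                        max_logins: int = 200):
    """Return (logins, remaining): the number of observed logins after which
    only `pin` is consistent, and the candidate-set size at that point.
    logins is None if max_logins (>= 1) observations never narrow the set to
    one; under the arbitrary-order policy that is guaranteed whenever the PIN
    has two or more distinct digits, because every rearrangement of its
    digits stays consistent with every observation."""
    check = is_subsequence if ordered else is_submultiset
    rng = random.Random(seed)
    cands = None  # materialised only after the first filter, to save memory
    for n in range(1, max_logins + 1):
        obs = login_observation(pin, k, rng)
        pool = all_pins(len(pin)) if cands is None else cands
        cands = {c for c in pool if check(obs, c)}
        if len(cands) == 1:
            return n, 1
    return None, len(cands)


if __name__ == "__main__":
    # Constructed sample PINs: a 4-digit one with 2 digits per login (the
    # commenter's puzzle) and a 6-digit one with 3 digits per login.
    for pin, k in (("1234", 2), ("473905", 3)):
        for ordered in (True, False):
            logins, left = logins_until_unique(pin, k, ordered)
            policy = "ascending" if ordered else "arbitrary"
            print(f"{len(pin)}-digit PIN, {k} digits per login, positions named "
                  f"in {policy} order: unique after {logins} logins, "
                  f"{left} candidate(s) remain")
```

Running the script shows the two halves of the argument: with positions named in ascending order the candidate set collapses to the one real PIN after a handful of observed logins, while with arbitrary order it floors at the rearrangements of the PIN's digits (24 for a 4-digit PIN with distinct digits), so solution 2 raises the cost but does not remove the leak, and solution 1 mainly lengthens the run. The model deliberately ignores an observer that can also read the challenge text on screen; as commenter 8 notes below, that capability removes the positional ambiguity entirely.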

  6. Paul Tomlinson

    As a customer of HSBC I was quite confused by the report as I actually find it more secure than some of the other banking websites. This is because you require a user id and your date of birth. Then you have an x-digit password, but they basically ask you for, say, the 1st, 3rd and last character. This question changes each time you go to log on. So a keystroke logger would have to rely on a user logging on many times before they had all of the characters.

  7. David Gaskill

    Maybe HSBC should adopt the same approach to security in the UK as they do here in Hong Kong.

    I have a security number generator device, small enough to go on a key-ring, which has a six digit LCD display and a button. After I have entered my account name and password I press the button and enter the security code number which is displayed.

    I get a different number every time I press the button and the number generator has a serial number on the back which I had to input during the account set-up procedure.

    It seems to me that the security offered by this device is extremely high - the only disadvantage is that I have three HSBC accounts each with a different security code generator and it's easy to pick up the wrong one...

    David

  8. Harold Fuchs

    I doubt that this is a serious flaw. An individual's PIN can be between 6 and 10 digits long. When you log on you are asked, in *words* for, say, the "third, fifth and last" digits, or, another example, the "second, seventh and ninth" digits. You type in the three digits. Even if the keylogger logged what you typed, it would have no idea where those digits were positioned within the PIN - unless it can *read* the request which, as I said, is in *words*.

    I'm not saying it's uncrackable; nothing is. But I seriously doubt that anyone's computer is infected with not only a key logger but also a screen scraper and a word reader.

    It's truly a shame that the people who claim to have discovered this "flaw" have chosen not to follow the usual rules of "full disclosure" so that other experts can evaluate their claims in a calm, scientific manner. Instead, the Cardiff team have merely stirred up yet more FUD (Fear, Uncertainty and Doubt) in an area where we really could do with less.

    I would be quite happy to participate, with the Cardiff folk, in a simulated trial where I invent a PIN, they provide a web page that simulates HSBC's logon procedure and some software for me to install on my computer and they guess my PIN. £10 says they can't; and certainly not in 9 tries.

    And no, I am not an employee of HSBC and never have been; nor are any of my friends or relations; nor am I being paid in money or kind for these comments; nor am I being threatened in any way.

  9. Joe Philips

    I also read the news about the HSBC online security flaw with some worry at first as I thought that it must be something to do with the way the website actually transmits data.

    However when I realised that it was all down to the fact that the hacker had to wait until you'd used every number from your security code, I knew I was in no real danger.

    I'm not a hacker nor an expert in the system, but as Dan Ilett said, how likely is it that the hackers know what order your numbers come in, and how do they know when you've used all of them - it can be anywhere between 6 and 10 numbers so it's unlikely they'll even know when you've used them all.

    I know one thing for certain - I'll continue to use the HSBC website without any concern.

  10. anonymous

    This really is a non-story because, as most security-minded PC owners know, their internet banking accounts are constantly under threat from keyloggers, trojans, spyware and a whole host of malware planted throughout the internet by criminals and their cohorts.

    That is why I, and most people I know, run at least two or three anti-spyware apps, a firewall and anti-virus software.

    There really can be no excuse for a PC owner performing internet banking not to adequately protect his/her PC from the dangers and traps that are out there.

  11. Kev Hill

    Surely any account can be gotten into fairly quickly if you've put a keylogger on the target PC???
