HSBC Online Banking Security Flaw Analyzed

Posted by timothy on Thu Aug 10, 2006 10:33 AM
from the roight-guv'nor-jes-sign-roight-here dept.
greenechidna writes "The BBC is reporting that a vulnerability has been found in the online banking service of HSBC by researchers at Cardiff University. According to the story the attack would allow an attacker to log on to an account within 9 attempts. The attack relies on a keylogger being installed on the victim's machine. The article doesn't have any further technical details." David Nicholson adds links to coverage at CNN and at the Guardian, writing "The attack revolves around the order that customers are requested to enter random security numbers on the site. The main news stories fail to detail the vulnerability but I have provided an analysis of it here."
  • Nine attempts? (Score:5, Interesting)

    by Kerr (889580) * on Thursday August 10 2006, @10:35AM (#15881343)
    As an HSBC internet banking user, I can safely say you'd be locked out long before your ninth attempt; hell, four locked me out when I last forgot my IB code. Being locked out is something you can only fix by visiting your local branch and using your password to unlock the account again.
    The number of attempts is not given, but the automatic lockout is at least covered at their security page [hsbc.com]
    Sorry Cardiff University, no bank hax for you today.
  • Why pick on HSBC? (Score:4, Insightful)

    by Anonymous Coward on Thursday August 10 2006, @10:39AM (#15881391)
    So IF my computer has a keylogger and IF my logins are recorded as few as 9 times, THEN the dishonest individual has my security code and can access my account. Whereas, at another bank which asks for a username and passcode, the dishonest individual with the keylogger only needs me to log in ONCE to have the run of my account. So why is this news?
  • uhhh... (Score:4, Insightful)

    The attack relies on a keylogger being installed on the victim's machine.
    Uhm.. yea. That attack will get you into about any bank website.. ever.
  • Keylogger required (Score:5, Insightful)

    by aminal (122974) on Thursday August 10 2006, @10:40AM (#15881404)
    So if I have a keylogger on my machine and I log into my online bank, it will log the details I put in and compromise my online banking?

    no shit sherlock.
    • In other news.. by Rob T Firefly (Score:1) Thursday August 10 2006, @10:44AM
    • Re:Keylogger required by LiquidCoooled (Score:1) Thursday August 10 2006, @10:51AM
    • Re:Keylogger required (Score:5, Insightful)

      by z0idberg (888892) on Thursday August 10 2006, @11:09AM (#15881713)
      The point isn't that a keylogger can capture your password. It's that they have tried to implement a method of entering your 6 digit pin in a way that would stop a keylogger from revealing it, but the way they have done it actually allows a keylogger to figure it out after relatively few times of logging in, hence creating a false sense of security.

      The PIN is 6 digits, they ask for three of these six digits at any one login (e.g. type the 1st, 3rd and 4th digits of your pin). Because they always ask in ascending order (i.e. never 4th, 2nd and 1st) then after 9 login events the keylogger can figure out the number. All they had to do (and all they have to do now) is ask for the digits in any order and this problem goes away. The keylogger would eventually know which numbers are in your 6 digit pin but never what order, and as there is a 3 (or 4 ?) tries lockout then they won't be able to get in unless they are very lucky guessers.

      I have HSBC internet banking and it never actually dawned on me how obvious this problem is, I don't think I ever noticed that they only ever ask in ascending order, but that's the beauty of it I guess.
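A design check for the partial-PIN scheme z0idberg describes above, added here as an example and not code from the page or from HSBC: it enumerates every 6-digit PIN still consistent with the three digits a keystroke recorder would see per login, once under an ascending prompt order and once under a randomized one. The PIN, the prompt positions and the login model are constructed assumptions.

```python
"""Design check for a partial-PIN prompt: how much does the ORDER in which the
three requested digits are asked for leak to a keystroke recorder?

Constructed model (an assumption, not HSBC's actual implementation):
  * the secret is a 6-digit PIN
  * each login asks for the digits at 3 distinct positions
  * "ascending" policy: positions are always requested in increasing order
  * "shuffled"  policy: positions are requested in a random order
  * the observer sees only the 3 digits typed, never which positions were asked
"""
import itertools
import random

PIN_LEN = 6
DIGITS_PER_LOGIN = 3

# Constructed sample secret and prompt positions; not real account data.
EXAMPLE_PIN = "305917"
CHAINED_PROMPTS = [(0, 1, 2), (1, 2, 3), (2, 3, 4), (3, 4, 5), (0, 2, 4),
                   (1, 3, 5), (0, 1, 5), (0, 4, 5), (2, 3, 5)]


def observe_login(pin, positions, policy, rng=None):
    """Return the three digits a keystroke recorder sees for one login."""
    positions = list(positions)
    if policy == "ascending":
        positions.sort()
    elif policy == "shuffled":
        (rng or random).shuffle(positions)
    else:
        raise ValueError("unknown policy: %s" % policy)
    return tuple(int(pin[p]) for p in positions)


def consistent(candidate, observation, policy):
    """Could this candidate PIN have produced the observed keystrokes?"""
    if policy == "ascending":
        # Typed digits must occur in the candidate in the typed order:
        # the observation is a subsequence of the candidate.
        it = iter(candidate)
        return all(d in it for d in observation)
    # Shuffled prompts: only the multiset of typed digits is informative.
    return all(candidate.count(d) >= observation.count(d)
               for d in set(observation))


def candidate_pins(observations, policy):
    """Every 6-digit PIN consistent with all recorded logins (brute force)."""
    return [
        "".join(map(str, cand))
        for cand in itertools.product(range(10), repeat=PIN_LEN)
        if all(consistent(cand, obs, policy) for obs in observations)
    ]


def survivors_after(pin, prompts, policy, seed=0):
    """How many PINs remain possible after these logins were recorded."""
    rng = random.Random(seed)
    observations = [observe_login(pin, p, policy, rng) for p in prompts]
    return len(candidate_pins(observations, policy))


def random_prompts(n, seed=0):
    """n position triples, as a server choosing uniformly at random might."""
    rng = random.Random(seed)
    return [tuple(rng.sample(range(PIN_LEN), DIGITS_PER_LOGIN))
            for _ in range(n)]


if __name__ == "__main__":
    prompts = random_prompts(9)
    for policy in ("ascending", "shuffled"):
        n = survivors_after(EXAMPLE_PIN, prompts, policy)
        print("%-9s prompts, 9 logins recorded: %d candidate PIN(s)" % (policy, n))
```

With CHAINED_PROMPTS the ascending policy leaves exactly one candidate, while the shuffled policy leaves all 720 orderings of the six digits, which is what makes a three-or-four-try lockout meaningful.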
  • The majority of online systems (Score:4, Insightful)

    by Timesprout (579035) on Thursday August 10 2006, @10:41AM (#15881408)
    will be 'flawed' if you get a keylogger on my pc since the majority rely on me supposedly knowing something you don't, until the logger records it for you that is.
  • Keylogger? (Score:2, Insightful)

    by Petskull (650178) on Thursday August 10 2006, @10:41AM (#15881411)
    The attack relies on a keylogger being installed on the victim's machine.

    Isn't this a vulnerability in *any* user/pass interface on any computer in the world?
  • security through obscurity? (Score:2, Insightful)

    by 6OOOOO (600000) on Thursday August 10 2006, @10:43AM (#15881439)
    (http://www.peekyou.com/)
    A spokesperson for HSBC is quoted in the article as having said:

    "The reality is that it would be more profitable for that fraudster to concentrate his or her efforts elsewhere."

    A single compromised user could mean a payoff of tens of thousands of dollars for a determined "fraudster." Particularly if that fraudster resides in a third-world country, that could be enough to live for years. Moreover, having to concentrate efforts on only one attack minimizes a fraudster's exposure to risk--a single instance is much harder to identify than a systematic effort.

    No, HSBC, this is a problem. With the prevalence of malicious software on today's internet, keyloggers are a very real threat. Alternative systems can eliminate this vulnerability. Use them.
  • I am not surprised they are this clueless - they also bounce spams to the nominal "From" address after accepting the message - so if a spammer forges a "From: joe@example.com", guess where they send the spam bounce message to?

    I've repeatedly tried to contact them to tell them to stop that, but they continue. If they cannot clear up a simple problem like this when they are told about it, do you really expect them to correct a DESIGN FLAW like TFA quickly?
  • What, they can't type? (Score:2, Funny)

    by mcrbids (148650) on Thursday August 10 2006, @10:45AM (#15881458)
    Ok, so we have a keylogger on the victim's machine, ostensibly to lift the login name and password. Then, we have an "attacker" who tries 9 times to type it in?

    Is it just me, or are we dealing with a fundamentally stupid attacker?

    If I use a keylogger to lift a login/pw, it shouldn't take more than 3 or 4 attempts to get it right.... perhaps I'm just a smarter attacker than most?
  • by mcrbids (148650) on Thursday August 10 2006, @10:51AM (#15881511)
    Ok, so I replied with a joke a few minutes ago... but I think this warrants more intelligent discussion.

    As a vendor of a web-based, access-restricted product, keyloggers are a real issue. I've been considering setting up client-side SSL certificates in order to restrict access to only machines that have been "set up" in order to deal with the problem of keyloggers. Are there better solutions?

    Does this bank have something that's: A) Easy to use, B) doesn't require painful machine-by-machine setup, and C) significantly improves security?

    If so, I just might be interested!
  • How to trick key loggers (Score:4, Funny)

    by Rik Sweeney (471717) on Thursday August 10 2006, @10:52AM (#15881519)
    (http://www.parallelrealities.co.uk/)
    I'm quite worried about key loggers so I always enter my password incorrectly the first two times and then input it successfully the final time. This ensures that my password is as secure as possible.

    More so if I screw up the last attempt and have to request a new password.

    Another simple solution is to keep your password in a text file and copy / paste it in.

    Or your password could just be ******* that would work a treat...
  • No surprise it's HSBC (Score:1, Troll)

    by Billosaur (927319) * <wgrother&optonline,net> on Thursday August 10 2006, @10:59AM (#15881597)
    (Last Journal: Wednesday November 07, @10:09AM)

    My wife is a former customer of HSBC, because they were nothing but a pain. She had put some money in a savings account with them and they sent her an ATM card which she destroyed, not wanting to be tempted to withdraw the money at any time. They claim to have sent her a pin for her online banking account, but she never received it, and when she called them up to try and get it reset so she could log in, they refused, even though she could provide them with all the relevant identification information. This went on and on until finally she told them to simply cancel the account, which they stated they could do, but they could not simply transfer the money back to the account from which they'd originally taken it, and would instead send her a check.

    Their customer service stinks, so why should their tech be any different?

  • No flaw here. (Score:1)

    by insomniac8400 (590226) on Thursday August 10 2006, @11:00AM (#15881614)
    If you have a keylogger on your computer, you've got bigger issues. Odds are they got all your info when you signed up for the bank.
  • Fud... or at least, way overhyped (Score:4, Informative)

    I am an HSBC customer, and it requires an extra login with a new password for "risky stuff" such as online bank transfer. This one needs you to type in a different password on a virtual keyboard via mouse clicks.

    This is the one researchers have probably defeated, that too when they have a keylogger installed on *my* computer.

  • In other news.... (Score:1)

    by telchine (719345) on Thursday August 10 2006, @11:07AM (#15881691)
    "The attack relies on a keylogger being installed on the victim's machine." In other news... "Burglar breaks in to house with key"
  • A similar problem exists in meatspace (Score:4, Interesting)

    by Bigboote66 (166717) on Thursday August 10 2006, @11:16AM (#15881766)
    In the U.S., most places have taken to just displaying the last 4 digits of your credit card number on the receipts they give back to you. However, on a recent trip to Europe (Finland & Russia, actually), I noticed that the receipts there seem to favor a scheme where a random set of digits appear each time (e.g. XXXX-XXX1-234X-XXXX). If you're like me, you often accumulate a bunch of these receipts in your pockets as you travel; some people may just dump the day's wad of receipts in a trash can. A fortunate dumpster diver may stumble onto a wad of receipts that allow him to reconstruct the credit card number. I'm not sure why the people that implemented that latter scheme thought it was preferable.

    -BbT
  • by Spudnuts (21990) on Thursday August 10 2006, @11:22AM (#15881828)
    As a US HSBC customer, the security that I see is different than the article describes.

    The login process is fairly typical (username, password only), but in mid-July 2006, they changed the process so that they are entered on separate pages. I do not understand how this improves security, because the username is echoed back on the password-entry page. There are no additional interactive anti-replay attack features--the username/password form seems to have been simply split to two pages.

    The biggest security feature that I have casually identified is that on the Online Bill Payment page, it is necessary to do a second authentication using a Java-based on-screen keyboard (which must be clicked with a mouse). This avoids a simple keystroke logger but is not beyond other attacks (for instance, it would be somewhat easier to shoulder-surf).
  • This just in...
    Another HSBC Security Flaw has been found. If you are logging into your account, and somebody is looking over your shoulder while you're doing it, odds are they can determine your username & password after only 1 successful login attempt.
  • Why passwords? (Score:1)

    by human spam filter (994463) on Thursday August 10 2006, @11:29AM (#15881900)
    I have wondered before why U.S. banks use weak security measures, such as password authentication, for online banking. When I opened an account, the clerk at the bank even wrote down my password and told me to change it when I log on the first time. My bank in Switzerland uses a smart card for authentication. When you open an account they give you a card reader and a smart card. When you want to log on, you have to type in your account ID (something like 10 digits) and they show you an 8-digit number; you then insert the card into the reader and enter your password (in the card reader). After this you enter the 8-digit number in the reader, and it then calculates another number which is used for authentication. For a more detailed description, see http://www.xiring.com/xiring-banking/pdf/Case_study_UBS.pdf [xiring.com] I think this system is far superior to password based authentication, because only my smart card can generate a number for authentication and the smart card permanently locks down if you enter the wrong password three times. So, are there any banks in the U.S. which use a similar system and if not, why?
  • How to fix this (Score:3, Interesting)

    by Bryansix (761547) on Thursday August 10 2006, @11:33AM (#15881940)
    (http://www.shezphoto.com/)
    Keyloggers would defeat the security at most online banking websites. I know it would defeat www.wamu.com which uses only a username and password. And yes, HSBC has taken better measures on some of their websites but this still does not protect against keyloggers.

    So who should we look to for an answer? ING Direct [ingdirect.com]! They use a two step process to log in. The first is a nondescript customer number. This step would be defeated by a keylogger or if someone had some mail stolen. Step two is to ask you to answer a pair of personal questions only you know the answer to. Still this could be defeated by a keylogger. The third step is pure genius though. First of all the page displays an image and phrase that you pre-selected. While a keylogger might pick up this phrase during account setup it would not pick up the image. If the image is not present, you are instructed not to enter your PIN number. Then the entering of the PIN number is via a keypad that you click with your mouse. Each number corresponds to a random letter that changes every time you log in. If you choose you can type in the letter that corresponds to each number for that log in. In this case the data a keylogger might capture would be useless. This is the best security feature on the website and ensures almost nobody except the account owner can ever log in. Of course if the PIN is compromised then the whole system breaks down but a smart user will never have a compromised PIN.
  • In other news... (Score:1)

    by Other Than That... (824148) on Thursday August 10 2006, @11:33AM (#15881943)
    Researchers at WeAreARealSchoolHonest University have discovered a method to unlock any combination lock within 12 attempts, the potential thief needs only to have a 24/7 video camera pointed at the lock in question....
  • The Grand Solution (Score:1)

    by Frightening (976489) on Thursday August 10 2006, @11:41AM (#15882024)
    (http://slashdot.org/~Frightening/journal/)
    1) Make sure computer doesn't have keylogger/trojan/spyware/windows on it

    2) Do life-endangering work (i.e log into account with life savings in it)

    3) Logout

    4) Beer
    • After RTFA by Frightening (Score:1) Thursday August 10 2006, @11:56AM
  • Weird... (Score:3, Funny)

    by Random Utinni (208410) on Thursday August 10 2006, @11:48AM (#15882097)
    Anyone else see the irony in the following ads Google inserted following this story?

    HSBCDirect Online Savings
    Earn 5.05% APY* at HSBC! You Don't Need to Switch Banks
    HSBCdirect.com

    HSBC Safe Online Banking
    Free Digital Security Code Device with all HSBC Account. Get it Now!
    www.hsbc.co.in


    Google's out to hijack my machine! ; )
  • by pen (7191) * <slashdot3@digdug.cx> on Thursday August 10 2006, @11:52AM (#15882139)
    Emigrant Direct recently implemented a two-step logon process, where you first supply your username, followed by your password and answers to two random security questions. Unfortunately, you're supposed to type the two answers into regular textboxes instead of masked password boxes, exposing your information to any shoulder surfers.
  • by Opportunist (166417) on Thursday August 10 2006, @12:06PM (#15882258)
    No matter what kind of security mechanism you have, the moment a keylogger is acting as a man in the middle, the security is flushed down the tubes (I bet someone will find a witty joke... I'm waiting).

    Banks here are using one time pads, quite sophisticated ones that are complicated enough to puzzle quite a few honest users simply wanting to use their online banking service. And that's still no increased security. As long as the MITM attack is possible, and that will be the case as long as there are no black box machines that can do NOTHING but actually communicate with the bank, without the possibility to install anything on them, this won't change. No matter what kind of security you implement.
  • by TheUnknownCoder (895032) on Thursday August 10 2006, @12:38PM (#15882593)
    I recently accessed the Bank of Brazil's [bancobrasil.com.br] online system, and they have a pretty neat way to turn keyloggers useless: they use a Java Applet that displays the valid digits you can use in your password, and you actually have to click on each key in order to enter your password (if you don't see the numbers, click the contrast "+"). Keyboards do not work on the password field.

    Most of the online banking sites in Brazil apply a similar technology, to prevent their account holders from falling victim to keyloggers, which was extremely common just a couple of months ago.

    And besides the main site's password, each user has a secondary password that is used when performing financial transactions such as transfers, payments, etc.
  • Security checks, and requirements (Score:3, Interesting)

    by TheRealBurKaZoiD (920500) on Thursday August 10 2006, @01:05PM (#15882896)
    I find this all pretty funny, especially the requirement of the keylogger, because it hits home pretty close. A web application I wrote and deployed to production about a year ago and now support was finally put through a third-party security check a few weeks ago. The results were fine for the most part. The application is more or less rock-solid since it is secured through Kerberos, hardened against sql injection, and invulnerable to cross-site scripting attacks.

    What the company did list as issues (and severe issues mind you) was the fact the application displayed signs of being vulnerable to cookie stealing, and session hijacking through man-in-the-middle attacks, that the server type was sent in the http headers, and that ports 110 and 25 were open on the web server. Well, my complaint is that the security report listed the application problems first, and gave them a higher score of criticality, which made everything else, including the open ports 1) seem less severe, and 2) seem as though they were application problems and not network problems, which is what they really are. The business people flipped out and thought the sky was going to fall, since there is some sensitive information stored in this system. Rather than breaking out champagne and celebrating the fact the system was secure against 99.9% of the attacks that would possibly be thrown at it, they lamented issues that weren't application issues. Now understand, I don't manage the servers this application runs on. I merely wrote the application. I don't know what all kind of shit the people who do manage it might have changed.

    The funniest thing is, in order to successfully run any cookie stealing, or session hijacking, you (the hacker) had to already have access to not one, but two windows accounts on the domain! The only way to get those was to either work there and have an account, brute-force the username/password, or social-engineer someone out of theirs. And, in order to successfully run the man-in-the-middle attack, you would have to have penetrated the LAN, or hacked someone's computer at their home.

    I began to run damage control, explaining how these exploits were possible, why they weren't application issues but network issues, and explaining lots of terms like ARP spoofing, cache poisoning, and how to avoid those things. I remarked that the open ports issue should be rated more highly than the MITM issues, and I also detailed how virtually every web application ever written was similarly vulnerable to these attacks in one way or the other, only to wind up being told that can't possibly be true, how I'm extremely arrogant, and how I think I know everything! One person even threatened to have me removed from the project, the cocksucker.

    At any rate, the requirement of the keylogger reminded me of the extenuating circumstances needed to exploit this application here: network penetration, not one but two valid accounts, and specialized knowledge of the application.

    It's weird. You try to help people and do your job, and they hate you for it. I think I've been doing this for just too damn long.
  • It's possible to get EVERYONE'S login details! All you have to do is crack into their database and reverse any hashes! OH SH!! STOP THE PRESSES!
  • wow (Score:1)

    by Vanth Dreadstar (794008) on Thursday August 10 2006, @03:04PM (#15884062)
    Wow, hack into your bank account within 9 attempts, using a keylogger? Amazing. Amazing how stupid a person would have to be to take so many attempts to get into someone's bank account *WITH* a keylogger.
  • Oh, really? (Score:2)

    by X.25 (255792) on Thursday August 10 2006, @03:25PM (#15884241)
    Since I'm using HSBC online banking, I froze when I saw the headline.

    Now I am laughing.

    Will we also see a headline saying "All online banking systems have flaws" (without adding '...assuming you have a keylogger on your machine')?
  • by razgriz (994603) on Thursday August 10 2006, @11:13PM (#15886786)
    I don't know about the UK's one, but in Hong Kong, we log in using a small hardware device. It will generate a six digit code for you to log in (after entering your username and password). HK newspaper said that the code is changed every 5 seconds.
  • by john_uy (187459) on Friday August 11 2006, @09:26AM (#15888875)
    I am an HSBC customer and have access to internet banking. Though I am not UK based, aside from the regular username and password, you will have to enter a six digit number generated by a token given.

    This is a different method from the one mentioned and will probably have no effect against key loggers. Although I read somewhere that phishing sites are now able to mimic a bank website and instantly log in to the account as it is phished. However, the main feature that the bad guys forget is that account transfers are not permitted if the destination account has not yet been enrolled (even bills payment I believe.) In other words, I must strictly go to the branch and fill out a form to allow money transfers to a particular account. So it will be a no go if they will siphon everything in my account (though they will be able to see transaction history but I don't think they will spend that much time and effort figuring out a pattern.)
  • Re:a better way (Score:2)

    Lloyds TSB use drop down menus to bypass keyloggers.

    Yeah, it's not a bad solution to the problem, I think. It also asks for the same set of characters until you get it right, so even if you only knew the first half of the secret word, you couldn't keep refreshing until it asked for chars 1, 2 and 3.