HSBC Online Banking Security Flaw Analyzed

Posted by timothy on Thu Aug 10, 2006 11:33 AM
from the roight-guv'nor-jes-sign-roight-here dept.
greenechidna writes "The BBC is reporting that a vulnerability has been found in the online banking service of HSBC by researchers at Cardiff University. According to the story the attack would allow an attacker to log on to an account within 9 attempts. The attack relies on a keylogger being installed on the victim's machine. The article doesn't have any further technical details." David Nicholson adds links to coverage at CNN and at the Guardian, writing "The attack revolves around the order that customers are requested to enter random security numbers on the site. The main news stories fail to detail the vulnerability but I have provided an analysis of it here."
  • Nine attempts? (Score:5, Interesting)

    by Kerr (889580) * on Thursday August 10 2006, @11:35AM (#15881343)
    As an HSBC internet banking user, I can safely say you'd be locked out long before your ninth attempt; hell, four locked me out when I last forgot my IB code. Being locked out is something you can only fix by visiting your local branch and using your password to unlock the account again.
    The number of attempts is not given, but the automatic lockout is at least covered at their security page [hsbc.com]
    Sorry Cardiff University, no bank hax for you today.
    • Re:Nine attempts? (Score:4, Informative)

      by BabyDave (575083) on Thursday August 10 2006, @11:45AM (#15881466)
      I think it means that after the victim has had 9 successful logins, the h4x0r has enough info to successfully login themselves.
    • Re:Nine attempts? (Score:5, Informative)

      by LiquidCoooled (634315) on Thursday August 10 2006, @11:48AM (#15881489) Homepage Journal
      This is not a problem of trying 9 times to break in, this is a problem of somebody RECORDING whilst you enter your correct details into the account.

      As you know, with HSBC, you are asked to specify 3 digits from your security key (which is 6-8 characters long)

      This is fine and stops people shoulder surfing to get it once, but if someone keeps recording you they will have all they need.

      I actually had more of a shock in the past when I managed to man in the middle the HSBC login, but after speaking to them (they called me back literally within seconds of me mailing them) it was cleared up and my worries were put to rest (there is a ~2 minute timeout where if you steal the cookies from someone's machine who has logged in but not logged out you can technically get at the information - this might have changed since, but it used to be the case)
    • That IB code's stupid. I have to keep a copy around for copying and pasting. What's the point of making it so awkward? HSBC Canada just uses the last 10 digits of my bank card. Maybe I use it so much more than my HSBC UK IB number that I've managed to memorise it, but really it's no less secure in my case. At least I can call HSBC's telephone banking this side of the Atlantic when the account is locked out for web access.

      I'd be interested to hear people's suggestions for a system that will remain secur
  • Why pick on HSBC? (Score:4, Insightful)

    by Anonymous Coward on Thursday August 10 2006, @11:39AM (#15881391)
    So IF my computer has a keylogger and IF my logins are recorded as few as 9 times, THEN the dishonest individual has my security code and can access my account. Whereas, at another bank which asks for a username and passcode, the dishonest individual with the keylogger only needs me to log in ONCE to have the run of my account. So why is this news?
    • It's news because some people might have thought that this bank has better security than one which only asks for username and password. If you're choosing an online bank, it is important to know which ones are secure and which are not.
  • uhhh... (Score:4, Insightful)

    The attack relies on a keylogger being installed on the victim's machine.
    Uhm.. yea. That attack will get you into about any bank website.. ever.
  • Keylogger required (Score:5, Insightful)

    by aminal (122974) on Thursday August 10 2006, @11:40AM (#15881404)
    So if I have a keylogger on my machine and I log into my online bank, it will log the details I put in and compromise my online banking?

    no shit sherlock.
    • by z0idberg (888892) on Thursday August 10 2006, @12:09PM (#15881713)
      The point isn't that a keylogger can capture your password. It's that they have tried to implement a method of entering your 6 digit pin in a way that would stop a keylogger from revealing it, but the way they have done it actually allows a keylogger to figure it out after relatively few times of logging in, hence creating a false sense of security.

      The PIN is 6 digits, they ask for three of these six digits at any one login (e.g. type the 1st, 3rd and 4th digits of your pin). Because they always ask in ascending order (i.e. never 4th, 2nd and 1st) then after 9 login events the keylogger can figure out the number. All they had to do (and all they have to do now) is ask for the digits in any order and this problem goes away. The keylogger would eventually know which numbers are in your 6 digit pin but never what order, and as there is a 3 (or 4 ?) tries lockout then they won't be able to get in unless they are very lucky guessers.

      I have HSBC internet banking and it never actually dawned on me how obvious this problem is, I don't think I ever noticed that they only ever ask in ascending order, but that's the beauty of it I guess.
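      The leak z0idberg describes can be measured rather than argued about. The following is an added Python simulation, not code from the thread, from HSBC or from the Cardiff researchers. It models an observer who records the three digits typed at each login but never sees which positions the page asked for, and counts how many 6-digit PINs remain consistent with the recordings under the ascending-order scheme and under the random-order fix. The PIN 493027, the challenge sequences and the RNG seed are constructed for the example.

```python
"""Added simulation: what a keystroke observer learns from a 'type 3 of your
6 PIN digits' challenge when the positions are always requested in ascending
order, versus in random order. The observer sees only the typed digits."""
from itertools import combinations, permutations, product
import random

PIN_LENGTH = 6
CHALLENGE_SIZE = 3
DIGITS = "0123456789"


def observe(pin, positions, ascending):
    """Digits typed for one login. The bank asks for `positions`, either sorted
    (ascending scheme) or in the order given (random-order scheme)."""
    order = sorted(positions) if ascending else list(positions)
    return tuple(pin[p] for p in order)


def is_subsequence(seq, pin):
    """Ascending scheme: a PIN explains an observation iff the typed digits
    occur in the PIN in that left-to-right order."""
    it = iter(pin)
    return all(d in it for d in seq)


def multiset_contained(seq, pin):
    """Random-order scheme: only the multiset of typed digits is learned."""
    remaining = list(pin)
    for d in seq:
        if d not in remaining:
            return False
        remaining.remove(d)
    return True


def initial_candidates(first_obs, ascending):
    """All PINs consistent with the first observation, built from the possible
    placements of the observed digits rather than by scanning every PIN."""
    placements = (combinations if ascending else permutations)(range(PIN_LENGTH), CHALLENGE_SIZE)
    cands = set()
    for slots in placements:
        free = [i for i in range(PIN_LENGTH) if i not in slots]
        for fill in product(DIGITS, repeat=len(free)):
            pin = [""] * PIN_LENGTH
            for s, d in zip(slots, first_obs):
                pin[s] = d
            for f, d in zip(free, fill):
                pin[f] = d
            cands.add("".join(pin))
    return cands


def consistent_pins(observations, ascending):
    """PINs that explain every recorded login."""
    check = is_subsequence if ascending else multiset_contained
    cands = initial_candidates(observations[0], ascending)
    for obs in observations[1:]:
        cands = {p for p in cands if check(obs, p)}
    return cands


def simulate(pin, challenges, ascending):
    """Run the logins the bank would issue for `challenges` (one position tuple
    per login) and return the PINs still consistent with the recordings."""
    observations = [observe(pin, ch, ascending) for ch in challenges]
    return consistent_pins(observations, ascending)


def all_challenges():
    """Every possible set of three positions (20 of them)."""
    return list(combinations(range(PIN_LENGTH), CHALLENGE_SIZE))


def random_challenges(n_logins, rng):
    return [tuple(rng.sample(range(PIN_LENGTH), CHALLENGE_SIZE)) for _ in range(n_logins)]


def leak_comparison(pin, n_logins, seed=2006):
    """(PINs left under ascending order, PINs left under random order) after
    the same n_logins randomly chosen challenges. Seed is a constructed value."""
    rng = random.Random(seed)
    challenges = random_challenges(n_logins, rng)
    return len(simulate(pin, challenges, True)), len(simulate(pin, challenges, False))


if __name__ == "__main__":
    pin = "493027"  # constructed sample PIN
    for n in (3, 9, 20):
        asc, rnd = leak_comparison(pin, n)
        print(f"after {n:2d} logins: ascending order leaves {asc:7d} PINs, random order leaves {rnd:7d}")
```

      Once all 20 position triples have been observed, the ascending scheme leaves exactly one candidate, while the random-order scheme never gets below the 720 orderings of the same six digits; that residual uncertainty is what makes the lockout after a few wrong attempts effective again.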
  • by Timesprout (579035) on Thursday August 10 2006, @11:41AM (#15881408)
    will be 'flawed' if you get a keylogger on my pc since the majority rely on me supposedly knowing something you dont, until the logger records it for you that is.
  • by mcrbids (148650) on Thursday August 10 2006, @11:51AM (#15881511) Journal
    Ok, so I replied with a joke a few minutes ago... but I think this warrants more intelligent discussion.

    As a vendor of a web-based, access-restricted product, keyloggers are a real issue. I've been considering setting up client-side SSL certificates in order to restrict access to only machines that have been "set up" in order to deal with the problem of keyloggers. Are there better solutions?

    Does this bank have something that's: A) Easy to use, B) doesn't require painful machine-by-machine setup, and C) significantly improves security?

    If so, I just might be interested!
    • My ingdirect.com.au savings account has a login method that would stop any keyloggers.

      You type in your account id (keylogger can pick this up obviously), then you are presented with an on screen keypad where you enter your pin number with the mouse. 4 digit pin number ( easy to remember), the numbers are in a different location on the on screen keypad every time. The only way any spyware can capture this would be with screen captures on every mouse click. I am not sure there are many spywares that go to the
    • The only good way to beat keyloggers is some sort of per-machine file. One of the best things I've seen is where you have to pick a certain file off your computer and upload it every time you log in (e.g. a picture of your kids) in addition to a password. So even having the PW is useless without this extra file. This does require some setup - during account establishment the user has to go and select this file (and make sure it's on read-only so no one can edit it and destroy account access).

      That's the best m
  • by Rik Sweeney (471717) on Thursday August 10 2006, @11:52AM (#15881519) Homepage
    I'm quite worried about key loggers so I always enter my password incorrectly the first two times and then input it successfully the final time. This ensures that my password is as secure as possible.

    More so if I screw up the last attempt and have to request a new password.

    Another simple solution is to keep your password in a text file and copy / paste it in.

    Or your password could just be ******* that would work a treat...
  • by deego (587575) on Thursday August 10 2006, @12:03PM (#15881649) Homepage
    I am an HSBC customer, and it requires an extra login with a new password for "risky stuff" such as online bank transfer. This one needs you to type in a different password on a virtual keyboard via mouse clicks.

    This is the one researchers have probably defeated, that too when they have a keylogger installed on *my* computer.

  • by Bigboote66 (166717) on Thursday August 10 2006, @12:16PM (#15881766)
    In the U.S., most places have taken to just displaying the last 4 digits of your credit card number on the receipts they give back to you. However, on a recent trip to Europe (Finland & Russia, actually), I noticed that the receipts there seem to favor a scheme where a random set of digits appear each time (e.g. XXXX-XXX1-234X-XXXX). If you're like me, you often accumulate a bunch of these receipts in your pockets as you travel; some people may just dump the day's wad of receipts in a trash can. A fortunate dumpster diver may stumble onto a wad of receipts that allow him to reconstruct the credit card number. I'm not sure why the people that implemented that latter scheme thought it was preferable.

    -BbT
  • by neonprimetime (528653) on Thursday August 10 2006, @12:28PM (#15881883)
    This just in...
    Another HSBC Security Flaw has been found. If you are logging into your account, and somebody is looking over your shoulder while you're doing it, odds are they can determine your username & password after only 1 successful login attempt.
  • How to fix this (Score:3, Interesting)

    by Bryansix (761547) on Thursday August 10 2006, @12:33PM (#15881940) Homepage
    Keyloggers would defeat the security at most online banking websites. I know it would defeat www.wamu.com which uses only a username and password. And yes, HSBC has taken better measures on some of their websites but this still does not protect against keyloggers.

    So who should we look to for an answer? ING Direct [ingdirect.com]! They use a two step process to log in. The first is a non-descript customer number. This step would be defeated by a keylogger or if someone had some mail stolen. Step two is to ask you to answer a pair of personal questions only you know the answer to. Still this could be defeated by a keylogger. The third step is pure genius though. First of all the page displays an image and phrase that you pre-selected. While a keylogger might pick up this phrase during account setup it would not pick up the image. If the image is not present, you are instructed not to enter your PIN number. Then the entering of the PIN number is via a keypad that you click with your mouse. Each number corresponds to a random letter that changes every time you log in. If you choose you can type in the letter that corresponds to each number for that log in. In this case the data a keylogger might capture would be useless. This is the best security feature on the website and ensures almost nobody except the account owner can ever log in. Of course if the PIN is compromised then the whole system breaks down but a smart user will never have a compromised PIN.
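    The per-login letter keypad Bryansix describes is simple to implement server-side. The following is an added Python sketch of such a design, not ING Direct's code and not from the thread: the server draws a fresh digit-to-letter mapping for each login session, the user types the letters shown on the keypad, and the server translates them back through that session's mapping before comparing. Letters recorded by a keystroke logger are therefore bound to one session and decode to the wrong digits (or to nothing) against the next. The PIN 4930 and the fixed mappings used in the deterministic helper are constructed for the example; a real deployment would store a PIN hash rather than the PIN.

```python
"""Added example: per-login substitution keypad. Hypothetical design, not a
specific bank's implementation."""
import hmac
import secrets
import string

DIGITS = "0123456789"


def new_keypad_mapping(rng=None):
    """{digit: letter} for one login session, drawn with a CSPRNG unless a
    test injects its own rng. Shown to the user as the on-screen keypad."""
    rng = rng or secrets.SystemRandom()
    letters = rng.sample(string.ascii_uppercase, len(DIGITS))
    return dict(zip(DIGITS, letters))


def mapping_from_letters(letters):
    """Fixed mapping from a 10-letter string; used to make examples deterministic."""
    if len(letters) != 10 or len(set(letters)) != 10:
        raise ValueError("need 10 distinct letters")
    return dict(zip(DIGITS, letters))


def encode_pin(pin, mapping):
    """What the user reads off the displayed keypad and types (client side)."""
    return "".join(mapping[d] for d in pin)


def verify(typed, mapping, stored_pin):
    """Server side: map the typed letters back through THIS session's mapping and
    compare in constant time. A letter outside the mapping means the client did
    not use this session's keypad (a replay from another login or a tampered page)."""
    reverse = {letter: digit for digit, letter in mapping.items()}
    if len(typed) != len(stored_pin) or any(c not in reverse for c in typed):
        return False
    decoded = "".join(reverse[c] for c in typed)
    return hmac.compare_digest(decoded.encode(), stored_pin.encode())


if __name__ == "__main__":
    stored_pin = "4930"  # constructed sample PIN
    session_1 = new_keypad_mapping()
    typed = encode_pin(stored_pin, session_1)  # what a keylogger would record
    print("login 1 accepted:", verify(typed, session_1, stored_pin))
    session_2 = new_keypad_mapping()
    print("recorded letters replayed at login 2 accepted:", verify(typed, session_2, stored_pin))
```

    The mapping must live only in the server-side session and be discarded after one use; if it were derived from anything predictable, or reused, the recorded letters would become a stable password again.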
  • Weird... (Score:3, Funny)

    by Random Utinni (208410) on Thursday August 10 2006, @12:48PM (#15882097)
    Anyone else see the irony in the following ads Google inserted following this story?

    HSBCDirect Online Savings
    Earn 5.05% APY* at HSBC! You Don't Need to Switch Banks
    HSBCdirect.com

    HSBC Safe Online Banking
    Free Digital Security Code Device with all HSBC Account. Get it Now!
    www.hsbc.co.in


    Google's out to hijack my machine! ; )
    • This isn't a security flaw. If you have a key logger, you have everything for any bank site, or any other site for that matter. I wonder who disclosed this? Perhaps a competitor? Cause it's the stupidest thing I've ever heard.
      • HSBC had a virtual keyboard feature. A keylogger would not work with that. You use the mouse to enter letters on it. Maybe the virtual keyboard only has 9 positions, and maybe they are recording mouse movements?
    • No, HSBC, this is a problem.

      Since when are banks required to protect themselves against people who have keyloggers on their computers? Not really much one can do IMHO if there's a keylogger present...

      I guess the only way around it is to have a pin pad and use the mouse to enter in your pin code as well as your pass code.

      W00t. Three tiered logins. Fun stuff.