HSBC Online Banking Security Flaw Analyzed
greenechidna writes "The BBC is reporting that a vulnerability has been found in the online banking service of HSBC by researchers at Cardiff University. According to the story the attack would allow an attacker to log on to an account within 9 attempts. The attack relies on a keylogger being installed on the victim's machine. The article doesn't have any further technical details."
David Nicholson adds links to coverage at CNN and at the Guardian, writing
"The attack revolves around the order that customers are requested to enter random security numbers on the site. The main news stories fail to detail the vulnerability but I have provided an analysis of it here."
As an HSBC internet banking user, I can safely say you'd be locked out long before your ninth attempt; hell, four locked me out when I last forgot my IB code. Being locked out is something you can only fix by visiting your local branch and using your password to unlock the account again.
The number of attempts is not given, but the automatic lockout is at least covered at their security page.
Sorry Cardiff University, no bank hax for you today.
Don't try to outweird me, three-eyes. I get stranger things than you free with my breakfast cereal. -- Zaphod Beeblebrox
Lloyds TSB use drop down menus to bypass keyloggers.
Natwest is probably also vulnerable to the same 'attack' that this article mentions that HSBC are vulnerable to.
So IF my computer has a keylogger and IF my logins are recorded as few as 9 times, THEN the dishonest individual has my security code and can access my account. Whereas, at another bank which asks for a username and passcode, the dishonest individual with the keylogger only needs me to log in ONCE to have the run of my account. So why is this news?
Nathan Friedly
So if I have a keylogger on my machine and I log into my online bank, it will log the details I put in and compromise my online banking?
no shit sherlock.
Aminal - DRUMMS!!
will be 'flawed' if you get a keylogger on my PC, since the majority rely on me supposedly knowing something you don't, until the logger records it for you, that is.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth.
What truth?
There is no dupe
[quote]The attack relies on a keylogger being installed on the victim's machine.[/quote]
Isn't this a vulnerability in *any* user/pass interface on any computer in the world?
My old bank in Australia rolled out an Internet Banking app quite early in comparison to other banks. They actually made you download & install a Java app, which amongst other things provided a little "pop-up window" that would launch when you tried to log on to your account. The window had the image of a regular keyboard, and you'd have to click on each key with your mouse to enter the appropriate letter/number/symbol.
It worked well, but eventually when they re-wrote their banking system they did away with the Java app & the popup window, and went to just regular HTTP+SSL. So you were back to typing in your credentials, and back to being vulnerable to keyloggers.
That's what they get for using Rails!
A spokesperson for HSBC is quoted in the article as having said:
"The reality is that it would be more profitable for that fraudster to concentrate his or her efforts elsewhere."
A single compromised user could mean a payoff of tens of thousands of dollars for a determined "fraudster." Particularly if that fraudster resides in a third-world country, that could be enough to live for years. Moreover, having to concentrate efforts on only one attack minimizes a fraudster's exposure to risk--a single instance is much harder to identify than a systematic effort.
No, HSBC, this is a problem. With the prevalence of malicious software on today's internet, keyloggers are a very real threat. Alternative systems can eliminate this vulnerability. Use them.
Find your friends!
I am not surprised they are this clueless - they also bounce spams to the nominal "From" address after accepting the message - so if a spammer forges a "From: joe@example.com", guess where they send the spam bounce message to?
I've repeatedly tried to contact them to tell them to stop that, but they continue. If they cannot clear up a simple problem like this when they are told about it, do you really expect them to correct a DESIGN FLAW like TFA quickly?
www.eFax.com are spammers
..it turns out people who watch you type in your password can then use your password.
O RLY?
YA RLY!
Slashdot Burying Stories About Slashdot Media Owned
Ok, so we have a keylogger on the victim's machine, ostensibly to lift the login name and password. Then, we have an "attacker" who tries 9 times to type it in?
Is it just me, or are we dealing with a fundamentally stupid attacker?
If I use a keylogger to lift a login/pw, it shouldn't take more than 3 or 4 attempts to get it right.... perhaps I'm just a smarter attacker than most?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Ok, so I replied with a joke a few minutes ago... but I think this warrants more intelligent discussion.
As a vendor of a web-based, access-restricted product, keyloggers are a real issue. I've been considering setting up client-side SSL certificates in order to restrict access to only machines that have been "set up" in order to deal with the problem of keyloggers. Are there better solutions?
Does this bank have something that's: A) Easy to use, B) doesn't require painful machine-by-machine setup, and C) significantly improves security?
If so, I just might be interested!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I'm quite worried about key loggers so I always enter my password incorrectly the first two times and then input it successfully the final time. This ensures that my password is as secure as possible.
More so if I screw up the last attempt and have to request a new password.
Another simple solution is to keep your password in a text file and copy / paste it in.
Or your password could just be ******* that would work a treat...
Summation 2
My wife is a former customer of HSBC, because they were nothing but a pain. She had put some money in a savings account with them and they sent her an ATM card, which she destroyed, not wanting to be tempted to withdraw the money at any time. They claim to have sent her a PIN for her online banking account, but she never received it, and when she called them up to try and get it reset so she could log in, they refused, even though she could provide them with all the relevant identification information. This went on and on until finally she told them to simply cancel the account, which they stated they could do, but they could not simply transfer the money back to the account from which they'd originally taken it, and would instead send her a check.
Their customer service stinks, so why should their tech be any different?
GetOuttaMySpace - The Anti-Social Network
If you have a keylogger on your computer, you've got bigger issues. Odds are they got all your info when you signed up for the bank.
My ingdirect.com.au savings account has a login method that would stop any keyloggers.
You type in your account id (keylogger can pick this up obviously), then you are presented with an on screen keypad where you enter your pin number with the mouse. 4 digit pin number ( easy to remember), the numbers are in a different location on the on screen keypad every time. The only way any spyware can capture this would be with screen captures on every mouse click. I am not sure there are many spywares that go to these lengths.
First, I have an HSBC credit card, but not a bank account. I do use the online services for it. I've gotten passwords mixed up before and tried probably about 12 attempts before it DID work, and let me in.
Secondly, why the hell does it take you nine attempts if you have a keylogger installed???
The only good way to beat keyloggers is some sort of per-machine file. One of the best things I've seen is where you have to pick a certain file off your computer and upload it every time you log in (e.g. a picture of your kids) in addition to a password. So even having the PW is useless without this extra file. This does require some setup - during account establishment the user has to go and select this file (and make sure it's on read-only so no one can edit it and destroy account access).
That's the best means I've seen so far to protect against keyloggers.
The Doormat
If you're not outraged, then you're not paying attention.
"The attack relies on a keylogger being installed on the victim's machine." In other news... "Burglar breaks in to house with key"
When I log into HSBC online banking, I only provide a username and then a password. No DOB, no SSN. What exactly is flawed?
Well, you could also use a two-factor authentication system such as RSA SecurID. Many banks are beginning to offer this type of technology as an option.
Maybe HSBC UK is different - but I don't see any of that here. All I have to enter to do anything is:
Internet bank ID
Date of birth
3 random digits of my 6 digit passcode
In the U.S., most places have taken to just displaying the last 4 digits of your credit card number on the receipts they give back to you. However, on a recent trip to Europe (Finland & Russia, actually), I noticed that the receipts there seem to favor a scheme where a random set of digits appear each time (e.g. XXXX-XXX1-234X-XXXX). If you're like me, you often accumulate a bunch of these receipts in your pockets as you travel; some people may just dump the day's wad of receipts in a trash can. A fortunate dumpster diver may stumble onto a wad of receipts that allow him to reconstruct the credit card number. I'm not sure why the people that implemented that latter scheme thought it was preferable.
-BbT
As a US HSBC customer, the security that I see is different than the article describes.
The login process is fairly typical (username, password only), but in mid-July 2006, they changed the process so that they are entered on separate pages. I do not understand how this improves security, because the username is echoed back on the password-entry page. There are no additional interactive anti-replay attack features--the username/password form seems to have been simply split to two pages.
The biggest security feature that I have casually identified is that on the Online Bill Payment page, it is necessary to do a second authentication using a Java-based on-screen keyboard (which must be clicked with a mouse). This avoids a simple keystroke logger but is not beyond other attacks (for instance, it would be somewhat easier to shoulder-surf).
This just in...
Another HSBC Security Flaw has been found. If you are logging into your account, and somebody is looking over your shoulder while you're doing it, odds are they can determine your username & password after only 1 successful login attempt.
I have wondered before why U.S. banks use weak security measures, such as password authentication, for online banking. When I opened an account, the clerk at the bank even wrote down my password and told me to change it when I log on the first time. My bank in Switzerland uses a smart card for authentication. When you open an account they give you a card reader and a smart card. When you want to log on, you have to type in your account ID (something like 10 digits) and they show you an 8-digit number; you then insert the card into the reader and enter your password (in the card reader). After this you enter the 8-digit number in the reader, and it then calculates another number which is used for authentication. For a more detailed description, see http://www.xiring.com/xiring-banking/pdf/Case_study_UBS.pdf
I think this system is far superior to password based authentication, because only my smart card can generate a number for authentication and the smart card permanently locks down if you enter the wrong password three times.
So, are there any banks in the U.S. which use a similar system and if not, why?
Keyloggers would defeat the security at most online banking websites. I know it would defeat www.wamu.com which uses only a username and password. And yes, HSBC has taken better measures on some of their websites but this still does not protect against keyloggers.
So who should we look to for an answer? ING Direct! They use a two step process to log in. The first is a non-descript customer number. This step would be defeated by a keylogger or if someone had some mail stolen. Step two is to ask you to answer a pair of personal questions only you know the answer to. Still this could be defeated by a keylogger. The third step is pure genius though. First of all the page displays an image and phrase that you pre-selected. While a keylogger might pick up this phrase during account setup it would not pick up the image. If the image is not present, you are instructed not to enter your PIN number. Then the entering of the PIN number is via a keypad that you click with your mouse. Each number corresponds to a random letter that changes every time you log in. If you choose you can type in the letter that corresponds to each number for that log in. In this case the data a keylogger might capture would be useless. This is the best security feature on the website and ensures almost nobody except the account owner can ever log in. Of course if the PIN is compromised then the whole system breaks down but a smart user will never have a compromised PIN.
Researchers at WeAreARealSchoolHonest University have discovered a method to unlock any combination lock within 12 attempts, the potential thief needs only to have a 24/7 video camera pointed at the lock in question....
Isn't a "keylogger" for a keyboard? Wouldn't you need, like, a "mouselogger"?
So the people using Ethernet can't bank online with your bank? It seems strange to lock out 99% of the population that way.
I don't know how it works for USA banks, but here in Brazil we have some solutions that solve (at least) the keylogger problem:
1) Some banks use a Java Applet (http://www.bb.com.br), forcing the users to use the mouse to enter the "internet banking password" (generally, just numbers). Of course, the position of the numbers is random, so grabbing the mouse path isn't enough.
2) Other banks (http://www.citibank.com.br) use the simplest and oldest "encryption" solution, but with a special component: a table with two rows, the first one with the numbers 0-9 and the second with 10 random letters. To access the internet banking, you need to type (on your keyboard) the letters.
3) Still other banks (http://www.itau.com.br) use a variation of the first: after entering your branch (agency?) number/account number, your first name appears and you enter your password by clicking on the numbers, which are grouped two per button.
Also, some banks use alternative methods for certain critical operations, like money transfers. Some banks provide you with a "security card" containing about 60 numbers. For each session in the internet banking, before the first "critical" operation, they ask you for, say, number 26. You, of course, know this number only if you have the security card. Other banks use a "computer identification" (I didn't even try to figure out how), but they provide one 4-number code for each computer you are using. So, if you just bought a new desktop, you need to log in to the internet banking, get that number, call the bank's phone line (or use an ATM) and enter the number you received in the internet banking. Then, you can use your internet banking from your new desktop.
This approach has some problems, but it is fully understandable: it's *my* money :-)
ilex paraguariensis for all
There are a few alternatives. One is to hand out a one-time password generator. Ironically, HSBC in Korea did use one time passwords before they were forced by the Korean banking regulation agency to switch to an ActiveX based solution that encrypts the traffic with SEED (a Korean encryption algorithm) and takes care of personal certificate-based authentication and signing. Due to its reliance on ActiveX controls (instead of more platform/browser independent solutions like Java signed applets), we need to use MS IE on Windows to do on-line banking. Linux, Mac and firefox/opera users tried to change this situation, but so far we haven't been successful. Another is to make mandatory the use of a smartcard with a personal certificate. Unless a smartcard is stolen, a keylogger couldn't do any harm.
1) Make sure computer doesn't have keylogger/trojan/spyware/windows on it
2) Do life-endangering work (i.e log into account with life savings in it)
3) Logout
4) Beer
The "extra file" could also be an external device where you type in a PIN or insert your card to get a number required to enter (I have both, and the old PIN 'calculator' is still valid). This number is generated from a seed only your device and your bank has, and is valid for about a minute. A crook would have to be real fast to use a logged passnumber.
Google's out to hijack my machine! ; )
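The two hardware-token designs described in the comments above (a card reader that answers the bank's 8-digit challenge after a PIN unlock, and a number derived from a shared seed that is valid for about a minute), as an added example written for this thread. It is not UBS's, Xiring's or any vendor's algorithm, which the page does not give; the HMAC-SHA256 construction, the 8-digit truncation and the three-wrong-PINs lock are assumptions modelled on the comments.

```python
"""Challenge/response card reader and time-based code, modelled on the two
comments above. Added example, not any bank's or vendor's real algorithm.
Both codes are HMAC-SHA256 over a seed that only the device and the bank hold,
truncated to 8 digits (an assumed construction)."""
import hashlib
import hmac
import secrets

DIGITS = 8
PIN_TRIES = 3           # reader locks itself after this many wrong PINs
TIME_STEP = 60          # seconds one time-based code stays valid
ALLOWED_SKEW = 1        # accept one step either side for clock drift


def derive(seed: bytes, message: str) -> str:
    """8-digit code from HMAC-SHA256(seed, message); truncation is our own choice."""
    mac = hmac.new(seed, message.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"


class CardReader:
    """Simulates card + reader: PIN unlock, then one response per unlock."""

    def __init__(self, seed: bytes, pin: str):
        self._seed, self._pin = seed, pin
        self.pin_failures = 0
        self.locked = False
        self._unlocked = False

    def enter_pin(self, pin: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.pin_failures, self._unlocked = 0, True
            return True
        self.pin_failures += 1
        self.locked = self.pin_failures >= PIN_TRIES   # permanent, per the comment
        return False

    def respond(self, challenge: str) -> str:
        """Answer the bank's challenge; the unlock is spent by this one response."""
        if not self._unlocked:
            raise PermissionError("enter PIN first")
        self._unlocked = False
        return derive(self._seed, "chal:" + challenge)

    def time_code(self, unix_time: int) -> str:
        """Time-based variant: no challenge, just the current 60-second window."""
        if not self._unlocked:
            raise PermissionError("enter PIN first")
        return derive(self._seed, "time:%d" % (unix_time // TIME_STEP))


class Bank:
    def __init__(self):
        self._seeds = {}        # account id -> seed shared with that customer's card
        self._outstanding = {}  # account id -> challenge awaiting a response

    def enrol(self, account_id: str, seed: bytes) -> None:
        self._seeds[account_id] = seed

    def challenge(self, account_id: str) -> str:
        c = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
        self._outstanding[account_id] = c
        return c

    def login(self, account_id: str, response: str) -> bool:
        """Consume the outstanding challenge; a logged response never fits twice."""
        c = self._outstanding.pop(account_id, None)
        if c is None or account_id not in self._seeds:
            return False
        return hmac.compare_digest(derive(self._seeds[account_id], "chal:" + c), response)

    def login_time_code(self, account_id: str, code: str, unix_time: int) -> bool:
        """Accept the current window and ALLOWED_SKEW neighbours, nothing older."""
        seed = self._seeds.get(account_id)
        if seed is None:
            return False
        window = unix_time // TIME_STEP
        return any(hmac.compare_digest(derive(seed, "time:%d" % w), code)
                   for w in range(window - ALLOWED_SKEW, window + ALLOWED_SKEW + 1))


if __name__ == "__main__":
    seed = secrets.token_bytes(20)              # constructed shared secret
    bank, card = Bank(), CardReader(seed, "1234")
    bank.enrol("0012345678", seed)              # constructed account id
    c = bank.challenge("0012345678")
    card.enter_pin("1234")
    r = card.respond(c)
    print("login:", bank.login("0012345678", r))
    bank.challenge("0012345678")                # a new login, a new challenge
    print("replay of logged response:", bank.login("0012345678", r))
```

The replay at the end is the keylogger case from the thread: the captured response only matched the challenge it was computed for.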
Emigrant Direct recently implemented a two-step logon process, where you first supply your username, followed by your password and answers to two random security questions. Unfortunately, you're supposed to type the two answers into regular textboxes instead of masked password boxes, exposing your information to any shoulder surfers.
The contest for ages has been to rescue liberty from the grasp of executive power. -- Daniel Webster
The link to the blog is useful. It turns out that the requested digits are always in order (i.e. digits 1 3 8, or 3 4 6, but never 8 5 2), apparently for user-friendliness reasons.
Nothing serious though, the keylogger is far more unsettling. If someone has your machine pwned like that, an online account login is only one of your worries, and they are many.
No matter what kind of security mechanism you have, the moment a keylogger is acting as a man in the middle, the security is flushed down the tubes (I bet someone will find a witty joke... I'm waiting).
Banks here are using one time pads, quite sophisticated ones that are complicated enough to puzzle quite a few honest users simply wanting to use their online banking service. And that's still no increased security. As long as the MITM attack is possible, and that will be the case as long as there are no black box machines that can do NOTHING but actually communicate with the bank, without the possibility to install anything on them, this won't change. No matter what kind of security you implement.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I use Windows at home, but I've been planning to install a very basic 'alternative' OS on another partition, and use that for all my online banking and nothing else.
I recently accessed the Bank of Brazil's online system, and they have a pretty neat way to turn keyloggers useless: they use a Java Applet that displays the valid digits you can use in your password, and you actually have to click on each key in order to enter your password (if you don't see the numbers, click the contrast "+"). Keyboards do not work on the password field.
Most of the online banking sites in Brazil apply a similar technology, to prevent their account holders from falling victim to keyloggers, which was extremely common just a couple of months ago.
And besides the main site's password, each user has a secondary password that is used when performing financial transactions such as transfers, payments, etc.
Uncopyrightable: The longest word you can write without repeating a letter.
INGdirect's banking system sets you up with a 4-digit PIN. However, you don't actually enter that number; they have a numeric keypad image that you click on, and a Javascript applet enters letters which correspond to the number on each key. (If Javascript doesn't work for you, you have the option of just manually typing in the letters that correspond to the digits as shown by the image.) These letters change each time that you log in, so unless the keylogger can intercept that image too, it would be useless to know what letters you typed.
Also, INGdirect shows an image and a phrase selected by you when you log in, presumably to foil a man-in-the-middle attack, although I don't know the details.
I'm pretty impressed with INGdirect's cyber security practices: fairly secure yet practical, without needing a USB blood extractor/DNA analyzer dongle. By the same token, when I went to HSBCdirect's site, I was somewhat disappointed by their site. It's not that bad, but you'd expect better from an institution that bills itself as "the world's local bank". Part of this doesn't have to do with cyber security, just stuff like the web site being unclear, the hassle of having to wait for customer numbers in the mail, the delays in signing up for an account only to discover that although I had an "account", I did not yet have an "internet account". HSBC offers a higher interest rate in their savings account, but I'm going to take a very close look at them before I commit a whole lot of money to them.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
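A server-side model of the ING Direct letter keypad described in this comment and in the earlier ING post: the PIN is digits, but what the user types is the letter shown on each key, and the letters are re-drawn for every login. This is an added example for this thread, not ING's code; the keypad is sent to the browser as labels rather than an image, the PIN is stored as a salted PBKDF2 hash, and a session is single-use (all assumptions).

```python
"""ING-Direct-style PIN entry: a fresh digit -> letter labelling per login.
Added example modelled on the thread's description, not ING's code."""
import hashlib
import hmac
import random
import secrets
import string

PIN_ITERATIONS = 200_000   # PBKDF2 work factor (assumed)


class PinStore:
    """Server-side PIN storage: salted PBKDF2 rather than the bare PIN."""

    def __init__(self, pin: str):
        self.salt = secrets.token_bytes(16)
        self.digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PIN_ITERATIONS)

    def check(self, pin: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PIN_ITERATIONS)
        return hmac.compare_digest(self.digest, cand)


def new_keypad(rng: random.Random = secrets.SystemRandom()) -> dict:
    """Fresh digit -> letter labelling: 10 distinct letters drawn from 26."""
    return dict(zip("0123456789", rng.sample(string.ascii_uppercase, 10)))


class LoginSession:
    """One login attempt: one keypad, usable once."""

    def __init__(self, store: PinStore, rng=None):
        self.store = store
        self.keypad = new_keypad(rng) if rng else new_keypad()
        self._used = False

    def submit(self, letters: str) -> bool:
        """Translate typed letters back through THIS session's keypad and check."""
        if self._used:
            return False
        self._used = True
        inverse = {letter: digit for digit, letter in self.keypad.items()}
        try:
            pin = "".join(inverse[ch] for ch in letters.upper())
        except KeyError:      # a letter not on this keypad cannot be a PIN digit
            return False
        return self.store.check(pin)


def letters_for(keypad: dict, pin: str) -> str:
    """What the user types, and therefore what a keystroke logger captures."""
    return "".join(keypad[d] for d in pin)


def replay_demo(pin: str = "4907", rng=None) -> tuple:
    """Legitimate login, then the logged letters typed into a new session.

    Returns (legit_ok, replay_ok). The replay only succeeds if the new keypad
    happens to show the same letters on the PIN's digits.
    """
    store = PinStore(pin)                   # pin is a constructed sample value
    s1 = LoginSession(store, rng)
    logged = letters_for(s1.keypad, pin)
    legit_ok = s1.submit(logged)
    s2 = LoginSession(store, rng)
    return legit_ok, s2.submit(logged)


if __name__ == "__main__":
    print("legit, replay:", replay_demo())
```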
I gotta agree. There are real two-factor solutions that make this and other problems go away. Even open source solutions http://sourceforge.net/projects/wikid-twofactor/ that totally remove cost as an excuse for not being secure. Keylog a One-Time-Passcode (OTP) all you want, it's only good once. Add to that that you can generate the code on a separate device (like a phone or pda) for use logging in on your PC and that's pretty tight, even beats a race attack. Top that off with mutual authentication to prevent a man-in-the-middle or DNS attack. Why aren't companies doing this? Instead they roll out flawed systems like the HSBC junk or the pretty pictures tech that is becoming popular. This is a solved problem.
You are the sum of your decisions.
I find this all pretty funny, especially the requirement of the keylogger, because it hits home pretty close. A web application I wrote and deployed to production about a year ago and now support was finally put through a third-party security check a few weeks ago. The results were fine for the most part. The application is more or less rock-solid since it is secured through Kerberos, hardened against sql injection, and invulnerable to cross-site scripting attacks.
What the company did list as issues (and severe issues mind you) was the fact the application displayed signs of being vulnerable to cookie stealing, and session hijacking through man-in-the-middle attacks, that the server type was sent in the http headers, and that ports 110 and 25 were open on the web server. Well, my complaint is that the security report listed the application problems first, and gave them a higher score of criticality, which made everything else, including the open ports 1) seem less severe, and 2) seem as though they were application problems and not network problems, which is what they really are. The business people flipped out and thought the sky was going to fall, since there is some sensitive information stored in this system. Rather than breaking out champagne and celebrating the fact the system was secure against 99.9% of the attacks that would possibly be thrown at it, they lamented issues that weren't application issues. Now understand, I don't manage the servers this application runs on. I merely wrote the application. I don't know what all kind of shit the people who do manage it might have changed.
The funniest thing is, in order to successfully run any cookie stealing, or session hijacking, you (the hacker) had to already have access to not one, but two windows accounts on the domain! The only way to get those was to either work there and have an account, brute-force the username/password, or social-engineer someone out of theirs. And, in order to successfully run the man-in-the-middle attack, you would have to have penetrated the LAN, or hacked someone's computer at their home.
I began to run damage control, explaining how these exploits were possible, why they weren't application issues but network issues, and explaining lots of terms like ARP spoofing, cache poisoning, and how to avoid those things. I remarked that the open ports issue should be rated more highly than the MITM issues, and I also detailed how virtually every web application ever written was similarly vulnerable to these attacks in one way or the other, only to wind up being told that can't possibly be true, how I'm extremely arrogant, and how I think I know everything! One person even threatened to have me removed from the project, the cocksucker.
At any rate, the requirement of the keylogger reminded me of the extenuating circumstances needed to exploit this application here: network penetration, not one but two valid accounts, and specialized knowledge of the application.
It's weird. You try to help people and do your job, and they hate you for it. I think I've been doing this for just too damn long.
If you can install a keylogger on the victim's computer, this is not a vulnerability. Why not just install all the software you need to replay, control, screen capture or just kill the client's computer? This is lame and should not even be mentioned. You clearly don't work in the security field. If you do, please let somebody else do the work...
hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
(taken from <url: http://www.bash.org/?244321> )
Or a free, opensource two-factor solution like http://sourceforge.net/projects/wikid-twofactor
Here in Indonesia, the largest bank (BCA) gives you a small gadget that generates a different password (8 digits IIRC) every time, which you then enter into your web browser. The gadget is tied to your account only.
I personally think it's a hassle, but it might work in this case.
google: verb - to search for information on the Internet.
I log in to webmail via
Username
Password (changed every month)
Pin number
RSA Secure ID, a key fob which changes every minute, with a 3 year battery life
Fairly secure, doesn't matter if you're videoed as the key fob constantly changes. I guess if there's a weakness in the fob, and you have two adjacent numbers, you can probably guess the future ones, but it's easier for a fraudster to go elsewhere. Ultimately security is making your system harder to break than other similar systems.
The third-largest non-government bank in Brazil, Unibanco, has an interesting solution to that: the identifying marks on the keys on the virtual keyboard disappear on mouseover. So to see where you need to click, you have to move the mouse pointer away, but when the mouse pointer is actually on the virtual keyboard, even a "snapshot" app can't "see" what key has been pressed (the virtual keyboard keys are arranged randomly each time) when you click on one of them. Pretty cool, if you ask me.
By the way, HSBC Brasil does not have the vulnerability described in TFA. Access to the HSBC Brasil internet banking app is different. Users of HSBC Brasil's internet banking have seven-character passwords. The 26 letters and ten numerals are, on each access attempt, arranged randomly into nine rows of four on a "virtual keyboard." The user clicks on the row containing each character of his password, and the seven blocks of four are sent for verification (another interesting detail is that the verification is done inside an HSM, so there's no way to hack the server and get at the user's password).
"It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
This is not always true. Some two-factor systems are actually well thought out and resolve both of your problems. Check out http://sourceforge.net/projects/wikid-twofactor for an example. It uses Public Key Crypto to allow you to easily register your single "token" at any number of totally autonomous sites. Your private key is never shared with anyone and the websites you use it with have no idea where else you bank/shop/etc. It's real two-factor, so you not only need the pub/priv keys but you need to know the PIN that you setup for that site. This isn't stored locally so a stolen token gets the thief exactly nothing. This system also uses mutual authentication to ensure the site you're logging into is really the site you think it is. Use your phone, PDA, laptop, etc. to generate the (single use) passcode and that's a really tight system.
Short of a site that requires you to draw a picture with your mouse, scan your retina, and submit a sample for blood-dna comparison, a keylogger would in fact be capable of getting into 99% of any online password-entered systems, anywhere.
It's possible to get EVERYONE'S login details! All you have to do is crack into their database and reverse any hashes! OH SH!! STOP THE PRESSES!
> The only way any spyware can capture this
Oh fer god's sake. The spyware is running on the system where you're logging in, presumably as part of the OS, and you think it cannot figure out what you're doing??? They don't have to look at the screen, they can just patch the code that assembles the number.
Geez, kids these days.
Wow, hack into your bank account within 9 attempts, using a keylogger? Amazing. Amazing how stupid a person would have to be to take so many attempts to get into someone's bank account *WITH* a keylogger.
If the attacker can install a keylogger on your machine, chances are they can copy this file (picture) and use it, provided they can figure out which file it is you use.
Since I'm using HSBC online banking, I froze when I saw the headline.
Now I am laughing.
Will we also see a headline saying "All online banking systems have flaws" (without adding '...assuming you have a keylogger on your machine')?
I've been using something called keyscrambler. It's a plugin that claims to encrypt keystrokes at the driver level and decrypt them in the browser. It does require a per-machine install, but the free version works on login pages from any site (but not on the homepage of Bank of America; apparently it has to have a password field, which BofA's homepage doesn't). It's only for IE, but there's supposedly a Firefox version coming. It's weird because I use FF almost exclusively and find myself actually going into IE to log in to my bank after I installed this.
This confirms that uneasy feeling I got recently.
I moved from The Netherlands to the UK recently, and have been used to the ABN amro current account I have in The Netherlands. This one uses a card reader and a challenge/response using my PIN number. When I opened my account at HSBC, they encouraged me to activate the web&phone service with a six digit code. I expressed that I did not trust this and would be ready to pay more for a secure web accounting service. The agent replied that the service is secure because the password shows only "round blobs". I argued that if someone cracks in he would be able to record my keys and be not too impressed by the round blobs, but only heard in return that the system was secure, take it or leave it and thank you, sir. In fact, it turns out that many corporate HSBC accounts refrain from using the internet, so they introduced a timed key generator for them. The average joe may have to wait for another industrial revolution to be allocated one, tho...
There's an easy way around most keyloggers, especially "keyboard" or "hardware" loggers.
Just display a graphical key pad (or keyboard) on the screen that lets users "click in" usernames or password for sensitive fields.
(This is something I would hope to see start popping up in web browsers; in the meantime, I'm sticking it in my web applications.)
If you read the article that details the exploit, you would understand why it takes 9 attempts. Each time you login, you are asked for 3 "randomly selected" digits from your security number. Obviously this security scheme is supposed to defeat keylogging.
http://da.vidnicholson.com/2006/08/analysis-of-hs
"When you logon to HSBC banking you are asked for your date of birth and for three digits from your security number. The three digits you are asked for are randomly selected by HSBC but the digits requested only seem to change after a successful login. Also the instructions that tell you which digits to enter are sent over HTTPS and we will assume are invisible to the attacker. Now for the important part: the digits are always requested in the order they appear in the security number. For example you might be asked for digits 1, 2 and 3 in that order, but you would never be asked for digits 3, 2 and 1 in that order. This leads to the vulnerability..."
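The quoted analysis makes two points about the login scheme: the three positions asked for stay the same until a successful login, and they are always asked in ascending order. The following is an added example (not code from the analysis, from HSBC, or from anyone in this thread) that models the server side of such a partial-password login and contrasts that behaviour with a hardened variant: a fresh challenge on every attempt, positions in random order, and a lockout after a few failures. The security number, its length and the lockout threshold are constructed values, not HSBC's real parameters.

```python
"""Server-side model of a "enter digits 2, 4 and 5 of your security number"
login.  Added example: the secret, lengths and lockout threshold below are
constructed, not the bank's real parameters."""
import hmac
import random

DIGITS_REQUESTED = 3
MAX_FAILURES = 3        # assumed lockout threshold (constructed value)


class PartialPasswordServer:
    def __init__(self, security_number, hardened, rng=None):
        self.secret = security_number
        self.hardened = hardened
        self.rng = rng or random.SystemRandom()   # OS CSPRNG for challenge selection
        self.failures = 0
        self.locked = False
        self.challenge = self._new_challenge(previous=None)

    def _new_challenge(self, previous):
        """Pick DIGITS_REQUESTED distinct 1-based positions into the secret."""
        while True:
            positions = self.rng.sample(range(1, len(self.secret) + 1), DIGITS_REQUESTED)
            if not self.hardened:
                positions.sort()        # weak scheme: always asked in positional order
            positions = tuple(positions)
            if positions != previous:   # never re-issue the challenge just answered
                return positions

    def expected_answer(self):
        return "".join(self.secret[p - 1] for p in self.challenge)

    def attempt(self, answer):
        """Return True on a successful login.  The rotation policy is the point:
        the weak variant keeps the same challenge across failed attempts, the
        hardened variant rotates it after every attempt, success or failure."""
        if self.locked:
            return False
        ok = hmac.compare_digest(answer, self.expected_answer())
        if ok:
            self.failures = 0
            self.challenge = self._new_challenge(previous=self.challenge)
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        elif self.hardened:
            self.challenge = self._new_challenge(previous=self.challenge)
        return False


def failed_attempts_against_same_challenge(server):
    """Count how many wrong answers can be submitted while the server keeps
    asking for the same positions, i.e. how long one challenge stays exposed
    to repeated guessing before it rotates or the account locks.  The secret
    used with this helper must not contain '0' so the guess is always wrong."""
    first = server.challenge
    count = 0
    while not server.locked and server.challenge == first:
        server.attempt("0" * DIGITS_REQUESTED)
        count += 1
    return count


def compare_policies(secret="839517"):
    """Constructed comparison of the two policies on the same secret."""
    return {
        "weak": failed_attempts_against_same_challenge(
            PartialPasswordServer(secret, hardened=False)),
        "hardened": failed_attempts_against_same_challenge(
            PartialPasswordServer(secret, hardened=True)),
    }


if __name__ == "__main__":
    print(compare_policies())   # weak: 3 (until lockout), hardened: 1
```

With the weak policy every failed attempt is another guess against the same three positions, and the attacker also knows the captured digits are in positional order; with the hardened policy a failure costs the attacker the challenge as well as one of the allowed attempts. Neither policy helps against a keylogger that also captures the on-screen instructions, which is why the one-time-code tokens mentioned elsewhere in this thread are the stronger fix.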
HSBC in Korea used to do that. I wonder why they didn't do it in the UK.
I am not sure there are many spywares that go to these lengths.
Yet.
https://www.eff.org/https-everywhere
Seems HSBC internet banking site is entirely different here in Australia.
For starters, you need to enter your 10-digit account number, and a password. Yes - a key logger can grab these. Then, however, much like the overseas ones seem to do, you have a secureID type of device and when you push the button it generates a random number which you have to enter in full.
You need to do this every time you attempt to make a transaction, transfers, scheduled bill payment, etc.
Now, I am 'assuming' that this device is synced to some clock and the number will never be the same. Maybe I can install a keylogger on my mate's PC and using my dongle, log into his HSBC account. I doubt it. The dongles are registered to your account, so much like a secureID token I'd guess neither one is the same.
Took a while for HSBC to get here, seems they ironed out "the bugs" before they did!
I don't know about the UK's one, but in Hong Kong, we login using a small hardware device. It will generate a six digit code for you to login (after entering your username and password). HK newspaper said that the code is changed every 5 seconds.
The online system for HSBC Hong Kong has this device that generates a random (is it random?) PIN that has to be input every time. So even if someone uses a key-logger the moment you will logout yourself the PIN is invalid. In fact it's invalid just after a short period of time.
How safe is this system in comparison?
I love ING's simply brilliant solution to this: they display a number pad and ask for your PIN, but you can't type it in numbers. You have to type the letters which are mapped onto the number pad, or click the buttons. The mapping of numbers to letters changes with every login, so you can intercept me typing my password 10,000 times and never get anything useful unless you can also screengrab me while I'm typing the password.
Help poke pirates in the eyepatch, arr.
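The ING scheme described above, as an added example that is not ING's code or code from this thread: the server issues a fresh digit-to-letter mapping for each login, the customer types the letters (or clicks), and the server maps them back before comparing. A keylogger records only the letters, which mean nothing without the mapping shown on screen for that one attempt. The PIN and keypads used in the demo are constructed values.

```python
"""Per-login keypad mapping for a numeric PIN.  Added example; the PIN,
mappings and sample inputs are constructed."""
import hmac
import random
import string

DIGITS = "0123456789"


def new_keypad(rng=None):
    """Issue a fresh, random digit -> letter mapping for one login attempt.
    Ten distinct letters, so the mapping is invertible."""
    rng = rng or random.SystemRandom()
    return dict(zip(DIGITS, rng.sample(string.ascii_uppercase, 10)))


def encode_pin(pin, keypad):
    """What the customer types under this keypad, and therefore exactly
    what a keylogger records."""
    return "".join(keypad[d] for d in pin)


def verify(typed, pin, keypad):
    """Server side: invert the keypad issued for this attempt, decode the
    letters and compare in constant time.  Letters that are not on the
    keypad (e.g. a replay from a different keypad) fail cleanly."""
    inverse = {letter: digit for digit, letter in keypad.items()}
    try:
        decoded = "".join(inverse[c] for c in typed.upper())
    except KeyError:
        return False
    return hmac.compare_digest(decoded, pin)


def login_round(pin, rng=None):
    """One complete exchange: issue keypad, customer encodes, server checks.
    Returns (what the keylogger saw, whether login succeeded)."""
    keypad = new_keypad(rng)
    typed = encode_pin(pin, keypad)
    return typed, verify(typed, pin, keypad)


if __name__ == "__main__":
    for _ in range(3):
        seen, ok = login_round("4821")
        print(f"keylogger saw {seen!r}, login ok: {ok}")
```

The letters seen differ on every round even though the PIN does not, which is the property the post relies on. The residual weakness is the one the post names: an attacker who also captures the screen for that attempt recovers the mapping and the PIN.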
Just yesterday, I was talking about how my bank in India was more secure than everyone else since it uses a similar method! Shit, Now I have to ....
If you have a side-channel to the bank, such as SMS to your mobile, there is a tool you can use to defeat MITM authentication attacks.
Of course, if you can't trust the PC you're using at the moment, you have no idea what it might be doing to your bank account for the duration of your authenticated session.
And that's the long-and-short of it. Have you ever seen a shady character loitering around in front of the post office offering to go stand in line for you and deposit your paycheck, for just a few coins? Do you think you would trust him, or would you go stand in line and talk to a real bank employee? Heck, I'm nervous about using my employer's computers to do online banking -- EVEN THOUGH my employer is the one sending in the paychecks in the first place...
(course, my true fear is the ACH system. I'm completely at a loss for what to do when the russian mob figures out how to exploit that in volume.)
.... if your only concern is convenience.
Tokens of this kind are now regularly used in any company that provides remote access to their employees and is serious about security.
Tokens are small, unobtrusive and some of them don't even require your interaction, you just type the number you see in the LCD display and that is it (they are not connected to a USB port).
IANAL but write like a drunk one.
TD Canada Trust uses two combo boxes to ask for two letters from your password, and the keyboard cannot be used to select a letter - it only works with mouse clicks. That would defeat a simple keylogger, wouldn't it?
Ceci n'est pas un sig.
I am an HSBC customer and have access to internet banking. Though I am not UK based, aside from the regular username and password, you will have to enter a six digit number generated by a token given.
This is a different method from the one mentioned and will probably have no effect against key loggers. Although I read somewhere that phishing sites are now able to mimic a bank website and instantly login to the account as it is phished. However, the main feature that the bad guys forget is that account transfers are not permitted if the destination account has not yet been enrolled (even bill payment I believe.) In other words, I must strictly go to the branch and fill out a form to allow money transfers to a particular account. So it will be a no go if they will siphon everything in my account (though they will be able to see transaction history but I don't think they will spend that much time and effort figuring out a pattern.)
Live your life each day as if it was your last.
I thought HSBC used a small electronic device to generate a different security code every time you sign in.
HSBC *does* use one time passcodes, at least in Asian countries, and Australia. I didn't know they used anything else elsewhere until I read this article.