HSBC Online Banking Security Flaw Analyzed
greenechidna writes "The BBC is reporting that a vulnerability has been found in the online banking service of HSBC by researchers at Cardiff University. According to the story, the attack would allow an attacker to log on to an account within 9 attempts. The attack relies on a keylogger being installed on the victim's machine. The article doesn't have any further technical details."
David Nicholson adds links to coverage at CNN and at the Guardian, writing:
"The attack revolves around the order that customers are requested to enter random security numbers on the site. The main news stories fail to detail the vulnerability but I have provided an analysis of it here."
Ok, so we have a keylogger on the victim's machine, ostensibly to lift the login name and password. Then, we have an "attacker" who tries 9 times to type it in?
Is it just me, or are we dealing with a fundamentally stupid attacker?
If I use a keylogger to lift a login/pw, it shouldn't take more than 3 or 4 attempts to get it right.... perhaps I'm just a smarter attacker than most?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I'm quite worried about key loggers so I always enter my password incorrectly the first two times and then input it successfully the final time. This ensures that my password is as secure as possible.
More so if I screw up the last attempt and have to request a new password.
Another simple solution is to keep your password in a text file and copy / paste it in.
Or your password could just be ******* that would work a treat...
Summation 2
Safe words, rings, and chains.. is this HSBC or S&M?
Slashdot Burying Stories About Slashdot Media Owned
This just in...
Another HSBC Security Flaw has been found. If you are logging into your account, and somebody is looking over your shoulder while you're doing it, odds are they can determine your username & password after only 1 successful login attempt.
Google's out to hijack my machine! ; )
hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
(taken from http://www.bash.org/?244321)
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]