HSBC Online Banking Security Flaw Analyzed
greenechidna writes "The BBC is reporting that a vulnerability has been found in the online banking service of HSBC by researchers at Cardiff University. According to the story the attack would allow an attacker to log on to an account within 9 attempts. The attack relies on a keylogger being installed on the victim's machine. The article doesn't have any further technical details."
David Nicholson adds links to coverage at CNN and at the Guardian, writing
"The attack revolves around the order that customers are requested to enter random security numbers on the site. The main news stories fail to detail the vulnerability but I have provided an analysis of it here."
I think it means that after the victim has had 9 successful logins, the h4x0r has enough info to successfully login themselves.
This is not a problem of trying 9 times to break in, this is a problem of somebody RECORDING whilst you enter your correct details into the account.
As you know, with HSBC, you are asked to specify 3 digits from your security key (which is 6-8 characters long).
This is fine and stops people shoulder surfing to get it once, but if someone keeps recording you they will have all they need.
I actually had more of a shock in the past when I managed to man-in-the-middle the HSBC login, but after speaking to them (they called me back literally within seconds of me mailing them) it was cleared up and my worries were put to rest (there is a ~2 minute timeout where, if you steal the cookies from someone's machine who has logged in but not logged out, you can technically get at the information - this might have changed since, but it used to be the case)
liqbase
An RSA SecurID or similar device could help. It would be nice if such devices didn't have to be separate hardware and were software that could run on people's cell phones.
The problem is the way the random digits from your security code are selected. I would guess that the digit indexes are indeed selected randomly and then sorted by their index for convenient input by the user, probably to lower the number of mis-types (think of the user sliding their finger across some paper to mask digits as they go) and reduce call-ins from users who have been locked out. Whoever designed the system obviously missed the fact that this sorting causes the user to unwittingly provide more clues to their security code via the keyboard.
It's a great hack, but has a trivial fix. It demonstrates the convenience-security trade-off well.
You're right of course that a larger data set means a much, much higher certainty and therefore fewer or no guesses needed on the attacker's part.
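To put numbers on the trade-off the two comments above describe, here is an added simulation (not from the thread, and not modelled on HSBC's real implementation): a toy partial-password scheme in which a bank asks for 3 digits of an n-digit secret on each login, and a recorder sees only the typed digits. It compares the commenter's guessed design (requested positions sorted ascending) with the alternative of presenting the positions in random order, and counts how many recorded logins it takes before only one candidate secret is consistent with everything recorded. The secret length, the 3-of-n rule and the two presentation policies are assumptions for the model.

```python
import random
from itertools import combinations, permutations, product

DIGITS = "0123456789"
ASKED = 3  # digits requested per login, as described in the thread


def consistent(secret, typed, sorted_policy):
    """Could `secret` have produced the recorded keystrokes `typed`?

    sorted_policy=True: positions were requested in ascending order, so the
    typed digits must occur in `secret` as a subsequence (in order).
    sorted_policy=False: positions were presented in random order, so only
    the multiset of typed digits is learned.
    """
    if sorted_policy:
        it = iter(secret)
        return all(d in it for d in typed)
    return all(secret.count(d) >= typed.count(d) for d in set(typed))


def candidates_from_first(typed, n, sorted_policy):
    """Every n-digit secret consistent with the first recorded login."""
    if sorted_policy:
        pos_sets = combinations(range(n), ASKED)
    else:
        pos_sets = permutations(range(n), ASKED)
    out = set()
    for positions in pos_sets:
        free = [i for i in range(n) if i not in positions]
        for fill in product(DIGITS, repeat=len(free)):
            s = [""] * n
            for p, d in zip(positions, typed):
                s[p] = d
            for p, d in zip(free, fill):
                s[p] = d
            out.add("".join(s))
    return out


def observe_login(secret, sorted_policy, rng):
    """One login, returning only what a keystroke recorder would see."""
    positions = rng.sample(range(len(secret)), ASKED)
    if sorted_policy:
        positions.sort()
    return "".join(secret[p] for p in positions)


def logins_until_unique(secret, sorted_policy, rng, max_logins=40):
    """Return (k, history): k is the number of recorded logins after which a
    single candidate remains (None if never reached within max_logins),
    history the candidate count after each login."""
    candidates = None
    history = []
    for k in range(1, max_logins + 1):
        typed = observe_login(secret, sorted_policy, rng)
        if candidates is None:
            candidates = candidates_from_first(typed, len(secret), sorted_policy)
        else:
            candidates = {s for s in candidates if consistent(s, typed, sorted_policy)}
        history.append(len(candidates))
        if len(candidates) == 1:
            return k, history
    return None, history


def simulate(seed=1, n=6, sorted_policy=True):
    """Draw a random n-digit secret (constructed sample) and measure how the
    candidate set collapses as logins are recorded."""
    rng = random.Random(seed)
    secret = "".join(rng.choice(DIGITS) for _ in range(n))
    k, history = logins_until_unique(secret, sorted_policy, rng)
    return secret, k, history


if __name__ == "__main__":
    for policy, label in ((True, "sorted positions"), (False, "random order")):
        secret, k, hist = simulate(seed=2006, sorted_policy=policy)
        print(f"{label:16s}: secret {secret}, unique after {k} logins, candidates {hist}")
```

Two things the model makes visible that the comments only assert: under the sorted policy the candidate set shrinks on every login and eventually reaches one, because each recording fixes the relative order of three digits; under the random-order policy the recorder only ever learns digit counts, so any two secrets that are permutations of each other stay indistinguishable no matter how many logins are recorded, and `logins_until_unique` returns `None` unless the secret is a single repeated digit.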
I have an account at this Brazilian bank called Itau, they have a pretty smart way to avoid keyloggers.
When you login on the website, you're prompted with a DHTML panel, with five buttons like this:
[3 5] [9 6] [0 1] [2 7] [4 8]
And then you have to type your password using the mouse, so if your password is 12345 you'll have to enter the 3rd, 4th, 1st, 5th and 1st buttons. Each time you enter the site they present the numbers in a different order, so hackers can't use a mouse-logger either.
Pretty smart, works on Firefox and Linux, and doesn't require any special devices.
---- You know how some doctors have the Messiah complex - they need to save the world? You've got the "Rubik's" complex
Since when are banks required to protect themselves against people who have keyloggers on their computers? Not really much one can do IMHO if there's a keylogger present...
On Oct. 12, 2005 the FFIEC issued regulations that must be met by end of year 2006 that banks must use a 2 level authentication that includes a method that cannot be logged by a keylogger (i.e., entering the numbers on virtual scramble pad).
INGdirect's banking system sets you up with a 4-digit PIN. However, you don't actually enter that number; they have a numeric keypad image that you click on, and a Javascript applet enters letters which correspond to the number on each key. (If Javascript doesn't work for you, you have the option of just manually typing in the letters that correspond to the digits as shown by the image.) These letters change each time that you log in, so unless the keylogger can intercept that image too, it would be useless to know what letters you typed.
Also, INGdirect shows an image and a phrase selected by you when you log in, presumably to foil a man-in-the-middle attack, although I don't know the details.
I'm pretty impressed with INGdirect's cyber security practices: fairly secure yet practical, without needing a USB blood extractor/DNA analyzer dongle. By the same token, when I went to HSBCdirect's site, I was somewhat disappointed by their site. It's not that bad, but you'd expect better from an institution that bills itself as "the world's local bank". Part of this doesn't have to do with cyber security, just stuff like the web site being unclear, the hassle of having to wait for customer numbers in the mail, the delays in signing up for an account only to discover that although I had an "account", I did not yet have an "internet account". HSBC offers a higher interest rate in their savings account, but I'm going to take a very close look at them before I commit a whole lot of money to them.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
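The per-login letter keypad the comment above describes is easy to get subtly wrong (a mapping that is reused, or not consumed after a failed attempt, brings the replay problem straight back). As an added example, not from the thread and not ING Direct's actual code, here is a toy server side of such a scramble pad: each challenge generates a fresh digit-to-letter mapping, the server translates the typed letters back through that one mapping, and the mapping is discarded on first use. A four-digit PIN, the uppercase alphabet as keypad labels, PBKDF2 for PIN storage and the `letters` override used to make the demo deterministic are all assumptions of this example.

```python
import hashlib
import hmac
import os
import random
import string

DIGITS = "0123456789"
PIN_LENGTH = 4  # assumption: a four-digit PIN, as in the comment above


def hash_pin(pin, salt):
    """Keep only a salted PBKDF2 digest of the PIN (parameters are illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class ScramblePadAuth:
    """Server side of a per-login digit-to-letter keypad (example design)."""

    def __init__(self, pin):
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.pending = None  # the single mapping that is valid right now

    def new_challenge(self, letters=None):
        """Pick a fresh mapping digit -> letter and return what the keypad image shows.
        `letters` lets the demo supply a fixed mapping; otherwise SystemRandom is used."""
        if letters is None:
            letters = random.SystemRandom().sample(string.ascii_uppercase, len(DIGITS))
        self.pending = dict(zip(DIGITS, letters))
        return dict(self.pending)

    def verify(self, typed):
        """Translate the typed letters back through the pending mapping and check the PIN.
        The mapping is consumed on the first attempt, pass or fail, so it cannot be replayed."""
        mapping, self.pending = self.pending, None
        if mapping is None:
            return False
        inverse = {letter: digit for digit, letter in mapping.items()}
        if len(typed) != PIN_LENGTH or any(ch not in inverse for ch in typed):
            return False
        pin = "".join(inverse[ch] for ch in typed)
        return hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)


def user_types(mapping, pin):
    """Client side: the letters the user reads off the keypad image and types.
    This string is exactly what a keystroke recorder would capture."""
    return "".join(mapping[d] for d in pin)


def replay_demo(pin="4321"):
    """Three sessions with fixed (constructed) mappings so the outcome is deterministic:
    a real login, a replay of its recorded keystrokes, and a second real login."""
    auth = ScramblePadAuth(pin)
    logged = user_types(auth.new_challenge("ABCDEFGHIJ"), pin)  # recorder sees "EDCB"
    first_ok = auth.verify(logged)
    auth.new_challenge("JIHGFEDCBA")                             # fresh mapping next session
    replay_ok = auth.verify(logged)                              # "EDCB" now decodes to 5678
    legit_again = auth.verify(user_types(auth.new_challenge("KLMNOPQRST"), pin))
    return first_ok, replay_ok, legit_again


if __name__ == "__main__":
    print(replay_demo())  # (True, False, True)
```

The design point is that the mapping lives only on the server and only for one attempt: the letters a keylogger records are meaningless under the next session's mapping, and a mapping is also thrown away after a wrong answer so an attacker cannot keep guessing against the same one. What this does not protect against is malware that captures the keypad image as well as the keystrokes, which the comment above already notes.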