HSBC Online Banking Security Flaw Analyzed

greenechidna writes "The BBC is reporting that a vulnerability has been found in the online banking service of HSBC by researchers at Cardiff University. According to the story the attack would allow an attacker to log on to an account within 9 attempts. The attack relies on a keylogger being installed on the victim's machine. The article doesn't have any further technical details." David Nicholson adds links to coverage at CNN and at the Guardian, writing "The attack revolves around the order that customers are requested to enter random security numbers on the site. The main news stories fail to detail the vulnerability but I have provided an analysis of it here."

Re:Nine attempts?

[BabyDave]

I think it means that after the victim has had 9 successful logins, the h4x0r has enough info to successfully login themselves.

Re:Nine attempts?

[LiquidCoooled]

This is not a problem of trying 9 times to break in, this is a problem of somebody RECORDING whilst you enter your correct details into the account.

As you know, with HSBC, you are asked to specify 3 digits from your security key (which is 6-8 characters long)

This is fine and stops people shoulder surfing to get it once, but if someone keeps recording you they will have all they need.

I actually had more of a shock in the past when I managed to man in the middle the HSBC login, but after speaking to them (they called me back literally within seconds of me mailing them) it was cleared up and my worries were put to rest (there is a ~2 minute timeout where if you steal the cookies from someones machine who has logged in but not logged out where you can technically get at the information - this might have changed since, but it used to be the case)