Slashdot Mirror

← Back to Stories (view on slashdot.org)

HSBC Online Banking Security Flaw Analyzed

Posted by ryuzaki0 on from the roight-guv'nor-jes-sign-roight-here dept.

greenechidna writes "The BBC is reporting that a vulnerability has been found in the online banking service of HSBC by researchers at Cardiff University. According to the story the attack would allow an attacker to log on to an account within 9 attempts. The attack relies on a keylogger being installed on the victim's machine. The article doesn't have any further technical details." David Nicholson adds links to coverage at CNN and at the Guardian, writing "The attack revolves around the order that customers are requested to enter random security numbers on the site. The main news stories fail to detail the vulnerability but I have provided an analysis of it here."

6 of 178 comments (clear)

  1. Why pick on HSBC? by Anonymous Coward · · Score: 4, Insightful

    So IF my computer has a keylogger and IF my logins are recorded as few as 9 times, THEN the dishonest individual has my security code and can access my account. Whereas, at another bank which asks for a username and passcode, the dishonest individual with the keylogger only needs me to log in ONCE to have the run of my account. So why is this news?

  2. uhhh... by nFriedly · · Score: 4, Insightful
    The attack relies on a keylogger being installed on the victim's machine.
    Uhm.. yea. That attack will get you into about any bank website.. ever.
    --
    Nathan Friedly
  3. Keylogger required by aminal · · Score: 5, Insightful

    So if i have a keylogger on my machine and i log into my online bank, it will log the details i put in and comprimise my online banking?

    no shit sherlock.

    --
    Aminal - DRUMMS!!
    1. Re:Keylogger required by z0idberg · · Score: 4, Insightful

      The point isn't that a keylogger can capture your password. It's that they have tryed to implement a method of entering your 6 digit pin in a way that would stop a keylogger from revealing it, but the way they have done it actually allows a keylogger to figure it after relatively few times of logging in, hence creating a false sense of security.

      The PIN is 6 digits, they ask for three of these six digits at any one login (e.g. type the 1st, 3rd and 4th digits of your pin). Because they always ask in ascending order (i.e. never 4th, 2nd and 1st) then after 9 login events the keylogger can figure out the number. All they had to do (and all they have to do now) is ask for the digits in any order and this problem goes away. The keylogger would eventually know which numbers are in your 6 digit pin but never what order, and as there is a 3 (or 4 ?) tries lockout then they wont be able to get in unless they are very lucky guessers.

      I have HSBC internet banking and it never actually dawned on me how obvious this problem is, I don't think I ever noticed that they only ever ask in ascending order, but thats the beauty of it I guess.

  4. The majority of online systems by Timesprout · · Score: 4, Insightful

    will be 'flawed' if you get a keylogger on my pc since the majority rely on me supposedly knowing something you dont, until the logger records it for you that is.

    --
    Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  5. Re:Nine attempts? by SatanicPuppy · · Score: 4, Insightful

    It relies on a fricking keylogger. If anything, this is a validation of two factor authentication...It'd be after one attempt with a regular password system.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.