HSBC Online Banking Security Flaw Analyzed

Posted by ryuzaki0 on Thursday August 10, 2006 @03:33AM from the roight-guv'nor-jes-sign-roight-here dept.

greenechidna writes "The BBC is reporting that a vulnerability has been found in the online banking service of HSBC by researchers at Cardiff University. According to the story the attack would allow an attacker to log on to an account within 9 attempts. The attack relies on a keylogger being installed on the victim's machine. The article doesn't have any further technical details." David Nicholson adds links to coverage at CNN and at the Guardian, writing "The attack revolves around the order that customers are requested to enter random security numbers on the site. The main news stories fail to detail the vulnerability but I have provided an analysis of it here."

1 of 178 comments (clear)

Min score:

Reason:

Sort:

Let the user "click in" info with a mouse by xxxJonBoyxxx · 2006-08-10 09:08 · Score: 0, Redundant

There's an easy way around most keyloggers, especially "keyboard" or "hardware" loggers.

Just display a graphical key pad (or keyboard) on the screen that lets users "click in" usernames or password for sensitive fields.

(This is someone I would hope to see start popping up in web browsers, in the meantime, I'm sticking it my web applications.)