HSBC Online Banking Security Flaw Analyzed

greenechidna writes "The BBC is reporting that a vulnerability has been found in the online banking service of HSBC by researchers at Cardiff University. According to the story the attack would allow an attacker to log on to an account within 9 attempts. The attack relies on a keylogger being installed on the victim's machine. The article doesn't have any further technical details." David Nicholson adds links to coverage at CNN and at the Guardian, writing "The attack revolves around the order that customers are requested to enter random security numbers on the site. The main news stories fail to detail the vulnerability but I have provided an analysis of it here."

No surprise it's HSBC

[Billosaur]

My wife is a former customer of HSBC, because they were nothing but a pain. She had put some money in a savings account with them and sent her an ATM card which she destroyed, not wanting to be tempted to withdraw the money at any time. They claim to have sent her a pin for her online banking account, but she never received it, and when she called them up to try and get it reset so she could log in, they refused, even though she could provide them with all the relevant identification information. This went on and on until finally she told them to simply cancel the account, which they stated they could do, but they could not simply transfer the money back to the account from which they'd originally taken it, and would instead send her a check.

Their customer sevice stinks, so why should their tech be any different?