Slashdot Mirror

← Back to Stories (view on slashdot.org)

HSBC Online Banking Security Flaw Analyzed

Posted by ryuzaki0 on from the roight-guv'nor-jes-sign-roight-here dept.

greenechidna writes "The BBC is reporting that a vulnerability has been found in the online banking service of HSBC by researchers at Cardiff University. According to the story the attack would allow an attacker to log on to an account within 9 attempts. The attack relies on a keylogger being installed on the victim's machine. The article doesn't have any further technical details." David Nicholson adds links to coverage at CNN and at the Guardian, writing "The attack revolves around the order that customers are requested to enter random security numbers on the site. The main news stories fail to detail the vulnerability but I have provided an analysis of it here."

16 of 178 comments (clear)

  1. Nine attempts? by Kerr · · Score: 5, Interesting

    As a HSBC internet banking user, I can safely say you'd be locked out long before your ninth attempt, hell; four locked me out when I last forgot my IB code. Being locked out is something you can only fix by visiting your local branch and using your password to unlock the account again.
    The number of attempts is not given, but the automatic lockout is at least covered at their security page
    Sorry Cardiff University, no bank hax for you today.

    --
    Don't try to outweird me, three-eyes. I get stranger things than you free with my breakfast cereal. -- Zaphod Beeblebrox
    1. Re:Nine attempts? by BabyDave · · Score: 4, Informative

      I think it means that after the victim has had 9 successful logins, the h4x0r has enough info to successfully login themselves.

    2. Re:Nine attempts? by LiquidCoooled · · Score: 5, Informative

      This is not a problem of trying 9 times to break in, this is a problem of somebody RECORDING whilst you enter your correct details into the account.

      As you know, with HSBC, you are asked to specify 3 digits from your security key (which is 6-8 characters long)

      This is fine and stops people shoulder surfing to get it once, but if someone keeps recording you they will have all they need.

      I actually had more of a shock in the past when I managed to man in the middle the HSBC login, but after speaking to them (they called me back literally within seconds of me mailing them) it was cleared up and my worries were put to rest (there is a ~2 minute timeout where if you steal the cookies from someones machine who has logged in but not logged out where you can technically get at the information - this might have changed since, but it used to be the case)

      --
      liqbase :: faster than paper
    3. Re:Nine attempts? by SatanicPuppy · · Score: 4, Insightful

      It relies on a fricking keylogger. If anything, this is a validation of two factor authentication...It'd be after one attempt with a regular password system.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  2. Why pick on HSBC? by Anonymous Coward · · Score: 4, Insightful

    So IF my computer has a keylogger and IF my logins are recorded as few as 9 times, THEN the dishonest individual has my security code and can access my account. Whereas, at another bank which asks for a username and passcode, the dishonest individual with the keylogger only needs me to log in ONCE to have the run of my account. So why is this news?

  3. uhhh... by nFriedly · · Score: 4, Insightful
    The attack relies on a keylogger being installed on the victim's machine.
    Uhm.. yea. That attack will get you into about any bank website.. ever.
    --
    Nathan Friedly
  4. Keylogger required by aminal · · Score: 5, Insightful

    So if i have a keylogger on my machine and i log into my online bank, it will log the details i put in and comprimise my online banking?

    no shit sherlock.

    --
    Aminal - DRUMMS!!
    1. Re:Keylogger required by z0idberg · · Score: 4, Insightful

      The point isn't that a keylogger can capture your password. It's that they have tryed to implement a method of entering your 6 digit pin in a way that would stop a keylogger from revealing it, but the way they have done it actually allows a keylogger to figure it after relatively few times of logging in, hence creating a false sense of security.

      The PIN is 6 digits, they ask for three of these six digits at any one login (e.g. type the 1st, 3rd and 4th digits of your pin). Because they always ask in ascending order (i.e. never 4th, 2nd and 1st) then after 9 login events the keylogger can figure out the number. All they had to do (and all they have to do now) is ask for the digits in any order and this problem goes away. The keylogger would eventually know which numbers are in your 6 digit pin but never what order, and as there is a 3 (or 4 ?) tries lockout then they wont be able to get in unless they are very lucky guessers.

      I have HSBC internet banking and it never actually dawned on me how obvious this problem is, I don't think I ever noticed that they only ever ask in ascending order, but thats the beauty of it I guess.

  5. The majority of online systems by Timesprout · · Score: 4, Insightful

    will be 'flawed' if you get a keylogger on my pc since the majority rely on me supposedly knowing something you dont, until the logger records it for you that is.

    --
    Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
    1. Re:The majority of online systems by Rob+T+Firefly · · Score: 4, Funny

      Safe words, rings, and chains.. is this HSBC or S&M?

      --
      Slashdot Burying Stories About Slashdot Media Owned
  6. So what's the best real solution to the problem? by mcrbids · · Score: 3, Interesting

    Ok, so I replied with a joke a few minutes ago... but I think this warrants more intelligent discussion.

    As a vendor of a web-based, access-restricted product, keyloggers are a real issue. I've been considering setting up client-side SSL certificates in order to restrict access to only machines that have been "set up" in order to deal with the problem of keyloggers. Are there better solutions?

    Does this bank have something that's: A) Easy to use, B) doesn't require painful machine-by-machine setup, and C) significantly improves security?

    If so, I just might be interested!

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  7. How to trick key loggers by Rik+Sweeney · · Score: 3, Funny

    I'm quite worried about key loggers so I always enter my password incorrectly the first two times and then input it successfully the final time. This ensures that my password is as secure as possible.

    More so if I screw up the last attempt and have to request a new password.

    Another simple solution is to keep your password in a text file and copy / paste it in.

    Or your password could just be ******* that would work a treat...

    --
    Summation 2
  8. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  9. A similar problem exists in meatspace by Bigboote66 · · Score: 4, Interesting

    In the U.S., most places have taken to just displaying the last 4 digits of your credit card number on the receipts they give back to you. However, on a recent trip to Europe (Finland & Russia, actually), I noticed that the receipts there seem to favor a scheme where a random set of digits appear each time (e.g. XXXX-XXX1-234X-XXXX). If you're like me, you often accumulate a bunch of these receipts in your pockets as you travel; some people may just dump the days wad of receipts in a trash can. A fortunate dumpster diver may stumble onto a wad of receipts that allow him to reconstruct the credit card number. I'm not sure why the people that implemented that latter scheme thought it was preferable.

    -BbT

  10. Re:security through obscurity? by madman101 · · Score: 3, Informative

    Since when are banks required to protect themselves against people who have keyloggers on their computers? Not really much one can do IMHO if there's a keylogger present...

    On Oct. 12, 2005 the FFIEC issued regulations that must be met by end of year 2006 that banks must use a 2 level authentication that includes a method that cannot be logged by a keylogger (ie, entering the numbers on virtual scramble pad).

  11. Security checks, and requirements by TheRealBurKaZoiD · · Score: 3, Interesting

    I find this all pretty funny, especially the requirement of the keylogger, because it hits home pretty close. A web application I wrote and deployed to production about a year ago and now support was finally put through a third-party security check a few weeks ago. The results were fine for the most part. The application is more or less rock-solid since it is secured through Kerberos, hardened against sql injection, and invulnerable to cross-site scripting attacks.

    What the company did list as issues (and severe issues mind you) was the fact the application displayed signs of being vulnerable to cookie stealing, and session hijacking through man-in-the-middle attacks, that the server type was sent in the http headers, and that ports 110 and 25 were open on the web server. Well, my complaint is that the security report listed the application problems first, and give them a higher score of criticality, which made everything else, including the open ports 1) seem less sever, and 2) seem as though they were application problems and not network problems, which is what they really are. The business people flipped out and thought the sky was going to fall, since there is some sensitive information stored in this system. Rather than breaking out champagne and celebrating the fact the system was secure against 99.9% of the attacks that would possibly be thrown at it, they lamented issues that weren't application issues. Now understand, I don't manage the servers this application runs on. I merely wrote the application. I don't know what all kind of shit the people who do manage it might have changed.

    The funniest thing is, in order to successfully run any cookie stealing, or session hijacking, you (the hacker) had to already have access to not one, but two windows accounts on the domain! The only way to get those was to either work there and have an account, brute-force the username/password, or social-engineer someone out of theirs. And, in order to successfully run the man-in-the-middle attack, you would have to have penetrated the LAN, or hacked someone's computer at their home.

    I began to run damage control, explaining how these exploits were possible, why they weren't application issues but network issues, and explaining lots of terms like ARP spoofing, cache poisoning, and how to avoid those things. I remarked that the open ports issue should be rated more highly than the MITM issues, and I also detailed how virtually every web application ever written was similarly vulnerable to these attacks in one way or the other, only to wind up being told that can't possible be true, how I'm extremely arrogant, and how I think I know everything! One person even threatened to have me removed from the project, the cocksucker.

    At any rate, the requirement of the keylogger reminded me of the extenuating circumstances needed to exploit this application here: network penetration, not one but two valid accounts, and specialized knowledge of the application.

    It's weird. You try to help people and do your job, and they hate you for it. I think I've been doing this for just too damn long.