Slashdot Mirror

← Back to Stories (view on slashdot.org)

HSBC Online Banking Security Flaw Analyzed

Posted by ryuzaki0 on from the roight-guv'nor-jes-sign-roight-here dept.

greenechidna writes "The BBC is reporting that a vulnerability has been found in the online banking service of HSBC by researchers at Cardiff University. According to the story the attack would allow an attacker to log on to an account within 9 attempts. The attack relies on a keylogger being installed on the victim's machine. The article doesn't have any further technical details." David Nicholson adds links to coverage at CNN and at the Guardian, writing "The attack revolves around the order that customers are requested to enter random security numbers on the site. The main news stories fail to detail the vulnerability but I have provided an analysis of it here."

3 of 178 comments (clear)

  1. Nine attempts? by Kerr · · Score: 5, Interesting

    As a HSBC internet banking user, I can safely say you'd be locked out long before your ninth attempt, hell; four locked me out when I last forgot my IB code. Being locked out is something you can only fix by visiting your local branch and using your password to unlock the account again.
    The number of attempts is not given, but the automatic lockout is at least covered at their security page
    Sorry Cardiff University, no bank hax for you today.

    --
    Don't try to outweird me, three-eyes. I get stranger things than you free with my breakfast cereal. -- Zaphod Beeblebrox
    1. Re:Nine attempts? by LiquidCoooled · · Score: 5, Informative

      This is not a problem of trying 9 times to break in, this is a problem of somebody RECORDING whilst you enter your correct details into the account.

      As you know, with HSBC, you are asked to specify 3 digits from your security key (which is 6-8 characters long)

      This is fine and stops people shoulder surfing to get it once, but if someone keeps recording you they will have all they need.

      I actually had more of a shock in the past when I managed to man in the middle the HSBC login, but after speaking to them (they called me back literally within seconds of me mailing them) it was cleared up and my worries were put to rest (there is a ~2 minute timeout where if you steal the cookies from someones machine who has logged in but not logged out where you can technically get at the information - this might have changed since, but it used to be the case)

      --
      liqbase :: faster than paper
  2. Keylogger required by aminal · · Score: 5, Insightful

    So if i have a keylogger on my machine and i log into my online bank, it will log the details i put in and comprimise my online banking?

    no shit sherlock.

    --
    Aminal - DRUMMS!!