
News HSBC online banking 'seriously flawed'

Discussion in 'Article Discussion' started by Da Dego, 10 Aug 2006.

  1. Da Dego

    Da Dego Brett Thomas

  2. Mr T

    Mr T 4 Left Into Long 3 Right

    Doh. But if it requires a key logger then surely it's hardly rocket science?
     
  3. MiNiMaL_FuSS

    MiNiMaL_FuSS ƬӇЄƦЄ ƁЄ ƇƠƜƧ ӇЄƦЄ.

    Requiring a key logger suggests to me that you need to be able to get the logger onto the target's system in the first place.

    However I hope this is fixed soon!
     
  4. Cabe

    Cabe What's a Dremel?

    But any online banking system would be susceptible to a keylogger attack, any particular reason why it's HSBC specifically? I don't use any others so I don't know their systems, but HSBC asks for your Internet account number (not related to your actual card/account number), your DOB and 3 random digits from your passcode.
     
  5. Glider

    Glider /dev/null

    My online banking system requires a digipass... A calculator lookalike, where you enter your personal PIN, and it gives you a 6-digit code that is different every time. That you have to enter into the site. I think that's quite a secure way of doing online banking. The fact that it's as easy to crack the online banking thing with just a keylogger scares me a bit... Don't want to lose my hard-earned money so easily
     
  6. cpotenzone

    cpotenzone What's a Dremel?

    Being a specialist in the banking and online security industry, I've got to say this is more evidence of the press pushing drama than actual threat. The flaw is not HSBC, it's in the anti-virus and security software. If you have a key logger on your computer, most likely the person(s) receiving the output can get into your accounts. There are a few solutions capable of stopping such threats, and one of them is what I do for a living (http://wiki.unilocusa.com/Online_Banking).

    If you really want to take a good look at a serious threat to the online banking industries, take a look at this (http://wiki.unilocusa.com/CitiBusiness_VASCO_Breach). The "man-in-the-middle" attack against Citibank and one time passwords is putting a serious chill down the spines of all online bank administrators and security engineers.

    Casey S. Potenzone
     
  7. TheoGeo

    TheoGeo What are these goddamn animals?!

    The first time I logged onto my HSBC bank account I figured this one out, they may ask for certain data but there's only a finite number of combinations. It's not really a problem for me any more though since I forgot my login details shortly after logging in for the first time.

    The thing is, surely if you have a key logger and haven't noticed then you're pretty much screwed anyway since they'll get your details when you pay for things, get your other passwords etc.
     
  8. DeX

    DeX Mube Codder

    Exactly. The only difference with online banking is that it's totally centred around supposedly water-tight security. They usually ask you to select 3 out of 6 digits of your passcode via drop down boxes so that they cannot be detected by keyloggers. However people can just a lot more easily steal your credit card details using a keylogger as you are far more likely to type that info into whatever website requires it. My guess is that this flaw that has been discovered is based on the selection of the three digits for the passcode. Maybe something in the way that info is processed means you don't need many tries to get in.

    I was taught Maths by Prof Antonia Jones at Cardiff and she also taught Computer Security so I'm sure she knows what she's on about. (Though she can go on about some pretty tangential stuff at times :D).

    By the way the link to this thread from the article is broken.
     
  9. mrpete

    mrpete What's a Dremel?

    I don't see how it is seriously flawed, if the user has a keylogger, it's their fault tbh.
     
  10. yahooadam

    yahooadam Ultra cs

    1. BT - the link on the article points to the forum and not the topic

    Anyway - this hack does require a keylogger, so it's not that easy to do, however considering 90% of people are probably not great at keeping their computer secure it could be a problem

    anyway, if your account is hacked, then I do believe HSBC have to deal with it, and refund your money anyway - like credit card fraud
     
  11. Guest-16

    Guest-16 Guest

    I don't see how they can "fix" it.

    HSBC ask someone to input their IB number and DOB, that obviously can be logged, then they tell them to choose 3 random numbers (which are pre-specified) out of their 6 digit number they requested at the bank. So, sure, after 9 tries you can log that but it's better than 99% of other places like PayPal etc which just require a single email and password so that takes 1 try with a keylogger :rolleyes:
    How do you fix that? Unless you specify someone gets a new number every time they want to use internet banking because there's a limit to the numbers people can remember. Get them to choose 16 random numbers out of a 128 number code?? It just gets silly.

    It's not gonna stop me using HSBC internet banking on my own PC.
     
  12. Buzzons

    Buzzons Minimodder

    Link's broken to the forum area, or I'm being a retard. One or the other
     
  13. yahooadam

    yahooadam Ultra cs

    yeh I said that ;)

    As they haven't released the details of how it's done, it's hard to assume where the flaw is

    I assume it's more than a simple key logging though
     
  14. whisperwolf

    whisperwolf What's a Dremel?

    erm the code number for HSBC can be up to nine digits I believe. My only complaint is that they always ask for the 3 numbers in sequential order, i.e. 1st 3rd 5th, or 2nd 3rd 6th. To me it should mix it up a little bit, i.e. 5th 1st 3rd. However HSBC's internet banking is the easiest to use that I've seen, the number of secure questions for Sainsbury's bank is insane and all on subjects like "who is your favourite singer?" and as this changes for me on a weekly basis I had to write down all the answers, not the best security in the world for me personally.
     
  15. Guest-16

    Guest-16 Guest

    Fixed the link to this thread
     
  16. xrob

    xrob What's a Dremel?

    lol this is stupid, in no way is this 'seriously flawed'
     
  17. DeX

    DeX Mube Codder

    xrob, how do you know? You haven't heard the details of the flaw. In any case whether you need a keylogger or not the system would be seriously flawed if just one of the security measures could be easily broken e.g. the passcode entry. If it's there then it's obviously there for a reason. If it can be broken then it is obviously seriously flawed.
     
  18. MiNiMaL_FuSS

    MiNiMaL_FuSS ƬӇЄƦЄ ƁЄ ƇƠƜƧ ӇЄƦЄ.

    Instead of typing numbers they could be selected from drop down boxes...rendering a keylogger useless. But yes as long as you keep your own system clean and locked tight you should be fine.

    Actually they ask for a minimum of 6 digits, I know mine is more like 20 digits. Making it that little bit more secure.
     
  19. mattyt

    mattyt What's a Dremel?

    Yep, with Lloyds you have a pass code which is a mix of numbers and letters.

    Each time you log on (after you've put in a normal username / password) it asks you for 3 specific letters from it (e.g. 1st, 3rd and 5th). But instead of typing them in (like you do on FirstDirect & presumably HSBC) you select them from drop downs. If you try to type in the letter, which usually selects the item in the drop down, it just goes straight to 'z'.

    So if you could keylog someone actually entering their details eventually you'd have enough to get in.

    HOWEVER, I thought most banks only allowed 3 incorrect entries anyway? Not 5-9.
     
  20. Guest-16

    Guest-16 Guest

    Dex: It's just keylogging what people put in. That's the "serious flaw"!? It's not some glamorous hack

    Matt: if you keylog someone then after them accessing the site 9 times they can get their full details.

    Min: I couldn't remember a 20 digit number if I tried.
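
Added example, not part of any post in this thread: exact probabilities for the scheme the posters describe (3 positions requested from a 6-digit passcode per login), showing how much of the passcode a given number of observed logins exposes and how often a fresh challenge asks only for already-exposed positions. It assumes each challenge picks its positions uniformly and independently, which the thread does not confirm; all function names are this example's own.

```python
from fractions import Fraction
from math import comb


def p_covered(n, k, logins, targets):
    """Probability that `targets` fixed passcode positions have all been
    requested at least once across `logins` observed challenges, each an
    independent uniform choice of k out of n positions (assumed model).
    Computed exactly by inclusion-exclusion."""
    total = comb(n, k)
    p = Fraction(0)
    for j in range(targets + 1):
        # j of the target positions were never requested: every challenge
        # drew its k positions from the remaining n - j.
        miss = Fraction(comb(n - j, k), total) ** logins
        p += (-1) ** j * comb(targets, j) * miss
    return p


def p_full_passcode(n, k, logins):
    """Every position of the passcode has been exposed."""
    return p_covered(n, k, logins, n)


def p_next_challenge(n, k, logins):
    """A fresh challenge asks only for positions already exposed."""
    return p_covered(n, k, logins, k)


def min_logins(n, k, threshold):
    """Fewest observed logins for full exposure with probability >= threshold."""
    logins = 1
    while p_full_passcode(n, k, logins) < threshold:
        logins += 1
    return logins


if __name__ == "__main__":
    # 6 digits as described in the thread; 9 is the upper length one poster mentions.
    for n in (6, 9):
        print(f"passcode length {n}, 3 positions per login")
        for logins in (1, 3, 5, 9):
            full = float(p_full_passcode(n, 3, logins))
            nxt = float(p_next_challenge(n, 3, logins))
            print(f"  {logins} logins: full={full:.4f} next-challenge={nxt:.4f}")
        print("  logins for 99% full exposure:", min_logins(n, 3, Fraction(99, 100)))
```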
     