
News HSBC online banking 'seriously flawed'

Discussion in 'Article Discussion' started by Da Dego, 10 Aug 2006.

  1. FliesLikeABrick

    FliesLikeABrick What's a Dremel?


    The fact is that this appears to be media hype on HSBC, even though there are thousands of other sites with insufficient authentication to prevent a keylogger from allowing someone to log in.

    Nobody should be "omg I have HSBC, my stuff is exposed!" any more than they should be "omg my paypal/google/bit-tech/msn/.../... stuff is exposed!"

    If you have a keylogger on your computer, the fact that someone can get into your bank account with 9 tries is the least of your worries. There are many more banking sites on which a keylogger will let you in in 1 try (my main bank account :-(), and many more places they can use the data they get from the keylogger. I would personally be more worried about the well-being of my production servers than the relatively small amount of money in my bank accounts, as well as the bucketloads of privileged information stored in my Gmail account.

    This all smells like media hype to me, and until there are any other details... I don't think it is really worth discussing HSBC in specific.

    Summary: "HSBC's site is crackable if you know the username and password, due to a scripting error in the site that renders other authentication methods useless in under 9 tries."

    Note: you still need the username/password.
     
  2. yahooadam

    yahooadam Ultra cs

    That is a much better security system, HSBC should already be using it
     
  3. Da Dego

    Da Dego Brett Thomas

    Somehow I don't think that a whole research team at Cardiff plus a security expert at Cambridge would be so upset about it if it were as simple as you make it out to be...nor do they work for the media...
     
  4. Stuey

    Stuey You will be defenestrated!

    I'm pretty confused here. If you forgot a PW on HSBC, you still have to enter your username, ATM account number and PIN number to create a new password. If they already know the username and password, or username + the other info, then almost any banking site/account is as vulnerable.

    They recently changed the login procedure. You enter your usernumber (it's a 12-digit number with letters at the end), and then it takes you to the next page where you enter a password.

    In order to pay bills or transfer money out of the account or group of accounts, they have a calculator-like keyboard where you have to hit a password in w/ mouse to defeat keyloggers (this has been used since at least last September when I started using the feature).

    Anyways, I agree with everybody else - if you've got a keylogger on your computer then a lot of damage can be done in a variety of ways.
     