Researchers at Cardiff University claim to have uncovered a vulnerability in HSBC's web banking system
HSBC online banking security flaw exposed
/v3-uk/news/1972269/hsbc-online-banking-security-flaw-exposed
14 Aug 2006, Robert Jaques , V3
UK researchers today warned that thousands of HSBC customers are vulnerable to a potentially devastating flaw in the bank's online banking system.
Two researchers working within Cardiff University's School of Computer Science, Professor Antonia J Jones and Joseph R Rabaiotti, together with a third independent researcher, Stuart P Goring, uncovered the vulnerability in HSBC's web banking system.
Without in any way hacking or even entering the system, the researchers demonstrated that the problem, together with the use of a key-logger to record keystrokes, could allow an attacker to gather all the necessary information required to enter any customer account.
The researchers stressed that the bank was informed of the issue prior to publication. HSBC and Cardiff University are now working together to address a number of issues raised by this research, according to the academics.
The team said that no illegal access took place during the research, and that it was possible "by perfectly proper use of the system" (a legal log-in which fails due to a typing error) and by intelligent observation to logically prove a weakness without even passing the gatekeeper or entering the system.
While they were able to do this because of a rather trivial problem, the scientists claimed that "an interesting point of principle has been established and a significant loophole identified".
"What is truly amazing about this particular problem is that it apparently has not been illegally exploited for at least two years, during which time all user accounts were in principle open to the access procedure we describe," said Professor Jones.
"This fact alone raises some serious questions about the wisdom of having any sensitive system online and about online banking in general."
Andrew Moloney, senior product manager at RSA Security's consumer solutions division, said: "HSBC has been heavily criticised for not addressing this flaw, but I don't believe this criticism is valid.
"No banks' systems are 100 per cent secure, and even if every flaw was patched immediately this would not mean that online banking users were safe from fraudsters. Far from it.
"Online fraud attacks rarely rely on technology flaws. They flourish because of the one flaw that cannot be addressed by a security patch: the user."
© Incisive Media Investments Limited 2010, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093
Do you agree?
heh, crap
The use of keyloggers are well known in history and every bank is vulnerable to keyloggers and accounts can be exposed to use of keylogger, thus third party can gain access to user accounts instantly using keyloggers, this is not a new thing it has been widely used and is gonna be used more for every site there is outthere. NOT ONLY HSBC IS VULNERABLE TO KEYLOGGERS EVERY SITE IS, SO WHAT THESE 'SCIENTISTS'OR 'RESEARCHERS' DISCOVERED IT'S NO NEW THING, IT HAS BEEN LONG BEFORE THEY EVEN FIGURED HOW KEYLOGGING WORKED, SO, GTFO AND START PATCHING SYSTEMS BEFORE STUFF GET MESSY.
Posted by /dev/null, 23 Jun 2007