All the latest UK technology news, reviews and analysis
|
|
|
14 Aug 2006
UK researchers today warned that thousands of HSBC customers are vulnerable to a potentially devastating flaw in the bank's online banking system.
Two researchers working within Cardiff University's School of Computer Science, Professor Antonia J Jones and Joseph R Rabaiotti, together with a third independent researcher, Stuart P Goring, uncovered the vulnerability in HSBC's web banking system.
Without in any way hacking or even entering the system, the researchers demonstrated that the problem, together with the use of a key-logger to record keystrokes, could allow an attacker to gather all the necessary information required to enter any customer account.
The researchers stressed that the bank was informed of the issue prior to publication. HSBC and Cardiff University are now working together to address a number of issues raised by this research, according to the academics.
The team said that no illegal access took place during the research, and that it was possible "by perfectly proper use of the system" (a legal log-in which fails due to a typing error) and by intelligent observation to logically prove a weakness without even passing the gatekeeper or entering the system.
While they were able to do this because of a rather trivial problem, the scientists claimed that "an interesting point of principle has been established and a significant loophole identified".
"What is truly amazing about this particular problem is that it apparently has not been illegally exploited for at least two years, during which time all user accounts were in principle open to the access procedure we describe," said Professor Jones.
"This fact alone raises some serious questions about the wisdom of having any sensitive system online and about online banking in general."
Andrew Moloney, senior product manager at RSA Security's consumer solutions division, said: "HSBC has been heavily criticised for not addressing this flaw, but I don't believe this criticism is valid.
"No banks' systems are 100 per cent secure, and even if every flaw was patched immediately this would not mean that online banking users were safe from fraudsters. Far from it.
"Online fraud attacks rarely rely on technology flaws. They flourish because of the one flaw that cannot be addressed by a security patch: the user."
Latest stories from Web
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
Position:Oracle Applications eBusiness Suite Suport...
Software Developer A leading UK Software Application...
I am looking for a permanent senior Drupal Developer...
Retail Consultant - Data Transformation and Migration...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
heh, crap
The use of keyloggers are well known in history and every bank is vulnerable to keyloggers and accounts can be exposed to use of keylogger, thus third party can gain access to user accounts instantly using keyloggers, this is not a new thing it has been widely used and is gonna be used more for every site there is outthere. NOT ONLY HSBC IS VULNERABLE TO KEYLOGGERS EVERY SITE IS, SO WHAT THESE 'SCIENTISTS'OR 'RESEARCHERS' DISCOVERED IT'S NO NEW THING, IT HAS BEEN LONG BEFORE THEY EVEN FIGURED HOW KEYLOGGING WORKED, SO, GTFO AND START PATCHING SYSTEMS BEFORE STUFF GET MESSY.
Posted by: /dev/null 23 Jun 2007