HSBC accused of 'scandalous' security glitch

Summary: Update: Researchers at Cardiff University claim to have discovered a serious flaw in HSBC's online banking procedure, but the bank is downplaying the situation

TOPICS: Security

Banking giant HSBC has been accused of leaving its online accounts exposed for over two years due to a security flaw, according to reports.

The bank left 3.1 million customers exposed due to a defect in how people access their online accounts, The Guardian claimed on Thursday.

Criminals who had harvested banking information using keylogging malware would be able to change account details and transfer money, according to researchers at Cardiff University, who claimed that any account could be broken into within nine attempts.

However, full details of the security flaw were not made available. It is understood to involve the login step in which a customer is asked to supply the characters at randomly chosen positions within a secret phrase or password.

It's also not clear if the alleged flaw has ever been exploited.

"There are serious issues here," said Professor Antonia Jones, who led the research team. "Banks are in the business of safeguarding your money, and if they tell you that it's safe then you assume that's the case. But as long as this flaw exists, customers are at risk. For banks or institutions that are making huge amounts out of their customers, not to protect them is pretty scandalous," she told The Guardian.

HSBC downplayed the severity of the situation, saying that the supposed flaw had not been exploited by criminals, and that it would be "interested to hear any expert commentary on the security of its personal Internet banking service".

"It is an extremely sophisticated attack that would require a particular and time-consuming focus on one individual victim. It is therefore not likely to be a profitable way for criminals to behave," said HSBC in a statement.

Security expert Richard Clayton of Cambridge University confirmed to ZDNet UK that the vulnerability existed. He believes that it will be "very trivial" to construct a fix and roll it out.

"On the HSBC online banking scheme, after you type in your name and password, you have to provide some characters from a secret phrase. The idea is that even if there is a 'keylogger' on your system — and most viruses come with keyloggers as standard these days — it will not know the positions within the phrase you have been asked for," explained Clayton.

"Unfortunately, the Cardiff researchers have realised that there is a way around this — and hence once you have a keylogger on your system then you will not be protected in the way that HSBC hoped," he added.
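The following Python model is an added illustration of the general partial-password scheme Clayton describes; it is not code from the article, from HSBC, or from the Cardiff team, whose method was not published, and the nine-attempt figure above is not something this model reproduces. It shows why a keylogger defeats the scheme once the malware can also see the screen, as Cluley notes further down: every observed login reveals the characters at the positions asked for, and an attacker who can keep requesting fresh challenges simply waits for one made entirely of positions he already knows. Secret length (8), the number of positions asked (3), uniform random position selection and the attacker's ability to refresh challenges are all assumptions of the model, not facts about HSBC's system.

```python
"""Model of a partial-password login step and of an attacker with a keylogger.

Added illustration of the general scheme class the article describes; NOT
HSBC's actual procedure (undisclosed in the article) and NOT the Cardiff
researchers' method. Assumptions of this model: an 8-character secret phrase,
3 positions asked per login, positions drawn uniformly at random, and an
attacker who can request as many fresh challenges as he likes.
"""
import random
from math import comb

SECRET_LEN = 8   # assumption
ASK = 3          # assumption: how many positions the bank asks for per login


def challenge(rng):
    """Bank picks ASK distinct 1-based positions of the secret phrase."""
    return tuple(sorted(rng.sample(range(1, SECRET_LEN + 1), ASK)))


def respond(secret, positions):
    """What the legitimate customer types for a given challenge."""
    return "".join(secret[p - 1] for p in positions)


class Keylogger:
    """Malware on the victim's PC. A pure keylogger sees only the keystrokes;
    spyware that also captures the screen sees which positions were asked,
    so it can map each keystroke to a position in the secret phrase."""

    def __init__(self, sees_screen):
        self.sees_screen = sees_screen
        self.known = {}      # position -> character, only fillable with a screen view
        self.keystrokes = []

    def observe(self, positions, typed):
        self.keystrokes.append(typed)
        if self.sees_screen:
            for p, c in zip(positions, typed):
                self.known[p] = c


def can_answer(known, positions):
    """True when every asked position is already in the attacker's notebook."""
    return all(p in known for p in positions)


def expected_attempts(known_positions):
    """Exact expectation for a bank that hands out a fresh random challenge on
    every attempt: P(challenge answerable) = C(k, ASK) / C(n, ASK), and the
    number of attempts until the first answerable challenge is geometric, so
    E = C(n, ASK) / C(k, ASK). Returns inf if fewer than ASK positions are known."""
    k = len(known_positions)
    if k < ASK:
        return float("inf")
    return comb(SECRET_LEN, ASK) / comb(k, ASK)


def attempts_until_answerable(known, rng, max_attempts=10_000):
    """Fresh-challenge bank: the attacker keeps asking until a challenge he can
    answer comes up. Returns the attempt count, or None if the cap is hit."""
    for n in range(1, max_attempts + 1):
        if can_answer(known, challenge(rng)):
            return n
    return None


def sticky_bank_answerable(known, rng):
    """Hardened variant: the bank keeps the same positions for the account until
    they are answered correctly, so refreshing buys the attacker nothing. He
    succeeds only if the one pending challenge happens to be covered."""
    return can_answer(known, challenge(rng))


def simulate(secret, victim_logins, sees_screen, seed=1):
    """Victim logs in `victim_logins` times while infected; the attacker then
    tries the fresh-challenge bank. Returns (positions known, attempts needed)."""
    rng = random.Random(seed)
    kl = Keylogger(sees_screen)
    for _ in range(victim_logins):
        pos = challenge(rng)
        kl.observe(pos, respond(secret, pos))
    if not kl.sees_screen:
        return set(), None   # keystrokes alone cannot be placed at positions
    return set(kl.known), attempts_until_answerable(kl.known, rng)


if __name__ == "__main__":
    secret = "tr0ub4dr"   # constructed sample secret phrase, 8 characters
    for logins in (1, 2, 3):
        known, n = simulate(secret, logins, sees_screen=True)
        print(f"{logins} observed login(s): knows {len(known)}/{SECRET_LEN} positions, "
              f"expected {expected_attempts(known):.1f} attempts, this run took {n}")
    print("keylogger without screen capture:", simulate(secret, 3, sees_screen=False))
```

With one observed login the attacker knows three of eight positions and, against a bank that re-rolls the positions on every attempt, needs on average 56 tries; after two logins covering six positions that drops to under three. The `sticky_bank_answerable` variant models the obvious hardening of this scheme class, holding the challenge fixed until it is answered, so that refreshing the page cannot be used to fish for a convenient one; whether that is the fix Clayton had in mind is not stated in the article.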

Alan Phillips, chief executive of security company 7Safe, said there are ways to stop keystroke loggers from stealing PINs and passwords. One method is to use an on-screen keyboard, either the one built into Windows XP or one provided by the online bank, when typing in confidential details.

"There are some ways around keyloggers," Phillips said. "Other banks like Credit Agricole have their own on-screen keyboards. This way you can't get hit by a keystroke log. The other way is with a drop-down box. Barclays do that."

But Graham Cluley, senior technology consultant for antivirus company Sophos, argued keylogging software can beat on-screen keyboards. "Any keylogger is likely to be part of a more complex piece of spyware. That allows the hacker access to everything on your PC, such as monitoring the screen and mouse clicks. Similarly, drop-down boxes are not immune to hackers grabbing information from them."

ZDNet UK's Dan Ilett contributed to this report.


Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

  • The logging in description given in no way resembles the procedure I have to use to access my HSBC account!
  • It's not surprising at all; HSBC is used to downplaying major issues.

    At our Bangalore call centre a guy detected two major security flaws and reported them to his manager. His Indian manager immediately saw it as a way to take advantage and gain credit. This was because the TM knew the guy was good and must have detected something important, especially as he had presented a paper in June but refused to give details without proof.

    However, the agent refused, and the TM's senior manager too dilly-dallied for a month and a half; finally the guy left at the beginning of Aug, where he was made to resign. Do you think senior managers did anything? Well, they're busy massaging their egos with that stiff upper lip and a supercilious smile, a legacy of the British.

    This is HSBC for you. It's a very nice place, but don't be too proactive, or you've had it. Come to work, have fun and go home.
  • The procedure in the article is correct. It refers to the password, since replaced by the pass number after detection.

    HSBC can be very careless but speaks big, talks big about world class. Several guys working there say they know exactly how world class it is: up to no good. Fab statements, repeated to make them the truth - like Hitler.