HSBC accused of 'scandalous' security glitch

Update: Researchers at Cardiff University claim to have discovered a serious flaw in HSBC's online banking procedure, but the bank is downplaying the situation
Written by Tom Espiner, Contributor

Banking giant HSBC has been accused of leaving its online accounts exposed for over two years due to a security flaw, according to reports.

The bank left 3.1 million customers exposed due to a defect in how people access their online accounts, The Guardian claimed on Thursday.

Criminals who had harvested banking information using keylogging malware would be able to change account details and transfer money, according to researchers at Cardiff University, who claimed that any account could be broken within nine attempts.

However, full details of the security flaw were not made available. It's understood that it involves a security procedure where a customer is asked to supply randomly chosen letters from within their password.

It's also not clear if the alleged flaw has ever been exploited.

"There are serious issues here," said Professor Antonia Jones, who led the research team. "Banks are in the business of safeguarding your money, and if they tell you that it's safe then you assume that's the case. But as long as this flaw exists, customers are at risk. For banks or institutions that are making huge amounts out of their customers, not to protect them is pretty scandalous," she told The Guardian.

HSBC downplayed the severity of the situation, saying that the supposed flaw had not been exploited by criminals, and that it would be "interested to hear any expert commentary on the security of its personal Internet banking service".

"It is an extremely sophisticated attack that would require a particular and time-consuming focus on one individual victim. It is therefore not likely to be a profitable way for criminals to behave," said HSBC in a statement.

Security expert Richard Clayton of Cambridge University confirmed to ZDNet UK that the vulnerability existed. He believes that it will be "very trivial" to construct a fix and roll it out.

"On the HSBC online banking scheme, after you type in your name and password, you have to provide some characters from a secret phrase. The idea is that even if there is a "keylogger" on your system — and most viruses come with keyloggers as standard these days — it will not know the positions within the phrase you have been asked for," explained Clayton.

"Unfortunately, the Cardiff researchers have realised that there is a way around this — and hence once you have a keylogger on your system then you will not be protected in the way that HSBC hoped," he added.

Alan Phillips, chief executive of security company 7Safe, said there are ways to avoid keystroke loggers stealing PIN numbers and passwords. One method is to use an on-screen keyboard in Windows XP or one provided by the online bank when typing in confidential details.

"There are some ways around keyloggers," Phillips said. "Other banks like Credit Agricole have their own on-screen keyboards. This way you can't get hit by a keystroke log. The other way is with a drop-down box. Barclays do that."

But Graham Cluley, senior technology consultant for antivirus company Sophos, argued keylogging software can beat on-screen keyboards. "Any keylogger is likely to be part of a more complex piece of spyware. That allows the hacker access to everything on your PC, such as monitoring the screen and mouse clicks. Similarly, drop-down boxes are not immune to hackers grabbing information from them."

Silicon.com's Dan Ilett contributed to this report.

Editorial standards