Complain about a product or service

HSBC Security Flaw Exposes Millions Of Customers' Data

By Martin H. Bosworth
ConsumerAffairs.com

August 11, 2006

Data Theft • Bank Data Breach Threatens 248,000 in North Carolina • GPS Not Foolproof • Countrywide Warns Millions of Data Breach • Thieves Steal AT&T Laptop with Employee Data • Report: Data Breach Disclosure Laws Don't Affect Identity Theft • Patient Information Exposed in Data Breach at Walter Reed • Supermarket Chain Reports Data Breach • Report: Feds Still Not Doing Enough To Secure Data • Data Thieves Hit Georgetown University Students, Faculty • 800,000 Job Seekers At Risk In Gap Data Breach • TJX Data Breach Settlement Has Strings Attached • More ...

America may have the market cornered on embarrassing data security breaches, but other countries are catching up fast. A security flaw in the UK's HSBC Bank online banking system has left over three million customers' accounts dangerously vulnerable to outside attack from hackers.

A research team from Cardiff University discovered the flaw and alerted HSBC on August 9th. According to the team, the flaw has been active for at least two years, rendering many accountholders' finances vulnerable to hacking "within nine attempts," they said.

Professor Antonia Jones, leader of the research team, told The Guardian that "as long as this flaw exists, customers are at risk. For banks or institutions that are making huge amounts out of their customers not to protect them is pretty scandalous."

HSBC downplayed the discovery of the flaw, saying that, "It is an extremely sophisticated attack that would require a particular and time-consuming focus on one individual victim" and therefore criminals wouldn't be bothered to try it.

The Cardiff team declined to provide details about the flaw, saying that they would publish their full findings later in the year.

The team did say that hackers who use "keyloggers," remote programs that can hijack a user's machine and make records of the keystrokes as they type, would be most able to take advantage of the HSBC flaw.

According to Cambridge University's Richard Clayton, HSBC's online banking security would not sufficiently protect users from a keylogger.

The password system involves providing random letters from a secret "pass phrase" to gain access to your account. Although this was thought to be sufficient to fool keyloggers, Clayton claims the new find has a way around that.

"They have an anti-keylogging system that doesn't work – they might as well not have it" Clayton said. "The only reason it's a theoretical [flaw] is that they're fortunate no bad guys have [exposed it] yet.

A keylogger was discovered last year by researchers working for Florida-based Sunbelt Software. That discovery led Sunbelt's team to a treasure trove of financial information stolen by unknown parties, believed to be based in Russia.

Sunbelt president Alex Eckelberry personally contacted victims of the hack and publicized the keylogger's existence.

Security experts and tech geeks furiously debated the threat level of the flaw after the announcement. One commenter on the tech web site Slashdot expressed amusement at the news, saying that it would take nine tries and many possible factors for the flaw to present a danger.

"Whereas, at another bank which asks for a username and passcode, the dishonest individual with the keylogger only needs me to log in ONCE to have the run of my account," they said. "So why is this news?"

"Andy," an anonymous and self-proclaimed "ex-bank hacker," posted his theory on the flaw on the Web, saying that HSBC's online banking security relied too heavily on repeatable number sequences, and didn't factor in the ability of hackers to wait out multiple login attempts before the challenge returned to a sequence the keylogger recorded.

"The rest is easy peasy, lemon squeezy, as they [say] in the business," he said.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |