America may have the market cornered on embarrassing data security breaches, but other countries are catching up fast. A security flaw in the UK's HSBC Bank online banking system has left over three million customers' accounts dangerously vulnerable to outside attack from hackers.
A research team from Cardiff University discovered the flaw and alerted HSBC on August 9th. According to the team, the flaw has been active for at least two years, rendering many account holders' finances vulnerable to hacking "within nine attempts," they said.
Professor Antonia Jones, leader of the research team, told The Guardian that "as long as this flaw exists, customers are at risk. For banks or institutions that are making huge amounts out of their customers not to protect them is pretty scandalous."
HSBC downplayed the discovery of the flaw, saying that, "It is an extremely sophisticated attack that would require a particular and time-consuming focus on one individual victim" and therefore criminals wouldn't be bothered to try it.
The Cardiff team declined to provide details about the flaw, saying that they would publish their full findings later in the year.
The team did say that hackers who use "keyloggers," remote programs that can hijack a user's machine and make records of the keystrokes as they type, would be most able to take advantage of the HSBC flaw.
According to Cambridge University's Richard Clayton, HSBC's online banking security would not sufficiently protect users from a keylogger.
The password system involves providing random letters from a secret "pass phrase" to gain access to your account. Although this was thought to be sufficient to fool keyloggers, Clayton claims the new find has a way around that.
"They have an anti-keylogging system that doesn't work, they might as well not have it," Clayton said. "The only reason it's a theoretical [flaw] is that they're fortunate no bad guys have [exposed it] yet."
A keylogger was discovered last year by researchers working for Florida-based Sunbelt Software. That discovery led Sunbelt's team to a treasure trove of financial information stolen by unknown parties, believed to be based in Russia.
Sunbelt president Alex Eckelberry personally contacted victims of the hack and publicized the keylogger's existence.
Security experts and tech geeks furiously debated the threat level of the flaw after the announcement. One commenter on the tech web site Slashdot expressed amusement at the news, saying that it would take nine tries and many possible factors for the flaw to present a danger.
"Whereas, at another bank which asks for a username and passcode, the dishonest individual with the keylogger only needs me to log in ONCE to have the run of my account," they said. "So why is this news?"
"Andy," an anonymous and self-proclaimed "ex-bank hacker," posted his theory on the flaw on the Web, saying that HSBC's online banking security relied too heavily on repeatable number sequences, and didn't factor in the ability of hackers to wait out multiple login attempts before the challenge returned to a sequence the keylogger recorded.
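The risk described in the two passages above (a "random letters from your pass phrase" login, and challenges that eventually repeat positions a keylogger has already captured) can be quantified with a small model. This is an added example, not code from HSBC or the researchers; the phrase length of 8 and the 3 positions asked per login are constructed parameters, since the article does not state the real ones.

```python
import random
from math import comb

# Constructed model of a partial-password login: the bank asks for a few
# positions of a secret phrase, and a keylogger records whatever is typed.
# Parameters (8-character phrase, 3 positions per login) are assumptions.

def fresh_challenge(phrase_len, asked, rng):
    """Positions requested at one login, drawn uniformly without replacement."""
    return frozenset(rng.sample(range(phrase_len), asked))

def answerable_probability(known, phrase_len, asked):
    """Exact chance that a fresh challenge asks only for positions already
    captured, i.e. the recorded keystrokes alone would satisfy it."""
    if known < asked:
        return 0.0
    return comb(known, asked) / comb(phrase_len, asked)

def positions_leaked(logins, phrase_len, asked, rng):
    """Distinct phrase positions captured after watching `logins` legitimate logins."""
    seen = set()
    for _ in range(logins):
        seen |= fresh_challenge(phrase_len, asked, rng)
    return len(seen)

def exposure_curve(phrase_len, asked, max_logins, trials=2000, seed=1):
    """Monte Carlo average, per number of observed logins, of the probability
    that the next challenge is fully covered by captured positions."""
    rng = random.Random(seed)
    curve = []
    for logins in range(max_logins + 1):
        total = 0.0
        for _ in range(trials):
            known = positions_leaked(logins, phrase_len, asked, rng)
            total += answerable_probability(known, phrase_len, asked)
        curve.append(total / trials)
    return curve

if __name__ == "__main__":
    for k, p in enumerate(exposure_curve(8, 3, 6)):
        print(f"after {k} observed logins: next challenge answerable with p={p:.2f}")
```

The curve shows why per-login partial disclosure only delays rather than prevents replay: each observed login leaks more positions, so the bank's "time-consuming" framing is really a statement about how many logins the victim makes, not about any hard limit.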
"The rest is easy peasy, lemon squeezy, as they [say] in the business," he said.