HSBC Online Banking Security Flaw Analyzed

greenechidna writes "The BBC is reporting that a vulnerability has been found in the online banking service of HSBC by researchers at Cardiff University. According to the story the attack would allow an attacker to log on to an account within 9 attempts. The attack relies on a keylogger being installed on the victim's machine. The article doesn't have any further technical details." David Nicholson adds links to coverage at CNN and at the Guardian, writing "The attack revolves around the order that customers are requested to enter random security numbers on the site. The main news stories fail to detail the vulnerability but I have provided an analysis of it here."
  • Why pick on HSBC? (Score:4, Insightful)

    by Anonymous Coward on Thursday August 10, 2006 @11:39AM (#15881391)
    So IF my computer has a keylogger and IF my logins are recorded as few as 9 times, THEN the dishonest individual has my security code and can access my account. Whereas, at another bank which asks for a username and passcode, the dishonest individual with the keylogger only needs me to log in ONCE to have the run of my account. So why is this news?
  • uhhh... (Score:4, Insightful)

    by nFriedly ( 628261 ) <nathan@friedly+shashdot.gmail@com> on Thursday August 10, 2006 @11:40AM (#15881402) Homepage Journal
    The attack relies on a keylogger being installed on the victim's machine.
    Uhm.. yea. That attack will get you into about any bank website.. ever.
  • Keylogger required (Score:5, Insightful)

    by aminal ( 122974 ) on Thursday August 10, 2006 @11:40AM (#15881404)
    So if i have a keylogger on my machine and i log into my online bank, it will log the details i put in and compromise my online banking?

    no shit sherlock.
  • by Timesprout ( 579035 ) on Thursday August 10, 2006 @11:41AM (#15881408)
    will be 'flawed' if you get a keylogger on my pc since the majority rely on me supposedly knowing something you dont, until the logger records it for you that is.
  • Keylogger? (Score:2, Insightful)

    by Petskull ( 650178 ) on Thursday August 10, 2006 @11:41AM (#15881411)
    The attack relies on a keylogger being installed on the victim's machine.

    Isn't this a vulnerability in *any* user/pass interface on any computer in the world?
  • by 6OOOOO ( 600000 ) on Thursday August 10, 2006 @11:43AM (#15881439) Homepage
    A spokesperson for HSBC is quoted in the article as having said:

    "The reality is that it would be more profitable for that fraudster to concentrate his or her efforts elsewhere."

    A single compromised user could mean a payoff of tens of thousands of dollars for a determined "fraudster." Particularly if that fraudster resides in a third-world country, that could be enough to live for years. Moreover, having to concentrate efforts on only one attack minimizes a fraudster's exposure to risk--a single instance is much harder to identify than a systematic effort.

    No, HSBC, this is a problem. With the prevalence of malicious software on today's internet, keyloggers are a very real threat. Alternative systems can eliminate this vulnerability. Use them.
  • by slashkitty ( 21637 ) on Thursday August 10, 2006 @11:59AM (#15881596) Homepage
    HSBC had a virtual keyboard feature. A keylogger would not work with that. You use the mouse to enter letters on it. Maybe the virtual keyboard only has 9 positions, and maybe they are recording mouse movements?
  • by rainman_bc ( 735332 ) on Thursday August 10, 2006 @12:01PM (#15881621)
    No, HSBC, this is a problem.

    Since when are banks required to protect themselves against people who have keyloggers on their computers? Not really much one can do IMHO if there's a keylogger present...

    I guess the only way around it is to have a pin pad and use the mouse to enter in your pin code as well as your pass code.

    W00t. Three tiered logins. Fun stuff.
  • Re:Nine attempts? (Score:3, Insightful)

    by Malc ( 1751 ) on Thursday August 10, 2006 @12:02PM (#15881627)
    That IB code's stupid. I have to keep a copy around for copying and pasting. What's the point of making it so awkward? HSBC Canada just uses the last 10 digits of my bank card. Maybe I use it so much more than my HSBC UK IB number that I've managed to memorise it, but really it's no less secure in my case. At least I can call HSBC's telephone banking this side of the Atlantic when the account is locked out for web access.

    I'd be interested to hear people's suggestions for a system that will remain secure when there's a keylogger on the client's system. It sounds like at that point they've lost control of their computer and they're pretty much screwed.

    I have to admit that when travelling recently, I refused to use internet cafes for anything that involved my passwords. Fortunately I had my work laptop with me (great being able to work two weeks on the road, and have two weeks holiday on top of that too for a whole month overseas!). I took that to internet cafes when I needed to and did anything important over VPN & SSL (and tried not to think about possible man-in-the-middle exploits). This is a real problem.
  • Re:Nine attempts? (Score:5, Insightful)

    by SatanicPuppy ( 611928 ) * <SatanicpuppyNO@SPAMgmail.com> on Thursday August 10, 2006 @12:04PM (#15881654) Journal
    It relies on a fricking keylogger. If anything, this is a validation of two factor authentication...It'd be after one attempt with a regular password system.
  • by badfish99 ( 826052 ) on Thursday August 10, 2006 @12:05PM (#15881670)
    It's news because some people might have thought that this bank has better security than one which only asks for username and password. If you're choosing an online bank, it is important to know which ones are secure and which are not.
  • by z0idberg ( 888892 ) on Thursday August 10, 2006 @12:09PM (#15881713)
    The point isn't that a keylogger can capture your password. It's that they have tried to implement a method of entering your 6 digit pin in a way that would stop a keylogger from revealing it, but the way they have done it actually allows a keylogger to figure it out after relatively few times of logging in, hence creating a false sense of security.

    The PIN is 6 digits, they ask for three of these six digits at any one login (e.g. type the 1st, 3rd and 4th digits of your pin). Because they always ask in ascending order (i.e. never 4th, 2nd and 1st) then after 9 login events the keylogger can figure out the number. All they had to do (and all they have to do now) is ask for the digits in any order and this problem goes away. The keylogger would eventually know which numbers are in your 6 digit pin but never what order, and as there is a 3 (or 4 ?) tries lockout then they won't be able to get in unless they are very lucky guessers.

    I have HSBC internet banking and it never actually dawned on me how obvious this problem is, I don't think I ever noticed that they only ever ask in ascending order, but that's the beauty of it I guess.
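The comment above describes the weakness precisely enough to model it. The following is an added example (not code from HSBC, the BBC/Guardian coverage, or the Cardiff analysis) that simulates the partial-PIN challenge from the keylogger's side: the logger sees only the digits typed, not the on-screen prompt saying which positions were asked for. With ascending prompts every captured answer is an ordered subsequence of the PIN, and the attacker's candidate set collapses after a handful of logins; with randomly ordered prompts each answer only reveals which three digits occur somewhere in the PIN, and the candidate set stays at every permutation of the digits, far beyond a 3-try lockout. The PIN `482913`, the challenge sequence and the 6/3/3 parameters are constructed assumptions for the demonstration.

```python
"""Partial-PIN challenge as described in the comment above, seen from a keylogger.

Added example, not code from HSBC or from the Cardiff analysis.  Assumptions:
a 6-digit PIN, three positions prompted per login, a logger that records only
the digits typed (the on-screen prompt saying which positions to enter is not
in the keystroke stream), and a 3-try lockout.  PIN and challenge lists below
are constructed for the demonstration.
"""
import random
from collections import Counter
from itertools import combinations, permutations, product

PIN_LEN = 6
CHALLENGE_LEN = 3
DIGITS = "0123456789"


def answer(pin, prompted):
    """Digits the user types: PIN digits at the prompted positions, in prompted order."""
    return "".join(pin[p] for p in prompted)


def is_subsequence(typed, candidate):
    """True if `typed` occurs in `candidate` at strictly increasing positions."""
    i = 0
    for ch in candidate:
        if i < len(typed) and ch == typed[i]:
            i += 1
    return i == len(typed)


def _place(typed, positions):
    """All PINs that carry `typed` at `positions`, every other position filled freely."""
    free = [i for i in range(PIN_LEN) if i not in positions]
    for fill in product(DIGITS, repeat=len(free)):
        pin = [""] * PIN_LEN
        for p, d in zip(positions, typed):
            pin[p] = d
        for p, d in zip(free, fill):
            pin[p] = d
        yield "".join(pin)


def candidates_ascending(typed_answers):
    """Attacker's candidate PINs when positions are always prompted in ascending order.
    Each captured answer is then an ordered subsequence of the PIN, which fixes the
    relative order of the digits seen."""
    cands = {pin for pos in combinations(range(PIN_LEN), CHALLENGE_LEN)
             for pin in _place(typed_answers[0], pos)}
    for typed in typed_answers[1:]:
        cands = {c for c in cands if is_subsequence(typed, c)}
    return cands


def candidates_random_order(typed_answers):
    """Attacker's candidate PINs when the prompted positions come in random order.
    A captured answer then only says these three digits occur somewhere in the PIN."""
    cands = {pin for pos in permutations(range(PIN_LEN), CHALLENGE_LEN)
             for pin in _place(typed_answers[0], pos)}
    for typed in typed_answers[1:]:
        need = Counter(typed)
        cands = {c for c in cands if not (need - Counter(c))}
    return cands


def observe(pin, challenges, ascending, seed=0):
    """Simulate logins; return the keystrokes captured and the attacker's candidate set."""
    rng = random.Random(seed)
    typed = []
    for ch in challenges:
        prompted = list(ch)
        if ascending:
            prompted.sort()          # the HSBC behaviour described above
        else:
            rng.shuffle(prompted)    # the fix the comment proposes
        typed.append(answer(pin, prompted))
    cands = candidates_ascending(typed) if ascending else candidates_random_order(typed)
    return typed, cands


def answers_to_try(cands, prompted):
    """Distinct answers the surviving candidates give for one challenge, i.e. the
    worst-case number of login attempts the attacker needs against the lockout."""
    return {answer(c, prompted) for c in cands}


PIN = "482913"                                                       # constructed
ALL_CHALLENGES = list(combinations(range(PIN_LEN), CHALLENGE_LEN))   # all 20 position triples
NINE_LOGINS = ALL_CHALLENGES[:9]                                     # nine recorded logins

if __name__ == "__main__":
    for label, chals in (("9 logins", NINE_LOGINS), ("20 logins", ALL_CHALLENGES)):
        for ascending in (True, False):
            _, cands = observe(PIN, chals, ascending)
            worst = max(len(answers_to_try(cands, ch)) for ch in ALL_CHALLENGES)
            print(f"{label}, ascending={ascending}: {len(cands)} candidate PINs, "
                  f"worst challenge needs {worst} attempts (lockout after 3)")
```

With the constructed nine challenges the ascending scheme leaves two candidates (only the order of the last two digits is still open), so any challenge is answered within two attempts; with all twenty it leaves one. Under random-order prompting the same captures leave all 720 permutations of the six digits, and a single challenge has 120 possible answers. The caveat a practitioner should note: PINs with repeated digits leave the ascending attacker somewhat more ambiguity than this distinct-digit PIN does, and none of this helps once the keylogger is replaced by malware that also reads the screen, which is the point several commenters make.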
  • by mrxak ( 727974 ) on Thursday August 10, 2006 @01:00PM (#15882207)
    But then doesn't this say that HSBC is more secure? It takes 9 log-ins while being keylogged instead of one.
  • by Opportunist ( 166417 ) on Thursday August 10, 2006 @01:06PM (#15882258)
    No matter what kind of security mechanism you have, the moment a keylogger is acting as a man in the middle, the security is flushed down the tubes (I bet someone will find a witty joke... I'm waiting).

    Banks here are using one time pads, quite sophisticated ones that are complicated enough to puzzle quite a few honest users simply wanting to use their online banking service. And that's still no increased security. As long as the MITM attack is possible, and that will be the case as long as there are not black box machines that can do NOTHING but actually communicate with the bank, without the possibility to install anything on them, this won't change. No matter what kind of security you implement.
  • by jakarta-milwaukee ( 984725 ) on Thursday August 10, 2006 @02:10PM (#15882947)
    Here in Indonesia, the largest bank (BCA) gives you a small gadget that generates a different password (8 digit IIRC) every time which you then enter into your web browser. The gadget is tied to your account only.

    I personally think it's a hassle, but it might work in this case.
