Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

HSBC Online Banking Security Flaw Analyzed

timothy posted more than 7 years ago | from the roight-guv'nor-jes-sign-roight-here dept.

178

greenechidna writes "The BBC is reporting that a vulnerability has been found in the online banking service of HSBC by researchers at Cardiff University. According to the story the attack would allow an attacker to log on to an account within 9 attempts. The attack relies on a keylogger being installed on the victim's machine. The article doesn't have any further technical details." David Nicholson adds links to coverage at CNN and at the Guardian, writing "The attack revolves around the order that customers are requested to enter random security numbers on the site. The main news stories fail to detail the vulnerability but I have provided an analysis of it here."

cancel ×

178 comments

Sorry! There are no comments related to the filter you selected.

Nine attempts? (5, Interesting)

Kerr (889580) | more than 7 years ago | (#15881343)

As a HSBC internet banking user, I can safely say you'd be locked out long before your ninth attempt, hell; four locked me out when I last forgot my IB code. Being locked out is something you can only fix by visiting your local branch and using your password to unlock the account again.
The number of attempts is not given, but the automatic lockout is at least covered at their security page [hsbc.com]
Sorry Cardiff University, no bank hax for you today.

Re:Nine attempts? (4, Informative)

BabyDave (575083) | more than 7 years ago | (#15881466)

I think it means that after the victim has had 9 successful logins, the h4x0r has enough info to successfully login themselves.

Re:Nine attempts? (4, Insightful)

SatanicPuppy (611928) | more than 7 years ago | (#15881654)

It relies on a fricking keylogger. If anything, this is a validation of two factor authentication...It'd be after one attempt with a regular password system.

Re:Nine attempts? (1)

6OOOOO (600000) | more than 7 years ago | (#15881488)

Nine attempts is not a minimum; in fact, according to the researchers, it's a maximum. Since keyloggers are involved, I would guess that in most cases the login/password can be determined in well under four attempts.

A lockout system is good policy, but I don't think it's going to be enough on its own to plug this hole.

Re:Nine attempts? (2, Informative)

baadger (764884) | more than 7 years ago | (#15882253)

The problem is the way the random digits from your security code are selected. I would guess that the digit indexes are indeed selected randomly and then sorted by their index for convenient input by the user, probably to lower tha number of mis-types (think of the user sliding their finger across some paper to mask digits as they go) and reduce call in's from user's who have been locked out. Whoever designed the system obviously missed the fact that this in sorting causes the user to unwittingly provide more clues to their security code via the keyboard.

It's a great hack, but has a trivial fix. It demonstates the convenience-security trade off well.

You're right of course that a larger data set means a much much higher certainty nd therefore fewer or no guesses needed on the attackers part.

Re:Nine attempts? (5, Informative)

LiquidCoooled (634315) | more than 7 years ago | (#15881489)

This is not a problem of trying 9 times to break in, this is a problem of somebody RECORDING whilst you enter your correct details into the account.

As you know, with HSBC, you are asked to specify 3 digits from your security key (which is 6-8 characters long)

This is fine and stops people shoulder surfing to get it once, but if someone keeps recording you they will have all they need.

I actually had more of a shock in the past when I managed to man in the middle the HSBC login, but after speaking to them (they called me back literally within seconds of me mailing them) it was cleared up and my worries were put to rest (there is a ~2 minute timeout where if you steal the cookies from someones machine who has logged in but not logged out where you can technically get at the information - this might have changed since, but it used to be the case)

Re:Nine attempts? (1)

badfish99 (826052) | more than 7 years ago | (#15881593)

If it takes up to 9 attempts to crack the system, then on average you're going to get in after 4 or 5. So all the criminals have to do is to attack more than one account: some will get locked out but they will be lucky almost 50% of the time.

Re:Nine attempts? (2, Insightful)

Malc (1751) | more than 7 years ago | (#15881627)

That IB code's stupid. I have to keep a copy around for copying and pasting. What's the point of making it so awkward? HSBC Canada just uses the last 10 digits of my bank card. Maybe I use it so much more than my HSBC UK IB number that I've managed to memorise it, but really it's no less secure in my case. At least I can call HSBC's telephone banking this side of the Atlantic when the account is locked out for web access.

I'd be interested to hear people's suggestions for a system that will remain secure when there's a keylogger on the client's system. It sounds like at that point they've lost control of their computer and they're pretty much screwed.

I have to admit that when travelling recently, I refused to use internet cafes for anything that involved my passwords. Fortunately I had me work laptop with me (great being able to work two weeks on the road, and have two weeks holiday on top of that too for a whole month overseas!). I took that to internet cafes when I needed to and did anything important over VPN & SSL (and tried not to think about possible man-in-the-middle exploits). This is a real problem.

Re:Nine attempts? (1, Informative)

Anonymous Coward | more than 7 years ago | (#15881683)

I'd be interested to hear people's suggestions for a system that will remain secure when there's a keylogger on the client's system. It sounds like at that point they've lost control of their computer and they're pretty much screwed.

An RSA SecurID or similar device could help. It would be nice if such devices didn't have to be separate hardware and were software that could run on people's cell phones.

Re:Nine attempts? (1)

Malc (1751) | more than 7 years ago | (#15881751)

So now you're telling me I have to carry something around (either software or hardware)? That's not very convenient (to the point of being useless to me making online banking not an option). And what happens when I lose it or it's stolen? The thing is a liability then.

Re:Nine attempts? (1)

shawb (16347) | more than 7 years ago | (#15882073)

The hardware device would probably be similar in form factor to a small USB thumb drive. Just keep it on your keychain. If the device is lost or stolen, you report it to the institute that you need to log in with and they cancel your old device and issue a new one. Hopefully this will be used in conjunction with a password, and possibly some biometric ID such as thumbprint for extremely sensitive information acess. Basically the device would encrypt any password given to the machine, probably in conjunction with username info and some other token given by the server. It will feel like using a physical key to a lock, but in all reality be less succeptible to a duplication attack. Again, if you lose the key, you would have to report it missing to whoever you log into, similar to how you have to cnacel credit cards/etc if you wallet is lost or stolen. And if you think you are the type of person who would be likely to forget or lose the key? Then it's not for you. If this key is necessary for security for a job that you want, then inability to keep track of the key would in all likelihood signify that you are not qualified for that sort of security clearance. And you are still free to carry around a standard credit card, check book, cash, gold dubloons or even poultry to barter if you don't want your financial information secured in this manner. For a lot of people, however, this level of security just makes sense.

And having the encryption as software, while helpfull to a small extent (makes extremely basic main in the middle attacks and basic line snooping a little more difficult, etc) it would not be any more secure than standard browser embedded encryption or whatnot... current state of the art, but the encryption would be easilly duplicated. If done in a hardware gadget, you could essentially utilize one-time pads which are decisively non-trivial to break.

Re:Nine attempts? (0)

Anonymous Coward | more than 7 years ago | (#15882226)

Actually, HSBC has already take use of the security device [hsbc.com.hk] in some areas like Hong Kong.

Re:Nine attempts? (2, Informative)

vhogemann (797994) | more than 7 years ago | (#15882363)

I have an account at this Brazilian bank called Itau, they have a pretty smart way to avoid keyloggers.

When you login on the website, you're propted with a DHTML panel, with five buttons like this:

[3 5] [9 6] [0 1] [2 7] [4 8]

And then you have to type your password using the mouse, so if your password is 12345 you'll have to enter the 3rd, 4th, 1st, 5th and 1st buttons. Each time you enter the site they present the numbers at a different order, so hackers can't use a mouse-logger either.

Pretty smart, works on Firefox and Linux, and don't require any special devices.

Re:Nine attempts? (0)

Anonymous Coward | more than 7 years ago | (#15881787)

I've been an HSBC customer since May, I thought about this within about 2 weeks of being a customer.

It requires three things to log in to your account

Internet Banking code
Date of Birth
3 digits from your security code

IIRC the conditions, your security code is a number between 6 and 10 digits long.

Each time you log in it asks, please enter the first, third and fifth digits of your password. If your login attempt is unsuccessful, it asks for the same 3 digits next time and presumably locks you out after x attempts.

However... if your login is successful, next login you will be asked for 3 digits, but not the exact same 3 as the previous login - the idea being that even if someone sees you logon in plain sight the same values next login won't work. I assume from the archive that they take advantage of the downside of this theory whereby after x successful logins, every digit of your security code is known.

This would require not only a keylogger, but something logging which digits the site is asking for (and its https so not just a sniffing traffic) and a user has to log in 9 times succesfully from that terminal. If the user logs in once from a different computer, it could take another 9 times before the security code is known since the requests must cycle.

I think HSBC security is reasonable compared to the banking practises in new zealand that I am used to (login/password only).

Re:Nine attempts? (1)

TMacPhail (519256) | more than 7 years ago | (#15881928)

Well I'm glad that there is a lock out security measure. When I saw this new system implemented I immediately could see that it was mathematicaly easier to brute force it by about 6 orders of magnitude. This is discounting the personal identification question which I figured could be obtained by some social engineering or dumpster diving.

a better way (0)

Anonymous Coward | more than 7 years ago | (#15881381)

Lloyds TSB use drop down menus to bypass keyloggers.

Natwest is probably also vulnerable to the same 'attack' that this article mentions that HSBC are vulnerable to.

Re:a better way (1)

caluml (551744) | more than 7 years ago | (#15881412)

Lloyds TSB use drop down menus to bypass keyloggers.

Yeah, it's not a bad solution to the problem, I think. It also asks for the same set of characters until you get it right, so even if you only knew the first half of the secret word, you couldn't keep refreshing until it asked for chars 1, 2 and 3.

Re:a better way (1)

Macthorpe (960048) | more than 7 years ago | (#15881607)

To be fair, HSBC do the same.

If you can't put in the characters requested the first time, it will continue to request those characters until you successfully log in.

The issue is definitely with keyloggers, but one has to wonder if this is something that HSBC can actually be blamed for, or the person who doesn't run a firewall and anti-virus while connected directly to the net, like a lot of people in the UK are.

Re:a better way (0)

Anonymous Coward | more than 7 years ago | (#15882326)

The treasury department use HSBC online banking several times a day. You have to enter a password, and then use a 'virtual keyboard' to enter certain digits of a memorable word.

Why pick on HSBC? (4, Insightful)

Anonymous Coward | more than 7 years ago | (#15881391)

So IF my computer has a keylogger and IF my logins are recorded as few as 9 times, THEN the dishonest individual has my security code and can access my account. Whereas, at another bank which asks for a username and passcode, the dishonest individual with the keylogger only needs me to log in ONCE to have the run of my account. So why is this news?

Re:Why pick on HSBC? (2, Insightful)

badfish99 (826052) | more than 7 years ago | (#15881670)

It's news because some people might have thought that this bank has better security than one which only asks for username and password.If you're choosing an online bank, it is important to know which ones are secure and which are not.

Re:Why pick on HSBC? (2, Insightful)

mrxak (727974) | more than 7 years ago | (#15882207)

But then doesn't this say that HSBC is more secure? It takes 9 log-ins while being keylogged instead of one.

uhhh... (5, Insightful)

nFriedly (628261) | more than 7 years ago | (#15881402)

The attack relies on a keylogger being installed on the victim's machine.
Uhm.. yea. That attack will get you into about any bank website.. ever.

Re:uhhh... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#15881983)

Not quite. My bank (Caixa Geral de Depósitos, a Portuguese bank) uses a system where you click a virtual numpad with your mouse to enter the digits (and the position of each digit is random).

No way a keylogger will work there, something much more sophisticated, like a virtual screen connection.

Keylogger required (5, Insightful)

aminal (122974) | more than 7 years ago | (#15881404)

So if i have a keylogger on my machine and i log into my online bank, it will log the details i put in and comprimise my online banking?

no shit sherlock.

In other news.. (0)

Rob T Firefly (844560) | more than 7 years ago | (#15881452)

..it turns out people who watch you type in your password can then use your password.

O RLY?

YA RLY!

Re:In other news.. (1)

Billosaur (927319) | more than 7 years ago | (#15881523)

..it turns out people who watch you type in your password can then use your password.

Especially if you use the time-honored method of hunt-and-peck typing.

Re:Keylogger required (1)

LiquidCoooled (634315) | more than 7 years ago | (#15881510)

Actually, just logging one session isn't enough to get into HSBC, they only ask for a part of your special key.

Please enter the 1st, 4th and last digits of your Slashdot ID to login to the system:

Re:Keylogger required (4, Insightful)

z0idberg (888892) | more than 7 years ago | (#15881713)

The point isn't that a keylogger can capture your password. It's that they have tryed to implement a method of entering your 6 digit pin in a way that would stop a keylogger from revealing it, but the way they have done it actually allows a keylogger to figure it after relatively few times of logging in, hence creating a false sense of security.

The PIN is 6 digits, they ask for three of these six digits at any one login (e.g. type the 1st, 3rd and 4th digits of your pin). Because they always ask in ascending order (i.e. never 4th, 2nd and 1st) then after 9 login events the keylogger can figure out the number. All they had to do (and all they have to do now) is ask for the digits in any order and this problem goes away. The keylogger would eventually know which numbers are in your 6 digit pin but never what order, and as there is a 3 (or 4 ?) tries lockout then they wont be able to get in unless they are very lucky guessers.

I have HSBC internet banking and it never actually dawned on me how obvious this problem is, I don't think I ever noticed that they only ever ask in ascending order, but thats the beauty of it I guess.

Re:Keylogger required (1)

philipmather (864521) | more than 7 years ago | (#15882223)

WRONG! My PIN is longer than 6 digits. I'm not sure what the max is tho', 6 probably comes from people using either their phone number or their DOB.

Re:Keylogger required (1)

z0idberg (888892) | more than 7 years ago | (#15882337)

Are you sure you are talking about your internet banking PIN? This is not the same as the PIN you enter to withdraw money or make a purchase with your card.......

The internet banking PIN (or security number or whatever you want to call it) is no less and no more than 6 numbers.

Re:Keylogger required (0, Troll)

uglydog (944971) | more than 7 years ago | (#15881977)

Fuck you, Watson!

The majority of online systems (4, Insightful)

Timesprout (579035) | more than 7 years ago | (#15881408)

will be 'flawed' if you get a keylogger on my pc since the majority rely on me supposedly knowing something you dont, until the logger records it for you that is.

Re:The majority of online systems (1)

Red Flayer (890720) | more than 7 years ago | (#15881590)

A Solution [safeword.com]

I use one of these to access my bank's website for online banking, any security experts out there know if these are spoofable?

In order to hack my account, they'd need both a keylogger (I work in an office, so not too hard to install) and the physical "token ring" (as my bank likes to call them -- though it's not a ring, but a keychain). Good luck getting my keychain without me noticing.

Re:The majority of online systems (4, Funny)

Rob T Firefly (844560) | more than 7 years ago | (#15881633)

Safe words, rings, and chains.. is this HSBC or S&M?

A token ring? (0)

Anonymous Coward | more than 7 years ago | (#15881976)

So the people using Ethernet can't bank online with your bank? It seems strange to lock out 99% of the population that way.

Re:A token ring? (1)

Red Flayer (890720) | more than 7 years ago | (#15882054)

That's why I put the "token ring" in quotes -- because it's clearly not what you or I would consider to be a token ring.

Re:A token ring? (0)

Anonymous Coward | more than 7 years ago | (#15882347)

Not at all. Our token ring network talks to our ethernet network through a router without any problem.

Yes, I know you were trying to be cute. You failed...

Re:The majority of online systems (0)

Anonymous Coward | more than 7 years ago | (#15881833)

Actually, HSBC requires its users to use a graphical keyboard to enter a separate password in order to transfer money outside of one of your own accounts.

Although it's still spoofable, it would take a lot more effort than a simple keylogger to do so.

Keylogger? (3, Insightful)

Petskull (650178) | more than 7 years ago | (#15881411)

[quote]The attack relies on a keylogger being installed on the victim's machine.[/quote]

Isn't this a vulnerability in *any* user/pass interface on any computer in the world?

Avoiding keyloggers (0)

Anonymous Coward | more than 7 years ago | (#15881417)

My old bank in Australia rolled out an Internet Banking app quite early in comparison to other banks. They actually made you download & install a Java app, which amongst other things provided a little "pop-up window" that would launch when you tried to log on to your account. The window had the image of a regular keyboard, and you'd have to click on each key with your mouse to enter the appropriate letter/number/symbol.

It worked well, but eventually when they re-wrote their banking system the did away with the Java app & the popup window, and went to just regular HTTP+SSL. So you were back to typing in your credentials, and back to being vulnerable from keyloggers.

Ha ha! (0)

Anonymous Coward | more than 7 years ago | (#15881423)

That's what they get for using Rails!

security through obscurity? (2, Insightful)

6OOOOO (600000) | more than 7 years ago | (#15881439)

A spokesperson for HSBC is quoted in the article as having said:

"The reality is that it would be more profitable for that fraudster to concentrate his or her efforts elsewhere."

A single compromised user could mean a payoff of tens of thousands of dollars for a determined "fraudster." Particularly if that fraudster resides in a third-world country, that could be enough to live for years. Moreover, having to concentrate efforts on only one attack minimizes a fraudster's exposure to risk--a single instance is much harder to identify than a systematic effort.

No, HSBC, this is a problem. With the prevalence of malicious software on today's internet, keyloggers are a very real threat. Alternative systems can eliminate this vulnerability. Use them.

Re:security through obscurity? (1)

Erectile Dysfunction (994340) | more than 7 years ago | (#15881592)

With the prevalence of malicious software on the Internet, Internet banking is inherently threatened by the limited ability for the system to secure itself from interception of various forms. Especially on Windows where the typical user still makes use of global administrator privileges for conducting day-to-day activities it is possible to modify JVMs, Flash plug-ins, JavaScript interpreters, system libraries, and web clients. It is possible to record every form of input as well as the display output of interfaces with online banking, without even having to bother doing the same to other tasks. HSBC has a difficult job well beyond simple key loggers for preventing compromised computers from betraying information to would-be thieves.

Re:security through obscurity? (2, Insightful)

rainman_bc (735332) | more than 7 years ago | (#15881621)

No, HSBC, this is a problem.

Since when are banks required to protect themselves against people who have keyloggers on their computers? Not really much one can do IMHO if there's a keylogger present...

I guess the only way around it is to have a pin pad and use the mouse to enter in your pin code as well as your pass code.

W00t. Three tiered logins. Fun stuff.

Re:security through obscurity? (1)

6OOOOO (600000) | more than 7 years ago | (#15881765)

You're right, of course, that the presence of a keylogger implies that the login environment is completely and utterly not to be trusted.

Still, it seems to me that a bank ought to offer a variety of security measures (perhaps only as options for its more paranoid users), as while a keylogger might come as a payload in a worm, an all around monitoring system for your mouse and keyboard, which also analyzes all images on the screen for captcha challenges and attempts to decipher them, well, that seems less likely to me.

Re:security through obscurity? (1)

EvilIdler (21087) | more than 7 years ago | (#15881972)

Banks would need to protect themselves against this sort of thing,
because any sudden transfers away for a customer's account would
lead to them having a stern word with their bank. An investigation could
also show the huge transfer to have happened while logged in from an
IP address elsewhere in the world (unless the keylogger also contains
a proxy, of course).

Some banks (like mine) might have "stupidity insurance", like Visa,
where they cover losses up to a certain amount.

A while ago, I discovered my bank's ridiculously bloated Java login
didn't actually care what password I typed. The webmonkey at their end
took it very seriously, and things were promptly fixed. If your bank
doesn't care enough about security, change!

Re:security through obscurity? (1)

DragonWriter (970822) | more than 7 years ago | (#15882172)

Since when are banks required to protect themselves against people who have keyloggers on their computers?
Its not a requirement, but it is a competitive advantage. The combination of convenience and security is a key selling feature for banking services. And as other people have pointed out, its actually quite possible to frustrate a keylogger by a method similar to what HSBC uses, only adding in permutations. Of course, if they had a way of reading your screen and associating the results with a keylogger, its a bit harder to frustrate.

Not surprised they are clueless (1)

wowbagger (69688) | more than 7 years ago | (#15881445)

I am not surprised they are this clueless - they also bounce spams to the nominal "From" address after accepting the message - so if a spammer forges a "From: joe@example.com", guess where they send the spam bounce message to?

I've repeatedly tried to contact them to tell them to stop that, but they continue. If they cannot clear up a simple problem like this when they are told about it, do you really expect them to correct a DESIGN FLAW like TFA quickly?

Re:Not surprised they are clueless (0)

Anonymous Coward | more than 7 years ago | (#15881635)

Either that, or you should stop sending so much spam.

Re:Not surprised they are clueless (1)

Malc (1751) | more than 7 years ago | (#15881710)

What are you whittering on about? I can also forge the from field in the message envelope. Perhaps they shouldn't bounce any messages. Most popular MUA's have been setting both the envelope and header from fields to the same value for years... I remember people complaining about Netscape doing that last decade. If you want to bounce messages, you have to assume one of them is correct. So pick one - makes sense to me to pick the one that people generally see in the UI (header from field).

What, they can't type? (1, Funny)

mcrbids (148650) | more than 7 years ago | (#15881458)

Ok, so we have a keylogger on the victim's machine, ostensibly to lift the login name and password. Then, we have an "attacker" who tries 9 times to type it in?

Is it just me, or are we dealing with a fundamentally stupid attacker?

If I use a keylogger to lift a login/pw, it shouldn't take more than 3 or 4 attempts to get it right.... perhaps I'm just a smarter attacker than most?

Re:What, they can't type? (1)

6OOOOO (600000) | more than 7 years ago | (#15881514)

True, and it probably doesn't take more than 3 or 4 most times. Then again, we might be talking about an automated attacker (TFA wasn't clear on this point), in which case, yeah, a stupid one.

Re:What, they can't type? (1)

Timesprout (579035) | more than 7 years ago | (#15881533)

the password is a supposed to be a completion of 'random' number which is not all that random and can be guessed withing 9 attempts.

Re:What, they can't type? (1)

merryberry (974454) | more than 7 years ago | (#15881535)

What I think this is referring to, and I am not sure, is that when you log into banking sites these days they will normally have an additional password, and will make you type in certain characters of the password, in different sequences each time you log in. E.g. it will prompt you to type in character 4, 3 & 5 of your additional password, and then randomise that sequence again for the next time you log in. My assumption is that what these security guys found is that in 9 attempts it is possible to reconstruct this additional password. However calling a user with a malicious key logger on his/her system a banking security vulnerability seems totally ridiculous, there must be more to it than that.

Re:What, they can't type? (2)

neonprimetime (528653) | more than 7 years ago | (#15881551)

This isn't a security flaw. If you have a key logger, you have everything for any bank site, or any other site for that matter. I wonder who disclosed this? Perhaps a competitor? Cause it's the stupidest thing I've ever heard.

Re:What, they can't type? (2, Insightful)

slashkitty (21637) | more than 7 years ago | (#15881596)

HSBC had a virtual keyboard feature. A keylogger would not work with that. You use the mouse to enter letters on it. Maybe the virtual keyboard only has 9 positions, and maybe they are recording mouse movements?

Re:What, they can't type? (1)

neonprimetime (528653) | more than 7 years ago | (#15881693)

HSBC had a virtual keyboard feature. A keylogger would not work with that. You use the mouse to enter letters on it. Maybe the virtual keyboard only has 9 positions, and maybe they are recording mouse movements?

Gotcha. Well that makes it a heck of a lot more interesting. Does it say that in the article? Huh. Is it an optional feature, or are you required to use it?

Re:What, they can't type? (1)

nine-times (778537) | more than 7 years ago | (#15882274)

HSBC has two points of authentication. The first is a normal username/password which allows you to view your accounts. The second requires typing a password on a virtual keyboard before you can do anything with your money. Online bill-pay, bank transfers, etc. are all behind this second password.

When I saw it, I immediately started thinking about how you could narrow the possibilities if you could record mouse movements. However, that still requires that you can get past the first login as well as record the user's mouse movements. It's not perfect, but it's better than a lot of online banking security.

Re:What, they can't type? (0)

Anonymous Coward | more than 7 years ago | (#15881584)

Did you not read the article? The security code is something like 10 digits long, each time you log on though it only asks you for a portion of the code, and a different portion each time. The "problem" though seems to be that it always asks them in the correct order, thus leading to less permutations needed to crack it.

More interesting than serious, mainly because HSBC has been touting their system as more secure (and honestly it still is) but it still is not unbreakable

But honestly any system that is so compromised to have a keylogger installed is generally done for anyway

Re:What, they can't type? (1)

BlueStraggler (765543) | more than 7 years ago | (#15881647)

HSBC uses a double-password system, but only prompts for random characters from the second password. This makes it "impossible" for a keylogger to grab your complete password. I assume that the security flaw is that your complete password can be inferred after 9 logins.

So what's the best real solution to the problem? (3, Interesting)

mcrbids (148650) | more than 7 years ago | (#15881511)

Ok, so I replied with a joke a few minutes ago... but I think this warrants more intelligent discussion.

As a vendor of a web-based, access-restricted product, keyloggers are a real issue. I've been considering setting up client-side SSL certificates in order to restrict access to only machines that have been "set up" in order to deal with the problem of keyloggers. Are there better solutions?

Does this bank have something that's: A) Easy to use, B) doesn't require painful machine-by-machine setup, and C) significantly improves security?

If so, I just might be interested!

Re:So what's the best real solution to the problem (2, Interesting)

z0idberg (888892) | more than 7 years ago | (#15881625)

My ingdirect.com.au savings account has a login method that would stop any keyloggers.

You type in your account id (keylogger can pick this up obviously), then you are presented with an on screen keypad where you enter your pin number with the mouse. 4 digit pin number ( easy to remember), the numbers are in a different location on the on screen keypad every time. The only way any spyware can capture this would be with screen captures on every mouse click. I am not sure there are many spywares that go to these lengths.

Re:So what's the best real solution to the problem (0)

Anonymous Coward | more than 7 years ago | (#15881723)

Well, you could also use a two-factor authentication system such as RSA SecurID. Many banks are beginning to offer this type of technology as an option.

Re:So what's the best real solution to the problem (2, Interesting)

doormat (63648) | more than 7 years ago | (#15881685)

The only good way to beat keyloggers is some sort of per-machine file. One of the best things I've seen is where you have to pick a certain file off your computer and upload it every time you log in (e.g. a picture of your kids) in addition to a password. So even having the PW is useless without this extra file. This does require some setup - during account establishment the user has to go and select this file (and make sure its on read-only so no one can edit it and destroy account access).

Thats the best means I've seen so far to protect against keyloggers.

Re:So what's the best real solution to the problem (1)

EvilIdler (21087) | more than 7 years ago | (#15882030)

The "extra file" could also be an external device where you type in a PIN
or insert your card to get a number required to enter (I have both, and
the old PIN 'calculator' is still valid). This number is generated from a
seed only your device and your bank has, and is valid for about a minute.
A crook would have to be real fast to use a logged passnumber.

Re:So what's the best real solution to the problem (1)

partenon (749418) | more than 7 years ago | (#15881984)

I don't know it works for USA banks, but here in Brazil we have some solutions, that solves (at least) the keylogger problem:

1) Some banks uses a Java Applet (http://www.bb.com.br), forcing the users to use the mouse to enter the "internet banking password" (generally, just numbers) . Of course, the position of the numbers are random, so, grabbing the mouse path isn't enough.

2) Other banks (http://www.citibank.com.br) uses the simplest and oldest "encryption" solution, but with a special component ;-) A table with two rows: the first one with 0-9 numbers and the second with 10 random letters. To access the internet banking, you need to type (in your keyboard) the letters.

3) Even other banks (http://www.itau.com.br) uses a variation of the first: after entering your branch (agency?) number/account number, your first name appears and you enter your password by clicking in the numbers, that are grouped in 2 numbers per button.

Also, some banks uses alternative methods in certain critic operations, like money transfers. Some banks provides you with a "security card", containing about 60 numbers. For each session in the internet banking, before the first "critical" operation, they ask you for the, say, number 26. You, of course, knows this number only if you have one security card. Other banks uses a "computer identification" (I didn't even tried to figure out how), but they provide one 4-number code for each computer you are using. So, if you just bought a new desktop, you need to log in the internet banking, get that number, call the bank-phone (or use an ATM) and inform the number you received in the internet banking. Then, you can use your internet banking from your new desktop :-) This approach have some problems, but it is fully understandable: its *my* money :-)

Re:So what's the best real solution to the problem (1)

photon87 (677697) | more than 7 years ago | (#15882010)

There are a few alternatives. One is to hand a one-time password generator. Ironic is that HSBC in Korea did use one time password before they're forced by the Korean banking regulation agency to switch to an ActiveX based solution that encrypts the traffic with SEED (a Korean encryption algorithm) and takes care of personal certificate-based authentication and signing. Due to its reliance on ActiveX controls (instead of more platform/browser independent solutions like Java signed applets, we need to use MS IE on Windows to do on-line banking. Linux, Mac and firefox/opera users tried to change this situation, but so far we haven't been successful. Another is to make mandatory the use of a smartcard with a personal certificate. Unless a smartcard is stolen, a keylogger couldn't do any harm.

Re:So what's the best real solution to the problem (1)

wtansill (576643) | more than 7 years ago | (#15882143)

As a vendor of a web-based, access-restricted product, keyloggers are a real issue. I've been considering setting up client-side SSL certificates in order to restrict access to only machines that have been "set up" in order to deal with the problem of keyloggers. Are there better solutions?
I don't know if there are better solutions, but please don't rely on two-factor ID. There are at least two downsides there:
  1. If you have multiple accounts at various institutions, you wind up having a half-dozen or more of the silly security tokens. This quickly confuses and annoys the customer.
  2. Two-factor ID does nothing to prevent man-in-the-middle attacks. There was an article recently (not here) that described that very type of attack

How to trick key loggers (3, Funny)

Rik Sweeney (471717) | more than 7 years ago | (#15881519)

I'm quite worried about key loggers so I always enter my password incorrectly the first two times and then input it successfully the final time. This ensures that my password is as secure as possible.

More so if I screw up the last attempt and have to request a new password.

Another simple solution is to keep your password in a text file and copy / paste it in.

Or your password could just be ******* that would work a treat...

Re:How to trick key loggers (1)

91degrees (207121) | more than 7 years ago | (#15881628)

Or why not open notepad. Type a letter. Every so often you click onto the browser to add a couple of letters of username and password. Should be difficult to get your username or password using a keyogger.

Re:How to trick key loggers (1)

merryberry (974454) | more than 7 years ago | (#15881661)

Keeping passwords in text files seems like a bad idea. If you want to keep passwords safe on a networked machine you should be using something like http://keepass.sourceforge.net/ [sourceforge.net] . Additionally if you are worried about key loggers never type in your password even after failed attempts, just copy and paste the letters of your password into the password field (getting the letters from a web page, or typing out the alphabet and numbers 0 to 9, etc...); this is the only way to be sure that your password will never show up on the keyboard logger.

Re:How to trick key loggers (1)

Volante3192 (953645) | more than 7 years ago | (#15881749)

On a windows system, character map would work wonders for this.

Heck, I've used character map before when my keyboard died and i didn't have an immediate replacement.

No surprise it's HSBC (0, Troll)

Billosaur (927319) | more than 7 years ago | (#15881597)

My wife is a former customer of HSBC, because they were nothing but a pain. She had put some money in a savings account with them and sent her an ATM card which she destroyed, not wanting to be tempted to withdraw the money at any time. They claim to have sent her a pin for her online banking account, but she never received it, and when she called them up to try and get it reset so she could log in, they refused, even though she could provide them with all the relevant identification information. This went on and on until finally she told them to simply cancel the account, which they stated they could do, but they could not simply transfer the money back to the account from which they'd originally taken it, and would instead send her a check.

Their customer sevice stinks, so why should their tech be any different?

Re:No surprise it's HSBC (1)

Malc (1751) | more than 7 years ago | (#15881729)

Their customer service is excellent in Canada. I've had them call me to tell me that a cheque is about to send the account overdrawn, and thus give me a chance to transfer funds in to it. Maybe this is because they're number 5 or 6 here, a long way behind the main Canadian banks.

Re:No surprise it's HSBC (0)

Anonymous Coward | more than 7 years ago | (#15881913)

Sounds like Emigrant Bank (http://emigrantdirect.com/). In the past 10 months I've had an account there, I've only been able to login to their web site twice out of hundreds of attempts. They've already invalidated all of their user accounts twice. The only reason I can think that they would do that was because they were compromised twice. Since June they're now playing the "we mailed you a pin" game that you described. Of course they haven't. It would be easier for them to just admit they're so incompetent that their web site has been down for two months and counting. I'd appreciate the honesty, especially from a bank.

The bigger problem is that I have no proof of the money I have in their account. They didn't even send-out a 1099 (US-required tax paperwork that shows interest earned so the IRS knows you need to pay taxes on it) for last year. During the many times I called them, not once did I find someone that even knew what a 1099 was. I have never dealt with bank employees that are so incompetent. About a month ago when I got paranoid about the fact that I have nothing in writing from them showing what I have in the account, they refused to transfer the money back into my checking account as you said HSBC did also refused. Unlike HSBC, they also refused to mail a check. I'm buying a house next week so I *really* need the money to help with the downpayment. I guess it's time to hire a lawyer to get my own money back.

Re:No surprise it's HSBC (1)

AtomicBomb (173897) | more than 7 years ago | (#15882006)

I came to England last year and is living in a 250,000 medium city. I was shocked with HSBC front line staff... Once upon a time, I checked my HSBC online account and noticed I had to talked to the bank staff directly in order to enable some service.

I went to one of the local branch next day and talked to the teller. She had not heard about that. Well, this is still forgivable. No one expects them to know every single product. Then, it came to the shocking bit. She yelled from the counter, asked if anyone knew anything about internet banking. The bank manager replied "Not a clue, I don't even have an internet account". Oh come on, it was 2005. Is it really that hard to organise some sort of internal staff training?

Re:No surprise it's HSBC (1)

Chosen Reject (842143) | more than 7 years ago | (#15882027)

Their customer sevice stinks, so why should their tech be any different?

I have never had any dealings with HSBC, nor do I know anything about their customer service. But I can take a wild guess as to how their tech could be different than their customer service. Maybe, just maybe, those are two different departments. Perhaps those two different departments are not staffed by the same people. And perhaps, even if they are the same people, some people are really good at one thing (tech for instance) and not so good at another (people pleasing) perhaps.

Re:No surprise it's HSBC (1)

Billosaur (927319) | more than 7 years ago | (#15882385)

I have never had any dealings with HSBC, nor do I know anything about their customer service. But I can take a wild guess as to how their tech could be different than their customer service. Maybe, just maybe, those are two different departments. Perhaps those two different departments are not staffed by the same people. And perhaps, even if they are the same people, some people are really good at one thing (tech for instance) and not so good at another (people pleasing) perhaps.

And perhaps the organization as a whole is lousy at hiring people, even if they do work in different departments. Organizations tend to take on the character of their leadership -- in this case, clueless.

No flaw here. (1)

insomniac8400 (590226) | more than 7 years ago | (#15881614)

If you have a keylogger on your computer, you've got bigger issues. Odds are they got all your info when you signed up for the bank.

Fud... or at least, way overhyped (3, Informative)

deego (587575) | more than 7 years ago | (#15881649)

I am a hsbc customer, and it requires an extra login with a new password for "risky stuff" such as online bank transfer. This one needs you to type in a different password on a virtual keyboard via mouse clicks.

This is the one researchers have probably defeated, that too when they have a keylogger installed on *my* computer.

Re:Fud... or at least, way overhyped (1)

Wierdy1024 (902573) | more than 7 years ago | (#15881763)

Maybe HSBC UK is different - but I don't see any of that here All I have to evter to do anything is: Internet bank ID Date of birth 3 random digits of my 6 digit passcode

Re:Fud... or at least, way overhyped (1)

nine-times (778537) | more than 7 years ago | (#15881969)

Isn't a "keylogger" for a keyboard? Wouldn't you need, like, a "mouselogger"?

umm, why has nobody asked yet... (0)

Anonymous Coward | more than 7 years ago | (#15881656)

first I have an HSBC credit card, but not a bank account. I do use the online services for it. I've gotten passwords mixed up before and tried probably about 12 attempts before it DID work, and let me in.

Secondly, why the hell does it take you nine attempts if you have a keylogger installed???

In other news.... (1)

telchine (719345) | more than 7 years ago | (#15881691)

"The attack relies on a keylogger being installed on the victim's machine." In other news... "Burglar breaks in to house with key"

What are they logging into? (0)

Anonymous Coward | more than 7 years ago | (#15881719)

When I log into HSBC online banking, I only provide a username and then a password. No DOB, no SSN. What exactly is flawed?

A similar problem exists in meatspace (4, Interesting)

Bigboote66 (166717) | more than 7 years ago | (#15881766)

In the U.S., most places have taken to just displaying the last 4 digits of your credit card number on the receipts they give back to you. However, on a recent trip to Europe (Finland & Russia, actually), I noticed that the receipts there seem to favor a scheme where a random set of digits appear each time (e.g. XXXX-XXX1-234X-XXXX). If you're like me, you often accumulate a bunch of these receipts in your pockets as you travel; some people may just dump the days wad of receipts in a trash can. A fortunate dumpster diver may stumble onto a wad of receipts that allow him to reconstruct the credit card number. I'm not sure why the people that implemented that latter scheme thought it was preferable.

-BbT

Re:A similar problem exists in meatspace (1)

Red Flayer (890720) | more than 7 years ago | (#15881809)

Ever notice that a lot of the time, those four digits are reordered?

That said, I suppose if someone had enough receipts of yours, they could get the full account number -- which is why a paper shredder is no longer an office-only appliance.

US System is Different (1)

Spudnuts (21990) | more than 7 years ago | (#15881828)

As a US HSBC customer, the security that I see is different than the article describes.

The login process is fairly typical (username, password only), but in mid-July 2006, they changed the process so that they are entered on separate pages. I do not understand how this improves security, because the username is echoed back on the password-entry page. There are no additional interactive anti-replay attack features--the username/password form seems to have been simply split to two pages.

The biggest security feature that I have casually identified is that on the Online Bill Payment page, it is necessary to do a second authentication using a Java-based on-screen keyboard (which must be clicked with a mouse). This avoids a simple keystroke logger but is not beyond other attacks (for instance, it would be somewhat easier to shoulder-surf).

HSBC Security Flaw, 1 login attempt (2, Funny)

neonprimetime (528653) | more than 7 years ago | (#15881883)

This just in...
Another HSBC Security Flaw has been found. If you are logging into your account, and somebody is looking over your shoulder while you're doing it, odds are they can determine your username & password after only 1 successful login attempt.

Why passwords? (1)

human spam filter (994463) | more than 7 years ago | (#15881900)

I have wondered before why U.S. banks use weak security measures, such as password authentication, for online banking. When I opened an account, the clerk at the bank even wrote down my password and told me to change it when I log on the first time.. My bank in Switzerland uses a smart card for authentication. When you open an account the give you a card reader and a smart card. When you want to log on, you have to type in your account ID (something like 10 digits) and they show you a 8-digit number, you then insert the card into the reader an enter you password (in the card reader). After this you enter the 8-digit number in the reader, it then calculates another number which is used for authentication. For a more detailed description, see http://www.xiring.com/xiring-banking/pdf/Case_stud y_UBS.pdf [xiring.com] I think this system is far superior to password based authentication, because only my smart card can generate a number for authentication and the smart card permanently locks down if you enter the wrong password for three times. So, are there any banks in the U.S which use a similar system and if not, why?

Re:Why passwords? (1)

MrSquirrel (976630) | more than 7 years ago | (#15882106)

It's all embedded in American corporate beureaucratics.
Supplying a card and reader to people (as well as providing tech supports for the complete idiots who would probably try to stick their "smart" card in a "stupid" place) would cost a lot of money.
Having a simple password is cheap -- even if the customers get cleaned out, at least the banks saved a couple bucks.

How to fix this (2, Interesting)

Bryansix (761547) | more than 7 years ago | (#15881940)

Keyloggers would defeat the security at most online banking websites. I know it would defeat www.wamu.com which uses only a username and password. And yes, HSBC has taken better measures on some of their websites but this still does not protect against keyloggers.

So who should we look to for an answer? ING Direct [ingdirect.com] ! They use a two step process to log in. The first is a non-descript customer number. This step would be defeated by a keylogger or if someone had some mail stolen. Step two is to ask you to answer a pair of personal questions only you know the answer to. Still this could be defeated by a keylogger. The third step is pure genius though. First of all the page displays an image and phrase that you pre-selected. While a keylogger might pick up this phrease during account setup it would not pick up the image. If the image is not present, you are instructed not to enter your PIN number. Then the entering of the PIN number is via a keypad that you click with your mouse. Each number corresponds to a random letter that changes everytime you log in. If you choose you can type in the letter that corresponds to each number for that log in. In this case the data a keylogger might capture would be useless. This is the best security feature on the website and ensures almost nobody except the account owner can ever log in. Of course if the PIN is compromised then the whole system breaks down but a smart user will never have a compromised PIN.

In other news... (1)

Other Than That... (824148) | more than 7 years ago | (#15881943)

Researchers at WeAreARealSchoolHonest University have discovered a method to unlock any combination lock within 12 attempts, the potential thief needs only to have a 24/7 video camera pointed at the lock in question....

The Grand Solution (1)

Frightening (976489) | more than 7 years ago | (#15882024)

1) Make sure computer doesn't have keylogger/trojan/spyware/windows on it

2) Do life-endangering work (i.e log into account with life savings in it)

3) Logout

4) Beer

After RTFA (1)

Frightening (976489) | more than 7 years ago | (#15882171)

The link to the blog is useful. It turns out the fact that the ordering of requested digits is ..ordered (i.e digits 1 3 8, or 3 4 6, but never 8 5 2) for apparently user-friendliness reasons.

Nothing serious though, the keylogger is far more unsettling. If someone has your machine pwned like that, an online account login is only one of your worries, and they are many.

Wierd... (2, Funny)

Random Utinni (208410) | more than 7 years ago | (#15882097)

Anyone else see the irony in the following ads Google inserted following this story?

HSBCDirect Online Savings
Earn 5.05% APY* at HSBC! You Don't Need to Switch Banks
HSBCdirect.com

HSBC Safe Online Banking
Free Digital Security Code Device with all HSBC Account. Get it Now!
www.hsbc.co.in


Google's out to hijack my machine! ; )

Emigrant Direct has a similar issue (1)

pen (7191) | more than 7 years ago | (#15882139)

Emigrant Direct recently implemented a two-step logon process, where you first supply your username, followed by your password and answeres to two random security questions. Unfortunately, you're supposed to type the two answers into regular textboxes instead of masked password boxes, exposing your information to any shoulder surfers.

The moment a keylogger is in your system, you lost (2, Insightful)

Opportunist (166417) | more than 7 years ago | (#15882258)

No matter what kind of security mechanism you have, the moment a keylogger is acting as a man in the middle, the security is flushed down the tubes (I bet someone will find a witty joke... I'm waiting).

Banks here are using one time pads, quite sophisticated ones that are complicated enough to puzzle quite a few of honest users simply wanting to use their online banking service. And that's still no increased security. As long as the midm attack is possible, and that will be the case as long as there are not black box machines that can do NOTHING but actually communicate with the bank, without the possibility to install anything on them, this won't change. No matter what kind of security you implement.

Separate OS installation for online banking (0)

Anonymous Coward | more than 7 years ago | (#15882269)

I use Windows at home, but I've been planning for install a very basic 'alternative' OS on another partition, and use that for all my online banking and nothing else.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>