HSBC Online Banking Security Flaw Analyzed 178
greenechidna writes "The BBC is reporting that a vulnerability has been found in the online banking service of HSBC by researchers at Cardiff University. According to the story the attack would allow an attacker to log on to an account within 9 attempts. The attack relies on a keylogger being installed on the victim's machine. The article doesn't have any further technical details."
David Nicholson adds links to coverage at CNN and at the Guardian, writing
"The attack revolves around the order that customers are requested to enter random security numbers on the site. The main news stories fail to detail the vulnerability but I have provided an analysis of it here."
Nine attempts? (Score:5, Interesting)
The number of attempts is not given, but the automatic lockout is at least covered at their security page [hsbc.com]
Sorry Cardiff University, no bank hax for you today.
Re:Nine attempts? (Score:4, Informative)
Re:Nine attempts? (Score:5, Insightful)
Re:Nine attempts? (Score:1)
A lockout system is good policy, but I don't think it's going to be enough on its own to plug this hole.
Re:Nine attempts? (Score:3, Informative)
Re:Nine attempts? (Score:5, Informative)
As you know, with HSBC, you are asked to specify 3 digits from your security key (which is 6-8 characters long)
This is fine and stops people shoulder surfing to get it once, but if someone keeps recording you they will have all they need.
I actually had more of a shock in the past when I managed to man in the middle the HSBC login, but after speaking to them (they called me back literally within seconds of me mailing them) it was cleared up and my worries were put to rest (there is a ~2 minute timeout where if you steal the cookies from someones machine who has logged in but not logged out where you can technically get at the information - this might have changed since, but it used to be the case)
Re:Nine attempts? (Score:2)
Re:Nine attempts? (Score:3, Insightful)
I'd be interested to hear people's suggestions for a system that will remain secur
Re:Nine attempts? (Score:3, Informative)
When you login on the website, you're propted with a DHTML panel, with five buttons like this:
[3 5] [9 6] [0 1] [2 7] [4 8]
And then you have to type your password using the mouse, so if your password is 12345 you'll have to enter the 3rd, 4th, 1st, 5th and 1st buttons. Each time you enter the site they present the numbers at a different order, so hackers can't use a mouse-logger either.
Pretty smart, works
Re:Nine attempts? (Score:2)
Two things spring to mind.
1) involve the mouse.
2) insert decoy keys, eg, instead of "Enter 2nd, 4th and last digits of your PIN", it could have "Press 1 random number, then the 2nd digit of your PIN, then 3 random numbers, then the 4th" etc. Unless this keylogger has screen capture too, you could even tell them exactly what to type, eg: "37*218*0*644" (substitute * for 3rd, 4th, and 6th digits).
Yes, I know, thi
Re:Nine attempts? (Score:2)
Re:Nine attempts? (Score:2)
Re:Nine attempts? (Score:2)
LloydsTSB requires you to enter a userID (randomish 8 char string), a password, and 3 random characters from some 'memorable information' (an ASCII word i think); the memorable information characters are entered using HTML form SELECT/OPTION tags, so you're generally encouraged to enter it using the mouse.
Barclays requires you to enter a
Re:Nine attempts? (Score:2)
INGdirect's system foils keylogger (Score:3, Informative)
Re:Nine attempts? (Score:2)
funny you should ask that... look what Lloyds bank are trialling [bbc.co.uk]
and Barclays will be going a bit further when their system comes out [early-warning.org]...
Re:Nine attempts? (Score:2)
Re:Nine attempts? (Score:2)
Re:Nine attempts? (Score:2)
Security is a liability.... (Score:2)
Tokens of this kind are now regularly used in any company that provides remote access to their employees and is serious about security.
Tokens are small, unobtrusive and some of them don't even require your interaction, you just type the number you see in the LCD display and that is it (they are not connected to a USB port).
Re:Nine attempts? (Score:2)
Why pick on HSBC? (Score:4, Insightful)
Re:Why pick on HSBC? (Score:3, Insightful)
Re:Why pick on HSBC? (Score:3, Insightful)
Re:Why pick on HSBC? (Score:2)
Re:Why pick on HSBC? (Score:2)
uhhh... (Score:4, Insightful)
Pretty much any site, actually (Score:2)
It fails at ING (Score:2)
Re:uhhh... (Score:2)
Keylogger required (Score:5, Insightful)
no shit sherlock.
In other news.. (Score:1)
O RLY?
YA RLY!
Re:In other news.. (Score:2)
Especially if you use the time-honored method of hunt-and-peck typing.
Re:Keylogger required (Score:1)
Please enter the 1st, 4th and last digits of your Slashdot ID to login to the system:
Re:Keylogger required (Score:2)
Re:Keylogger required (Score:5, Insightful)
The PIN is 6 digits, they ask for three of these six digits at any one login (e.g. type the 1st, 3rd and 4th digits of your pin). Because they always ask in ascending order (i.e. never 4th, 2nd and 1st) then after 9 login events the keylogger can figure out the number. All they had to do (and all they have to do now) is ask for the digits in any order and this problem goes away. The keylogger would eventually know which numbers are in your 6 digit pin but never what order, and as there is a 3 (or 4 ?) tries lockout then they wont be able to get in unless they are very lucky guessers.
I have HSBC internet banking and it never actually dawned on me how obvious this problem is, I don't think I ever noticed that they only ever ask in ascending order, but thats the beauty of it I guess.
Re:Keylogger required (Score:2)
The internet banking PIN (or security number or whatever you want to call it) is no less and no more than 6 numbers.
Re:Keylogger required (Score:2)
Re:Keylogger required (Score:2)
This isnt correct. By asking for them in order then a keylogger knows the PIN *exactly* after you have logged in 9 times when the keylogger is in place.
By asking for them out of order then it will still take 25 *guesses* to get the right PIN*. And the incorrect guesses carry over sessions, so more than 4 incorrect guesses without a correct l
The majority of online systems (Score:4, Insightful)
Re:The majority of online systems (Score:2)
I use one of these to access my bank's website for online banking, any security experts out there know if these are spoofable?
In order to hack my account, they'd need both a keylogger (I work in an office, so not too hard to install) and the physical "token ring" (as my bank likes to call them -- though it's not a ring, but a keychain). Good luck getting my keychain without me noticing.
Re:The majority of online systems (Score:5, Funny)
Re:A token ring? (Score:2)
Keylogger? (Score:2, Insightful)
Isn't this a vulnerability in *any* user/pass interface on any computer in the world?
security through obscurity? (Score:2, Insightful)
"The reality is that it would be more profitable for that fraudster to concentrate his or her efforts elsewhere."
A single compromised user could mean a payoff of tens of thousands of dollars for a determined "fraudster." Particularly if that fraudster resides in a third-world country, that could be enough to live for years. Moreover, having to concentrate efforts on only one attack minimizes a fraudster's exposure to risk--a single instance i
Re:security through obscurity? (Score:3, Insightful)
Since when are banks required to protect themselves against people who have keyloggers on their computers? Not really much one can do IMHO if there's a keylogger present...
I guess the only way around it is to have a pin pad and use the mouse to enter in your pin code as well as your pass code.
W00t. Three tiered logins. Fun stuff.
Re:security through obscurity? (Score:2)
because any sudden transfers away for a customer's account would
lead to them having a stern word with their bank. An investigation could
also show the huge transfer to have happened while logged in from an
IP address elsewhere in the world (unless the keylogger also contains
a proxy, of course).
Some banks (like mine) might have "stupidity insurance", like Visa,
where they cover losses up to a certain amount.
A while ago, I discovered my bank's rid
Re:security through obscurity? (Score:2)
Its not a requirement, but it is a competitive advantage. The combination of convenience and security is a key selling feature for banking services. And as other people have pointed out, its actually quite possible to frustrate a keylogger by a method similar to what HSBC uses, only adding in permutations. Of course, if they had a way of reading your screen and associating the results with a keylog
Re:security through obscurity? (Score:3, Informative)
On Oct. 12, 2005 the FFIEC issued regulations that must be met by end of year 2006 that banks must use a 2 level authentication that includes a method that cannot be logged by a keylogger (ie, entering the numbers on virtual scramble pad).
Not surprised they are clueless (Score:2)
I've repeatedly tried to contact them to tell them to stop that, but they continue. If they cannot clear up a simple problem like this when they are told about it, do you really expect them to correct a DESIGN FLAW like TFA quickly?
Re:Not surprised they are clueless (Score:2)
What, they can't type? (Score:2, Funny)
Is it just me, or are we dealing with a fundamentally stupid attacker?
If I use a keylogger to lift a login/pw, it shouldn't take more than 3 or 4 attempts to get it right.... perhaps I'm just a smarter attacker than most?
Re:What, they can't type? (Score:1)
Re:What, they can't type? (Score:1)
Re:What, they can't type? (Score:3)
Re:What, they can't type? (Score:3, Insightful)
Re:What, they can't type? (Score:2)
Gotcha. Well that makes it a heck of a lot more interesting. Does it say that in the article? Huh. Is it an optional feature, or are you required to use it?
Re:What, they can't type? (Score:2)
HSBC has two points of authentication. The first is a normal username/password which allows you to view your accounts. The second requires typing a password on a virtual keyboard before you can do anything with your money. Online bill-pay, bank transfers, etc. are all behind this second password.
When I saw it, I immediately started thinking about how you could narrow the possibilities if you could record mouse movements. However, that still requires that you can get past the first login as well as reco
Re:What, they can't type? (Score:2)
Re:What, they can't type? (Score:2)
Re:What, they can't type? (Score:2)
Re:What, they can't type? (Score:2)
So what's the best real solution to the problem? (Score:4, Interesting)
As a vendor of a web-based, access-restricted product, keyloggers are a real issue. I've been considering setting up client-side SSL certificates in order to restrict access to only machines that have been "set up" in order to deal with the problem of keyloggers. Are there better solutions?
Does this bank have something that's: A) Easy to use, B) doesn't require painful machine-by-machine setup, and C) significantly improves security?
If so, I just might be interested!
Re:So what's the best real solution to the problem (Score:3, Interesting)
You type in your account id (keylogger can pick this up obviously), then you are presented with an on screen keypad where you enter your pin number with the mouse. 4 digit pin number ( easy to remember), the numbers are in a different location on the on screen keypad every time. The only way any spyware can capture this would be with screen captures on every mouse click. I am not sure there are many spywares that go to the
Re:So what's the best real solution to the problem (Score:2)
Yet.
Re:So what's the best real solution to the problem (Score:3, Interesting)
Thats the best m
Re:So what's the best real solution to the problem (Score:2)
or insert your card to get a number required to enter (I have both, and
the old PIN 'calculator' is still valid). This number is generated from a
seed only your device and your bank has, and is valid for about a minute.
A crook would have to be real fast to use a logged passnumber.
Re:So what's the best real solution to the problem (Score:2)
I don't know if there are better solutions, but please don't rely on two-factor ID. There are at least two downsides there:
Re:So what's the best real solution to the problem (Score:2, Insightful)
I personally think it's a hassle, but it might work in this case.
How to trick key loggers (Score:4, Funny)
More so if I screw up the last attempt and have to request a new password.
Another simple solution is to keep your password in a text file and copy / paste it in.
Or your password could just be ******* that would work a treat...
ObQuote: noob learns about cutting and pasting (Score:3, Funny)
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<Azure
Re:How to trick key loggers (Score:2)
Heck, I've used character map before when my keyboard died and i didn't have an immediate replacement.
Comment removed (Score:4, Informative)
Re:Fud... or at least, way overhyped (Score:2)
A similar problem exists in meatspace (Score:4, Interesting)
-BbT
Re:A similar problem exists in meatspace (Score:2)
That said, I suppose if someone had enough receipts of yours, they could get the full account number -- which is why a paper shredder is no longer an office-only appliance.
Re:A similar problem exists in meatspace (Score:2)
US System is Different (Score:2)
The login process is fairly typical (username, password only), but in mid-July 2006, they changed the process so that they are entered on separate pages. I do not understand how this improves security, because the username is echoed back on the password-entry page. There are no additional interactive anti-replay attack features--the username/password form seems to have been simply split to two pages.
The biggest security f
HSBC Security Flaw, 1 login attempt (Score:3, Funny)
Another HSBC Security Flaw has been found. If you are logging into your account, and somebody is looking over your shoulder while you're doing it, odds are they can determine your username & password after only 1 successful login attempt.
How to fix this (Score:3, Interesting)
So who should we look to for an answer? ING Direct [ingdirect.com]! They use a two step process to log in. The first is a non-descript customer number. This step would be defeated by a keylogger or if someone had some mail stolen. Step two is to ask you to answer a pair of personal questions only you know the answer to. Still this could be defeated by a keylogger. The third step is pure genius though. First of all the page displays an image and phrase that you pre-selected. While a keylogger might pick up this phrease during account setup it would not pick up the image. If the image is not present, you are instructed not to enter your PIN number. Then the entering of the PIN number is via a keypad that you click with your mouse. Each number corresponds to a random letter that changes everytime you log in. If you choose you can type in the letter that corresponds to each number for that log in. In this case the data a keylogger might capture would be useless. This is the best security feature on the website and ensures almost nobody except the account owner can ever log in. Of course if the PIN is compromised then the whole system breaks down but a smart user will never have a compromised PIN.
Re:How to fix this (Score:3, Interesting)
For my account, I set my secret phrase to be "false sense of security". However, I was disappointed that for the image they didn't seem to have any pictures that looked like a man in the middle of anything.
What are the image and phrase really supposed to do for you? They are supposed to let you know "hey, this really is the ING site, so it's safe now to login". If you go to a fake ING site (either
Re:How to fix this (Score:2)
Wierd... (Score:3, Funny)
Google's out to hijack my machine! ; )
Emigrant Direct has a similar issue (Score:2)
The moment a keylogger is in your system, you lost (Score:3, Insightful)
Banks here are using one time pads, quite sophisticated ones that are complicated enough to puzzle quite a few of honest users simply wanting to use their online banking service. And that's still no increased security. As long as the midm attack is possible, and that will be the case as long as there are not black box machines that can do NOTHING but actually communicate with the bank, without the possibility to install anything on them, this won't change. No matter what kind of security you implement.
Out Of Band Communications (Score:2)
Of course, if you can't trust the PC you're using at the moment, you have no idea what it might be doing to your bank account for the duration of your authenticated session.
And that's the long-and-short of it. Have you ever seen a shady character loitering around in front of the post office offering to go stand in line for you and deposit your paycheck, for just a few coins?
Re:Out Of Band Communications (Score:2)
What WOULD work is a hash that's calc'ed out of target address, amount and timestamp. Which would result either in a ridiculously long key to punch
Security checks, and requirements (Score:3, Interesting)
What the company did list as issues (and severe issues mind you) was the fact the application displayed signs of being vulnerable to cookie stealing, and session hijacking through man-in-the-middle attacks, that the server type was sent in the http headers, and that ports 110 and 25 were open on the web server. Well, my complaint is that the security report listed the application problems first, and give them a higher score of criticality, which made everything else, including the open ports 1) seem less sever, and 2) seem as though they were application problems and not network problems, which is what they really are. The business people flipped out and thought the sky was going to fall, since there is some sensitive information stored in this system. Rather than breaking out champagne and celebrating the fact the system was secure against 99.9% of the attacks that would possibly be thrown at it, they lamented issues that weren't application issues. Now understand, I don't manage the servers this application runs on. I merely wrote the application. I don't know what all kind of shit the people who do manage it might have changed.
The funniest thing is, in order to successfully run any cookie stealing, or session hijacking, you (the hacker) had to already have access to not one, but two windows accounts on the domain! The only way to get those was to either work there and have an account, brute-force the username/password, or social-engineer someone out of theirs. And, in order to successfully run the man-in-the-middle attack, you would have to have penetrated the LAN, or hacked someone's computer at their home.
I began to run damage control, explaining how these exploits were possible, why they weren't application issues but network issues, and explaining lots of terms like ARP spoofing, cache poisoning, and how to avoid those things. I remarked that the open ports issue should be rated more highly than the MITM issues, and I also detailed how virtually every web application ever written was similarly vulnerable to these attacks in one way or the other, only to wind up being told that can't possible be true, how I'm extremely arrogant, and how I think I know everything! One person even threatened to have me removed from the project, the cocksucker.
At any rate, the requirement of the keylogger reminded me of the extenuating circumstances needed to exploit this application here: network penetration, not one but two valid accounts, and specialized knowledge of the application.
It's weird. You try to help people and do your job, and they hate you for it. I think I've been doing this for just too damn long.
Re:Security checks, and requirements (Score:2)
Another exploit... (Score:2)
Oh, really? (Score:2)
Now I am laughing.
Will we also see headline saying "All online banking system have flaws" (without adding '...assuming you have keylogger on your machine')?
different authentication (Score:2)
this is a different method from the one mentioned and will probably have no effect against key loggers. although i read somewhere that phishing sites are now able to mimick a bank website and instantly login to the account as it is phished. however, the main feature that the bad guys forget is that account t
Re:a better way (Score:2)
Yeah, it's not a bad solution to the problem, I think. It also asks for the same set of characters until you get it right, so even if you only knew the first half of the secret word, you couldn't keep refreshing until it asked for chars 1, 2 and 3.
Re:No surprise it's HSBC (Score:2)
Re:No surprise it's HSBC (Score:2)
I went to one of the local branch next day and talked to the teller. She had not heard about that. Well, this is still forgivable. No one expects them to know every single product. Then, it came to the shocking bit. She yelled from the counter, asked if an
Re:No surprise it's HSBC (Score:2)
Somehow it's HSBC's issue that your wife doesn't have enough self-control to stay out of an account, and decided destroying the card was the best choice instead of putting it out of sight somewhere, having a family member keep it locked up, etc.?
They claim to have sent her a
Re:No surprise it's HSBC (Score:2)
I've had accounts with HSBC for years, our mortgage is through them, the accounts are spread over two branches and you have to go to the relevant branch to make changes. They have always been fair and provided good service, once a month I have to go in-bran
Re:No surprise it's HSBC (Score:2)
And perhaps the organiza
Re:Why passwords? (Score:2)
Supplying a card and reader to people (as well as providing tech supports for the complete idiots who would probably try to stick their "smart" card in a "stupid" place) would cost a lot of money.
Having a simple password is cheap -- even if the customers get cleaned out, at least the banks saved a couple bucks.
There's a way to beat that... (Score:2)
Bradesco (the largest non-government bank in Brazil) is one example of a bank here in Brazil that, as the parent post says, has the sa