HSBC online banking "seriously flawed"?
A research team at Cardiff University (a place renowned for technology students) claims to have had a breakthrough and hacked one of the largest online banking systems in the United Kingdom.
How did they do it? They haven't released full details yet, but we know a keylogger was involved, and then the account has a maximum of 9 access attempts before it's breached. They came across this "weakness" when researching online banking security.
Mr_Cheese 18 years ago
I dunno about anyone else, but technology students at a renowned university claiming a keylogger and brute-force attempt is a major breakthrough and is an exploit… I'm appalled. I mean, admittedly yes it is a weakness and HSBC could do more to protect themselves against keylogger attacks etc etc, but so can every other bank in the UK. I think we should look closely at what computer "professionals" are teaching in these types of courses!
ghost 18 years ago
Heh my step mum is the head of Data Protection and Cyber crime at Cardiff Uni so I will have a chat with her.
ghost 18 years ago
Can't you learn how to brute force or keylog with 5 mins of googling and a little bit of reading? I'm not saying to that standard, but you can see what I mean? These seem like techniques anyone with a small amount of techno-knowledge can use…
ghost 18 years ago
I did read (like Mr_Cheese did) that they used a keylogger. This is not a flaw with HSBC, though they could still do things to prevent this. For instance, Swedish banks send customers a scratch card via the post with one-time passwords. Any site not using two-method authentication is "vulnerable" to this "flaw", including Amazon and PayPal.
Mr_Cheese 18 years ago
Exactly whiteacid! It's stupid. If I was HSBC I'd be pissed at Cardiff Uni for publicly stating HSBC has weak security. Admittedly there are things HSBC can do, but even Amazon / PayPal have weaker security than HSBC. 99.9% of websites are vulnerable to keylogging, and I certainly wouldn't call a keylogger attack a vulnerability in the website. I think Cardiff Uni are using this as their claim to fame… either that or computer specialists are getting worse.
ghost 18 years ago
HSBC has been hacked through a domain I used, but it's in someone else's name. They uploaded files to the host (shell scripts and stuff) to gain access to servers and do whatever they want to do. They also made a fake login thing to get user logins and stuff. So HSBC talked to us and they were going to investigate everything. I'm not sure if those guys did it on our host (+ they used other hosts as well so they couldn't be blamed directly). But yeah, this happened about 3-4 months ago, so not sure if it's the same guys.
Mr_Cheese 18 years ago
Nah, not the same guys, this only happened a week or two ago, and from what I gather they released the info before properly thinking it through… and Xyng.. HSBC was on a shared server?!?! That I find hard to believe.
ghost 18 years ago
Lols, they used the shell scripts to get access to several hosting servers and used fake logins and stuff to get user info. Those two things I have seen on the FTP of my old host, but I don't know if they did anything other than phishing.
AldarHawk 18 years ago
They used phishing techniques to gain passwords (I got about 60 attempts in 1 month). This is a different group of Techno-Weirdos :evil:
ghost 18 years ago
Many financial institutions, such as HSBC, give customers a unique security code, which might be six digits, to be used when they log on to their accounts. The system will generally ask for a subset of three of these numbers, chosen at random.
HSBC argues that a criminal would need to expend so much time and effort it would not be worth the trouble.
ghost 18 years ago
wolfmankurd, that is exactly how the HSBC site works, but this team worked out that in 9 attempts you are sure to have the full 6 digits. While this is a decent find (which takes half an hour to make) it's not a flaw.
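The "9 attempts" point in the thread, worked through as an added example (this is not code from the original thread or from HSBC, and the scheme parameters are assumptions): suppose the bank asks for three of the six code positions, chosen uniformly at random on each login, and a keylogger records every (position, digit) pair the victim types. The model below computes the exact probability that n captured logins reveal all six positions, how many logins are needed for a chosen confidence, and the odds that an attacker who knows only some positions can answer a fresh challenge. The secret code and the random seed are constructed sample data.

```python
"""Added example: how quickly a keylogger recovers a partial-digit security code.

Assumptions (not confirmed by the thread): a 6-digit code, 3 positions requested
per login, positions chosen uniformly at random, every login captured.
"""
from math import comb
import random

CODE_LENGTH = 6      # assumed: six-digit security code
POSITIONS_ASKED = 3  # assumed: three positions requested per login


def coverage_probability(n_logins, code_length=CODE_LENGTH, asked=POSITIONS_ASKED):
    """Exact probability that n captured logins reveal every position.

    Inclusion-exclusion over the set of positions that is never asked for:
    a single login avoids a fixed set of k positions with probability
    C(code_length-k, asked) / C(code_length, asked).
    """
    total = comb(code_length, asked)
    prob = 0.0
    for k in range(code_length + 1):
        avoid_once = comb(code_length - k, asked) / total  # comb() is 0 when n < k
        prob += (-1) ** k * comb(code_length, k) * avoid_once ** n_logins
    return prob


def logins_for_confidence(confidence, code_length=CODE_LENGTH, asked=POSITIONS_ASKED):
    """Smallest number of captured logins whose coverage probability >= confidence."""
    n = 1
    while coverage_probability(n, code_length, asked) < confidence:
        n += 1
    return n


def challenge_answerable_probability(known_positions, code_length=CODE_LENGTH,
                                     asked=POSITIONS_ASKED):
    """Probability a fresh random challenge asks only positions the attacker knows.

    The attacker does not need the whole code: a challenge is answerable as soon
    as all `asked` requested positions fall inside the known set.
    """
    return comb(known_positions, asked) / comb(code_length, asked)


def simulate_keylogger(secret, rng, asked=POSITIONS_ASKED, max_logins=50):
    """Replay captured logins until every position is known (or max_logins hit).

    Returns (logins_captured, recovered_code) with '?' for unknown positions.
    """
    known = {}
    logins = 0
    while len(known) < len(secret) and logins < max_logins:
        # The bank picks `asked` distinct positions; the keylogger sees the digits.
        for pos in rng.sample(range(len(secret)), asked):
            known[pos] = secret[pos]
        logins += 1
    recovered = "".join(known.get(i, "?") for i in range(len(secret)))
    return logins, recovered


if __name__ == "__main__":
    for n in (3, 6, 9, 12):
        print(f"{n:2d} captured logins -> all six positions known "
              f"with probability {coverage_probability(n):.4f}")
    print("logins for 99% coverage:", logins_for_confidence(0.99))
    for k in range(3, 7):
        print(f"knowing {k} positions -> next challenge answerable "
              f"with probability {challenge_answerable_probability(k):.2f}")
    secret = "483916"  # constructed sample code
    logins, recovered = simulate_keylogger(secret, random.Random(7))
    print(f"simulation recovered {recovered!r} after {logins} captured logins")
```

Two things the numbers make clear: nine captured logins give a high but not certain chance of the full code under this model, and an attacker does not even need the full code, since with four known positions one challenge in five is already answerable, so a fraud attempt can succeed well before coverage is complete.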
ghost 18 years ago
So in other words they are counting on mistakes to capitalize on other people's behalf. May I ask, were they good phishing attacks or were they half-assed like the rest of the project? lol, not to be biased or anything, but I'm a little appalled.