Welcome to HBH! If you had an account on hellboundhacker.org you will need to reset your password using the Lost Password system before you will be able to login.

HSBC online banking "seriously flawed"?


HSBC online banking "seriously flawed"?

<img src='http://images.google.co.uk/images?q=tbn:O8sT5uEOuLBykM:http://www.aduem.org.br/Logo%2520Hsbc.jpg' style='margin:5px;' align='left'>A research team at Cardiff univercity, (a place renouned for technology students) claims to had a breakthrough and hacked one of the largest online banking systems in the United Kingdom.

How did they do it? They havnt released full details yet, but we know a keylogger was involved and then the account has a maximum of 9 access attempts before its breached. They came across this "weakness" when researching into online banking security.


Comments
Mr_Cheese's avatar
Mr_Cheese 17 years ago

i dunno about anyone else, but technology students at a renouned univercity claiming a keylogger and brute force attempt is a major breakthrough and is a exploit… im appauled. i mean admitedly yes it is a weakness and HSBC could do more to protect themselves against keylogger attacks etc etc, but so can every other bank in the UK. i think we should look closely at what computer "professionals" are teaching in these types of courses!

ghost's avatar
ghost 17 years ago

Heh my step mum is the head of Data Protection and Cyber crime at Cardiff Uni so I will have a chat with her.

ghost's avatar
ghost 17 years ago

cant you learn how to brute force to keylog with 5 mins of googleing and a little bit of reading? im not saying to that standard but you can see what i mean? these seem like techniques any one with a small amount of techno-knowledge can use…..

ghost's avatar
ghost 17 years ago

haha- stupid. It makes you think what other banks are as weak as this.

ghost's avatar
ghost 17 years ago

I did read (like Mr_Cheese did) that they used a keylogger. This is not a flaw with HSBC, though they could still do things to prevent this. For instance swedish banks send customers a scratch card via the post with one time passwords. Any time not using two-method authenticaion is "vulnerable" to this "flaw", including amazon and paypal.

Mr_Cheese's avatar
Mr_Cheese 17 years ago

exactly whiteacid! its stupid. if i was HSBC i'd be pissed at cardiff uni for pubically stating HSBC has weak security. admitedly there is things HSBC can do, but even amazon / paypal has weaker security than HSBC. 99.9% of websites are vunerable to keylogging and i certainly wouldnt call a key logged attack a vunerbility in the website. i think cardiff uni are using this as their claim to fame… either that or computer specilists are getting worse.

ghost's avatar
ghost 17 years ago

HSBC has been hacked through a domain i used but it's on someone else's name. They uploaded files to the host (shell scripts and stuff) to gain access of servers and do whatever they want to do. They also made a fake login thing to get user logins and stuff. So HSBC talked to us and they were going to investigate everything. I'm not sure if those guys did it on our host (+ they used other hosts aswell so they couldn't be blamed directly). But yeah this has happened about 3-4 months ago so not sure if it are the same guys.

Mr_Cheese's avatar
Mr_Cheese 17 years ago

nah not the same guys, this only happened a week or two ago, and from what i gather they released the info before properly thinking it through…. and Xyng.. HSBC was on a shared server?!?! that i find hard to believe.

ghost's avatar
ghost 17 years ago

Lols, they used the shell scripts to get access to several hosting servers and used fake logins and stuff to get user info. Those two things have i seen on ftp of my old host but don't know if they did anything else than phishing.

AldarHawk's avatar
AldarHawk 17 years ago

They used Phishing techniques to gain passwords (I got about 60 attempts in 1 month). This is a different group of Techo-Weirdos :evil:

ghost's avatar
ghost 17 years ago

Many financial institutions, such as HSBC, give customers a unique security code, which might be six digits, to be used when they log on to their accounts. The system will generally ask for a subset of three of these numbers, chosen at random.


HSBC argues that a criminal would need to expend so much time and effort it would not be worth the trouble.

ghost's avatar
ghost 17 years ago

wolfmankurd, that is exactly how the HSBC site works, but this team worked out that in 9 attempts you are sure to have the full 6 digits. While this is a decent find (which takes half an hour to make) it's not a flaw.

ghost's avatar
ghost 17 years ago

So in other words they are counting mistakes to capitalize on other people behalf. May I ask were they good Phishing attacks or were they half assed like the rest of the project? lol, notto be biased or anything but I'm a little appauled.