HSBC Security Hole Leaves 3M Customers’ Accounts Vulnerable

If you’ve got your money tied up with HSBC, better be on your toes: a research team from Cardiff University has discovered a flaw in HSBC’s banking system that exposes three million customers’ accounts to theft by wily hackers.

The flaw’s been in effect for a couple of years, and the accounts can be broken into within nine attempts. Hackers using keyloggers are the ones best placed to take advantage of the security hole, because HSBC’s anti-keylogging system doesn’t work at all. “The only reason it’s a theoretical [flaw] is that they’re fortunate no bad guys have [exposed it] yet.”

HSBC downplays the whole issue, natch:

    HSBC downplayed the discovery of the flaw, saying that, “It is an extremely sophisticated attack that would require a particular and time-consuming focus on one individual victim” and therefore criminals wouldn’t be bothered to try it.

Better keep up on your spyware sweeps, people.

HSBC Security Flaw Exposes Millions of Customers’ Data [Consumer Affairs]


  1. Anyone know what the thing in the picture is?

  2. mistress smarty says:

    I think it’s one of those security-dongle-thingies (yeah, that’s the technical term) that generates a random new on-line banking password for you every few minutes and syncs back to the bank.

    Or something like that.

  3. mistress smarty says:

    Afterthought: Doesn’t sync back to the bank with the exact password. Bank just confirms the hash, or something.

  4. It’s a SecurID. We use ’em at work.

  5. nomadicman says:

    My wife’s HSBC internet banking account in Malaysia was compromised on the 28th of May 2005.

    The HSBC PJ Branch in Malaysia was where she opened her Powervantage Account. The account was opened by an officer.
    The officer did all the procedures including clicking on every button. THIS IS SOMETHING I am warning everyone... to take note of… This officer watched my wife type in the username and password. Note that when it came to the terms and conditions, the officer actually clicked onto the I Agree button. The bank has a flawed protocol here, in that no one, including this officer, read out the terms and conditions to me. No legal officer took time to explain to me my rights before signing me up and creating the account. All they did was brisk through the sign up and registration. Their terms and conditions are very dodgy.

    My wife sued and it’s taken 3 years now to reach the stage where we are going to trial. The bank manager of the branch said that the HSBC Internet Banking is 100% safe.

    I disagree as my wife has been victimised.

    Our case – my wife’s account was accessed by another HSBC bank customer who withdrew Malaysian Ringgit 29925 plus and moved it to an account in Russia. The police caught the culprit. But that was around the 29th of May 2005.

    It’s now almost 3 years, and they have not returned the money and given us fair compensation.

    My claim was for RM 24,000 for expenses and travelling from Bangkok, Thailand to Kuala Lumpur Malaysia.

    At the time, my wife was 6 months pregnant, with a 2 year old daughter who was breast fed, and a special needs 10 year old son. It was impossible for my wife to travel alone without taking our children in tow.

    The bank is behaving like a bully.

    I would like for anybody affected in a similar situation to contact us or post your details on this blog.