HSBC is one of the largest banks in both the UK and the world. With operations across Europe and the United States, as well as interests in many other foreign countries, it has to work very hard to keep your money secure. You'd therefore think the company would be embarrassed to find out that over 3.1 million of its accounts are subject to a hack that allows full access to online banking.
The flaw was discovered by researchers at Cardiff University, who were studying the security of online finances. Details of how the site was cracked have not yet been disclosed, as the researchers are writing it up in a journal for release later this year - by then, they hope that HSBC will have closed the loophole. Richard Clayton, an internet security expert at Cambridge University familiar with the Cardiff research, said "In my view it is clueless, and what's more, incredibly easy to fix."
According to the researchers, it is possible to get into any online account in nine tries or fewer (they figure five for most accounts) due to a flaw in the web scripting. Once inside, the hacker can do everything that the customer could do, including changing addresses and account/password info, or even wiring up to 2,000 quid in any currency to anywhere in the world. The hack does require a keylogger, but since many viruses come with these included, unaware people could be transmitting the needed data at any time.
HSBC has downplayed the hole, calling it a "supposed flaw." The bank said in a statement:
"HSBC would be very interested to hear any expert commentary on the security of its personal internet banking service. However, in this instance the supposed flaw uncovered is not one we have seen criminals use. It is an extremely sophisticated attack that would require a particular and time-consuming focus on one individual victim. It is therefore not likely to be a profitable way for criminals to behave.
"Online fraud via HSBC's internet banking system is substantially lower than the market average and we are satisfied our customers are adequately protected."
The researchers at Cardiff disagree. Professor Antonia Jones, leader of the group, said: "There are serious issues here. Banks are in the business of safeguarding your money, and if they tell you that it's safe then you assume that's the case. But as long as this flaw exists, customers are at risk. For banks or institutions that are making huge amounts out of their customers not to protect them is pretty scandalous."
Got a thought about the security hole? Do you think HSBC should be fixing it ASAP, or are you of the mind that people who don't even run virus protection deserve what they get? Let us know your thoughts on the matter in our forums.