HSBC’s “Flaw” Revealed (& how to protect yourself from it!)

I read in the news today that a bunch of researchers at Cardiff Uni have “discovered” a flaw in HSBC online banking. They don’t say what the flaw is, so I’m not 100% sure which one they are referring to... there are many.

They say it’s unique to HSBC... well, that rules out about 7 flaws, leaving just two. They mention that the flaw involves the use of a keystroke recorder, so that narrows it down to one.

As a retired ex-bank hacker myself I’m always careful not to give away any tools or “secrets” that would assist the would-be hacker, but this exploit is so easy to fix that I’m sure HSBC will have it sorted now that it’s out in the open. Their suggestion that it has not been used by hackers is bullshit. Although I retired from active hacking a few years ago (following my release from a 5 yr prison sentence, but that is another story), I keep my ear to the ground, and this one has certainly been abused for years.

Here it is….

This exploit depends on two principal cock-ups on the part of HSBC.

Background

HSBC have offered Internet banking for a long time and until early 2003 they relied upon a simple user-name and password approach.  HSBC Internet banking evolved from telephone banking and for the customers’ benefit they retained the same password for Internet banking as customers used for telephone banking.

The HSBC telephone banking / Internet banking password can be of variable length, though most customers choose a six-digit number, which is the minimum. The fact that it’s a variable-length password increases security exponentially for users who choose a longer password, but most users choose their ATM PIN with either a leading or trailing 00 or 99, so if Joe Bloggs has a PIN of 1979 he would likely choose 001979 or 197900; you get the picture.

Actually, there is a whole science of determining how people will respond to certain questions such as “choose a number of between 6 and 10 digits”. It’s called “Human Stereotype Response”; that’s why a smart hacker has a 1 in 14 chance of hacking your ATM card (assuming you chose the 4-digit PIN standing at an ATM) given 3 attempts at entering a PIN... statistically speaking, of course! But again, that’s another story!

In 2003, along with most UK banks, HSBC changed their log-on procedure to request a date of birth and to ask for 3 supposedly random digits from the numeric password.

Most Internet banking hacks begin with a keystroke logger being active on the machine that a customer uses to access the Internet banking service (often an internet cafe, hotel or other public computer), so the hacker starts off armed with the username, the date of birth, and 3 digits of the numeric password.

Problem Time

HSBC have two incredibly stupid flaws at this stage, both of which make the exploit much easier for the criminal hacker. First, the sequence of these random digits is always left to right, which gives a hacker an unfair advantage. The second flaw is the real jewel for the hacker: if the 3 digits are entered incorrectly and the hacker logs out and tries again, he will get a different challenge. This is the most fundamental cock-up, because the hacker knows that with a request for 3 out of 6 digits, always in left-to-right order, there are simply only a handful of possible challenges; sooner or later (usually sooner) the server will get back to the same question as the one that was presented when the victim’s login was captured by the keystroke logger.

OK, I hear you say, but you only have about 3 chances till the account is locked. Well, that’s not true: you see, the hacker can try 2 times and then wait till the genuine account holder logs in, thus resetting the number of tries he has. This trick has been used for years by hackers with cloned ATM cards: instead of 3 chances at entering a PIN they get 4, 6, 8 or more attempts by trying 2 every month, which is not possible with a stolen physical card of course.
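As an added illustration (a constructed model, not HSBC’s code and nothing from the Cardiff researchers), the following Python compares the two server-side behaviours described above from the bank’s side: a challenge that is re-drawn after every attempt, failed or not, and the obvious fix, a challenge that stays fixed until a successful login and is never immediately repeated. The class and function names (`RotatingChallenge`, `StickyChallenge`, `attempts_until_reissue`) are my own, as are the assumptions of a six-digit password and three requested digits.

```python
import itertools
import random
from fractions import Fraction
from math import comb

# Constructed model, not HSBC's code. Parameters follow the post: a six-digit
# numeric password (the minimum) and three digits requested per login.
PASSWORD_LEN = 6
DIGITS_ASKED = 3


def challenge_space(password_len=PASSWORD_LEN, digits_asked=DIGITS_ASKED):
    """Every challenge a server can issue when it always asks for the digits in
    left-to-right order: one per unordered set of positions, C(6, 3) = 20."""
    return list(itertools.combinations(range(password_len), digits_asked))


class RotatingChallenge:
    """Weak policy described in the post: a fresh random challenge is drawn after
    every attempt, so a failed attempt simply earns a new draw."""

    def __init__(self, rng):
        self.rng = rng
        self.space = challenge_space()
        self.current = rng.choice(self.space)

    def after_attempt(self, succeeded):
        self.current = self.rng.choice(self.space)
        return self.current


class StickyChallenge:
    """Hardened policy: the challenge stays fixed across failed attempts and is
    replaced only after a successful login, never by the one just answered, so a
    challenge captured during a genuine login is not valid for the next one."""

    def __init__(self, rng):
        self.rng = rng
        self.space = challenge_space()
        self.current = rng.choice(self.space)

    def after_attempt(self, succeeded):
        if succeeded:
            self.current = self.rng.choice(
                [c for c in self.space if c != self.current])
        return self.current


def attempts_until_reissue(policy_cls, rng, max_attempts=500):
    """Defender's risk metric: one genuine login was observed by a keystroke
    logger, so the captured digits answer exactly one challenge. Count how many
    later attempts (all failing, since only that challenge is answerable) elapse
    before the server re-issues it. None means it never recurs within the cap."""
    policy = policy_cls(rng)
    captured = policy.current
    policy.after_attempt(succeeded=True)      # the genuine login that was logged
    for attempt in range(1, max_attempts + 1):
        if policy.current == captured:
            return attempt
        policy.after_attempt(succeeded=False)
    return None


def mean_attempts_until_reissue(policy_cls, trials=2000, seed=0):
    """Average the metric over many simulated accounts with a seeded RNG.
    Trials where the challenge never recurs are dropped; if none recur
    (the sticky policy) the result is None."""
    rng = random.Random(seed)
    samples = [attempts_until_reissue(policy_cls, rng) for _ in range(trials)]
    samples = [s for s in samples if s is not None]
    return sum(samples) / len(samples) if samples else None


def reissue_probability(attempts, password_len=PASSWORD_LEN, digits_asked=DIGITS_ASKED):
    """Closed form for the rotating policy: each draw is independent, so the
    chance the captured challenge reappears within `attempts` tries is
    1 - (1 - 1/N)^attempts with N = C(password_len, digits_asked)."""
    n = comb(password_len, digits_asked)
    return 1 - Fraction(n - 1, n) ** attempts


if __name__ == "__main__":
    print("distinct challenges:", len(challenge_space()))
    print("P(re-issued within 3 tries, rotating):", float(reissue_probability(3)))
    print("rotating policy, mean attempts until re-issue:",
          mean_attempts_until_reissue(RotatingChallenge))
    print("sticky policy, mean attempts until re-issue:",
          mean_attempts_until_reissue(StickyChallenge))
```

Under the rotating policy the captured challenge comes round again on average after about 20 attempts, which is exactly what makes the “two tries, then wait” trick above worthwhile; under the sticky policy it never does, so the digits captured from one login carry no replay value for the next. The sticky policy does not address the attempt counter being reset by the genuine user’s login, which needs separate handling.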

The rest is easy peasy, lemon squeezy, as they say in the business... well, they did in my day.

Conclusion

Well, the good news is that most serious criminal hackers don’t spend too much time targeting HSBC’s UK customers; there are actually much softer targets, and the hacker will usually take the easy route. HSBC depend heavily on secondary measures that make it difficult to move large sums of money out of the victim’s account without being noticed; they normally spot the fraud after it’s happened, but before the customer knows.

To remedy this situation HSBC need to make a couple of very minor changes to the login procedure, but it’s still going to be weak. Conventional access control consists of two parts, “what I have” (key, card, token) and “what I know” (password, PIN etc.). Internet banking relies simply on the “what I know” element, which is always going to be a problem.

How to protect yourself from this flaw: change your internet password and make it longer than the 6-digit minimum, never use a public computer, and always enter the information on the log-in screen in a random order, i.e. enter 2 digits of your DOB, then the first 4 digits of your password, then the rest of your DOB, then the rest of your password. That way the output from the keystroke logger will be useless to the hacker!

Written by Andy, ex-hacker, ex-con and ex-pat!