HSBC web security cracked

The bank's anti-keylogging system is flawed, say researchers

The safety of online banking is again in question, as researchers say the log-in systems used by HSBC and another major high street bank could be easily cracked by keylogging devices.

Cardiff University researchers said they discovered a flaw, which could allow hackers to break into accounts within nine attempts. Unlike many other banks, HSBC asks for a numeric-only passcode and does not regularly change the order of digits it requests, making it easier for hackers to obtain the number.

"They have an anti-keylogging system that doesn't work – they might as well not have it," said Cambridge University net security expert Richard Clayton. " The only reason it's a theoretical [flaw] is that they're fortunate no bad guys have [exposed it] yet."

Clayton said banks should ask for more authentication when users try to access certain facilities, such as to add new payees.

"The deep flaw is that they have the same authentication to do everything," Clayton said. "The problem is that they're all copying each other – none of the online security schemes are perfect but it would be wiser to do something different."

HSBC said in a statement that attacks of this kind are unlikely as they require "a particular and time-consuming focus on one individual", although it invited feedback from experts on its online banking service. "In this instance the supposed flaw uncovered is not one that we have seen criminals use [and] it is not likely to be a profitable way for criminals to behave."