Menu
 Home
 Local News    
 Global News
 Technical & Product News
 Opinions
 Contact Us
 Subscribe/Unsubscribe
 
 Publications
 ICT World
 Cable Talk
 Computing S.A.
 Network World
 The Channel
 IT users handbook
 
 Sponsors
 ICT World Company Directory
 
 Partners
 CareerJunction
 Johnnic Mag Division
 
 Privacy Policy
 Privacy Policy
 
   
   

Cardiff researchers discover online banking security problem

Date: 14 August 2006
Issue: One hundred and ninety nine (14/8/06 - 18/8/06)
(ICT World)
Category: Global News
Two researchers working within Cardiff University's School of Computer Science, Professor Antonia J Jones and Joseph R Rabaiotti, together with a third independent researcher, Stuart P Goring, have released details of a problem with HSBC's online banking system. The bank was informed of the issue prior to publication.

The researchers demonstrated (without in any way hacking, or even entering, the system) that the problem they observed, together with the illegal use of a keylogger (a device which records keystrokes and can later play them back), would, in principle, allow an attacker to gather all the necessary information required to enter any customer account.

HSBC and Cardiff University are now working together to address a number of issues raised by this research.

No illegal access took place during this research. It is generally assumed that to be in a position to prove that a gatekeeper system has a weakness, one must have broken the law. However, the researchers were able to demonstrate that this is not the case.

In this case they showed that by perfectly proper use of the system (a legal log-in which fails due to a typing error), and by intelligent observation, one can logically prove a weakness without even passing the gatekeeper or entering the system. While they were able to do this because of a rather trivial problem, an interesting point of principle has been established, and a significant loophole identified.

Professor Jones says: "What is truly amazing about this particular problem is that it apparently has not been illegally exploited for at least two years, during which time all user accounts were, in principle, open to the access procedure we describe. This fact alone raises some serious questions about the wisdom of having any sensitive system online and about online banking in general."