The battle for your online bank account

Millions of people now control their cash via the web

The discovery comes amid wider concerns that bank customers using the internet to access their accounts are increasingly at risk from an array of sophisticated scams.

What is the threat to HSBC customers?

The flaw centres on the way the bank's 3.1 million online customers access their accounts.

According to researchers at Cardiff University, fraudsters using "keyloggers" - gadgets or software that capture keystrokes made on a particular computer - could potentially use the data to break into the individual account of an HSBC customer.

The discovery specifically relates to HSBC because of the particular design of the security system it uses to protect customer accounts.

Once inside an HSBC online account, fraudsters would be able to change key information, transfer money and even arrange loans.

How real is the risk?

Very real, the Cardiff University team warns.

HSBC says it is reviewing it internet banking security

Anyone exploiting the flaw would be able to break into an HSBC account within nine attempts, they say.

"As long as this flaw exists, customers are at risk," professor Antonia Jones, the computer scientist heading the team, told The Guardian newspaper.

However, HSBC says the problem does not pose a serious threat to its customers.

It says that exploiting what it calls the "supposed flaw" would require an undue amount of effort on the part of the hacker to target a single victim.

HSBC says that no-one has yet fallen foul of the problem and points to its better-than-average record for internet security.

Nevertheless, the bank says it plans to "examine the issues" raised by the Cardiff researchers very closely.

This is not the first time internet banking customers have been warned about the dangers posed by fraudsters. What are the other main threats?

For some time the main buzzword in internet security circles has been "phishing" - by which online account holders are induced to give away their personal details to fraudsters using bogus internet bank login sites.

More recently, security experts have warned of a new identity theft scam using phones instead of computers.

"Vishing" uses easily obtainable voice over internet protocol (VoIP) numbers as bogus credit card or financial services numbers.

Customers are tricked into calling spoof VoIP-operated service centres after being warned that their own accounts have been compromised.

As with phishing, they are then asked to disclose sensitive information about their accounts, which is then used by fraudsters.

How are the banks dealing with threats to online security?

In a number of ways.

Lloyds is following in the footsteps of banks elsewhere

Most banks require users to have more than one password, while many use drop-down menus for passwords on their internet banking login pages to counter fraudsters who use keylogging techniques.

Lloyds TSB recently began trialling keyring-sized security devices, or "tokens", which generate a six-digit code to be used alongside usernames and passwords.

The system uses a code which changes every 30 seconds.

Meanwhile, UK rival Barclays plans to introduce an interoperable card reader, which also generates security numbers for online transactions.

Dutch bank ABN Amro has taken the battle against fraudsters a step further by introducing biometric voice verification in phone banking.

The technology uses more than 100 biometric characteristics, such as voice pitch and frequency, to verify the identity of customers over the phone.

Is any of this making a difference?

To a degree, yes.

The banks argue that they are going to great lengths to protect the security and identity of their online customers from fraudsters.

But as the technology used in online banking security becomes ever more sophisticated, so do the efforts of internet bank hackers and fraudsters.

The struggle between the banks and fraudsters is akin to a virtual arms race, with millions of online banking customers - and the money in their accounts - stuck in the middle.

Indeed, one of the most recent scares is called a "man in the middle" attack.

It involves a possible breach of the protection offered by tokens by getting customers to log onto fake banking sites, which then - in real time - pass information back and forth between the customer and a bank's real systems.

The warning from the Cardiff University research team about HSBC's online banking security system is the latest episode in a struggle which shows no sign of abating.

E-mail this to a friend

Printable version