04:05 PM
It's Hard to Ignore the Hype: HSBC Security Flaw
By Greg MacSweeney, Wall Street & Technology
At first glance, the security flaw within HSBC's online banking system that has been exposed by two researchers working within Cardiff University's School of Computer Science looks like another black eye for financial firms, which are battling the growing perception that personal data risks aren't being taken seriously. However, as often is the case with press coverage, the hype surrounding the flaw is probably a greater risk to HSBC than the actual security flaw itself.
According to a release from Cardiff's School of Computer Science, "The researchers demonstrated (without in any way hacking or even entering the system) that the problem they observed, together with the illegal use of a keylogger (a device that records keystrokes and can later play them back), would, in principle, allow an attacker to gather all the necessary information required to enter any customer account." Added one of the researchers, Professor Antonia J. Jones, "What is truly amazing about this particular problem is that it apparently has not been illegally exploited for at least two years, during which time all user accounts were, in principle, open to the access procedure we describe. This fact alone raises some serious questions about the wisdom of having any sensitive system online and about online banking in general."
But blogger David Nicholson points out that while the flaw is a risk, it isn't as "glaring" as the flurry of press coverage implies because the Cardiff research assumes that HSBC account holders would have keylogging software -- virus software that captures the keystrokes made on a computer -- on their own computer.
So it may turn out that the greater risk to HSBC is how customers react to this flaw, possibly with existing customers closing accounts or new customers being deterred from opening accounts -- not the actual data that might have been exposed by the security flaw.
Greg MacSweeney is editorial director of InformationWeek Financial Services, whose brands include Wall Street & Technology, Bank Systems & Technology, Advanced Trading, and Insurance & Technology.