If, like me, you saw the news items lately about a Cardiff University researcher revealing flaws in the Internet banking user authentication process used by the UK part of HSBC, you have probably been wondering about the details. The journalists refer somewhat vaguely to the exploit involving the use of keyloggers on customers' PCs, which is a significant vulnerability in the first place although unfortunately not uncommon these days. They say capturing details from just 9 logins or less provides sufficient information to complete the exploit - this presumably points to the hacker needing to capture the user's complete password even though only parts are requested each time. Various amateur researchers have been analysing the mathematics involved in the login process, but while there are flaws, they cannot analyse their way directly to being able to capture the complete password in "nine tries or less, typically 5" as mentioned in some of the original news aticles. At least one article referred specifically to a flaw in the web scripting which perhaps hints at a weakness in the exchange of information between the bank and the logging-in customer: my guess would be a vulnerability in the algorithm that "randomly" selects which digits are required. Perhaps it is not truly random, maybe a simple sequence or at least a predictable sequence, due to an implementation flaw I suspect. If so, it wouldn't be the first encryption scheme to fail through supposedly random numbers in fact having predictable patterns.
More identity theft links