Key-logging: An Old Story

This morning BBC News and The Register reported on an online security flaw related to online banking. Cardiff University researchers, under the supervision of Professor Antonia Jones, used hardware/software key-loggers to capture data that is supposed to expose a flaw in HSBC’s online banking system.

I would like to post my personal view on the matter by pointing out the following:

1) The use of key-loggers is nothing new, and a key-logger gathers information discreetly without targeting a specific bank. Thus, the title used, “Flaw exposed in HSBC’s online banking”, can easily be considered untrue.

2) The use of key-loggers falls under the category of profiling the user (victim) in any possible way by gathering his personal data.

For example: habits, preferences, visited addresses, login names & passwords, conversations, outgoing e-mail, file names & folder structure, text containing sensitive information. Thus, the login details for a bank’s website (which could be used only to display a balance) are only one of the problems, and not always the most important.

3) “Ever get that tingly feeling at the base of your spine when using one of those grubby "public" computers?” The idea of the user’s keystrokes being monitored is so well known that products already exist on the market [e.g. Bio Computer-On-a-Stick] that help avoid such problems.

4) This point also proves that key-logging is not something new: at the InfoSecurity conference in May 2006, an experiment was conducted in order to prove the obvious.

“SecureTest staff using these networked PCs to check their email discovered that insecure system configurations left users open to attack. It reports that it would have been trivial to download and install a software key logger to pick up keystrokes, disclosing the user name and passwords of anyone who had used the system to check webmail.

To prove the point SecureTest staff keylogged themselves, logging into the SecureTest webmail system. It was then possible to retrieve their log-in credentials. There was no usage policy available for these machines. As a consequence, unknown individuals had been able to disable anti-virus software installed on these machines.”


