HSBC websites fell in DDoS attack last night, bank admits

HSBC has blamed a denial of service attack for the downtime of many of its websites worldwide on Thursday night. Various Reg readers told us they were unable to reach the HSBC UK and First Direct websites on Thursday, leaving them unable to carry out internet banking services. Problems kicked in just before 20.00 BST and lasted …

COMMENTS

This topic is closed for new posts.

I don't need no bloody DDoS, I've got a SecureKey which ...

has denied me access to my HSBC accounts for TEN WEEKS.

And to Merrelee D (Quality Assurance) in HSBC Vancouver, who said: "Just for your information, our internet banking site has never been hacked or breached. Merrilee". Say again, Merrilee, I can't hear you!

Of course, HSBC boasts of all its high-tech chappies who cut your connection if your IP changes during banking. Unfortunately they haven't heard that Win 7 can handle more than one Internet connection, as can our server.

Anonymous Coward

Re: I don't need no bloody DDoS, I've got a SecureKey which ...

> Say again, Merrilee, I can't hear you!

It was a denial of service attack. The site was neither breached or hacked.

> Of course, HSBC boasts of all its high-tech chappies who cut your connection if your IP changes during banking. Unfortunately they haven't heard that Win 7 can handle more than one Internet connection, as can our server.

Good for your server and Win 7. I'll let you into a secret. HSBC's servers can also handle more than one connection from you (and on different IPs) but they choose not to. The reason they choose not to accept your IP address changing during a session is security. Admittedly, this decision will only protect against certain known attacks (and against some unknown) but it isn't the only security measure they apply.

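Added example (not from any commenter, and not HSBC's code) of the two ways a server can react when the client address behind a session token changes: the hard logout the commenter above describes, and a step-up alternative that freezes the session and demands a fresh second factor instead. The store, policy names and addresses are assumptions made for the example.

```python
"""Session-to-client-IP binding with two responses to a mid-session IP change.

Added example; not HSBC's code. Policy names and addresses are assumptions."""
import secrets
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Session:
    user: str
    client_ip: str
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    pending_reauth: bool = False


class SessionStore:
    """policy="strict": any IP change kills the session (the behaviour described in the thread).
    policy="step-up": the session is frozen and a fresh second factor is demanded instead."""

    def __init__(self, policy: str = "strict") -> None:
        if policy not in ("strict", "step-up"):
            raise ValueError(policy)
        self.policy = policy
        self._sessions: dict = {}

    def login(self, user: str, client_ip: str) -> str:
        ip_address(client_ip)  # reject anything that is not a valid IPv4/IPv6 address
        session = Session(user, client_ip)
        self._sessions[session.token] = session
        return session.token

    def check(self, token: str, client_ip: str):
        """Decide whether a request carrying `token` from `client_ip` may proceed.
        Returns (allowed, reason)."""
        session = self._sessions.get(token)
        if session is None:
            return False, "no-session"
        if session.pending_reauth:
            return False, "reauth-required"
        if session.client_ip == client_ip:
            return True, "ok"
        # Address changed mid-session: either a roaming client or a stolen token.
        if self.policy == "strict":
            del self._sessions[token]  # hard logout; the user must log in again
            return False, "ip-changed"
        session.pending_reauth = True  # step-up: keep state, ask for a second factor
        return False, "reauth-required"

    def reauth(self, token: str, client_ip: str, second_factor_ok: bool) -> bool:
        """Complete a step-up: rebind the session to the new address only if the
        second factor (e.g. a one-time code from a hardware token) verified."""
        session = self._sessions.get(token)
        if session is None or not session.pending_reauth:
            return False
        if not second_factor_ok:
            del self._sessions[token]  # a failed step-up is treated as a hijack
            return False
        session.client_ip = client_ip
        session.pending_reauth = False
        return True
```

The strict policy stops a replayed token from a different network at the cost of dropping every legitimate roaming client (mobile handover, satellite egress that flips between countries). The step-up policy keeps the same detection signal but turns it into a re-authentication prompt, which is what a second factor such as a hardware code generator is for; either way the IP check is only one signal and should sit alongside the other session protections.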

Re: I don't need no bloody DDoS, I've got a SecureKey which ...

The site was neither breached or hacked.

Either/or

Neither/nor

</pedant>


Re: I don't need no bloody DDoS, I've got a SecureKey which ...

Yeah thanks for the "SecureKey" I no longer check my account daily as I used to, because I would have to carry the sodding key about with me. As a result I just rely on the monthly statement, so if there is fraud then they'll not hear about it for some time (although the non-fraud they detect will no doubt continue).


Re: I don't need no bloody DDoS, I've got a SecureKey which ...

Of course you could also configure your setup properly[1], so that a single session to a particular place is routed through the same link for its duration so this issue doesn't occur.

[1] Given that this type of connection load balancing isn't exactly "proper", the "fix" is "proper" in the same sense.


Re: I don't need no bloody DDoS, I've got a SecureKey which ...

I know what HSBC can do: mine was jumping from my home country to Hong Kong, where our satellite service terminates/originates. Of course their servers can handle more than one connection from customers, but the fact is their so-called 'security' doesn't, or at least didn't, allow changing IP connections, which has annoyed many of their customers, which isn't exactly 'service'.

They should accept that they, HSBC, have to adapt to customers not vice versa.

Merilee's quote was truncated.

Various HSBC sites have been hacked over the years, not DDoS: February 2012, August 2011 and September 2009, for example. No intelligent computer user would say they are impervious to any attack; ask the US government.


Re: I don't need no bloody DDoS, I've got a SecureKey which ...

SecureKey is a pain in the arse... prompted me to sign up for text alerts (a paid-for service) that texts me when something over £n goes in or out of my account, plus a weekly text statement. Good for keeping an eye on things. Shame the lower limit for transactions is >= £20. Be warned if you decide to set it up: the call centre staff in India have no idea (or at least they didn't at the time) how the service works, and setting it up is painful if you get someone who speaks English but doesn't appear to understand it.


Re: I don't need no bloody DDoS, I've got a SecureKey which ...

@Vince

Why should a Customer have to adapt to a supplier?

Anonymous Coward

Re: check my account daily

I use the HSBC Fast Balance app for Android, which helps a lot; it would be nice to be able to do a little more, like the mini-statement covering more transactions, but alas.

Still have to use the bloody secure key if I need to login and sort something out, though.

// hate secure key

// better than some other banks 'solutions' though

Anonymous Coward

Re: I don't need no bloody DDoS, I've got a SecureKey which ...

> They should accept that they, HSBC, have to adapt to customers not vice versa.

The customer should accept that security comes at a price. HSBC have decided that their security model will not allow changing IP during a session. If you do not like this then you can change your bank for one that uses less security.


Re: I don't need no bloody DDoS, I've got a SecureKey which ...

People forget that the SecureKey is a good trade-off. It doesn't rely on generating keys using the card (like Barclays, which is annoying, but I believe you can get the code generator as an app now?), but is secure enough that it acts as another level of authentication other than a password or inserting specific characters of the password (which CapitalOne uses, and which is relatively secure).

I did wonder why I couldn't access it yesterday. Idiots.


Re: check my account daily

Yeah, that's nice: you can see the balance of your "current" account. You can't see your credit cards. Or many other HSBC account types. Or see detailed transactions. That's, er, useless.


Re: I don't need no bloody DDoS, I've got a SecureKey which ...

Sorry, your IP for your session was flapping between Hong Kong and (another unspecified country), and you think HSBC are the twats for logging you out?


Re: I don't need no bloody DDoS, I've got a SecureKey which ...

Actually the Barclays solution is better because:

(a) You can have multiple PINsentry devices, so you haven't got to carry it around.

(b) There is an app to act as a PINsentry.

(c) You can also get "basic access" (at least on Premier you can), which lets you do basic stuff without the need for PINsentry at all.

(the latter being what I use and hasn't caused me to lose my money through the oh-so-terrible fraud risk yet).


Re: I don't need no bloody DDoS, I've got a SecureKey which ...

Not that I'm discounting the convenience of the PINsentry device being able to read all cards, but surely that makes it easier for someone to get into your account once they have your username and card? At least SecureKey is unique to the account, AFAIK. Not difficult to attach it to your car keys or something you carry around a lot with you.

Anonymous Coward

Re: I don't need no bloody DDoS, I've got a SecureKey which ...

>> Of course, HSBC boasts of all its high-tech chappies who cut your connection if your IP changes during banking. Unfortunately they haven't heard that Win 7 can handle more than one Internet connection, as can our server.

Actually, it was originally seen as a bug: when the IP changed, the proxy hashed the connection differently and sent it to a different load-balanced machine in the cluster, and because the session had absolute references (data couldn't be serialised), the session couldn't be shared between nodes, so the new node didn't recognise the session and logged you out. As this was seen as really tricky to fix (loads of locally cached data), some bright spark said, "Actually, let's pretend it's deliberate", and the "problem" goes away!

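Added example (not from any commenter, and not HSBC's infrastructure) of the failure mode described in the post above: a proxy that picks a backend by hashing the client address, with sessions that live only in the process that created them, compared with the same cluster backed by a shared session store. Node names, addresses and the hash function are assumptions made for the example.

```python
"""Source-IP affinity in front of a cluster: node-local vs shared session state.

Added example; not HSBC's infrastructure. Node names, addresses and the hash are assumptions."""
import hashlib
from typing import Optional

NODES = ("web-01", "web-02", "web-03")


def pick_node(client_ip: str, nodes=NODES) -> str:
    """Proxy-side affinity: hash the client address and pick a backend.
    A different source address usually lands on a different node."""
    digest = hashlib.sha256(client_ip.encode()).digest()
    return nodes[int.from_bytes(digest[:4], "big") % len(nodes)]


class Backend:
    def __init__(self, name: str, shared_store: Optional[dict]) -> None:
        self.name = name
        self.local: dict = {}
        self.shared = shared_store  # None => sessions exist only in this process

    def _store(self) -> dict:
        return self.local if self.shared is None else self.shared

    def login(self, user: str) -> str:
        token = f"tok-{user}-{len(self._store()) + 1}"
        self._store()[token] = {"user": user, "created_on": self.name}
        return token

    def lookup(self, token: str) -> Optional[dict]:
        return self._store().get(token)


class Cluster:
    def __init__(self, shared_sessions: bool) -> None:
        store = {} if shared_sessions else None
        self.backends = {name: Backend(name, store) for name in NODES}

    def request(self, client_ip: str, token: Optional[str] = None, user: Optional[str] = None):
        """Route one request the way the proxy would; returns (node, token) on
        login or (node, session_found) for a request that carries a token."""
        backend = self.backends[pick_node(client_ip)]
        if token is None:
            return backend.name, backend.login(user)
        return backend.name, backend.lookup(token) is not None


def find_ip_on_other_node(ip_a: str) -> str:
    """Search a documentation range for an address that hashes to a different node."""
    node_a = pick_node(ip_a)
    for last in range(1, 255):
        candidate = f"198.51.100.{last}"
        if pick_node(candidate) != node_a:
            return candidate
    raise RuntimeError("no address in the test range maps to another node")


def simulate(shared_sessions: bool) -> dict:
    """Log in from one address, continue from the same address, then from another."""
    cluster = Cluster(shared_sessions)
    ip_a = "203.0.113.10"          # constructed client address
    ip_b = find_ip_on_other_node(ip_a)
    node_a, token = cluster.request(ip_a, user="alice")
    _, same_ip_ok = cluster.request(ip_a, token=token)
    node_b, other_ip_ok = cluster.request(ip_b, token=token)
    return {"node_a": node_a, "node_b": node_b,
            "same_ip_ok": same_ip_ok, "other_ip_ok": other_ip_ok}


if __name__ == "__main__":
    print("node-local sessions:", simulate(False))
    print("shared sessions:    ", simulate(True))
```

With node-local state the IP change is indistinguishable from a logout, which is exactly the accident the post describes being rebranded as a security feature. With a shared store the session survives, and whether to reject the new address then becomes a deliberate policy decision rather than a side effect of the balancer's hash.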

Re: I don't need no bloody DDoS, I've got a SecureKey which ...

" if your IP changes during banking"

You should thank them.... Security. If you were the victim of a man-in-the-middle attack, your session were hijacked, and the only giveaway was a changed IP, wouldn't you WANT them to pull the plug?


Wrong Target?

If it is the Muslims, then I don't get what they hope to achieve by launching a DDoS against HSBC. I should have thought they would have been better off trying to bring YouTube down.

Anonymous Coward

Re: Wrong Target?

Most likely to be, banks support Google by card processing and banking services, therefore they are legitimate services. Same sort of crap that Anon believe in.

Most are clueless that banks and businesses don't transfer money via a web portal and all it affects are normal everyday people.


Re: Wrong Target?

Certainly does seem an odd choice, as I thought HSBC were rather Islam-friendly: HSBC Amanah

Anonymous Coward

Re: Wrong Target?

I don't like Tesco's, so I think I'm going to protest outside Kwik Fit, as I bet they supply tyres to their delivery vans!


Anonymous Coward

Re: Wrong Target?

"If it is the muslims"

Are all Muslims working as one? Do Anonymous speak for all Internet users?

No. They are both small groups of people who pretend to represent more than they actually do.

Anonymous Coward

Solving "Panetta"

If the post title is to be believed, and 8 == 0, then Panetta+8 and Panetta-8 are both equal to Panetta. Whether 16 (as 2 * 8) also == 0 or not, it's hard to say. Lord knows what 5 equals...

Of course, it's fair to say that the puzzle could be complete nonsense, while not drawing any parallels with religion...

Anonymous Coward

Re: Solving "Panetta"

Panetta = 6/7

Possibly something about 6 July or 7 June ??

Or 14 December for that matter.


"Thus the chain of cyber attacks on U.S. banks will continue this week."

You would have thought that the NAME of the bank would have given away their mis-assumption.

Anonymous Coward

Agreed, everybody should understand it is PRC-based ;-)

To be fair, they do force their customers to comply with US IRS laws, even those who've never set foot in the US.

Anonymous Coward

Big Fish

Either this was one of the biggest ever DDoS attacks, considering it managed to keep such a large site offline for so long, or HSBC are not set up very well to deal with it. In comparison to other well-known companies and sectors, such as betting sites which deal with this on a regular basis, I would have thought a banking giant could cope with a DDoS 99% of the time.


Re: Big Fish

Word in security circles is that the sheer volume of these attacks, in excess of 6 Gbps, coupled with the fact that they are multivector attacks makes them very difficult to defend against. Certainly it can be done, but at what cost? Is it really worth €50,000,000 to prevent the occasional 24 hours downtime for single customer web access? For a gambling website, each and every transaction generates revenue and is their primary source of revenue. For banks, web access is a cost center, not a revenue generator.


Re: Big Fish

DDoS doesn't always depend on a large "attacking" force; in fact, depending on exploits and bugs, it can be trivial to bring down organisations (remember "ping of death"). Even HTTP connection exhaustion could be accomplished by a handful of servers, while a "D"DoS does imply multiple attackers. Different operating systems handle attacks in different ways, "half open listen drop" thresholds etc.

It could well be a relatively newly discovered exploit/bug, unpatched servers (the larger you are the slower you can move).

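Added example (not from any commenter, and unrelated to whatever actually hit HSBC) of the two low-volume patterns the post above mentions, half-open listen-queue pressure and HTTP connection exhaustion, detected over a connection table in netstat-like form. The sample lines, thresholds and addresses are constructed for the example.

```python
"""Spot half-open (SYN_RECV) backlog pressure and per-source connection hoarding
in a netstat-style connection table.

Added example; the sample table, thresholds and addresses are constructed."""
import re
from collections import Counter

# Format assumed: "tcp <recvq> <sendq> <local>:<port> <remote>:<port> <STATE>"
LINE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def make_sample() -> list:
    """Constructed connection table: one source holding many half-open
    connections, one holding many idle established ones, and a few normal clients."""
    lines = []
    for port in range(40000, 40012):   # 12 half-open handshakes from one address
        lines.append(f"tcp 0 0 10.0.0.5:443 198.51.100.7:{port} SYN_RECV")
    for port in range(50000, 50040):   # 40 established connections from one address
        lines.append(f"tcp 0 0 10.0.0.5:80 203.0.113.9:{port} ESTABLISHED")
    for i, port in enumerate(range(60000, 60005)):   # ordinary clients
        lines.append(f"tcp 0 0 10.0.0.5:443 192.0.2.{i + 1}:{port} ESTABLISHED")
    lines.append("tcp 0 0 10.0.0.5:443 192.0.2.20:61000 SYN_RECV")   # one normal handshake
    return lines


def parse(lines):
    """Yield one dict per well-formed connection line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield {"lport": int(m.group(2)), "rip": m.group(3), "state": m.group(5)}


def analyse(lines, half_open_per_src=5, half_open_total=10, est_per_src=20) -> dict:
    """Count half-open and established connections per remote address and flag
    sources (and the listener as a whole) that cross the given thresholds."""
    half_open = Counter()
    established = Counter()
    for conn in parse(lines):
        if conn["state"] == "SYN_RECV":
            half_open[conn["rip"]] += 1
        elif conn["state"] == "ESTABLISHED":
            established[conn["rip"]] += 1
    total_half_open = sum(half_open.values())
    return {
        "half_open_total": total_half_open,
        # Per-source SYN counts only mean something when the sources are real;
        # a spoofed flood shows up in the total rather than in any one address.
        "backlog_pressure": total_half_open >= half_open_total,
        "syn_flood_suspects": sorted(ip for ip, n in half_open.items() if n >= half_open_per_src),
        # Many long-lived established connections from one address is the
        # signature of connection-exhaustion (slow-client) attacks against HTTP.
        "exhaustion_suspects": sorted(ip for ip, n in established.items() if n >= est_per_src),
    }


if __name__ == "__main__":
    for key, value in analyse(make_sample()).items():
        print(f"{key}: {value}")
```

The backlog figure is the one that matters for the "half open listen drop" case: a SYN flood with forged source addresses never produces a suspect list, only a saturated accept queue, which is why the kernel-side answer is SYN cookies and backlog tuning rather than per-IP blocking. The established-connection count is the complementary signal for slow-client exhaustion, where a small number of real hosts hold many connections open and a per-source limit or idle timeout at the proxy is the usual fix.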
Anonymous Coward

Re: Big Fish

HSBC executive management regard IT as a cost centre. Ship development work to India, dispose of qualified, experienced UK IT staff and slowly but inexorably fall behind. Innovations in banking like First Direct 20+ years ago were IT-based, but FD was created by Midland Bank. HSBC would lack the imagination and see it solely as a cost centre. Indeed I believe FD doesn't earn its keep (e.g. uses some HSBC core IT systems with no cross-charging, so is effectively subsidised by the rest of HSBC), but it was the first 24x365 telephone banking service; the other banks had to play catch-up, providing poorer service at higher cost.

Anonymous Coward

Re: Re: Big Fish AC 22/10 08:43

I have a strong feeling that AC is/was at "FD" simply by their use of the initials...

I'd agree with the first 4 sentences, and the latter half of the 5th, but the first half isn't strictly accurate. They do "contribute to HSBC's profits" and there are plenty of cross-charges (although all cross-charges are funny money anyway, regardless of parent/child companies).

AC for what should be obvious reasons.


Good publicity for that movie

The more these idiots do this sort of thing, the more all the sane people in the world will start thinking that there must be a good reason to find and watch that movie.

Definition of a fanatic - someone who redoubles his efforts when he's forgotten his aims.


FirstDirect

Did anyone who was blocked from accessing Firstdirect online, pick up the phone to do their business that way?

I'd be interested to know whether the telephone service was also DoS'ed ("experiencing high volume of calls, please try later") or whether Firstdirect was able to handle the increased telephone traffic with aplomb.


Re: FirstDirect

Yes, I couldn't access FirstDirect online, and I phoned them about 11pm. It took about 3 minutes to get through, most unusual for FD who normally answer immediately.

Anonymous Coward

Unconfirmed reports again

Saddam had weapons of mass destruction you know


Well, if the comments here are anything to go by, then the attackers have completely failed to make their point.

What a waste of a botnet.

Anonymous Coward

The controversial Innocence of Muslims video?

"Unconfirmed reports suggest that HSBC was targeted by the Izz ad-Din al-Qassam Cyber Fighters as part of a current campaign (see Pastebin post*) to get the controversial Innocence of Muslims video removed from YouTube"

It's the Islamic 'Life of Brian' ...
