HSBC biz banking crypto: The case of the vanishing green padlock and... what domain are we on again?

HSBC has been faulted for redirecting business customers to a website that is not obviously secure. Rob Jonson, director of Hobbyist Software, who alerted us to the issue, was concerned that he'd fallen victim to a phishing scam. I logged into my HSBC business account, and the site failed to give me any info. Then I looked …


sooo,..... not so much a FAIL as a bit of a cock up then...

3
0
Anonymous Coward

As a former HSBC Drone, I'm hardly surprised. As much as possible is done in their "Global Service Centres", where, in my experience, the employees are hard working but are completely unable to think for themselves.

There's a reason they're referred to as How Simple Becomes Complicated.

20
0

"where, in my experience, the employees are hard working but are completely unable to think for themselves"

I spent about 6 months trying to open an account with them. The account kept getting declined repeatedly for the same ludicrous reason. My passport had my middle name on it, my bills didn't. It wasn't possible to get my middle name on the bills because it would have taken me over the maximum character limit. They wouldn't accept initials either. It was ridiculous, the bank manager kept trying to push it through, but a week later each time I got an automated letter back saying my proof of ID didn't match. After 6 months I went to Barclays. They only looked at my passport to confirm my ID; the account was open the same day.

20
0

My keypad needs replacing (flat battery). I've been trying to get through on the phone all week. Shit bank.

3
0

They also have great difficulty with UK native languages. Passport in English name, normal use name in a native language as the locals use their language. However the 8 character limit on password is a big failing for a bank.

3
0

errr... buy some batteries?

1
0

This is the bank that is now trying to push Voice Recognition as a way to authenticate yourself for online banking, so little in the way of security idiocy surprises me.

2
0

Bouncing around the domains

This is the biggest problem I see with any kind of web-based login and is really an accident waiting to happen.

17
0

Natwest used to do this. Which is even worse, as one minute you'd be on a Natwest domain, and the next an RBS one. Which could be just incredibly confusing if you don't realise they're the same banking group - and is just a stupid thing to do if you want to encourage customers to watch out for security.

11
0

The eight-character limit is pretty bad?

I thought a 9 character was bad in 2009... My how the times have changed?

11
0

Re: The eight-character limit is pretty bad?

Think of it more as a PIN than a password, as the app only shows you what you can see on screen at a cash point.

0
0

Yep. HSBC force me to use a cut-down version of my proper secure password because otherwise it's "too long". Their app isn't that great either. And though I moved to the smartphone app to generate codes, that was a debacle and a half. I didn't have a dongle so I couldn't change to the app, resulting in them sending me a dongle and then me having to use that to activate the app. When they didn't work, they deactivated the dongle and then they started telling me to "just enter the code from the dongle into the app" "the one that's deactivated now" "Yes" "Surprisingly that doesn't work" "No problem, just log in and order another." "Cool... how do I log in now that the dongle is deactivated..." "Er..."

I haven't touched their website in years because it was a mess of domain-bounces even then (click a service and it would often kick you out to some other website to show you what loans/etc. they do and then you'd have to deal with all the warnings and then log yourself back in).

People wonder why banks are hated - I literally never have these kinds of issues dealing with places like pre-pay credit card companies, or even things like PayPal.

13
0

No one ever logged into a banking site, to give said banking site more money, only ever to take it away.

Suddenly the fact they don't work very well is obviously never going to get fixed, as it'll never drive any more profits.

8
0

Banking services are the act of collecting money then disbursing it.

Consumers do the latter a lot more than the former, businesses tend to be more even.

If the latter is hard to do, people leave the bank and go somewhere else, taking all the money with them.

If more than maybe 20% do so, the bank goes bust.

6
1

And though I moved to the smartphone app to generate codes, that was a debacle and a half. I didn't have a dongle so I couldn't change to the app, resulting in them sending me a dongle and then me having to use that to activate the app. When they didn't work, they deactivated the dongle and then they started telling me to "just enter the code from the dongle into the app" "the one that's deactivated now" "Yes" "Surprisingly that doesn't work" "No problem, just log in and order another." "Cool... how do I log in now that the dongle is deactivated..."

Heh, try sticking with the dongle.... I won't use the pile of crap that is their app, so want to stick with the dongle. Except, you can no longer order a replacement (when the battery gets low) through Internet Banking. Their site says to send them a secure message through Internet Banking to request a new one, so OK.... And you get the following response back

I regret that I am unable to replace the secure key via this messaging service. We were able to send replacement keys through the secure messaging service, however due to a change in policy and for security reasons we can no longer do this.

Instead you've got to phone them. So I can't order a replacement dongle using a service that I need access to the physical token in order to use, because that's insecure, but I can phone them and just give them my internet banking creds to do so.

Clearly I know the creds as I'm logged into Internet Banking to send the message, so all they're actually doing is removing a layer of security.

11
0

Their online banking service is utterly dreadful.

Try paying an HSBC credit card bill from an HSBC current account without resorting to a) swearing, and b) finally giving in and using the online chat to talk to a human being.

2
0

Not true actually, I can photograph cheques and pay them into my account.

0
0

and yet with First Direct such online transactions are seamless, I wonder why one company has two such different computer systems

5
0

The eight-character limit is pretty bad, however, there are multiple layers of security to prevent brute force attacks from the front-end.

With only eight characters to play with I'd expect clever crooks to have a pretty good idea of a mark's password before they start and not need to worry about brute-forcing. The FSA or the BoE really ought to be all over this.

17
0
N2

only eight characters...

The FSA or the BoE really ought to be all over this.

Agreed, but that would involve actually doing something, or someone

8
0
Anonymous Coward

"We've asked HSBC for comment and will update when we hear back. ®"

Please don't hold your breath. I'm still one of their customers, and have asked them many times about their website issues (if only it were limited to http:// redirections...). Never heard back anything meaningful.

Ah, not exactly: not long ago, I was on the phone with their support, the website started misbehaving and kicked me out (a frequent occurrence), so I told the guy. He answered, I'm barely paraphrasing here: "It works for me, so there's no problem".

I'm looking for a new bank.

18
0
Anonymous Coward

Re: "We've asked HSBC for comment and will update when we hear back. ®"

The problem is they're all as bad as each other, development governed by the lowest common denominator; cost.

It's also what happens when software development for retail banking customers is deemed "not revenue generating" and all the main (high budget) effort goes into commercial banking as that's where the profits are made, or software designed to stop government fines being applied for whatever they've been caught for this time.

Did nearly 20 years in IT there and still a customer! Sometimes it's better the devil you know.

3
0

Android app

I suspect the app has a token as well as the short password so guessing the password alone wouldn't be enough. I've not messed about with it to find out though as I had enough trouble getting my account to work in the first place.

As for sending funds through the app, I still can't figure out how you allow that. I send funds through the web site all the time but my recipient list in the app is always empty.

0
0
Anonymous Coward

It gets worse

I regularly find the same password letter challenges all day, so I can log in 20 times and have to provide the 1st, 3rd and last letters each time.

Then there is the cross site scripting on the password challenge that I yelled at them about last year - although at least that seems to have been sorted.

Then there is the fact you have to enable the "Liveperson" script for the business password challenge to even work, but no warnings about script failure, just a message saying the password is wrong.

And they wonder why I won't let them download their "security" crapware and "enhance" my security.

2
0

worrying that I had clicked on a bad link from Google

What kind of idiot has to Google the url for their bank? Especially when it's the obvious hsbc.co.uk. I could have guessed at that one and I've never been a customer.

6
1
Anonymous Coward

Re: worrying that I had clicked on a bad link from Google

The whole thing is a non-story. There's been no security breach.

"secure web page links to unencrypted landing page of something else."

shock horror.

Tell me, if your sites use https, does that mean you'll only link to other sites that are also https?

0
10

Re: worrying that I had clicked on a bad link from Google

"What kind of idiot has to Google the url for their bank?"

Quite - and what's surprising to me is that (thanks to my own stereotyping of people) I'm surprised he noticed the URL change precisely because he apparently used Google to find the bank's website.

2
0

Re: worrying that I had clicked on a bad link from Google

"The whole thing is a non-story. There's been no security breach."

There's no suggestion of a security breach - the point is that the person who reported this saw the change of URL and became worried that something was wrong. And he was right to be concerned. Banks should not do this.

8
0
Anonymous Coward

Re: worrying that I had clicked on a bad link from Google

Searching your bank's URL may extend beyond the domain of fools.

Let's say the user types hscb.co.uk accidentally, that could be rented by "close but not quite Ltd" with a redirect to a pre-prepared phishing site. For example, using hsbc but with Cyrillic characters.

The search gives a better chance of spotting the typo before committing to a site.

3
0
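The lookalike-domain problem raised in the post above (a transposed typo such as hscb.co.uk, or a name that swaps in Cyrillic characters) can be checked mechanically. The following is an added example, not code from the article or from any commenter; hsbc.co.uk is the domain named in the thread, and the lookalike strings it tests are constructed:

```python
"""Flag a domain that looks like, but is not, a known legitimate one.

Added example; it is not code from the article or from any commenter.
It covers the two cases raised in the post above: a typo such as
hscb.co.uk (one transposition away from hsbc.co.uk) and a name that
swaps a Latin letter for a Cyrillic lookalike. hsbc.co.uk is the domain
named in the thread; the lookalike strings are constructed.
"""
import unicodedata


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each counting as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def scripts_used(label: str):
    """Names of the writing systems the letters in `label` belong to,
    taken from the first word of each character's Unicode name
    (e.g. LATIN, CYRILLIC)."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()})


def lookalike_report(candidate: str, legit_domains, max_distance: int = 2):
    """Return a list of reasons `candidate` resembles one of `legit_domains`.

    An empty list means either an exact match or no resemblance found.
    """
    cand = candidate.lower().rstrip(".")
    legit = [d.lower().rstrip(".") for d in legit_domains]
    if cand in legit:
        return []
    reasons = []
    if not cand.isascii():
        reasons.append("non-ASCII name; scripts present: " + ", ".join(scripts_used(cand)))
        # The wire form browsers send to DNS; users rarely see it unless
        # the browser refuses to render the Unicode form.
        reasons.append("sent to DNS as " + cand.encode("idna").decode("ascii"))
    elif any(label.startswith("xn--") for label in cand.split(".")):
        reasons.append("punycode label present: an internationalised name in ASCII form")
    for known in legit:
        dist = osa_distance(cand, known)
        if 0 < dist <= max_distance:
            reasons.append("within %d edit(s) of %s" % (dist, known))
    return reasons


if __name__ == "__main__":
    # The third name uses Cyrillic small es (U+0441) in place of Latin c.
    for name in ["hsbc.co.uk", "hscb.co.uk", "hsb\u0441.co.uk"]:
        print(name, lookalike_report(name, ["hsbc.co.uk"]) or ["no concern"])
```

The distance check uses optimal string alignment rather than plain Levenshtein so that a swapped pair of letters counts as one edit, which is the typo the post describes; the script check reports the writing systems found so that a mixed Latin/Cyrillic name stands out even when it is visually identical to the real one.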

Re: worrying that I had clicked on a bad link from Google

It could be that he simply typed hsbc in the address field expecting Google to fill the rest of the address based on his former visits to that page. When he noticed the domain change and the http: header, he probably thought that Google had served him a tainted address instead.

This seems to fit well with Mr. Jonson being an IT guy.

3
0

Re: worrying that I had clicked on a bad link from Google

1) Do not have the address bar double up as a search bar.

2) Do not have the browser suggest URLs from the browser history - bookmarks/favourites only.

Put the sites you do want to use on a regular basis in your favourites/bookmarks.

With the browser set like that, typing HSBC into the address bar will always result in the correct domain coming up.

1
2

Re: worrying that I had clicked on a bad link from Google

"Tell me, if your sites use https, does that mean you'll only link to other sites that are also https?"

Let me explain that.

There are hackers out there who try to get your banking data. They can't if you are careful enough. For example, if you go to https://www.mybank.com then you know one hundred percent that you landed at www.mybank.com (apart from the fact that you also know that nobody can read what goes on between you and that site). If you go to http://www.mybank.com, then not only is it not encrypted, which is bad for a banking app, but you don't know for sure that the website you reached is actually www.mybank.com. That's why everyone should never, ever trust an http site.

Now if your bank redirects you to an http site, then it is redirecting you to a site THAT YOU SHOULD NOT TRUST. As a user, you then have two choices: Don't trust the site, which means you cannot use some service that the bank provides, or trust the site, which means you are possibly trusting some dangerous criminals. No bank should ever do this. If your bank does that kind of shit, then you should change banks.

In addition to being awful in itself, that kind of behaviour also means you can't trust any software created by the developers that this bank is using. If they get basic things wrong like that, what else did they get wrong?

1
0
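The property the post above describes (every hop must be https and must stay on a domain the bank owns) can be audited over the sequence of URLs a browser was bounced through. The following is an added example, not code from the article or from any commenter; every domain and URL in it is a constructed placeholder:

```python
"""Audit the chain of redirects a browser was sent through.

Added example; it is not code from the article or from any commenter.
It checks the two properties the post above cares about: every hop uses
https (server authenticated, connection encrypted), and every hop stays
on a domain the bank is known to own. All domain names and URLs below
are constructed placeholders.
"""
from urllib.parse import urlsplit


def host_in_domain(host: str, domain: str) -> bool:
    """True if `host` is `domain` itself or a subdomain of it.

    Matching on a leading dot avoids the classic substring mistake
    (`domain in host`), which would accept mybank.example.evil.example.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_redirect_chain(chain, trusted_domains):
    """Return (hop_index, url, reason) findings for a list of visited URLs.

    `chain` is the sequence of URLs in the order the browser visited them,
    the first entry being the address the user typed or clicked.
    """
    findings = []
    for index, url in enumerate(chain):
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "https":
            findings.append((index, url, "scheme is %s: no server authentication, no encryption"
                             % (parts.scheme or "missing")))
        if not any(host_in_domain(host, d) for d in trusted_domains):
            findings.append((index, url, "host %r is outside the trusted domains" % host))
    return findings


# Constructed chain: a login that is bounced to an unencrypted page and then
# to a lookalike host that merely starts with the bank's name.
CONSTRUCTED_CHAIN = [
    "https://www.mybank.example/login",
    "https://secure.mybank.example/accounts",
    "http://www.mybank.example/offers",
    "https://www.mybank.example.evil.example/offers",
]
TRUSTED = ["mybank.example"]

if __name__ == "__main__":
    for hop, url, reason in audit_redirect_chain(CONSTRUCTED_CHAIN, TRUSTED):
        print("hop %d %s -> %s" % (hop, url, reason))
```

Run against the constructed chain it reports two findings: hop 2 dropped to http, and hop 3 landed on a host that is not under mybank.example despite beginning with that name. The suffix test in `host_in_domain` is the part worth copying; a plain substring check would have let the last hop through.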
Anonymous Coward

Limits on password

Halifax (which IIRC is part of HSBC) don't even use case sensitivity, however you can have a longer than 8 char password, just who wants to try and remember where you put the capital letters in PaSSwoRD123...

1
2

Re: Limits on password

Halifax was part of HBOS, now Lloyds Banking Group.

5
0

People are Strange

People will spend hours, days, weeks bitching about the crap service they get from a company. Why should that company care what you think? They have your money!

The ONE and ONLY time a company will care is when you STOP giving them your money. Yes but nothing. Instead of wasting your time bitching, use that time to take your money elsewhere. It's only difficult if you insist on making it difficult. Yes but nothing. It's your money, you decide. you give the instructions.

9
5

Re: People are Strange

"use that time to take your money elsewhere"

Good advice but sooner or later you run out of elsewheres.

5
0
Anonymous Coward

The Secure Key being limited to 8 characters must only apply to the Business banking app (not entirely clear from the article) as mine is over double that in the consumer version.

0
0

If we follow that logic: legislation for seatbelts in cars would never have been required as safety conscious consumers would have only bought cars with them.

No market is perfect which is why we have regulation. Due to the systemic nature of banks, the banking market is even less competitive (the barriers to entry are higher) than other industries. And if the onus is not on the bank to provide security by making them liable for losses incurred by fraud, then they have little incentive to improve things.

That said: I avoid all apps and websites for online banking and use only HBCI.

3
1

"The Secure Key being limited to 8 characters must only apply to the Business banking app (not entirely clear from the article) as mine is over double that in the consumer version."

Are you sure about that?

Back around the turn of the century I thought I was using a 12 character password for my ISP, but as I later discovered, it was silently ignoring all but the first 8 characters.

1
0

2009 ?????

8 character passwords were obsolete in 1989 ....

As an aside, has anyone else encountered that wonder of design: the website that doesn't know the rules for the database?

There has been more than one "professional" website I have come across where the database fields allows [x] characters. But the login page only allows [y] where [y]<[x].

You'd think that the account creation or change password pages would be the same .... only they're not.

Result: no one with a password > [y] can log in.

5
1

Re: 2009 ?????

Depends a bit on the logic. Frontends should contain hints about fields but not necessarily all relevant constraints. A good frontend will validate as much as possible inline and might include additional constraints that are not in the schema. Specifically regarding passwords: if you're only ever storing the salted hash this will be bound to be different in length.

But, of course, the login should be implemented as a testable service with a detailed API… I think you've lost > 90% of the web monkeys with that kind of requirement.

2
0
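The three posts above touch on the same design point from different angles: a verifier that silently keeps only the first 8 characters, a login page whose limit differs from the registration page, and the observation that only a salted hash is stored so the database column tells you nothing about the password length. The following is an added example, not code from the article or from any commenter; `legacy_hash` and `legacy_verify` are constructed stand-ins for a truncating system, not any bank's code:

```python
"""One password-length policy for every entry point, fixed-width storage,
and a self-check for silent truncation.

Added example; it is not code from the article or from any commenter.
It demonstrates the points made across the posts above: registration and
login must enforce the same limits (so keep them in one place), the stored
salted hash has a fixed width regardless of password length (so a database
column imposes no 8-character cap), and a verifier that quietly ignores
characters past the eighth can be detected. legacy_hash/legacy_verify are
constructed stand-ins for such a truncating system, not any bank's code.
"""
import hashlib
import hmac
import os

# The single source of truth, imported by the registration form, the
# change-password form and the login handler alike.
MIN_PASSWORD_CHARS = 12
MAX_PASSWORD_CHARS = 128   # generous; the cap exists only to bound hashing cost
SALT_BYTES = 16
PBKDF2_ROUNDS = 100_000


def check_policy(password):
    """Raise ValueError when `password` is outside the shared length policy."""
    if len(password) < MIN_PASSWORD_CHARS:
        raise ValueError("password shorter than %d characters" % MIN_PASSWORD_CHARS)
    if len(password) > MAX_PASSWORD_CHARS:
        raise ValueError("password longer than %d characters" % MAX_PASSWORD_CHARS)


def hash_password(password, salt=None):
    """Return salt || PBKDF2-HMAC-SHA256(password): always SALT_BYTES + 32
    bytes however long the password is, so the storage column width never
    constrains what a user may choose."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    """Constant-time comparison of a fresh hash against the stored record."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def legacy_hash(password):
    """Constructed stand-in: keeps only the first eight characters."""
    return hash_password(password[:8])


def legacy_verify(password, stored):
    """Constructed stand-in matching legacy_hash."""
    return verify_password(password[:8], stored)


def truncates_silently(hash_fn, verify_fn, probe="correct-horse-battery-staple"):
    """True if verify_fn accepts the probe after its last character is changed,
    which means trailing characters are being ignored. A self-test for a
    verifier you operate; it uses only a throwaway probe, no stored credentials."""
    stored = hash_fn(probe)
    altered = probe[:-1] + ("x" if probe[-1] != "x" else "y")
    return verify_fn(altered, stored)


if __name__ == "__main__":
    check_policy("correct-horse-battery-staple")
    print("record width for 12 and 100 chars:", len(hash_password("a" * 12)), len(hash_password("a" * 100)))
    print("proper verifier truncates:", truncates_silently(hash_password, verify_password))
    print("legacy verifier truncates:", truncates_silently(legacy_hash, legacy_verify))
```

Because every entry point imports the same two constants, the mismatch described in the thread (a login form stricter than the registration form) cannot arise by accident, and the fixed 48-byte record shows why a stored-hash column has no bearing on the length a user may pick.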

Re: 2009 ?????

I've had similar with emails with + chars in them (essentially an alias).

Create a new account, + is fine, log in, no issue, then get to some internal settings page that includes the email, and it refuses to accept the +! So edit the + out, save settings, then go to the main admin page and change the email back again, as that page is fine with the +!

Promptly followed by two emails arriving asking me if it was me that changed the address!

1
0
Anonymous Coward

Re: I've had similar with emails with + chars in them

Best one I had was some hand-rolled code (because no one could possibly write a better version) which "validated" email addresses. Only it did it according to the author's idea of an email address, rather than the RFC.

Now, it may be deprecated. It's certainly not advisable. But it's perfectly valid to have an apostrophe (') in an email address ... as a johnyo'rourke@somewhere.com had.

1
0

Their personal banking experience is a bit wanky too.

I have a passphrase, something that clearly should be memorable, and a password.

They ask me to enter the entirety of the passphrase (something that I can remember) and then only certain letters of the password.

The password is a randomly generated 42 char string. Working out the 2nd, 5th and last letters is always a pain...

...although it is made easier by the fact that they only ever ask me for the 1st-6th and the last, ignoring the intermediary 30 odd characters in the middle.

So I ended up changing my passphrase to a 42 char randomly generated string and the password is a memorable word. I'm sure next time I have to use their phone system they will ask me for my passphrase and having to read out that random string will be the end of me.

7
0

They're a bank

They haven't got a clue about security because they're a bank and banks' priority is not security.

5
0

cc Bank of England/Mark Carney ....... RSVPamfM

My conclusion is that HSBC is just shamefully bad.

I prefer to run with Shamelessly Fabulously Rad.

With IT is it a Virtual Gold Mining Operation. Are HSBC into CryptoCurrencies???

1
0

MarkMonitor Inc. Idaho USA

The question is who at HSBC decided to allocate domain registration to a company in Meridian, Idaho USA...

Domain: hsbc.uk

Registrar: Markmonitor Inc

Name: HSBC Group Management Services Limited

Address: 8 Canada Square

London

E14 5HQ

United Kingdom

Domain: markmonitor.com

Registrar: MarkMonitor Inc.

Organization: MarkMonitor Inc.

Street: 3540 East Longwing Lane, Suite 300

City: Meridian

State: ID

Postal Code: 83646

Country: US

1
1

Re: MarkMonitor Inc. Idaho USA

So? I bet the majority of uk domains use UK registrars.

In addition, markmonitor specialise in checking/investigating/registering similar domains for companies to avoid phishing and other scams.

They also have a large physical presence in London, if that makes you happier.

A good idea to use them, no?

I presume you've never heard of them: https://www.markmonitor.com/company/

Not to worry, over half the fortune 500 have: https://www.markmonitor.com/customers/brand-protection-real-life-customer-success

1
0

Re: MarkMonitor Inc. Idaho USA

"So? I bet the majority of uk domains use UK registrars."

Well for instance, if I wanted to execute a DNS hijack against HSBC, no one at HSBC would notice. The site says 'Fighting financial crime with HSBC Safeguard'. Obviously not applying the magic sauce to themselves.

"markmonitor specialise in checking/investigating/registering similar domains for companies to avoid phishing and other scams."

Is it wise relying on some under-paid third party intern in India for your Internet Banking security?

0
0

Since we're all having fun criticising HSBC, I'm just going to leave this here.

4
0

Biting the hand that feeds IT © 1998–2017