HSBC biz banking crypto: The case of the vanishing green padlock and... what domain are we on again?

HSBC has been faulted for redirecting business customers to a website that is not obviously secure. Rob Jonson, director of Hobbyist Software, who alerted us to the issue, was concerned that he'd fallen victim to a phishing scam. I logged into my HSBC business account, and the site failed to give me any info. Then I looked …

  1. Paul Woodhouse

    sooo,..... not so much a FAIL as a bit of a cock up then...

    1. Anonymous Coward

      As a former HSBC Drone, I'm hardly surprised. As much as possible is done in their "Global Service Centres", where, in my experience, the employees are hard working but are completely unable to think for themselves.

      There's a reason they're referred to as How Simple Becomes Complicated.

      1. Aqua Marina

        "where, in my experience, the employees are hard working but are completely unable to think for themselves"

        I spent about 6 months trying to open an account with them. The account kept getting declined repeatedly for the same ludicrous reason. My passport had my middle name on it, my bills didn't. It wasn't possible to get my middle name on the bills because it would have taken me over the maximum character limit. They wouldn't accept initials either. It was ridiculous, the bank manager kept trying to push it through, but a week later each time I got an automated letter back saying my proof of ID didn't match. After 6 months I went to Barclays. They only looked at my passport to confirm my ID, account was open same day.

        1. AMBxx Silver badge

          My keypad needs replacing (flat battery). I've been trying to get through on the phone all week. Shit bank.

          1. Little boy down the lane

            errr... buy some batteries?

        2. eionmac

          They also have great difficulty with UK native languages. Passport in English name, normal use name in a native language as the locals use their language. However, the 8-character limit on passwords is a big failing for a bank.

        3. h4rm0ny

          This is the bank that is now trying to push Voice Recognition as a way to authenticate yourself for online banking, so little in the way of security idiocy surprises me.

  2. Charlie Clark Silver badge

    Bouncing around the domains

    This is the biggest problem I see with any kind of web-based login and is really an accident waiting to happen.

    1. I ain't Spartacus Gold badge

      Natwest used to do this. Which is even worse, as one minute you'd be on a Natwest domain, and the next an RBS one. Which could be just incredibly confusing if you don't realise they're the same banking group - and is just a stupid thing to do if you want to encourage customers to watch out for security.

  3. chivo243 Silver badge
    Headmaster

    The eight-character limit is pretty bad?

    I thought a 9-character limit was bad in 2009... My how the times have changed?

    1. druck Silver badge

      Re: The eight-character limit is pretty bad?

      Think of it more as a PIN than a password, as the app only shows you what you can see on screen at a cash point.

  4. Lee D Silver badge

    Yep. HSBC force me to use a cut-down version of my proper secure password because otherwise it's "too long". Their app isn't that great either. And though I moved to the smartphone app to generate codes, that was a debacle and a half. I didn't have a dongle so I couldn't change to the app, resulting in them sending me a dongle and then me having to use that to activate the app. When they didn't work, they deactivated the dongle and then they started telling me to "just enter the code from the dongle into the app" "the one that's deactivated now" "Yes" "Surprisingly that doesn't work" "No problem, just log in and order another." "Cool... how do I log in now that the dongle is deactivated..." "Er..."

    I haven't touched their website in years because it was a mess of domain-bounces even then (click a service and it would often kick you out to some other website to show you what loans/etc. they do and then you'd have to deal with all the warnings and then log yourself back in).

    People wonder why banks are hated - I literally never have these kinds of issues dealing with places like pre-pay credit card companies, or even things like PayPal.

    1. DJ Smiley

      No one ever logged into a banking site, to give said banking site more money, only ever to take it away.

      Suddenly the fact they don't work very well is obviously never going to get fixed, as it'll never drive any more profits.

      1. Richard 12 Silver badge

        Banking services are the act of collecting money then disbursing it.

        Consumers do the latter a lot more than the former, businesses tend to be more even.

        If the latter is hard to do, people leave the bank and go somewhere else, taking all the money with them.

        If more than maybe 20% do so, the bank goes bust.

      2. Uberseehandel

        Not true, actually: I can photograph cheques and pay them into my account.

    2. Ben Tasker

      "And though I moved to the smartphone app to generate codes, that was a debacle and a half. I didn't have a dongle so I couldn't change to the app, resulting in them sending me a dongle and then me having to use that to activate the app. When they didn't work, they deactivated the dongle and then they started telling me to "just enter the code from the dongle into the app" "the one that's deactivated now" "Yes" "Surprisingly that doesn't work" "No problem, just log in and order another." "Cool... how do I log in now that the dongle is deactivated...""

      Heh, try sticking with the dongle.... I won't use the pile of crap that is their app, so want to stick with the dongle. Except, you can no longer order a replacement (when the battery gets low) through Internet Banking. Their site says to send them a secure message through Internet Banking to request a new one, so OK.... And you get the following response back

      "I regret that I am unable to replace the secure key via this messaging service. We were able to send replacement keys through the secure messaging service, however due to a change in policy and for security reasons we can no longer do this."

      Instead you've got to phone them. So I can't order a replacement dongle using a service that I need access to the physical token in order to use, because that's insecure, but I can phone them and just give them my internet banking creds to do so.

      Clearly I know the creds as I'm logged into Internet Banking to send the message, so all they're actually doing is removing a layer of security.

    3. Anonymous Coward

      Their online banking service is utterly dreadful.

      Try paying an HSBC credit card bill from an HSBC current account without resorting to a) swearing, and b) finally giving in and using the online chat to talk to a human being.

      1. OurAl

        And yet with First Direct such online transactions are seamless. I wonder why one company has two such different computer systems.

  5. Charlie Clark Silver badge

    The eight-character limit is pretty bad, however, there are multiple layers of security to prevent brute force attacks from the front-end.

    With only eight characters to play with I'd expect clever crooks to have a pretty good idea of a mark's password before they start and not need to worry about brute-forcing. The FSA or the BoE really ought to be all over this.

    1. N2
      Trollface

      only eight characters...

      The FSA or the BoE really ought to be all over this.

      Agreed, but that would involve actually doing something, or someone

  6. Anonymous Coward

    "We've asked HSBC for comment and will update when we hear back. ®"

    Please don't hold your breath. I'm still one of their customers, and have asked them many times about their website issues (if only it were limited to http:// redirections...). Never heard back anything meaningful.

    Ah, not exactly: not long ago, I was on the phone with their support, the website started misbehaving and kicked me out (a frequent occurrence), so I told the guy. He answered, I'm barely paraphrasing here: "It works for me, so there's no problem".

    I'm looking for a new bank.

    1. Anonymous Coward

      Re: "We've asked HSBC for comment and will update when we hear back. ®"

      The problem is they're all as bad as each other, development governed by the lowest common denominator: cost.

      It's also what happens when software development for retail banking customers is deemed "not revenue generating" and all the main (high budget) effort goes into commercial banking as that's where the profits are made, or software designed to stop government fines being applied for whatever they've been caught for this time.

      Did nearly 20 years in IT there and still a customer! Sometimes it's better the devil you know.

  7. Chewi

    Android app

    I suspect the app has a token as well as the short password so guessing the password alone wouldn't be enough. I've not messed about with it to find out though as I had enough trouble getting my account to work in the first place.

    As for sending funds through the app, I still can't figure out how you allow that. I send funds through the web site all the time but my recipient list in the app is always empty.

  8. Anonymous Coward

    It gets worse

    I regularly find the same password letter challenges all day, so I can log in 20 times and have to provide the 1st, 3rd and last letters each time.

    Then there is the cross site scripting on the password challenge that I yelled at them about last year - although at least that seems to have been sorted.

    Then there is the fact you have to enable the "Liveperson" script for the business password challenge to even work, but no warnings about script failure, just a message saying the password is wrong.

    And they wonder why I won't let them download their "security" crapware and "enhance" my security.

  9. Irongut

    worrying that I had clicked on a bad link from Google

    What kind of idiot has to Google the url for their bank? Especially when it's the obvious hsbc.co.uk. I could have guessed at that one and I've never been a customer.

    1. Anonymous Coward

      Re: worrying that I had clicked on a bad link from Google

      The whole thing is a non-story. There's been no security breach.

      "secure web page links to unencrypted landing page of something else."

      shock horror.

      Tell me, if your sites use https, does that mean you'll only link to other sites that are also https?

      1. VinceH

        Re: worrying that I had clicked on a bad link from Google

        "The whole thing is a non-story. There's been no security breach."

        There's no suggestion of a security breach - the point is that the person who reported this saw the change of URL and became worried that something was wrong. And he was right to be concerned. Banks should not do this.

      2. gnasher729 Silver badge

        Re: worrying that I had clicked on a bad link from Google

        "Tell me, if your sites use https, does that mean you'll only link to other sites that are also https?"

        Let me explain that.

        There are hackers out there who try to get your banking data. They can't if you are careful enough. For example, if you go to https://www.mybank.com then you know one hundred percent that you landed at www.mybank.com (apart from the fact that you also know that nobody can read what goes on between you and that site). If you go to http://www.mybank.com, then not only is it not encrypted, which is bad for a banking app, but you don't know for sure that the website you reached is actually www.mybank.com. That's why you should never, ever trust an http site.

        Now if your bank redirects you to an http site, then it is redirecting you to a site THAT YOU SHOULD NOT TRUST. As a user, you then have two choices: Don't trust the site, which means you cannot use some service that the bank provides, or trust the site, which means you are possibly trusting some dangerous criminals. No bank should ever do this. If your bank does that kind of shit, then you should change banks.

        In addition to being awful in itself, that kind of behaviour also means you can't trust any software created by the developers that this bank is using. If they get basic things wrong like that, what else did they get wrong?
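As an added illustration of the point gnasher729 makes above (this is not code from the article or from any commenter, and the hostnames in it are made up), the following Python walks a redirect chain and flags exactly the three things a bank customer should never see: a hop served over plain http, an https-to-http downgrade, and a change of registrable domain between hops. The sample chain is constructed for the demo. collect_chain() is an optional helper that gathers a live chain via urllib; it only sees HTTP 3xx redirects, not JavaScript or meta-refresh hand-offs, and needs network access, so the offline audit runs against the constructed list.

```python
from urllib.parse import urlsplit
import urllib.request

# Constructed sample chain modelled on the article's scenario: an https login page that hands
# off to a cleartext page on another domain. Hostnames are placeholders, not HSBC's real ones.
SAMPLE_CHAIN = [
    "https://www.business.example-bank.co.uk/login",
    "https://www.business.example-bank.co.uk/redirect?to=landing",
    "http://landing.example-marketing.com/business-banking",
]

# Stand-in for the Public Suffix List so that b.example.co.uk and example.co.uk compare equal.
# A real check should load the full list (publicsuffix.org) instead of this handful.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname, e.g. www.hsbc.co.uk -> hsbc.co.uk, a.b.example.com -> example.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def audit_chain(chain):
    """Walk an ordered list of URLs and report, per hop, a cleartext hop, an https->http
    downgrade, or a change of registrable domain. Returns a list of (hop, kind, detail)."""
    findings = []
    prev = None
    for i, url in enumerate(chain):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append((i, "unparseable", url))
            continue
        if parts.scheme == "http":
            findings.append((i, "cleartext", url))
        if prev is not None:
            if prev.scheme == "https" and parts.scheme == "http":
                findings.append((i, "downgrade", f"{prev.hostname} -> {parts.hostname}"))
            before, after = registrable_domain(prev.hostname), registrable_domain(parts.hostname)
            if before != after:
                findings.append((i, "domain-change", f"{before} -> {after}"))
        prev = parts
    return findings


class _RecordingRedirects(urllib.request.HTTPRedirectHandler):
    """Logs every Location header urllib follows, so a live chain can be fed to audit_chain()."""

    def __init__(self, log):
        super().__init__()
        self.log = log

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.log.append(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def collect_chain(start_url: str, timeout: float = 10.0):
    """Fetch a URL and return the HTTP-level redirect chain (needs network; not used offline).
    JavaScript or <meta refresh> hand-offs, which sites also use, are not captured."""
    log = [start_url]
    opener = urllib.request.build_opener(_RecordingRedirects(log))
    with opener.open(start_url, timeout=timeout):
        pass
    return log


if __name__ == "__main__":
    for hop, kind, detail in audit_chain(SAMPLE_CHAIN):
        print(f"hop {hop}: {kind}: {detail}")
```

Run against the constructed chain, the third hop produces all three findings at once; against a real bank, feed collect_chain("https://...") into audit_chain() and expect an empty list.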

    2. VinceH

      Re: worrying that I had clicked on a bad link from Google

      "What kind of idiot has to Google the url for their bank?"

      Quite - and what's surprising to me is that (thanks to my own stereotyping of people) I'm surprised he noticed the URL change precisely because he apparently used Google to find the bank's website.

    3. Anonymous Coward

      Re: worrying that I had clicked on a bad link from Google

      Searching your bank's URL may extend beyond the domain of fools.

      Let's say the user types hscb.co.uk accidentally, that could be rented by "close but not quite Ltd" with a redirect to a pre-prepared phishing site. For example, using hsbc but with Cyrillic characters.

      The search gives a better chance of spotting the typo before committing to a site.
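An added example, not part of the thread: two quick checks a practitioner would run on a candidate domain before trusting it, covering both cases the comment above raises. The first flags labels that mix Unicode scripts (the Cyrillic look-alike trick; the two Cyrillic letters in the sample, U+0455 and U+0441, are my choice, as the comment does not name any) and shows the punycode form the resolver actually sees; the second measures edit distance to the brand name so a transposition such as hscb is caught. Only the Python standard library is used; the brand string 'hsbc' is taken from the comment.

```python
import unicodedata


def label_scripts(label: str) -> set:
    """Coarse script classification from Unicode character names, e.g.
    'CYRILLIC SMALL LETTER ES' -> 'CYRILLIC'. Digits and hyphens are ignored as common."""
    scripts = set()
    for ch in label:
        if ch in "0123456789-":
            continue
        try:
            scripts.add(unicodedata.name(ch).split(" ")[0])
        except ValueError:  # unassigned code point
            scripts.add("UNKNOWN")
    return scripts


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'hscb' is one edit away from 'hsbc'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def assess(domain: str, brand: str = "hsbc") -> dict:
    """Flag look-alike domains: mixed-script labels (homographs) and a first label within
    edit distance 1 of the brand (typosquats). Also returns the ASCII (punycode) form, which
    is what should be compared against the registered domain, not the pretty rendering."""
    labels = domain.lower().rstrip(".").split(".")
    first = labels[0]
    mixed = [lbl for lbl in labels if len(label_scripts(lbl)) > 1]
    distance = osa_distance(first, brand)
    return {
        "ascii": domain.encode("idna").decode("ascii"),
        "mixed_script_labels": mixed,
        "brand_distance": distance,
        "suspicious": bool(mixed) or (first != brand and distance <= 1),
    }


if __name__ == "__main__":
    # Constructed candidates: the genuine domain, the transposition from the comment, and a
    # homograph with Cyrillic dze (U+0455) for 's' and Cyrillic es (U+0441) for 'c'.
    for candidate in ["hsbc.co.uk", "hscb.co.uk", "h\u0455b\u0441.co.uk"]:
        print(candidate, assess(candidate))
```

The homograph shows up as an xn-- label in the ASCII form, which is why checking the punycode rather than the displayed string is the reliable test; the transposition shows up as brand_distance 1 with no script mixing at all.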

    4. Mephistro
      Holmes

      Re: worrying that I had clicked on a bad link from Google

      It could be that he simply typed hsbc in the address field expecting Google to fill the rest of the address based on his former visits to that page. When he noticed the domain change and the http: header, he probably thought that Google had served him a tainted address instead.

      This seems to fit well with Mr. Jonson being an IT guy.

      1. VinceH

        Re: worrying that I had clicked on a bad link from Google

        1) Do not have the address bar double up as a search bar.

        2) Do not have the browser suggest URLs from the browser history - bookmarks/favourites only.

        Put the sites you do want to use on a regular basis in your favourites/bookmarks.

        With the browser set like that, typing HSBC into the address bar will always result in the correct domain coming up.

  10. Anonymous Coward

    Limits on password

    Halifax (which IIRC is part of HSBC) don't even use case sensitivity, however you can have a longer than 8 char password, just who wants to try and remember where you put the capital letters in PaSSwoRD123...

    1. Aladdin Sane

      Re: Limits on password

      Halifax was part of HBOS, now Lloyds Banking Group.

  11. Halcin

    People are Strange

    People will spend hours, days, weeks bitching about the crap service they get from a company. Why should that company care what you think? They have your money!

    The ONE and ONLY time a company will care is when you STOP giving them your money. Yes but nothing. Instead of wasting your time bitching, use that time to take your money elsewhere. It's only difficult if you insist on making it difficult. Yes but nothing. It's your money, you decide. you give the instructions.

    1. Doctor Syntax Silver badge

      Re: People are Strange

      "use that time to take your money elsewhere"

      Good advice but sooner or later you run out of elsewheres.

  12. Anonymous Coward

    The Secure Key being limited to 8 characters must only apply to the Business banking app (not entirely clear from the article) as mine is over double that in the consumer version.

    1. Charlie Clark Silver badge

      If we follow that logic: legislation for seatbelts in cars would never have been required as safety conscious consumers would have only bought cars with them.

      No market is perfect which is why we have regulation. Due to the systemic nature of banks, the banking market is even less competitive (the barriers to entry are higher) than other industries. And if the onus is not on the bank to provide security by making them liable for losses incurred by fraud, then they have little incentive to improve things.

      That said: I avoid all apps and websites for online banking and use only HBCI.

    2. Wensleydale Cheese
      Unhappy

      "The Secure Key being limited to 8 characters must only apply to the Business banking app (not entirely clear from the article) as mine is over double that in the consumer version."

      Are you sure about that?

      Back around the turn of the century I thought I was using a 12 character password for my ISP, but as I later discovered, it was silently ignoring all but the first 8 characters.

  13. JimmyPage Silver badge
    Stop

    2009 ?????

    8 character passwords were obsolete in 1989 ....

    As an aside, has anyone else encountered that wonder of design: the website that doesn't know the rules for the database ?

    There has been more than one "professional" website I have come across where the database fields allow [x] characters. But the login page only allows [y] where [y]<[x].

    You'd think that the account creation or change password pages would be the same .... only they're not.

    Result: no one with a password > [y] can log in.

    1. Charlie Clark Silver badge

      Re: 2009 ?????

      Depends a bit on the logic. Frontends should contain hints about fields but not necessarily all relevant constraints. A good frontend will validate as much as possible inline and might include additional constraints that are not in the schema. Specifically regarding passwords: if you're only ever storing the salted hash this will be bound to be different in length.

      But, of course, the login should be implemented as a testable service with a detailed API… I think you've lost > 90% of the web monkeys with that kind of requirement.
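An added example (not from any commenter) putting the last few comments into code: Wensleydale Cheese's ISP that silently ignored everything past the eighth character, Charlie Clark's point that a salted hash is fixed-length whatever the password, and JimmyPage's registration page that accepts [x] characters while login accepts only [y]. The truncating function is a model of that behaviour written for the demo, not a real crypt(3) implementation; the salt, iteration count and limits are constructed constants.

```python
import hashlib
import hmac

# Constructed demo constants. Real code uses a random per-user salt and a tuned cost; a fixed
# salt is used here only so the results are reproducible.
SALT = b"constructed-demo-salt"
ITERATIONS = 50_000


def legacy_truncating_hash(password: str, salt: bytes = SALT) -> bytes:
    """Models the 8-character behaviour described above (and classic crypt(3) DES): everything
    after the 8th byte is silently thrown away before hashing, so a 12-character password
    offers exactly the protection of its first 8 characters."""
    return hashlib.sha256(salt + password.encode("utf-8")[:8]).digest()


def kdf_hash(password: str, salt: bytes = SALT) -> bytes:
    """Salted, iterated hash of the *whole* password. The output is always 32 bytes, so the
    stored value's length has nothing to do with the password's length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def silently_truncates(hash_fn) -> bool:
    """Black-box check for hidden truncation: two passwords that agree on their first 8
    characters but differ afterwards must never produce the same stored value."""
    return hmac.compare_digest(hash_fn("Tr0ub4d0r&3"), hash_fn("Tr0ub4d0rXYZ"))


# The front-end/back-end mismatch described above: [x] at account creation, [y] < [x] at login.
REGISTER_MAX = 12
LOGIN_MAX = 8


def register(password: str) -> bytes:
    """Account-creation page: enforces REGISTER_MAX, then stores the KDF output."""
    if len(password) > REGISTER_MAX:
        raise ValueError(f"password longer than {REGISTER_MAX} characters")
    return kdf_hash(password)


def broken_login(password: str, stored: bytes) -> bool:
    """Login form enforces a tighter limit than registration did, so anyone whose password is
    9..12 characters long is locked out even though the stored hash is perfectly good."""
    if len(password) > LOGIN_MAX:
        return False
    return hmac.compare_digest(kdf_hash(password), stored)


def fixed_login(password: str, stored: bytes) -> bool:
    """Same limit as registration (the only limit worth having is a generous DoS cap), then a
    constant-time comparison against the stored hash of the full password."""
    if len(password) > REGISTER_MAX:
        return False
    return hmac.compare_digest(kdf_hash(password), stored)


if __name__ == "__main__":
    print("legacy truncates:", silently_truncates(legacy_truncating_hash))
    print("kdf truncates:   ", silently_truncates(kdf_hash))
    stored = register("abcdefghijk")  # 11 characters: accepted at registration
    print("broken login:", broken_login("abcdefghijk", stored))
    print("fixed login: ", fixed_login("abcdefghijk", stored))
```

silently_truncates() is the test worth running against any service you suspect of an 8-character limit: register with one password, then try logging in with a different one that shares the first eight characters. If it works, the comment above about the ISP applies.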

      1. Boothy

        Re: 2009 ?????

        I've had similar with emails with + chars in them (essentially an alias).

        Create a new account, + is fine, log in, no issue, then get to some internal settings page that includes the email, and it refuses to accept the +! So edit the + out, save settings, then go to the main admin page and change the email back again, as that page is fine with the +!

        Promptly followed by two emails arriving asking me if it was me that changed the address!

        1. Anonymous Coward

          Re: I've had similar with emails with + chars in them

          Best one I had was some hand-rolled code (because no one could possibly write a better version) which "validated" email addresses. Only it did it according to the author's idea of an email address, rather than the RFC.

          Now, it may be deprecated. It's certainly not advisable. But it's perfectly valid to have an apostrophe (') in an email address ... as a johnyo'rourke@somewhere.com had.

  14. LewisRage

    Their personal banking experience is a bit wanky too.

    I have a passphrase, something that clearly should be memorable, and a password.

    They ask me to enter the entirety of the passphrase (something that I can remember) and then only certain letters of the password.

    The password is a randomly generated 42 char string. Working out the 2nd, 5th and last letters is always a pain...

    ...although it is made easier by the fact that they only ever ask me for the 1st-6th and the last, ignoring the intermediary 30 odd characters in the middle.

    So I ended up changing my passphrase to a 42 char randomly generated string and the password is a memorable word. I'm sure next time I have to use their phone system they will ask me for my passphrase and having to read out that random string will be the end of me.

  15. anthonyhegedus Silver badge

    They're a bank

    They haven't got a clue about security because they're a bank and banks' priority is not security.

  16. amanfromMars 1 Silver badge

    cc Bank of England/Mark Carney ....... RSVPamfM

    My conclusion is that HSBC is just shamefully bad.

    I prefer to run with Shamelessly Fabulously Rad.

    With IT is it a Virtual Gold Mining Operation. Are HSBC into CryptoCurrencies???

  17. Anonymous Coward
    Facepalm

    MarkMonitor Inc. Idaho USA

    The question is who at HSBC decided to allocate domain registration to a company in Meridian, Idaho USA ..

    Domain: hsbc.uk

    Registrar: Markmonitor Inc

    Name: HSBC Group Management Services Limited

    Address: 8 Canada Square

    London

    E14 5HQ

    United Kingdom

    Domain: markmonitor.com

    Registrar: MarkMonitor Inc.

    Organization: MarkMonitor Inc.

    Street: 3540 East Longwing Lane, Suite 300

    City: Meridian

    State: ID

    Postal Code: 83646

    Country: US

    1. Jamie Jones Silver badge
      Facepalm

      Re: MarkMonitor Inc. Idaho USA

      So? I bet the majority of uk domains use UK registrars.

      In addition, markmonitor specialise in checking/investigating/registering similar domains for companies to avoid phishing and other scams.

      They also have a large physical presence in London, if that makes you happier.

      A good idea to use them, no?

      I presume you've never heard of them: https://www.markmonitor.com/company/

      Not to worry, over half the fortune 500 have: https://www.markmonitor.com/customers/brand-protection-real-life-customer-success

      1. Anonymous Coward

        Re: MarkMonitor Inc. Idaho USA

        "So? I bet the majority of uk domains use UK registrars."

        Well for instance, if I wanted to execute a DNS hijack against HSBC, no one at HSBC would notice. The site says 'Fighting financial crime with HSBC Safeguard'. Obviously not applying the magic sauce to themselves.

        "markmonitor specialise in checking/investigating/registering similar domains for companies to avoid phishing and other scams."

        Is it wise relying on some under-paid third party intern in India for your Internet Banking security?

  18. VinceH

    Since we're all having fun criticising HSBC, I'm just going to leave this here.

    1. JimmyPage Silver badge
      Pint

      @VinceH

      I applaud your dedication and zeal. But don't you sometimes wonder if it's actually worth it ? Especially with such a spectacularly useless shower as HSBC (or BT, or Virgin, or Barclays ....)

      Have one of these, you'll feel better ->

      1. VinceH

        Re: @VinceH

        *shrugs*

        In this case, complaining vocally about HSBC on Twitter resulted in a telephone conversation with someone at HSBC (who I referred to that post), and being paid £50 compensation.

        I need to do a follow-up post at some point, in which that'll get mentioned, but I want to know what the ICO did, so I'm keeping half an eye on the ICO website to see if any outcome pops up there, now that they say they won't notify complainants.

        FWIW, the issue was that there was a disconnection between their 'no spam please' settings in their online banking website, and the database they used for marketing, which has its own settings. It took the guy I spoke to logging in to his own account to see his settings versus those in the database to establish that.

  19. sitta_europea Silver badge

    HSBC - The World's Local Bank.

    I live in Alfreton. One day when I was due to catch a train to Sheffield from Alfreton station I didn't have time to get to the Alfreton branch of HSBC to pay salary cheques into some employees' accounts, so I thought I'd just pay them in at a branch in Sheffield.

    So I popped into the branch at 251 Fullwood Road, Sheffield and handed over the cheques.

    The girl at the counter said, "Ooohh, you can't do that here, you have to do it at your own branch".

    I invited her to swivel her seat around and read out to me what it said in large red letters on the wall behind her (something about "The World's Local Bank").

    She fetched her manager.

    We had a conversation.

    They took the cheques.

    Last July they closed the Alfreton Branch.

    They still haven't implemented DNSSEC for their domains.

  20. Chris 3
    Mushroom

    HSBC trains its customers to be phished.

    I’ve been having a back and forth with HSBC about the text messages that they send you, if they believe that your card has been compromised.

    You get a text from a random number, purporting to be from HSBC telling you to phone another random number urgently to discuss your account.

    That number isn't a publicised number. Moreover, even if you search for it on the HSBC website to check if it is legit, nothing turns up.

    I’ve had several arguments, but am unable to get through to anyone who seemingly understands.

    Yes, I understand that you may not want to publicise the number on the site, but at least arrange things so that if a customer checks, the search function returns a page saying 'yes, this is a legit number for the department'.

    To add insult to injury, HSBC keeps sending me marketing brochures explaining how important it is that I keep a look out for phishing attempts.

    Is there anyone? FSA, ombudsman who would be interested in this issue? It’s only a matter of time before someone is spoofed and loses money.

  21. Anonymous Coward

    To be fair to HSBC.

    They do at least understand that someone born in China might possibly have a UK passport.

    I spent 3 months trying to hammer that into Natwest.

    (Account application for my wife)

    Place of Birth = blah, blah, China

    Please provide copy of your Chinese passport.

    I am a naturalised UK citizen, here is my UK passport.

    Please provide a copy of your Chinese passport.

    China doesnt allow dual citizenship, here is my UK passport.

    Please provide your Chinese passport.

    I DONT HAVE A FRIGGING CHINESE PASSPORT, I AM A UK CITIZEN!!!

    Please provide your Chinese passport.

    AAAAAAAAAAAAARRRRRRRRRRRGGGGGGGGGH!!!!!!!

    1. razorfishsl

      Re: To be fair to HSBC.

      If you were born in China , you will have a Chinese passport... how else did you get out?

      Or are you one of these Chinese that carries multiple passports and swaps at immigration, only to get caught out crossing the Shenzhen border, when they do a bag search?

      1. SImon Hobson Bronze badge

        Re: To be fair to HSBC.

        Try reading CAREFULLY.

        Would have HAD (past tense) a Chinese passport at some point, when becoming a naturalised UK citizen the person would only have a UK passport.

  22. Anonymous Coward

    Bouncing domains - Http vs. Https - UI inconsistency

    HSBC, a bank that's aggressively pushing Banking Biometrics, go figure! Anyone noticed more domain bouncing / Http vs. Https switching, after so much corporate consolidation and mergers and acquisitions etc...???

    Airlines etc... You login securely / insecurely only to be taken to another site that's the complete reverse. Often the older airline site, where you have to enter all your details unencrypted just to pick a seat / print a boarding pass...

    WTF corporations...??? Wake up- Politicians! We need legislation / fines / GDPR urgently... This is what happens when you shitcan tech staff and outsource everything! Just so the master-of-the-universe 'CEO' gets paid!

  23. razorfishsl

    Yep, these dumb MOFOs did the same in HK.

    new web interface for banking, then redirecting to a non-HSBC site to ask "how was your experience"

    in a separate window OVER the HSBC site.

    Are you F***ing insane? So I cracked open my developer tools to take a look at their new page source

    Well, at least they have removed all their todo & bug reports out of the javascript, but clearly they are making savings on their web developers.

  24. This post has been deleted by its author

  25. Anonymous Coward

    Their banking website is a pile of manure anyway. Industry standard - credits and debits in different columns so it's easy to see the ins and outs; HSBC site - put them in one column to make it as hard as possible. Industry standard - show sort codes in nn-nn-nn format; HSBC site - refuse to accept anything but nnnnnn and "helpfully" tell me that no I can't copy & paste the information so "don't do it".

  26. Galit

    Detecting such email phishing scams

    I may be biased, but people can detect fraudulent emails and avoid falling for phishing scams by installing the Chrome extension Scam Block Plus, which is free for private users. In this particular case, since it was a dummy site pretending to be the HSBC website, one wouldn't have been able to enter his personal details.

  27. Steve Graham

    8-char password

    Limits on password size often mean that the programmer has reserved a fixed space to store it. Unencrypted.
