"out of an abundance of caution"
They possibly decided to wait a month before notifying affected customers?
Would be interesting if any of the US customers turn out to be European.
HSBC has admitted miscreants have probably made off with personal details of thousands of its online-banking customers. The bank submitted paperwork [PDF] to the California Attorney General's office late last week outlining its plan to notify folks of the significant data theft. California law requires that the AG be notified …
I would guess a higher than average proportion of their customers will be European. People move to the US, and pick HSBC because the recognise the name from their home country. Also, if you are moving to the US, you can open a US account from your local branch and have it ready for when you arrive.
So how long does it take you to tell me that there has been a (failed) attempt to log in to my account? or any attempt from an unrecognised device/location?
If the answer is anything longer than 5 minutes then I'm sorry, but there is no rotation frequency I can use that will protect either of us.
If the answer is under 5 minutes then that's great, that's when I need to consider password rotation...
On my HSBC account, you can get in to the account without the 2FA token, and you can make payments to existing payees. But if you want to transfer money to someone you've never paid before, you need the token.
Without the token, they won't be able to steal any money, but they can still look.
Without the token, they won't be able to steal any money, but they can still look.
And that's quite sufficient to cause a lot of problems. I complained to HSBC when they suddenly reduced their security and got one of the most patronising brush-offs I've ever had. I suggested they make the downgraded security ("which our customers love for its convenience, please install our mobile phone app") optional, but not a chance.
This is BANKING .... security is not important so long as the appearance of security is there and the GUI looks attractive. If it "looks" secure then nobody cares ... let's face it, 2FA is actually 2 times FA when they send the "authorization" code the the phone running the mobile app.
I just removed my bank app from my phone and called the support center to cancel all digital access - it does feel a lot more secure now.
It's unforgivable that banks do not enforce two factor authentication when customers access their services comprising something the customer has (e.g. mobile phone / token / card reader) and something the customer knows (e.g. password / PIN) so that even if one factor is compromised the customer is still protected.
It's also unforgivable that the fines levied by the financial authorities on companies that lose customer data are simply kept by those authorities rather than re-invested in those companies to fix the security problems that allowed those companies to lose the data in the first place. The bigger the data loss = the bigger the fine = the bigger the investment in fixing it.
@severus "It's unforgivable that banks do not enforce two factor authentication..."
I'd very much like to agree with you but the general public think 2FA is a time consuming annoyance, to the point where people even change provider to avoid it.
As far as I am concerned its a 2FA is great, but good luck in making it the norm. Don't forget that with "open banking" people are even authorising third parties to operate banking on their behalf. Technically, fairly secure but the more doors you have into your account the more likely one of them is to be compromised.
People seem to have forgotten that digital currency is still currency just like old school cash but its now just an "app".
the general public think 2FA is a time consuming annoyance
I agree, but I'd rather be slightly annoyed for a few moments while I find and use my 2FA token - much better than being majorly annoyed when some remote spiv rolls my account for everything in it and steals all my credentials. Until technology really improves, the public will have to suck it up if they want to be safe.
So how many tokens do you carry around with you? I would change banks if I had to carry around a card-reader or token just to do everyday transactions
That, I think, is a big part of the problem/annoyance. If they'd all just agree to use something standard, whether a U2F token, TOTP or something else like that so that I can carry one dongle to rule them all it'd be much simpler.
I'd also be less worried about losing/breaking it because I could buy a second one and register it then keep it somewhere safe.
I do use 2FA, but the banks seem to have done a wonderful job of making it as inconvenient as possible without actually gaining much over other routes they could go.
Hell, some of them (cough HSBC) are trying to make it worse. When the battery ran low on my dongle, I had to fight them to get a new one because they wanted me to install their crapware on my phone to generate codes instead. And the HSBC app aint just a code generator, it's full access to your account. Fuck.... Right.... Off.
'That suggests the accounts were accessed using so-called credential stuffing'
I don't think it does. Its just as plausible that the bank is trying to imply they haven't messed up.
The quote should probably be
"We are reminding our customers to protect access to their banking accounts by regularly changing their passwords, by using unique passwords they are not using elsewhere, and by switching to another bank"
In common with many small businesses they have decided to close my business account soon. They're trying to be seen to distance themselves from laundering of except
* If I really wanted to launder money I'd possibly use HSBC as they're pretty good at it
* I get some of my income from HSBC (specialist network equipment)
* Depending on what you measure my track record with the Midland back goes back more than thirty years and the businesses's twenty something
Good riddance to them.
"Depending on what you measure my track record with the Midland back goes back more than thirty years and the businesses's twenty something
Good riddance to them."
My business only went back a bout 10 years but my track record went back 40 years to Midland days. And by the time I retired and no longer needed the business account I felt exactly the same way as you and took exactly the same step.
I am in no way defending banks here but online banking security has to be a shared responsibility.
I agree that all banks should use 2FA for access to online services, geo-location restrictions could be implemented but this needs to be a discussion between the user and the bank especially if the user travels a lot. Restricting which devices can access an account is another measure that is not difficult to implement.
However I also know that Joe Public on the whole does not like using 2FA. Joe Public has to wake up and realise that using the same password for all their Internet accounts is a bad idea and that 2FA is there to protect their data (and money).
that they were able to steal just from credentials stuffing.
I'm on the UK version of the website, if I log in without 2FA, the only information I'll be able to access is my account numbers, those of my payees, my transaction history and my postal address (the latter by downloading a statement). All other information (email address, DoB, phone number..) is protected by 2FA, so the security of the US website must be absolutely terrible if that's not the case.
If payee account information was also compromised, doesn't that mean that significantly more than 1% of HSBC's 1.4 million customers have been affected?
If you've ever been paid by someone with a compromised account, your details will very likely have been compromised too – they're saved automatically.
HSBC is the bank that decided Two-Factor Authentication was too much hassle for its customers and now only requires their dongle for things like setting up payments. You can login, view all sorts of financial information without it. They also, and this is the one that really gets me, are really pushing hard on voice authentication. Convince the machine you sound enough like the target and in you go!
Biting the hand that feeds IT © 1998–2019