HSBC websites fell in DDoS attack last night, bank admits

HSBC has blamed a denial of service attack for the downtime of many of its websites worldwide on Thursday night. Various Reg readers told us they were unable to reach the HSBC UK and First Direct websites on Thursday, leaving them unable to carry out internet banking services. Problems kicked in just before 20.00 BST and …

COMMENTS

This topic is closed for new posts.
  1. JaitcH
    FAIL

    I don't need no bloody DDoS, I've got a SecureKey which ...

    has denied me access to my HSBC accounts for TEN WEEKS.

    And to Merrilee D (Quality Assurance) in HSBC Vancouver who said: "Just for your information, our internet banking site has never been hacked or breached. Merrilee" Say again, Merrilee, I can't hear you!

    Of course, HSBC boasts of all its high-tech chappies who cut your connection if your IP changes during banking. Unfortunately they haven't heard that Win 7 can handle more than one Internet connection, as can our server.

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't need no bloody DDoS, I've got a SecureKey which ...

      > Say again, Merrilee, I can't hear you!

      It was a denial of service attack. The site was neither breached or hacked.

      > Of course, HSBC boasts of all its high-tech chappies who cut your connection if your IP changes during banking. Unfortunately they haven't heard that Win 7 can handle more than one Internet connection, as can our server.

      Good for your server and Win 7. I'll let you into a secret. HSBC's servers can also handle more than one connection from you (and on different IPs) but they choose not to. The reason they choose not to accept your IP address changing during a session is security. Admittedly, this decision will only protect against certain known attacks (and against some unknown) but it isn't the only security measure they apply.

      1. DF118

        Re: I don't need no bloody DDoS, I've got a SecureKey which ...

        The site was neither breached or hacked.

        Either/or

        Neither/nor

        </pedant>

      2. JaitcH
        WTF?

        Re: I don't need no bloody DDoS, I've got a SecureKey which ...

        I know what HSBC can do, mine was jumping from my home country to Hong Kong where our satellite service terminates/originates. Of course their servers can handle more than one connection from customers, but the fact is their so-called 'security' doesn't, or at least didn't, allow changing IP connections, which has annoyed many of their customers, which isn't exactly 'service'.

        They should accept that they, HSBC, have to adapt to customers not vice versa.

        Merrilee's quote was truncated.

        Various HSBC sites have been hacked over the years, not DDoS: February 2012, August 2011 and September 2009, for example. No intelligent computer user would say they are impervious to any attack - ask the US government.

        1. Anonymous Coward
          Anonymous Coward

          Re: I don't need no bloody DDoS, I've got a SecureKey which ...

          > They should accept that they, HSBC, have to adapt to customers not vice versa.

          The customer should accept that security comes at a price. HSBC have decided that their security model will not allow changing IP during a session. If you do not like this then you can change your bank for one that uses less security.

          1. the-it-slayer

            Re: I don't need no bloody DDoS, I've got a SecureKey which ...

            People forget that the SecureKey is a good trade-off. It doesn't rely on generating keys using the card (like Barclays, which is annoying - but I believe you can get the code generator as an app now?), but is secure enough that it acts as another level of authentication other than a password or you inserting specific characters of the password (which CapitalOne uses - which is relatively secure).

            I did wonder why I couldn't access it yesterday. Idiots.

            1. Vince

              Re: I don't need no bloody DDoS, I've got a SecureKey which ...

              Actually the Barclays solution is better because:

              (a) You can have multiple "PinSentry" devices - so you haven't got to carry it around.

              (b) There is an app to act as a pinsentry

              (c) You can also get "basic access" (at least on Premier you can), which lets you do basic stuff without the need for PINsentry at all.

              (the latter being what I use and hasn't caused me to lose my money through the oh-so-terrible fraud risk yet).

              1. the-it-slayer

                Re: I don't need no bloody DDoS, I've got a SecureKey which ...

                Not that I'm discounting the convenience of the PINSentry device being able to read all cards, but surely that makes it easier for someone to get into your account once they have your username and card? At least SecureKey is unique to the account AFAIK. Not difficult to attach it to your car keys or something you carry around a lot with you.

        2. Tom 38
          FAIL

          Re: I don't need no bloody DDoS, I've got a SecureKey which ...

          Sorry, your IP for your session was flapping between Hong Kong and (another unspecified country), and you think HSBC are the twats for logging you out?

    2. Vince
      FAIL

      Re: I don't need no bloody DDoS, I've got a SecureKey which ...

      Yeah thanks for the "SecureKey" I no longer check my account daily as I used to, because I would have to carry the sodding key about with me. As a result I just rely on the monthly statement, so if there is fraud then they'll not hear about it for some time (although the non-fraud they detect will no doubt continue).

      1. Arrrggghh-otron

        Re: I don't need no bloody DDoS, I've got a SecureKey which ...

        SecureKey is a pain in the arse... it prompted me to sign up for text alerts (a paid-for service) that texts me when something over £n goes in or out of my account, plus a weekly text statement. Good for keeping an eye on things. Shame the lower limit for transactions is => £20. Be warned if you decide to set it up: the call centre staff in India have no idea (or at least they didn't at the time) how the service works, and setting it up is painful if you get someone who speaks English but doesn't appear to understand it.

      2. Anonymous Coward
        Anonymous Coward

        Re: check my account daily

        I use the HSBC fast balance app for android which helps a lot, would be nice to be able to do a little more, like the mini-statement being for more transactions but alas.

        Still have to use the bloody secure key if I need to login and sort something out, though.

        // hate secure key

        // better than some other banks 'solutions' though

        1. Vince

          Re: check my account daily

          Yeah that's nice - you can see the balance of your "current" account. You can't see your Credit Cards. Or many other HSBC account types. Or see detailed transactions. That's er, useless.

    3. Vince

      Re: I don't need no bloody DDoS, I've got a SecureKey which ...

      Of course you could also configure your setup properly[1], so that a single session to a particular place is routed through the same link for its duration so this issue doesn't occur.

      [1] Given that this type of connection load balancing isn't exactly "proper", the "fix" is "proper" in the same sense.

      1. JaitcH
        Unhappy

        Re: I don't need no bloody DDoS, I've got a SecureKey which ...

        @Vince

        Why should a Customer have to adapt to a supplier?

    4. Anonymous Coward
      Anonymous Coward

      Re: I don't need no bloody DDoS, I've got a SecureKey which ...

      >>Of course, HSBC boasts of all its high-tech chappies who cut your connection if your IP changes during banking. Unfortunately they haven't heard that Win 7 can handle more than one Internet connection, as can our server.

      Actually, it was originally seen as a bug: when the IP changed, the proxy hashed the connection differently and sent it to a different load-balanced machine in the cluster, and because the session had absolute references, the session couldn't be shared between nodes (data couldn't be serialised), so the new node didn't recognise the session and logged you out. As this was seen as really tricky to fix (loads of locally cached data), some bright spark said, actually, let's pretend it's deliberate - "problem" goes away!
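The two mechanisms the thread argues about (a proxy that picks a cluster node by source IP with per-node session state, versus a session that is deliberately bound to the login IP) can be shown side by side. The following is an added example written for this page, not HSBC's code or anything posted by a commenter; the three-node cluster, the modulo-based node selection standing in for a proxy's IP hash, the two store classes and the documentation-range IP addresses are all assumptions made for the demonstration.

```python
import ipaddress
import secrets

# Hypothetical three-node cluster behind a proxy that picks a node by source IP.
NODES = ["node-a", "node-b", "node-c"]


def pick_node(client_ip, nodes=NODES):
    """Stand-in for source-IP hashing at the proxy: the integer form of the
    address modulo the node count. Real proxies use a proper hash, but the
    property that matters is the same: a different IP can land on a different node."""
    return nodes[int(ipaddress.ip_address(client_ip)) % len(nodes)]


class Session:
    def __init__(self, user, client_ip, bind_ip):
        self.id = secrets.token_urlsafe(32)   # unguessable session identifier
        self.user = user
        self.client_ip = client_ip            # IP seen at login
        self.bind_ip = bind_ip                # reject requests from any other IP


class LocalSessionStore:
    """Per-node store: a session created on one node is unknown to the others."""
    def __init__(self):
        self.by_node = {n: {} for n in NODES}

    def create(self, node, sess):
        self.by_node[node][sess.id] = sess

    def get(self, node, sid):
        return self.by_node[node].get(sid)


class SharedSessionStore:
    """Shared store (a replicated cache, say): every node resolves every session."""
    def __init__(self):
        self.sessions = {}

    def create(self, node, sess):
        self.sessions[sess.id] = sess

    def get(self, node, sid):
        return self.sessions.get(sid)


def login(store, user, client_ip, bind_ip):
    sess = Session(user, client_ip, bind_ip)
    store.create(pick_node(client_ip), sess)
    return sess.id


def handle_request(store, sid, client_ip):
    """Route as the proxy would, then validate the session on the chosen node."""
    node = pick_node(client_ip)
    sess = store.get(node, sid)
    if sess is None:
        return "logged_out:unknown_session@" + node     # the accidental logout
    if sess.bind_ip and sess.client_ip != client_ip:
        return "logged_out:ip_changed@" + node          # the deliberate one
    return "ok@" + node


def demo():
    """Constructed scenario: one client whose traffic flaps between two
    addresses (documentation-range IPs, not real hosts)."""
    home, hk = "203.0.113.10", "198.51.100.77"
    local, shared = LocalSessionStore(), SharedSessionStore()
    out = {}
    sid = login(local, "alice", home, bind_ip=False)
    out["local_same_ip"] = handle_request(local, sid, home)
    out["local_new_ip"] = handle_request(local, sid, hk)
    sid = login(shared, "alice", home, bind_ip=False)
    out["shared_new_ip"] = handle_request(shared, sid, hk)
    sid = login(shared, "alice", home, bind_ip=True)
    out["bound_new_ip"] = handle_request(shared, sid, hk)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

With the per-node store the second address is routed to a node that has never seen the session, which is the "bug" version of the logout; with the shared store the same request succeeds, and only the explicit `bind_ip` check produces a logout, which is the "security" version. A practitioner checking which one a site actually does can compare the two from the outside only by whether the logout depends on routing (it would vary with cluster size) or is consistent on every IP change.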

    5. aaronj2906_01
      Boffin

      Re: I don't need no bloody DDoS, I've got a SecureKey which ...

      " if your IP changes during banking"

      You should thank them.... Security. If you were the victim of a man-in-the-middle attack, your session was hijacked, and the only giveaway was a changed IP, wouldn't you WANT them to pull the plug?

  2. I See Fridges
    WTF?

    Wrong Target?

    If it is the Muslims, then I don't get what they hope to achieve by launching a DDoS against HSBC. I should have thought they would have been better off trying to bring YouTube down.

    1. Anonymous Coward
      Anonymous Coward

      Re: Wrong Target?

      Most likely to be: banks support Google by card processing and banking services, therefore they are legitimate targets. Same sort of crap that Anon believe in.

      Most are clueless that banks and businesses don't transfer money via a web portal and all it affects are normal everyday people.

      1. This post has been deleted by its author

    2. JakeyC

      Re: Wrong Target?

      Certainly does seem an odd choice, as I thought HSBC were rather Islam-friendly: HSBC Amanah

      1. Anonymous Coward
        Anonymous Coward

        Re: Wrong Target?

        I don't like Tesco's, so I think I'm going to protest outside Kwik Fit, as I bet they supply tyres to their delivery vans!

    3. Anonymous Coward
      Anonymous Coward

      Re: Wrong Target?

      "If it is the Muslims"

      Are all Muslims working as one? Do Anonymous speak for all Internet users?

      No. They are both small groups of people who pretend to represent more than they actually do.

  3. Anonymous Coward
    Anonymous Coward

    Solving "Panetta"

    If the post title is to be believed, and 8 == 0, then Panetta+8 and Panetta-8 are both equal to Panetta. Whether 16 (as 2 * 8) also == 0 or not, it's hard to say. Lord knows what 5 equals...

    Of course, it's fair to say that the puzzle could be complete nonsense, while not drawing any parallels with religion...

    1. Anonymous Coward
      Anonymous Coward

      Re: Solving "Panetta"

      Panetta = 6/7

      Possibly something about 6 July or 7 June ??

      Or 14 December for that matter.

  4. Chris Harden

    "Thus the chain of cyber attacks on U.S. banks will continue this week."

    You would have thought that the NAME of the bank would have given away their mis-assumption.

    1. Anonymous Coward
      Anonymous Coward

      Agreed, everybody should understand it is PRC-based ;-)

      To be fair, they do force their customers to comply with US IRS laws, even those who've never set foot in the US.

  5. Anonymous Coward
    Anonymous Coward

    Big Fish

    Either this was one of the biggest ever DDOS attacks, considering it managed to keep such a large site offline for so long, or HSBC are not set up very well to deal with it. In comparison to other well-known companies and sectors such as betting sites, which deal with this on a regular basis, I would have thought a banking giant could cope with a DDOS 99% of the time.

    1. Kirbini
      Meh

      Re: Big Fish

      Word in security circles is that the sheer volume of these attacks, in excess of 6 Gbps, coupled with the fact that they are multivector attacks makes them very difficult to defend against. Certainly it can be done, but at what cost? Is it really worth €50,000,000 to prevent the occasional 24 hours downtime for single customer web access? For a gambling website, each and every transaction generates revenue and is their primary source of revenue. For banks, web access is a cost center, not a revenue generator.

    2. No, I will not fix your computer
      Boffin

      Re: Big Fish

      DDOS doesn't always depend on a large "attacking" force; in fact, depending on exploits and bugs, it can be trivial to bring down organisations (remember "ping of death"). Even HTTP connection exhaustion could be accomplished by a handful of servers. While a "D"DOS does imply multiple attackers, different operating systems handle attacks in different ways: "half-open listen drop" thresholds etc.

      It could well be a relatively newly discovered exploit/bug, or unpatched servers (the larger you are, the slower you can move).
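The "half-open" point above is the classic SYN-flood case: a small number of sources can exhaust a stateful listen backlog, and the usual mitigation is to stop keeping state until the handshake completes. The following is an added example written for this page, not a commenter's code and not any real kernel's implementation; the backlog size, the timeout, the spoofed source addresses (documentation ranges) and the four-byte HMAC standing in for a SYN-cookie initial sequence number are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os


class SynBacklog:
    """Stateful half-open table: a simplified listen backlog with a fixed size
    and a per-entry timeout (constructed model, not any real kernel's code)."""

    def __init__(self, size=128, timeout=30.0):
        self.size, self.timeout = size, timeout
        self.half_open = {}          # (src_ip, src_port) -> expiry time
        self.dropped = 0
        self.established = 0

    def _expire(self, now):
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, src, now):
        self._expire(now)
        if len(self.half_open) >= self.size:
            self.dropped += 1        # table full: the SYN is silently dropped
            return False
        self.half_open[src] = now + self.timeout
        return True

    def on_ack(self, src, now):
        self._expire(now)
        if src in self.half_open:
            del self.half_open[src]
            self.established += 1
            return True
        return False


class SynCookies:
    """Stateless alternative: derive the initial sequence number from an HMAC
    over the peer and a coarse time slot, and keep nothing until the ACK returns."""

    def __init__(self, secret=None, window=60):
        self.secret = secret or os.urandom(16)
        self.window = window
        self.established = 0

    def _cookie(self, src, slot):
        msg = f"{src[0]}:{src[1]}:{slot}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:4]

    def on_syn(self, src, now):
        return self._cookie(src, int(now // self.window))   # sent as the ISN

    def on_ack(self, src, cookie, now):
        slot = int(now // self.window)
        for s in (slot, slot - 1):   # tolerate a slot boundary between SYN and ACK
            if hmac.compare_digest(cookie, self._cookie(src, s)):
                self.established += 1
                return True
        return False


def simulate():
    """Constructed flood: two hosts, 64 spoofed source ports each, none of
    which completes the handshake, followed by one legitimate client."""
    backlog = SynBacklog(size=128, timeout=30.0)
    cookies = SynCookies()
    for ip in ("192.0.2.1", "192.0.2.2"):
        for port in range(40000, 40064):
            backlog.on_syn((ip, port), now=0.0)
            cookies.on_syn((ip, port), now=0.0)
    legit = ("203.0.113.5", 51000)
    backlog_ok = backlog.on_syn(legit, now=1.0)
    isn = cookies.on_syn(legit, now=1.0)
    cookie_ok = cookies.on_ack(legit, isn, now=2.0)
    recovered = backlog.on_syn(legit, now=31.0)   # flood entries have timed out
    return {
        "backlog_accepts_during_flood": backlog_ok,
        "backlog_dropped": backlog.dropped,
        "cookie_accepts_during_flood": cookie_ok,
        "backlog_accepts_after_timeout": recovered,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:30} {v}")
```

Two hosts are enough to fill a 128-entry table, and the legitimate client is refused until the half-open entries time out; the cookie variant accepts it immediately because it holds no per-SYN state for the flood to exhaust. A real implementation also has to cope with the cookie not carrying TCP options, which is why operating systems only switch to cookies once the backlog is under pressure rather than all the time.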

    3. Anonymous Coward
      Anonymous Coward

      Re: Big Fish

      HSBC executive management regard IT as a cost centre. Ship development work to India, dispose of qualified, experienced UK IT staff and slowly but inexorably fall behind. Innovations in banking like First Direct, 20+ years ago, are IT-based - but FD was created by Midland Bank. HSBC would lack the imagination and see it solely as a cost centre. Indeed, I believe FD doesn't earn its keep (e.g. it uses some HSBC core IT systems with no cross-charging, so is effectively subsidised by the rest of HSBC), but it was the first 24x365 telephone banking service; the other banks had to play catch-up, providing poorer service at higher cost.

      1. Anonymous Coward
        Anonymous Coward

        Re: Re: Big Fish AC 22/10 08:43

        I have a strong feeling that AC is/was at "FD" simply by their use of the initials...

        I'd agree with the first 4 sentences, and the latter half of the 5th, but the first half isn't strictly accurate. They do "contribute to HSBC's profits" and there's plenty of cross charges (although all cross charges are funny money anyway, regardless of parent/child companies).

        AC for what should be obvious reasons.

  6. Nigel 11
    Alert

    Good publicity for that movie

    The more these idiots do this sort of thing, the more all the sane people in the world will start thinking that there must be a good reason to find and watch that movie.

    Definition of a fanatic - someone who redoubles his efforts when he's forgotten his aims.

  7. Nigel 11

    FirstDirect

    Did anyone who was blocked from accessing Firstdirect online, pick up the phone to do their business that way?

    I'd be interested to know whether the telephone service was also DoS'ed ("experiencing high volume of calls, please try later") or whether Firstdirect was able to handle the increased telephone traffic with aplomb.

    1. Pabloid

      Re: FirstDirect

      Yes, I couldn't access FirstDirect online, and I phoned them about 11pm. It took about 3 minutes to get through, most unusual for FD who normally answer immediately.

  8. Anonymous Coward
    Anonymous Coward

    Unconfirmed reports again

    Saddam had weapons of mass destruction you know

  9. Anonymous Coward
    Coat

    Well, if the comments here are anything to go by, then the attackers have completely failed to make their point.

    What a waste of a botnet.

  10. Anonymous Coward
    Anonymous Coward

    The controversial Innocence of Muslims video?

    "Unconfirmed reports suggest that HSBC was targeted by the Izz ad-Din al-Qassam Cyber Fighters as part of a current campaign (see Pastebin post*) to get the controversial Innocence of Muslims video removed from YouTube"

    It's the Islamic 'Life of Brian' ...
