HSBC now stands for Hapless Security, Became Compromised: Thousands of customer files snatched by crims

HSBC has admitted miscreants have probably made off with personal details of thousands of its online-banking customers. The bank submitted paperwork [PDF] to the California Attorney General's office late last week outlining its plan to notify folks of the significant data theft. California law requires that the AG be notified …

  1. Ian 69

    "out of an abundance of caution"

    They possibly decided to wait a month before notifying affected customers?

    Would be interesting if any of the US customers turn out to be European.

    1. katrinab Silver badge

      Re: "out of an abundance of caution"

      I would guess a higher than average proportion of their customers will be European. People move to the US, and pick HSBC because they recognise the name from their home country. Also, if you are moving to the US, you can open a US account from your local branch and have it ready for when you arrive.

  2. John Robson Silver badge

    regular password changes...

    So how long does it take you to tell me that there has been a (failed) attempt to log in to my account? Or any attempt from an unrecognised device/location?

    If the answer is anything longer than 5 minutes then I'm sorry, but there is no rotation frequency I can use that will protect either of us.

    If the answer is under 5 minutes then that's great, that's when I need to consider password rotation...

    1. Anonymous Coward

      Re: regular password changes...

      I smell bullshit from HSBC on this one, both my personal and business accounts use 2FA tokens, so quite how anyone could access accounts with only a password is a bit odd, unless 2FA is only available on this side of the pond.

      1. katrinab Silver badge

        Re: regular password changes...

        On my HSBC account, you can get in to the account without the 2FA token, and you can make payments to existing payees. But if you want to transfer money to someone you've never paid before, you need the token.

        Without the token, they won't be able to steal any money, but they can still look.

        1. h4rm0ny

          Re: regular password changes...

          Without the token, they won't be able to steal any money, but they can still look.

          And that's quite sufficient to cause a lot of problems. I complained to HSBC when they suddenly reduced their security and got one of the most patronising brush-offs I've ever had. I suggested they make the downgraded security ("which our customers love for its convenience, please install our mobile phone app") optional, but not a chance.

    2. Version 1.0 Silver badge

      Re: regular password changes...

      This is BANKING .... security is not important so long as the appearance of security is there and the GUI looks attractive. If it "looks" secure then nobody cares ... let's face it, 2FA is actually 2 times FA when they send the "authorization" code to the phone running the mobile app.

      I just removed my bank app from my phone and called the support center to cancel all digital access - it does feel a lot more secure now.

  3. Alister Silver badge

    I don't know about the US HSBC Online Banking site, but for the UK one you have to use a unique numeric ID, a passphrase, and an electronic PIN generator to access your account. It would therefore be unlikely in the extreme that you could use the same credentials anywhere else.

    1. Oliver Mayes

      I'm using the UK one, you can bypass the 2-factor bit and just use your old password. The HSBC app takes about 45 seconds to load on my phone for some reason, I can't be arsed with waiting that long every time I want to log into my account.

  4. Severus

    There's no excuse...

    It's unforgivable that banks do not enforce two factor authentication when customers access their services comprising something the customer has (e.g. mobile phone / token / card reader) and something the customer knows (e.g. password / PIN) so that even if one factor is compromised the customer is still protected.

    It's also unforgivable that the fines levied by the financial authorities on companies that lose customer data are simply kept by those authorities rather than re-invested in those companies to fix the security problems that allowed those companies to lose the data in the first place. The bigger the data loss = the bigger the fine = the bigger the investment in fixing it.

    1. Giovani Tapini

      Re: There's no excuse...

      @severus "It's unforgivable that banks do not enforce two factor authentication..."

      I'd very much like to agree with you but the general public think 2FA is a time consuming annoyance, to the point where people even change provider to avoid it.

      As far as I am concerned, 2FA is great, but good luck in making it the norm. Don't forget that with "open banking" people are even authorising third parties to operate banking on their behalf. Technically, fairly secure, but the more doors you have into your account the more likely one of them is to be compromised.

      People seem to have forgotten that digital currency is still currency just like old school cash but it's now just an "app".

      1. Flywheel Silver badge

        Re: There's no excuse...

        the general public think 2FA is a time consuming annoyance

        I agree, but I'd rather be slightly annoyed for a few moments while I find and use my 2FA token - much better than being majorly annoyed when some remote spiv rolls my account for everything in it and steals all my credentials. Until technology really improves, the public will have to suck it up if they want to be safe.

        1. Julian Bradfield

          Re: There's no excuse...

          So how many tokens do you carry around with you? I would change banks if I had to carry around a card-reader or token just to do everyday transactions - one reason I'm ditching Barclays, in addition to their appalling SmartInvestor.

          1. Ben Tasker Silver badge

            Re: There's no excuse...

            So how many tokens do you carry around with you? I would change banks if I had to carry around a card-reader or token just to do everyday transactions

            That, I think, is a big part of the problem/annoyance. If they'd all just agree to use something standard, whether a U2F token, TOTP or something else like that so that I can carry one dongle to rule them all it'd be much simpler.

            I'd also be less worried about losing/breaking it because I could buy a second one and register it then keep it somewhere safe.

            I do use 2FA, but the banks seem to have done a wonderful job of making it as inconvenient as possible without actually gaining much over other routes they could go.

            Hell, some of them (cough HSBC) are trying to make it worse. When the battery ran low on my dongle, I had to fight them to get a new one because they wanted me to install their crapware on my phone to generate codes instead. And the HSBC app ain't just a code generator, it's full access to your account. Fuck.... Right.... Off.

            1. FrogsAndChips Silver badge

              Re: new dongle

              Just walk into a branch, they'll hand a shiny new one to you in 30 seconds, won't even check you're a customer (it's useless if you're not anyway).

              1. Doctor Syntax Silver badge

                Re: new dongle

                "Just walk into a branch"

                A branch? What's that?

            2. DJV Silver badge

              @Ben Tasker

              "U2F token, TOTP or something else"

              As long as it's not a TOTP compered by a certain Mr Saville! Shudder!

          2. Huw D

            Re: There's no excuse...

            "I would change banks if I had to carry around a card-reader or token just to do everyday transactions - one reason I'm ditching Barclays, in addition to their appalling SmartInvestor."

            Barclays PinSentry comes as an app on your phone. Nothing extra to carry.

  5. Robert Carnegie Silver badge

    Of course,

    Make sure that the letter actually is from HSBC. If I was evil and had that data, I'd see if I could get in first.

  6. Phil Kingston

    I'm still suspicious of the credit monitoring folks actually being behind these kind of things.

  7. FozzyBear

    Another week and another bank admits to a data breach. Seems like a good time to start stashing money under the mattress.

    1. Glen 1 Silver badge


  8. Anonymous Coward

    it won't do the hackers any good...

    if the code base is as bad as Barclays Smart Investor

    A year in, it still will not work with a Linux based system no matter how many times you tell it that the browser is actually in Windows....

    1. h4rm0ny

      Re: it won't do the hackers any good...

      What on Earth are they doing in a web app that means it won't run on GNU/Linux?

  9. Valeyard

    "password changes" mean your customers still log in with a username and password? for online banking? no 2FA?

    well fuck me

  10. teebie

    'That suggests the accounts were accessed using so-called credential stuffing'

    I don't think it does. It's just as plausible that the bank is trying to imply they haven't messed up.

    The quote should probably be

    "We are reminding our customers to protect access to their banking accounts by regularly changing their passwords, by using unique passwords they are not using elsewhere, and by switching to another bank"

    1. scrubber

      Use different passwords

      I'd hate to think my Twitter account got hijacked because someone hacked my bank.

  11. jms222

    Closing my account

    In common with many small businesses they have decided to close my business account soon. They're trying to be seen to distance themselves from laundering of except

    * If I really wanted to launder money I'd possibly use HSBC as they're pretty good at it

    * I get some of my income from HSBC (specialist network equipment)

    * Depending on what you measure my track record with the Midland Bank goes back more than thirty years and the business's twenty something

    Good riddance to them.

    1. Doctor Syntax Silver badge

      Re: Closing my account

      "Depending on what you measure my track record with the Midland Bank goes back more than thirty years and the business's twenty something

      Good riddance to them."

      My business only went back about 10 years but my track record went back 40 years to Midland days. And by the time I retired and no longer needed the business account I felt exactly the same way as you and took exactly the same step.

    2. Adrian 4 Silver badge

      Re: Closing my account

      They told me they'd close my account unless I filled in some business review form. On the last page of the form, you're supposed to agree that they can share all your details with unspecified third parties.

      I refused.

  12. ISYS

    Shared responsibility

    I am in no way defending banks here but online banking security has to be a shared responsibility.

    I agree that all banks should use 2FA for access to online services, geo-location restrictions could be implemented but this needs to be a discussion between the user and the bank especially if the user travels a lot. Restricting which devices can access an account is another measure that is not difficult to implement.

    However I also know that Joe Public on the whole does not like using 2FA. Joe Public has to wake up and realise that using the same password for all their Internet accounts is a bad idea and that 2FA is there to protect their data (and money).

  13. Anonymous Coward


    How Simple Becomes Complicated.

    Used to work for them hence Anon.

  14. FrogsAndChips Silver badge

    Surprised at the amount of data...

    that they were able to steal just from credential stuffing.

    I'm on the UK version of the website. If I log in without 2FA, the only information I'll be able to access is my account numbers, those of my payees, my transaction history and my postal address (the latter by downloading a statement). All other information (email address, DoB, phone number...) is protected by 2FA, so the security of the US website must be absolutely terrible if that's not the case.

  15. mark jacobs

    If https is enforced and passwords stored as salted sha256 hashes, then how did these thieves get anything useful from the leak? It seems as though HSBC weren't following best practices in security.

    1. Alister Silver badge

      @mark jacobs

      You seem to have a misunderstanding of the "breach".

      Thieves used valid usernames and passwords leaked from other sites, not from the HSBC site, so whether HSBC salted their hashes or used HTTPS is irrelevant.
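      Alister's point (the thieves arrived with valid credentials reused from other sites) and John Robson's earlier question (how quickly the bank tells you about a failed or unrecognised-device login) both come down to what the bank's login telemetry can flag. The example below is added here and is not from the article or any commenter: a minimal detector over constructed audit lines that treats one source cycling through many distinct usernames in a short window as credential stuffing, and turns a successful login from such a source, or from an unrecognised device, into a customer alert. The log format, field names, thresholds and the 5-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample login-audit lines (not real bank data): time, user, source IP, device, outcome
SAMPLE_LOG = """\
2018-10-04T09:00:02 user=bob src=203.0.113.9 dev=new outcome=fail
2018-10-04T09:00:03 user=carol src=203.0.113.9 dev=new outcome=fail
2018-10-04T09:00:04 user=dave src=203.0.113.9 dev=new outcome=fail
2018-10-04T09:00:05 user=erin src=203.0.113.9 dev=new outcome=ok
2018-10-04T09:05:00 user=alice src=198.51.100.7 dev=known outcome=fail
2018-10-04T09:05:30 user=alice src=198.51.100.7 dev=known outcome=ok
"""
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dev=(?P<dev>\S+) outcome=(?P<out>\S+)")

def parse(log):
    """Audit lines -> dicts with a datetime 'ts'; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=4):
    """Sources that tried >= min_accounts distinct usernames in one window (alice's own retries never qualify)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                flagged[src] = sorted(users)
                break
    return flagged

def customer_alerts(events):
    """Successful logins to notify promptly: from a flagged stuffing source, or from a new device."""
    bad = stuffing_sources(events)
    alerts = []
    for e in events:
        if e["out"] == "ok" and e["src"] in bad:
            alerts.append((e["user"], "login from credential-stuffing source"))
        elif e["out"] == "ok" and e["dev"] == "new":
            alerts.append((e["user"], "login from unrecognised device"))
    return alerts
```

      Run on the sample, only erin's successful login is reported; alice's single mistyped password from her usual device raises nothing.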

  16. Anonymous Coward

    Payee account information?

    If payee account information was also compromised, doesn't that mean that significantly more than 1% of HSBC's 1.4 million customers have been affected?

    If you've ever been paid by someone with a compromised account, your details will very likely have been compromised too – they're saved automatically.

  17. h4rm0ny

    Voice authentication.

    HSBC is the bank that decided Two-Factor Authentication was too much hassle for its customers and now only requires their dongle for things like setting up payments. You can login, view all sorts of financial information without it. They also, and this is the one that really gets me, are really pushing hard on voice authentication. Convince the machine you sound enough like the target and in you go!

  18. Caver_Dave Silver badge

    2FA via your phone app

    Great idea until you realise how much of the country does not get a mobile signal. I'd have to drive (too far to walk) to near where my bank's nearest branch used to be before I'd get a signal!

Biting the hand that feeds IT © 1998–2020