11 Aug 2006

news flash! keylogging hackers may steal your password

i have no idea what this story is about regarding researchers saying that "a machine compromised with a key-logger would quickly reveal all the information a criminal would need to gain fraudulent access to an account."

hang on a second, if a keylogger was on my system, that wouldn't be the only thing it could compromise. and why are they singling out HSBC? isn't any online banking websites that use passwords vunerable? then there is no way in the world that you will be able to keep your password away from a keylogger unless you use one time pads/passwords.

i am an HSBC customer, and their login system isn't the best in the world, but it is better than a simple username password system. the system relies on you remembering a 6 to 10 digit number, and then you have to type in permutation of those numbers. for example, you are requested to type the second, third and sixth number. now it isn't rocket science to know that if there was a keylogger, then you only have to monitor a couple of password entries and the challenge it gives you to figure out the whole pin number.

so either bbc and the guardian are jumping the gun here and sensationalising some non-event or that the researchers have found a systematic flaw that is specific to HSBC's implementation. i don't know, but i believe researchers aren't that stupid, especially ones that are called professors.

[UPDATE: so it looks like there's a good explaination of the statistical flaw here. the flaw boils down to the fact that HSBC requests the numbers in order rather than in random order, (eg. FIRST THIRD SIXTH instead of SIXTH FIRST THIRD.) i suppose they are going after HSBC because they should know to fix it. then again, maybe that is not the whole story?]

You can reply to me about this on Twitter: