The World’s Local Bank Just Got Hacked

Two days ago the California Attorney General’s Office disclosed that on 2nd November HSBC Bank USA sent out an alert of a serious data breach impacting approximately 1% of its 1.4m customers (around 14,000). The breach itself had occurred three to four weeks earlier, between 4th and 14th October.

Details are limited, but the customers affected face serious and lasting risk, because the stolen data included full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information and statement history. HSBC has offered those affected a year of credit monitoring and identity theft protection, but that only detects misuse after the fact; it does not prevent further loss.

'Credential Stuffing' the Likely Cause

It is possible that an isolated customer database was compromised, but given that HSBC announced it had “suspended online access to prevent further unauthorized entry”, the most likely cause of the breach is 'credential stuffing'. This is now one of the most common attacks on web login pages and is growing fast. Username and password pairs leaked in earlier breaches are inferred, captured or purchased on the dark web and replayed, at scale and usually through many proxy addresses, against other sites' login forms, bank accounts included; any account whose owner reused that password is opened. U.S. consumer banks alone lost nearly $50 million per day to credential stuffing in 2017.

Moreover, 4.6 billion credentials were breached in the first six months of 2018 according to a recent report by Gemalto, an increase of 133% over the same period in 2017, so the supply feeding this attack vector is substantial and growing fast. The breach also underlines a limit of Public Key Infrastructure, the 30-year-old system regarded as the gold standard for securing connections: it authenticates the server and encrypts the session, but a stuffed credential arrives over a perfectly valid TLS connection, so a bank that relies solely on a password has no way to tell the legitimate customer from the attacker.
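The replay pattern described above has a recognisable shape in a bank's own login logs: one source address cycling through many different usernames in a short window, with a high failure rate and the occasional success. The following is an added example of that detection logic, not code from HSBC, Omlis or the original post; the log format, the sample lines, the source addresses and the thresholds are all constructed assumptions.

```python
"""Spot credential-stuffing traffic in web login logs.

Added example, not HSBC's or Omlis' code. The log format and the sample lines
are constructed for illustration:
"<ISO-8601 timestamp> <client_ip> <username> <FAIL|SUCCESS>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 replays a leaked credential list (many distinct
# usernames, mostly failures, the odd hit); 198.51.100.23 is one person
# mistyping their own password twice. Neither address is real traffic.
SAMPLE_LOG = """\
2018-10-04T09:00:01Z 203.0.113.7 alice.smith FAIL
2018-10-04T09:00:02Z 203.0.113.7 bob.jones FAIL
2018-10-04T09:00:02Z 203.0.113.7 carol.w FAIL
2018-10-04T09:00:03Z 203.0.113.7 dave.k SUCCESS
2018-10-04T09:00:03Z 203.0.113.7 erin.p FAIL
2018-10-04T09:00:04Z 203.0.113.7 frank.m FAIL
2018-10-04T09:00:04Z 203.0.113.7 grace.h FAIL
2018-10-04T09:00:05Z 203.0.113.7 heidi.l SUCCESS
2018-10-04T09:00:05Z 203.0.113.7 ivan.r FAIL
2018-10-04T09:00:06Z 203.0.113.7 judy.t FAIL
2018-10-04T09:01:10Z 198.51.100.23 mallory.q FAIL
2018-10-04T09:01:15Z 198.51.100.23 mallory.q FAIL
2018-10-04T09:01:20Z 198.51.100.23 mallory.q SUCCESS
"""

# Thresholds are assumptions to tune against a site's normal traffic.
WINDOW = timedelta(minutes=5)     # sliding window per source address
MIN_DISTINCT_USERS = 8            # stuffing fans out across accounts ...
MIN_FAIL_RATIO = 0.6              # ... and most replayed pairs do not work


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, user, result == "SUCCESS"))
    events.sort()
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Flag source IPs that, within `window`, hit many distinct usernames with a
    high failure rate. Returns {ip: stats}; stats["compromised"] lists the
    accounts that did log in successfully from that source and need a forced
    password reset and session revocation."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, _, u, _ in span}
            fails = sum(1 for *_, ok in span if not ok)
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = alerts.get(ip)
                # keep the widest window seen for this source
                if prev is None or len(span) > prev["attempts"]:
                    alerts[ip] = {
                        "attempts": len(span),
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        "compromised": sorted({u for _, _, u, ok in span if ok}),
                    }
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats}")
```

On the constructed sample only 203.0.113.7 is flagged, with two accounts (dave.k and heidi.l) marked as compromised; the genuine customer who fumbled a password is not. Per-source fan-out is the first signal to wire up, but attackers spread stuffing across residential proxies precisely to stay under such a threshold, so in production it should be paired with a site-wide baseline of failed logins per minute and the rate of "first login from a new device" events.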

HSBC Bank USA’s response to customers in its letter was to announce: “We have enhanced our authentication process for HSBC Personal Internet Banking”.

Authentication is Only Part of the Problem

While such measures will help, authentication is only part of the problem. In a report published in August, Swansea University analysed and scored 25 UK banks on their websites' adherence to security best practice, and the findings make alarming reading. For example, 14 of the 25 still accept connections from browsers using old and potentially insecure versions of the encryption protocol, which leaves those sessions exposed to the known weaknesses of those versions even when the customer logs in correctly.

What is also disturbing is the lack of standardisation across banks, which leaves unsuspecting customers vulnerable. See the report here.

Despite being the largest bank in Europe, with total assets of US$2.374 trillion and quarterly revenue of $13.8bn, HSBC did not score well. Out of a possible 100 points, HSBC achieved a lowly 32, joint fifth from bottom of the 25. Its subsidiary bank, First Direct, scored just 20, the joint worst of all.
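The protocol-version finding above is something anyone can check for themselves. The following is an added example of such a probe, written for this page and not taken from the Swansea report or any bank's tooling: it pins a TLS client to one protocol version at a time and records which versions the server will complete a handshake with. The target host is a command-line argument (the default "example.com" is a placeholder), and the pass/fail policy in assess(), no TLS 1.0 or 1.1 and TLS 1.2 present, is an assumption.

```python
"""Probe which TLS protocol versions a web server will negotiate.

Added example, not from the Swansea report or any bank's tooling. The host is a
command-line argument; the default "example.com" is a placeholder. The
pass/fail policy in assess() is an assumption: no TLS 1.0/1.1, TLS 1.2 present.
"""
import socket
import ssl
import sys

# Names follow what SSLSocket.version() reports.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = {"TLSv1", "TLSv1.1"}


def probe_version(host, name, port=443, timeout=5.0):
    """True if `host` completes a handshake when the client offers only `name`."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ctx.maximum_version = VERSIONS[name]
        # We are testing protocol support, not certificate validity.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        # Current OpenSSL builds refuse to offer TLS 1.0/1.1 at the default
        # security level; drop it so the probe can actually send those hellos.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # e.g. LibreSSL: no security levels, keep the default list
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == name
    except (ssl.SSLError, OSError, ValueError):
        # handshake refused, version unsupported by the local library, or
        # network failure: all of them count as "not negotiated"
        return False


def assess(support):
    """Turn a {version: negotiated?} map into a verdict."""
    accepted = {v for v, ok in support.items() if ok}
    return {
        "legacy_accepted": sorted(accepted & LEGACY),
        "modern_missing": sorted(set(VERSIONS) - LEGACY - accepted),
        "pass": not (accepted & LEGACY) and "TLSv1.2" in accepted,
    }


def probe_host(host, port=443):
    """Probe every version in VERSIONS against one host and assess the result."""
    return assess({name: probe_version(host, name, port) for name in VERSIONS})


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    verdict = probe_host(target)
    print(target, "PASS" if verdict["pass"] else "FAIL", verdict)
```

Run it as `python probe_tls.py www.bank.example` from a network that can reach the target. Two caveats: a "not negotiated" result can also mean the local OpenSSL build cannot offer that version at all, so confirm a negative with a second client before reporting it; and protocol version is only one of the things the Swansea scoring looked at, so a PASS here says nothing about cipher suites, certificate chains or HTTP security headers.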

What's Needed?

Current cyber solutions are not adequately solving these problems because the underlying security on which they are based was never designed for networks of the scale and complexity that we see today.

While it is too early to conclude definitively what caused this specific HSBC breach, the pattern is clear: the shortcomings of Public Key Infrastructure, which concern not just authentication but also cryptographic strength and key management, are leaving even the best-resourced operators short of resilience and exposed. What is needed is a solution that addresses these components in one integrated and discrete system, one that can either supplement or replace PKI without requiring additional hardware.

To find out more about Omlis' vision of authenticated security, drop me a line: [email protected]

#PKIproblems
