HSBC Security Flaw: Don't Overreact

The HSBC security flaw is very low on my list of security issues. If the client (or endpoint) is compromised, there is very little that can be done.

The HSBC vulnerability prompted Martin McKeay to blog about it:

“And unless the endpoint, your desktop, is properly protected, there’s no way they [banks] can guarantee that the banking transaction is going to be safe. This is where the unwritten, unspoken contract between the bank and the customer comes into play: While the money is in the bank’s possession, they’ll do their best to protect it, but when you are accessing your money, it’s on you to do your best to protect your side of the transaction.”

This is dead-on accurate, and it is true of any e-commerce site too, not just banks.

McKeay also reports that:

“The vulnerability HSBC has is apparently extremely difficult to actually take advantage of, a factor HSBC took into account when they decided to live with it because other concerns were more pressing. As security professionals, we should understand this balancing act, even if we don’t always agree with the decisions that are reached. The cost to fix the issue was considered by management to exceed the probability of an exploit multiplied by the possible cost of paying for any such breaches. Pretty standard business reasoning.”

I agree with HSBC on this issue. Reversing the pins to obtain the account number is not meaningful if there is a Trojan installed on the endpoint. See my comments yesterday.
