HSBC biz banking crypto: The case of the vanishing green padlock and... what domain are we on again?
8-char password limits? HTTP-YES
HSBC has been faulted for redirecting business customers to a website that is not obviously secure.
Rob Jonson, director of Hobbyist Software, who alerted us to the issue, was concerned that he'd fallen victim to a phishing scam.
"I logged into my HSBC business account, and the site failed to give me any info.
"Then I looked again at the URL and saw it was not showing as secure.
"I started worrying that I had clicked on a bad link from Google.
"I clicked back to hsbc.co.uk (green padlock) and clicked again on the business tab at the top left. It sends me to http://www.business.hsbc.uk/?DCSext.nav=foot-mat (yup – not https).
"Notice the subtle domain change as well (hsbc.co.uk to hsbc.uk).
"Surely the one company that would never mess around with changing domains, and which would always show the 'safe' green padlock would be a large international bank....
"My conclusion is that HSBC is just shamefully bad."
Before we go any further, The Reg wants to make it clear that HSBC does not show account details through non-https sessions.
Scott Helme, an independent information security consultant and an expert in website security, agreed that Jonson had a point.
"It's certainly not a great practice to downgrade the user like that, especially not with the change in domain," Helme told El Reg. "Once on https, we should remain on https. We're also constantly trying to combat phishing by teaching users to ensure they're on the correct domain. How do they know if we keep bouncing them between domains (click login and the domain changes back again)?
"Consistency in the UI is crucial if we want the user to spot unexpected change. Just clicking a few basic links on that site takes me between http, https with DV, https with EV and three different domains."
Jonson explained that the issues are:
- Some pages are non-https (as outlined previously, HSBC doesn't show account details through non-https sessions)
- Bouncing around the domains, and
- Some https pages are not fully secure (generating a Chrome warning as a result)
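The three issues above can be checked mechanically over a recorded click path. The following is an added example, not code from HSBC or from anyone quoted here; the function names, the tiny suffix set standing in for the Public Suffix List, and the third hop with its subresource are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List; a real audit needs the full list.
SUFFIXES = {"co.uk", "uk", "com"}

def registrable_domain(host):
    """Public suffix plus one label, e.g. www.business.hsbc.uk -> hsbc.uk."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest suffix is tried first
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def audit_journey(pages):
    """pages: [(page_url, [subresource_urls])] in click order -> [(hop, issue)]."""
    findings, prev = [], None
    for n, (url, resources) in enumerate(pages):
        cur = urlsplit(url)
        if cur.scheme != "https":
            findings.append((n, "page served without https"))
        elif any(urlsplit(r).scheme == "http" for r in resources):
            findings.append((n, "mixed content on https page"))
        if prev is not None:
            if prev.scheme == "https" and cur.scheme == "http":
                findings.append((n, "downgrade from https to http"))
            a = registrable_domain(prev.hostname)
            b = registrable_domain(cur.hostname)
            if a != b:
                findings.append((n, f"domain change {a} -> {b}"))
        prev = cur
    return findings

# First two hops use the addresses quoted in the article. The third hop and its
# http subresource are constructed to exercise the mixed-content check and were
# not observed on the real site.
SAMPLE_JOURNEY = [
    ("https://hsbc.co.uk/", []),
    ("http://www.business.hsbc.uk/?DCSext.nav=foot-mat", []),
    ("https://hsbc.co.uk/", ["http://static.example/banner.png"]),
]

if __name__ == "__main__":
    for hop, issue in audit_journey(SAMPLE_JOURNEY):
        print(hop, issue)
```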
Jonson has further reservations about HSBC. "When you set up mobile banking (Android app), they essentially switch you from a token generator to a password. Naturally, they have strict requirements on that password. Including... not more than eight characters long."
Independent security consultant Paul Moore confirmed the password feature while talking down the significance of the issue. "The app is very limited in terms of what you can do after you've logged in," Moore explained. "For instance, you can't pay/transfer to a new payee without first logging in via the site (which requires the PIN too). You can only pay people you've previously paid before. The eight-character limit is pretty bad, however, there are multiple layers of security to prevent brute force attacks from the front-end."
We've asked HSBC for comment and will update when we hear back.
Almost a week after publishing, HSBC has sent us a statement:
"Protecting customers' accounts is a top priority for us and we have robust, multi-layered controls in place to ensure customers can access their accounts safely." ®