HSBC Card Details Theft Building

HSBC Card Customer Details Theft

Earlier today I was attempting to purchase something for our business over the phone from a household-name retailer. After 4 failed attempts at making payment it became apparent that there was a problem with taking payment from my business card. I know there’s no shortage of money behind it, so I couldn’t understand the problem.

HSBC Card Details Theft Building

I phoned our business bank – HSBC – to try and understand why my payment wouldn’t go through. I spoke with someone on a helpdesk in UK who told me that the HSBC Fraud Team had stopped my card, and that I needed to talk with them. He put me through to India.

Now talking with a lady in India, and struggling a little with her thick accent on a poor quality international line (I’m guessing VOIP), and a lot of background noise at her end, I tried to understand the problem. As best I could ascertain:

HSBC Card Details Theft Indian HelpdeskHSBC IT systems have been hacked (not that that was the word she used!), and a number of customer card details have been “compromised” (I think that means “stolen” in plain English), and my card was amongst those “affected” (another word for “stolen” I guess). HSBC had reacted by blocking my card to prevent the theft of money from my business account.

What HSBC had not done, based on a check of my postbox, email inbox and telephone for voicemail and/or SMS was tell me that they had done this! They had decided to keep it as a real surprise for me the next time I tried to use my card!!! How kind, I don’t think…

I eventually managed to make the payment and purchase what we needed by having the retailer on one phone, and a man from HSBC Fraud Department on the other simultaneously. Not convenient, and organising it took several hours more out of my working day than I wanted to waste on simply accessing my own company’s money, but at least it happened.

The Man From HSBC India Fraud Team (who was nowhere near as cheery as the Man From Delmonte…) finished our call by saying that “Your card ending **** is no longer valid and you can destroy it.”

Apparently it will take anywhere up to 2 weeks for my new card to arrive, during which time I have no card access to the funds in this business account and must use another instead. In English that means: I now have to use my personal card to make business purchases, then claim them all back afterwards.

A few thoughts on HSBC IT:

  • Why are the HSBC IT systems so poor and insecure that sufficient details of any card were stored together in a format where they were either unencrypted, or easily decrypted? My understanding is that this is a clear breach of the PCI DSS 2 standard (which, as it’s been around nearly 5 years, they should really have adopted by now!).
  • Why are the HSBC IT systems so poor and insecure that details of any card were able to be stolen (let alone all details for a single card, and unencrypted at that, which is what I understand has happened)?

From a customer service service perspective:

  • Why did HSBC not contact me to tell me of the problems with my card, rather than wait for me to find out and then call them? Perhaps they were hoping I wouldn’t notice their massive IT security inadequacies and would simply accept the new card when it arrived and not ask any questions?
  • Given that the fault was HSBC’s and not mine, why must I wait nearly 2 weeks without a card to get a new one? Surely they could deliver an express service, by way of an apology for their failings, if they were truly contrite? Which suggests to me there is no corporate contrition for their incompetence.

All in, I’m very disappointed with HSBC, both as a customer and as an IT professional. I’m now faced with 2 weeks of incurring company expenditure on my personal account, then claiming it all back on expenses afterwards. The time this will waste is on top of the time that HSBC wasted for me yesterday. I can’t get time back, so HSBC is frittering away my life!

HSBC Card Details Theft Internal Computer ScreensI’d like to think that HSBC has now fixed their weak IT security and this will never happen again. Obviously the Man From HSBC wouldn’t comment on this although I did ask. I’d also like to think it wouldn’t have happened in the first place. Will HSBC offer me compensation for the trouble they have caused? I doubt it.

Sadly it’s not as though HSBC IT Security failures are new either, because The Sun reported one 7 years ago.

If you’ve been affected by the IT failings of HSBC, or indeed any other bank, feel free to share your experiences with others by leaving a comment below.

And if you’d like to warn anyone you know who may have an account with HSBC that their card may be blocked, and they may not even know it, why not share this post with them?

Amazon & Repricer Express 1p Sales

Repricer Express sets Amazon products to sell at just 1p, way below cost price.

Repricer Express sets Amazon products to sell at just 1p, way below cost price.

Following the recent problems with Amazon & Repricer Express (, there’s a valuable lesson to be learned about the importance of properly designing and testing software, which in itself derives from proper requirements capture at the start of the exercise. These are lessons for Amazon and/or Repricer Express to learn (although with their combined resources they should already know better), just like anyone else who is commissioning bespoke software development (or customisation) for their business.

In this instance the enforced use of a simple stop-loss minimum price setting in the software would have stopped the problem ever occurring, and it would not have been hard to design in. An image on the Repricer Express website suggests that the facility already exists.

Repricer Express Software Configuration Options

Repricer Express Software Configuration Options

There’s a secondary lesson to learn for any business that’s planning on signing up to use someone else’s software of course, and that’s to understand your business requirements and make sure they’re met by it before you sign up. In this instance a simple requirement would have been “Don’t sell product at less than cost price” and then set things up accordingly.

If your business requirements are not met in third part software, then look for ways to mitigate possible damage. This could be contractual, or (as in this instance) simply moving fulfilment to be handled elsewhere (with a sanity check in between) would perhaps have solved the problem. And if the software you plan to use does have the facility to do what you need, make sure you take the time and trouble to configure it properly.

Unfortunately it looks as though many small businesses will be paying the ultimate price for these failures.

Heartbleed – OpenSSL Security Bug Revealed – Change Your Passwords Now

OpenSSL Heartbleed Security Bug

Thanks to the Heartbleed Bug, the OpenSSL Secure Padlock is not as secure as it looks.

OpenSSL is a cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers. You can see that it (or a rival product) is there because a padlock icon appears in your web browser. For years you’ve been told to trust the padlock icon and, if it’s there, you’re safe.

In conjunction with Codenomicon (a Finnish security company) Google Security revealed earlier this week that a flaw had existed in OpenSSL for more than two years, and that if criminals exploited this flaw they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.

To quote Ari Takanen, Codenomicon’s chief technology officer: “If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested.” Codenomicon has called the bug Heartbleed to reflect data leaking from computer servers

Bruce Schneier, a respected security blogger, summed it up thus: “Catastrophic is the right word. On the scale of one to 10, this is an 11.”

Ollie Whitehouse, associate director of NCC Group (a cybersecurity company that advises many members of the FTSE 250) described the situation as “Grave”.

And all this has been going on for 2 years before we were told about it, and before most server operators knew about it, with criminals potentially exploiting the bug throughout the entirety of that period. And now the knowledge is in the public domain, meaning that anybody with a Raspberry Pi and the skills to write some simple scripts can have a crack at any server that has not yet been patched.

If you think it’s just little sites that are affected, think again. More than 2/3 of the web’s active sites rely on Apache and Nginx, which both use OpenSSL. Even Canada’s Tax Collecting Agency halted online services “to safeguard the integrity of the information we hold”. The only good news is that servers running Microsoft’s Internet Information Services (IIS) web server software have not been affected.


Probably the best advice we can give now is to change your passwords (which is good practice to do periodically anyway), but I wouldn’t rush into doing it right away as it obviously makes sense to ensure that the systems on which you are updating your passwords have been patched to remove their Heartbleed Bug First.

LinkedIn, little doubt mindful of its recent security failings, is already forcing users to change their passwords.

LinkedIn Email Addresses Revealed via SellHack

Millions of LinkedIn email addresses compromised via free SellHack plugin for Chrome browser

Millions of LinkedIn email addresses compromised via free SellHack plugin for Chrome browser

It seems that LinkedIn has suffered yet another security breach, this time courtesy of a free extension to the Chrome browser that reveals the email addresses behind LinkedIn profiles with a simple button click, even when not connected.

The powerful LinkedIn has issued a Cease & Desist notice to try and stop the much smaller SellHack company from giving away the extension. As is often the case the larger company, with the disproportionately bigger legal budget, will probably win the day. Indeed, SellHack has already disabled the plugin.

Certainly we don’t condone SellHack’s actions in making it so simple to access confidential LinkedIn data that even a 2 year old with an Android tablet could do it. That’s obviously wrong. However simply making something harder to do doesn’t make it secure: LinkedIn please take note.

To my mind then the real problem here is that LinkedIn has some major security flaws in its system as we revealed just 3 weeks ago. I personally think LinkedIn would do better to attend to its evident security problems, rather than pick on those who expose them (regardless of how inappropriate that method of exposure may be). I’m beginning to wonder what LinkedIn security vulnerability will be revealed next: Sweepstake anyone?

One lesson here is of course never to trust any system that views you as a content-generating commodity item, and to ensure that you use a disposable email address to communicate with it.

Change Your Passwords Regularly

IT Security - change your passwords regularly

IT Security: Change Your Password Regularly

Information has come to light suggesting that LinkedIn may have been compromised in December 2013 with the resultant loss of around 2,500 passwords. The criminals that infiltrated LinkedIn are only just getting around to using those passwords now, 3 months later, suggesting that it was a speculative or opportunist thief who took a while to find a buyer, rather than targeted to order with an immediate customer or purpose in mind.

2,500 may not sound like a lot compared with the millions of users on LinkedIn, but if it’s your professional profile that’s affected then it’s a big problem for you. Imagine losing most of your professional contacts, or the recommendations (not those worthless endorsements) that people have written for you. LinkedIn are not helpfully and selectively restoring information that has been deleted from those affected.

Perhaps worse, imagine being locked out of your LinkedIn account, unable to get back in, with somebody else masquerading as you… perhaps abusing your timeline, creating content you’d rather not see on it, stealing email addresses for your contacts… while your professional contacts think it’s you, and you can only watch on powerless.

It’s not yet clear precisely where the vulnerability in LinkedIn was. Maybe it was connected with their Q&A user forum, or perhaps something to do with new premium account signups. LinkedIn aren’t saying, although they are working to address the problem.

The message is clear enough though: change your passwords regularly. That way if your password is stolen without your knowledge, but not used for a while, it will hopefully be useless to the thieves when they come to try it.

And if you ever see an email suggesting that something odd is happening in or with your account, on any system, act quickly. Do not click a link in the email though (it may be a phishing scam or virus) but open up a browser, type in the URL manually, log in, and change your password.

For most people it’ll take less than 15 minutes to change all your passwords on LinkedIn, Facebook, Twitter etc. So why not make that investment of time now rather that risk seeing your professional presence compromised, and then waste days picking up the pieces.

The same goes for any other systems you access online too, not least your bank (although they’re generally a lot more secure to begin with).

Change your passwords today.


The website for this book is now up and running, and the book itself is well underway.

In the fullness of time we’ll be sharing the Table of Contents with you, seeking Proof Readers & Editors, and of course looking for a Publisher.

Please visit often to keep abreast of progress, and if you would like to buy a copy of the book please drop us a quick note through the Contact Us page and we’ll let you know when it’s ready.