Category Archives: IT Security

HSBC Card Customer Details Theft

Earlier today I was attempting to purchase something for our business over the phone from a household-name retailer. After 4 failed attempts at making payment it became apparent that there was a problem with taking payment from my business card. I know there’s no shortage of money behind it, so I couldn’t understand the problem.

I phoned our business bank – HSBC – to try and understand why my payment wouldn’t go through. I spoke with someone on a helpdesk in UK who told me that the HSBC Fraud Team had stopped my card, and that I needed to talk with them. He put me through to India.

Now talking with a lady in India, and struggling a little with her thick accent on a poor quality international line (I’m guessing VOIP), and a lot of background noise at her end, I tried to understand the problem. As best I could ascertain:

HSBC IT systems have been hacked (not that that was the word she used!), and a number of customer card details have been “compromised” (I think that means “stolen” in plain English), and my card was amongst those “affected” (another word for “stolen” I guess). HSBC had reacted by blocking my card to prevent the theft of money from my business account.

What HSBC had not done, based on a check of my postbox, email inbox and telephone for voicemail and/or SMS was tell me that they had done this! They had decided to keep it as a real surprise for me the next time I tried to use my card!!! How kind, I don’t think…

I eventually managed to make the payment and purchase what we needed by having the retailer on one phone, and a man from HSBC Fraud Department on the other simultaneously. Not convenient, and organising it took several hours more out of my working day than I wanted to waste on simply accessing my own company’s money, but at least it happened.

The Man From HSBC India Fraud Team (who was nowhere near as cheery as the Man From Delmonte…) finished our call by saying that “Your card ending **** is no longer valid and you can destroy it.”

Apparently it will take anywhere up to 2 weeks for my new card to arrive, during which time I have no card access to the funds in this business account and must use another instead. In English that means: I now have to use my personal card to make business purchases, then claim them all back afterwards.

A few thoughts on HSBC IT:

  • Why are the HSBC IT systems so poor and insecure that sufficient details of any card were stored together in a format where they were either unencrypted, or easily decrypted? My understanding is that this is a clear breach of the PCI DSS 2 standard (which, as it’s been around nearly 5 years, they should really have adopted by now!).
  • Why are the HSBC IT systems so poor and insecure that details of any card were able to be stolen (let alone all details for a single card, and unencrypted at that, which is what I understand has happened)?

From a customer service perspective:

  • Why did HSBC not contact me to tell me of the problems with my card, rather than wait for me to find out and then call them? Perhaps they were hoping I wouldn’t notice their massive IT security inadequacies and would simply accept the new card when it arrived and not ask any questions?
  • Given that the fault was HSBC’s and not mine, why must I wait nearly 2 weeks without a card to get a new one? Surely they could deliver an express service, by way of an apology for their failings, if they were truly contrite? Which suggests to me there is no corporate contrition for their incompetence.

All in, I’m very disappointed with HSBC, both as a customer and as an IT professional. I’m now faced with 2 weeks of incurring company expenditure on my personal account, then claiming it all back on expenses afterwards. The time this will waste is on top of the time that HSBC wasted for me yesterday. I can’t get time back, so HSBC is frittering away my life!

I’d like to think that HSBC has now fixed their weak IT security and this will never happen again. Obviously the Man From HSBC wouldn’t comment on this although I did ask. I’d also like to think it wouldn’t have happened in the first place. Will HSBC offer me compensation for the trouble they have caused? I doubt it.

Sadly it’s not as though HSBC IT Security failures are new either, because The Sun reported one 7 years ago.

If you’ve been affected by the IT failings of HSBC, or indeed any other bank, feel free to share your experiences with others by leaving a comment below.

And if you’d like to warn anyone you know who may have an account with HSBC that their card may be blocked, and they may not even know it, why not share this post with them?

Heartbleed – OpenSSL Security Bug Revealed – Change Your Passwords Now

Thanks to the Heartbleed Bug, the OpenSSL Secure Padlock is not as secure as it looks.

OpenSSL is a cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers. You can see that it (or a rival product) is there because a padlock icon appears in your web browser. For years you’ve been told to trust the padlock icon and, if it’s there, you’re safe.

In conjunction with Codenomicon (a Finnish security company) Google Security revealed earlier this week that a flaw had existed in OpenSSL for more than two years, and that if criminals exploited this flaw they could steal the names and passwords of people using the services, as well as take copies of their data and set up spoof sites that would appear legitimate because they used the stolen credentials.

To quote Ari Takanen, Codenomicon’s chief technology officer: “If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested.” Codenomicon has called the bug Heartbleed to reflect data leaking from computer servers.

Bruce Schneier, a respected security blogger, summed it up thus: “Catastrophic is the right word. On the scale of one to 10, this is an 11.”

Ollie Whitehouse, associate director of NCC Group (a cybersecurity company that advises many members of the FTSE 250) described the situation as “Grave”.

And all this has been going on for 2 years before we were told about it, and before most server operators knew about it, with criminals potentially exploiting the bug throughout the entirety of that period. And now the knowledge is in the public domain, meaning that anybody with a Raspberry Pi and the skills to write some simple scripts can have a crack at any server that has not yet been patched.

If you think it’s just little sites that are affected, think again. More than 2/3 of the web’s active sites rely on Apache and Nginx, which both use OpenSSL. Even Canada’s Tax Collecting Agency halted online services “to safeguard the integrity of the information we hold”. The only good news is that servers running Microsoft’s Internet Information Services (IIS) web server software have not been affected.

Wow!

Probably the best advice we can give now is to change your passwords (which is good practice to do periodically anyway), but I wouldn’t rush into doing it right away: it obviously makes sense to ensure that the systems on which you are updating your passwords have been patched to remove the Heartbleed bug first.
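One signal that a site has actually dealt with Heartbleed before you change your password there: a server whose private key may have leaked should have had its certificate reissued after the disclosure, so a certificate whose notBefore date is still earlier than the disclosure is a warning sign (a heuristic, not proof in either direction, since a site can patch without reissuing, or reissue without patching). The script below is an added example, not code from the original post or from OpenSSL; it assumes a disclosure date of 7 April 2014 (the post gives no date) and uses Python’s standard ssl module. The sample certificates are constructed in the shape returned by SSLSocket.getpeercert() and are not data from any real site.

```python
"""Check whether a server certificate was issued after the Heartbleed disclosure.

Added example (not from the original post). Assumes that a patched server
should also have reissued its certificate, so a notBefore date before the
disclosure is a warning sign. Heuristic only.
"""
import socket
import ssl
from datetime import datetime, timezone

# Assumed disclosure date (7 April 2014, UTC); the post itself gives no date.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_issued_after(cert: dict, cutoff: datetime = HEARTBLEED_DISCLOSURE) -> bool:
    """True if the certificate's notBefore is on or after the cutoff.

    ssl.cert_time_to_seconds parses the 'Apr 10 12:00:00 2014 GMT' format
    that getpeercert() returns for notBefore/notAfter.
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    issued = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return issued >= cutoff


def assess(cert: dict, cutoff: datetime = HEARTBLEED_DISCLOSURE) -> str:
    """Return 'reissued' if issued on/after the cutoff, else 'pre-disclosure'."""
    return "reissued" if cert_issued_after(cert, cutoff) else "pre-disclosure"


def common_name(cert: dict) -> str:
    """Pull the commonName out of getpeercert()'s tuple-of-RDN subject field."""
    return dict(rdn[0] for rdn in cert["subject"]).get("commonName", "?")


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate of a live server (needs network access).

    Not exercised by the constructed samples below; shown so the check can be
    run against a real host you are about to log in to.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real sites' data), in getpeercert() shape.
SAMPLE_OLD = {
    "subject": ((("commonName", "old.example"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}
SAMPLE_NEW = {
    "subject": ((("commonName", "new.example"),),),
    "notBefore": "Apr 12 09:30:00 2014 GMT",
    "notAfter": "Apr 12 09:30:00 2015 GMT",
}

if __name__ == "__main__":
    for cert in (SAMPLE_OLD, SAMPLE_NEW):
        print(f"{common_name(cert)}: {assess(cert)}")
```

A "pre-disclosure" result means hold off on rotating your password there until the operator confirms the patch and reissue; a "reissued" result removes one objection but says nothing about whether the password you typed before the patch was already captured, which is why changing it afterwards is still the advice above.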

LinkedIn, little doubt mindful of its recent security failings, is already forcing users to change their passwords.