HSBC Cyber Attack: How Safe Is Online Banking?

HSBC’s online banking website is down, leaving thousands of customers unable to access its services after a cyber attack.

A spokesperson said HSBC had been hit by a distributed denial of service (DDos) attack but did not say if the source was known.

“HSBC internet banking came under a denial of service attack this morning, which affected personal banking websites in the UK,” she added. “HSBC has successfully defended against the attack, and customer transactions were not affected. We are working hard to restore services, and normal service is now being resumed.”

While HSBC tries to play down the seriousness of the attack, the big question raised for customers is: just how safe is online banking? Here is a snapshot of views from the IT security sector.

Jonathan Sander, VP of product strategy at Lieberman Software

“Often DDOS attacks like this are a distraction technique – bad guys hit you hard on the left so you’re too busy to see them sneak in on the right. DDOS attacks where bad guys flood your website with so much work they fold under the pressure aren’t even strictly a security issue on their own. Unless the DDOS is part of a recipe to steal stuff, it’s a nuisance that is more about someone flexing their muscles than doing damage.”

Richard Kirk, SVP telecom and service provider at AlienVault

“Online banking is in use every second of the day by hundreds of millions of people across the world. Although no one has yet calculated the global losses attributed to banking cybercrime, people should feel assured that not only is online banking generally safe, there are some actions that they can take personally to make themselves safer. This includes following best practices on passwords and not sharing online details with anyone else. Nevertheless, banks have a duty and responsibility towards their customers, and there is still work to be done.

“Bank accounts have probably not been safer than they are today however this is no reason for complacency. Cybercriminals often rely on the usual human instincts to perpetrate their crimes, and some of these cannot be mitigated by the banks themselves. This includes never giving out personal banking details over the phone to strangers and avoiding using public computers to access online bank accounts. Banks try hard to educate their customers, and perhaps they could do more, however people should not assume that all the responsibility lies with the banks.”

Lee Munson, security researcher for Comparitech

“The distributed denial of service attack experienced today by HSBC may be bad news for its monthly paid customers and anyone scrambling to pay their self-assessment tax bills at the last minute, but we shouldn’t blow things out of proportion. The bank’s systems have not been breached. No bank accounts have been raided and no personal information has been stolen.

“The UK financial sector remains resilient to cyberattack thanks to operations such as Wire Shark and Resilient Shield which have encouraged sharing of threat intelligence and greater communication between both British and US banks.
Whether that satisfies the minds of HSBC customers – who also experienced technical issues with their online banking accounts earlier this month – remains to be seen though.”

Mark James, security specialist at ESET

“Banks have malware attacks every single day, almost all of them are thwarted immediately, some get stopped before they do any damage and some may well get through without notice. But let’s put this into perspective, because of this knowledge the systems put in place to protect our finances are far superior to what you will find on your desktop machine or even your average company server. Firewalls, host intrusion detection systems (IDS), network and data flow monitoring will be in place to check for anything out of the ordinary.

“A well-placed and maintained chain of command with the right expertise in each field will be on hand to back up the hardware and software systems in place in an attempt to keep not just our finances safe but the finances of the very companies that form the backbone of our country, these procedures will be checked, monitored and adapted if needed to meet any new threats that emerge from the bad guys.

“Of course no system is 100 percent safe but some are safer than others, we have many advances in technology available to us to help combat the ever evolving world of cyber warfare but as they adapt so will we, it will always be a cat and mouse game and we have to win more than we lose.”

Richard Brown, director EMEA channels & alliances at Arbor Networks

“With financial institutions underpinning whole economies, they’re a particularly choice target vertical for impactful attack. Add to this the fact that it’s payday for many people – meaning more people trying to access the website and therefore a bigger audience – HSBC is an ideal target.

“Arbor Networks’ most recent Worldwide Infrastructure Security Report found that 57% of financial institutions have experienced a DDoS attack – the highest of any sector. Many of these will have been mitigated early enough, but as the attack on HSBC today shows, if they are not then they can have huge consequences.

“HSBC will have to ensure that the attack was not used as a ‘smokescreen’, drawing the IT department’s attention towards this event while sensitive data is stolen or malware is implanted in the network.

Brian Spector, CEO of MIRACL

“Not even the largest financial institutions on earth are immune from cyberattacks that disrupt business operations. HSBC is using antiquated authentication technology, what else is not up to speed such that one of the world’s largest banks has been taken offline?

HSBC are claiming to have ‘successfully defended’ the attack but if your main business is taken offline, and your website is unreachable, you have not successfully defended yourself.”

Are you an expert on internet security? Take our quiz to find out!