
Is Chrome flagging your bank's website for weak security?


steven36


Two major US banks -- HSBC and Chase -- are "working on borrowed time" with their online banking security.

The last thing you might think of when logging into your online banking pages is, "is this site really secure?" You tend to take it for granted.
But if you've visited banking giants HSBC and Chase in recent days, you may be missing something you should normally expect -- your browser's address bar lighting up in bright green to assure you that your connection is secure.

That's because Chrome, used by more than one-third of all visitors to US government websites, flags up these two sites -- and many others -- as using a "weak security configuration," while warning you that your connection "may not be private."

Security researchers say that things aren't as bad as you think. After all, the same websites visited in Internet Explorer, Firefox, and Safari appear to be "secure."
But it's a far cry from being as sound as they could be -- and could pose a significant risk to customer security if left unchecked.

"Dangerously weak"
Chrome will flag both HSBC and Chase's websites because they are using a security certificate, used to encrypt data flowing between your computer and a website, signed with "dangerously weak" SHA-1 cryptography, says encryption expert Eric Mill.

The good news is that SHA-1 has since been replaced by a newer, better version -- the aptly named SHA-2. The bad news is that SHA-1 is still used to sign about 90 percent of all website security certificates, and hackers are closer every year to finding an attack that allows them to decrypt secure traffic.

"As time goes on, new weaknesses in hashing algorithms are revealed by researchers, and faster hardware makes it easier to exploit those weaknesses," said Mike MacCana, founder of SSL startup CertSimple, in an email. "The result is that it becomes possible to create two documents with different contents but the same hash, so a digital signature can be re-used on another document -- allowing hacking groups, organized crime, and governments to impersonate others."

That's why the latest versions of Chrome will flag these sites as potentially risky.

Google, which develops the browser, previously said it will no longer accept SHA-1 certificates in 2017. (Microsoft and Mozilla will also follow suit.)

Simply put, those "secure" websites won't appear secure for much longer.


"Working on borrowed time"
Veteran security expert Dan Kaminsky said in an email that Chrome is being "remarkably aggressive" deprecating SHA-1. "Unlike pretty much everything else in security, cryptographic quality is easily measured," he added.

In other words, these red flags could have been avoided.

According to Chrome developers, an obsolete warning can mean that the connection between your computer and the site is using an outdated cipher suite. To get a "modern cryptography" status, the developers write, forward secrecy and a more up-to-date cipher suite are needed.

Cryptographer Justin Troutman said in an email that HSBC and Chase are "working on borrowed time," but the sites do not pose an immediate risk to customers.


"It's best to take on a sense of practical paranoia, where we actively take steps to move away from functions that are showing signs of failure," he said. "In the meanwhile, they need to step up to the plate and migrate to SHA-2. That's the logical step forward at this time. I don't think Firefox is wrong for marking these sites as secure, because they probably are, for all intents and purposes (for the time being)."

MacCana, whose firm helps other companies improve their online practices, said there is a "worrying lack of attention to their website security."

"The solution for website owners to prevent these attacks -- and get rid of Chrome's warnings -- is simple: migrate to a SHA2 certificate. Most SSL vendors will allow website owners to rekey existing certificates for no additional charge," he said.

Neither HSBC nor JP Morgan, which owns Chase, provided a comment at the time of writing. If we hear back, we'll update the story.

Source

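Added example, not from the article or from anyone in this thread, for the CertSimple quote above about a signature being "re-used on another document". A CA never signs the certificate body itself; it signs the hash of the body (tbsCertificate), so two bodies with the same hash share one valid signature. What that buys an attacker is a certificate the browser trusts for a name they do not own (impersonation), which is the risk behind Chrome's warning. Real SHA-1 cannot be collided in a demo, so this Python script truncates it to 24 bits (a hypothetical weakening), signs with a toy textbook RSA key built from two well-known primes, and uses constructed strings as certificate bodies; the structure of the attack is otherwise the real one.

```python
from __future__ import annotations

import hashlib

# Toy textbook RSA key (two well-known primes, no padding): only here so the
# signature step is real public-key math. Not a usable key.
P, Q = 1000003, 999983
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+

DIGEST_BYTES = 3  # hypothetical weakening: 24-bit digest, ~2^12 work to collide


def weak_digest(tbs: bytes) -> int:
    """Stand-in for the certificate hash: real SHA-1, truncated so it can be collided here."""
    return int.from_bytes(hashlib.sha1(tbs).digest()[:DIGEST_BYTES], "big")


def ca_sign(tbs: bytes) -> int:
    """The CA signs H(tbsCertificate), never the body itself."""
    return pow(weak_digest(tbs), D, N)


def verify(tbs: bytes, sig: int) -> bool:
    """A relying party recomputes H(tbsCertificate) and compares it with the opened signature."""
    return pow(sig, E, N) == weak_digest(tbs)


def honest_tbs(nonce: int) -> bytes:
    """Constructed certificate body for a harmless request; the nonce models a field the
    requester controls (for example part of the serial number or a subject attribute)."""
    return f"subject=CN=mail.example-bank.test;issuer=CN=Demo CA;ca=false;nonce={nonce}".encode()


def rogue_tbs(nonce: int) -> bytes:
    """Constructed body the attacker actually wants signed: a wildcard CA certificate."""
    return f"subject=CN=*.example-bank.test;issuer=CN=Demo CA;ca=true;nonce={nonce}".encode()


def find_collision(prefill: int = 1 << 13, limit: int = 1 << 20):
    """Birthday search: table 2^13 honest bodies by digest, then try rogue bodies until
    one lands on a digest already in the table. Returns (honest_body, rogue_body)."""
    table = {}
    for i in range(prefill):
        body = honest_tbs(i)
        table.setdefault(weak_digest(body), body)
    for j in range(limit):
        rogue = rogue_tbs(j)
        honest = table.get(weak_digest(rogue))
        if honest is not None:
            return honest, rogue
    raise RuntimeError("no collision found within the search limit")


def demo() -> dict:
    honest, rogue = find_collision()
    sig = ca_sign(honest)   # the CA only ever sees and approves the honest body
    return {
        "bodies_differ": honest != rogue,
        "honest_verifies": verify(honest, sig),
        "rogue_verifies": verify(rogue, sig),   # the same signature now covers the rogue body
    }


if __name__ == "__main__":
    print(demo())
```

With the full 160-bit SHA-1 the table in `find_collision` would need on the order of 2^80 entries, which is why the attack is a research milestone rather than a script; shrinking `DIGEST_BYTES` is the only thing that makes the demo finish, and the signing and verification code is unchanged.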


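Added example, not from the article or the thread: the two things the Chrome developers are quoted as looking at, the hash behind the certificate's signature and whether the negotiated cipher suite gives forward secrecy, checked with Python's standard library only. The DER walker reads just the outer Certificate shape to reach signatureAlgorithm; the two sample certificates are constructed stubs with that shape (not real certificates), the OID tables and cipher-name conventions are the standard ones, and `check_site()` is the live version, with the default hostname being the one named in the article.

```python
import socket
import ssl

# Signature-algorithm OIDs found in the outer signatureAlgorithm field of an X.509 certificate
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA2_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Dotted OID from its DER content octets (the first octet packs the first two arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear = last octet of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """OID in the outer signatureAlgorithm of a DER certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, start)            # skip tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)        # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def classify_signature(der):
    """('sha1' | 'sha2' | 'other', algorithm name or raw OID)."""
    oid = signature_algorithm(der)
    if oid in SHA1_SIGNATURE_OIDS:
        return "sha1", SHA1_SIGNATURE_OIDS[oid]
    if oid in SHA2_SIGNATURE_OIDS:
        return "sha2", SHA2_SIGNATURE_OIDS[oid]
    return "other", oid


def has_forward_secrecy(cipher_name):
    """True when the key exchange is ephemeral (EC)DH. Accepts OpenSSL names
    ('ECDHE-RSA-AES128-GCM-SHA256') and IANA names ('TLS_RSA_WITH_AES_128_CBC_SHA').
    TLS 1.3 suite names carry no key-exchange part because 1.3 is always ephemeral."""
    n = cipher_name.upper()
    if n.startswith("TLS_"):
        return "_WITH_" not in n or "_ECDHE_" in n or "_DHE_" in n
    return n.startswith(("ECDHE-", "DHE-", "EDH-"))


# Constructed samples (not real certificates): the outer Certificate shape with stub
# tbsCertificate and signatureValue, which is all signature_algorithm() needs.
#   30 1B                        Certificate SEQUENCE, 27 bytes
#     30 03 02 01 01               tbsCertificate stub
#     30 0D                        signatureAlgorithm SEQUENCE
#       06 09 2A864886F70D010105     OID 1.2.840.113549.1.1.5 (last octet 05 = SHA-1, 0B = SHA-256)
#       05 00                        NULL parameters
#     03 05 00 DEADBEEF            signatureValue BIT STRING stub
SAMPLE_SHA1_CERT = bytes.fromhex("301B3003020101300D06092A864886F70D0101050500030500DEADBEEF")
SAMPLE_SHA256_CERT = bytes.fromhex("301B3003020101300D06092A864886F70D01010B0500030500DEADBEEF")


def check_site(host, port=443):
    """Live check: handshake, then inspect the leaf's signature algorithm and the negotiated
    suite. Chrome also judges the intermediates; Python's ssl only hands back the leaf here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher, version, _bits = tls.cipher()
            leaf = tls.getpeercert(binary_form=True)
    kind, name = classify_signature(leaf)
    return {"host": host, "tls_version": version, "cipher": cipher,
            "forward_secrecy": has_forward_secrecy(cipher),
            "leaf_signature": name, "leaf_signed_with_sha1": kind == "sha1"}


if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "www.hsbc.com"))
```

Run it as `python check_tls.py www.example.com`. A site that rekeys to a SHA-2 certificate but still negotiates a plain RSA key-exchange suite fixes the first flag and not the second; both conditions have to hold for Chrome's "modern cryptography" status as described in the article.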

This is what people call "irresponsibility" on the banks' side. They could easily upgrade the safety cert to SHA2 at no additional cost, yet they are too lazy to do it. Customers' security isn't worth a thing in their greedy eyes.



Well, if this has just been published, the hackers already knew it and most likely have exploited it... and for quite some time.



HSBC is a British multinational banking and financial services company

headquartered in London, United Kingdom.

Source

In July 2002, Arthur Andersen announced that HSBC USA, Inc., through a new subsidiary, Wealth and Tax Advisory Services USA Inc. (WTAS), would purchase a portion of Andersen's tax practice. The new HSBC Private Client Services Group would serve the wealth and tax advisory needs of high-net-worth individuals.

In November 2002, HSBC expanded further in the United States. Under the chairmanship of Sir John Bond, it spent £9 billion (US$15.5 billion) to acquire Household Finance Corporation (HFC), a US credit card issuer and subprime lender.

Source same as yours. There's a USA branch as well, just like branches all over the world. The USA branch owes $34 bln in mortgage debt losses to the US.

They went around the world buying stuff up; that's how banks do business: they buy banks and close smaller outfits down.



HSBC (= Hong-Kong and Shanghai Banking Corporation)

was founded by the British in 1865.

Later, HSBC became a multinational bank operating in Europe, America, Asia, Africa etc.

The U.S. acquisitions you listed above do NOT make HSBC a U.S. bank.

It is simply a British bank operating inside the U.S. territory

just like HSBC is operating inside Germany, Switzerland etc.

-Being a U.S. bank, like Bank of America, Citigroup, Wells Fargo, JPMorgan Chase Bank etc. is one thing.

-Being a British bank having U.S. subsidiaries, like HSBC, Barclays, is another thing; a different one.

I hope it is clear enough, now...


