A group of researchers at Cardiff University claim to have discovered a defect in HSBC's online banking system which could leave over three million customers vulnerable to attacks.

Customers using the internet service may have been vulnerable to attack for at least two years. The researchers found that anyone exploiting the flaw could succeed in cracking an account within nine attempts.

The Cardiff researchers are planning to publish full details in security journals this year, but decided to go public now.

'There are serious issues here,' said Professor Antonia Jones, the scientist leading the research team.

'Banks are in the business of safeguarding your money, and if they tell you that it's safe then you assume that's the case. But as long as this flaw exists, customers are at risk.'

The scam requires installing keylogging devices on PC's which record keystrokes. These can be in the form of physical devices, as in the attempted £220m Sumitomo Mitsui hack, or viruses which sit on the hard drive.

A spokesman for HSBC said: 'The supposed flaw uncovered is not one we have seen criminals use. It is an extremely sophisticated attack that would require a particular and time-consuming focus on one individual victim. It is therefore not likely to be a profitable way for criminals to behave.

'Online fraud via HSBC's internet banking system is substantially lower than the market average and we are satisfied our customers are adequately protected.'

HSBC has issued devices for two-factor authentication – a more secure form of online authentication - to online business customers, but does not yet plan to do so with individual consumers.

What do you think? Email us at feedback@computing.co.uk

Further Reading:

Barclays to tighten web security

HSBC to issue security tokens to online business customers

Phishers crack two-factor authentication

Mobiles set for key role in card authentication