A cyber attack against HSBC has caused disruption for customers trying to log in on a key day for managing their money.
The bank said it successfully defended itself against a “denial of service attack” on Friday morning - but many customers still struggled to log on to its website.
The last Friday of the month is payday for many people, and taxpayers are also trying to get their finances in order ahead of the self-assessment deadline on Sunday, when tax returns must be submitted and any tax owed must be paid.
HSBC pledged to waive any fees racked up by customers as a direct result of the latest incident and said it will help customers with any issues that have arisen.
Frustrated HSBC customers pointed out that it is not the first time this month that they have been blocked from accessing their accounts online.
HSBC apologised to customers earlier in January after it suffered online banking glitches lasting for two days running.
Those problems in early January were due to a “complex technical issue” with its internet banking systems and not a cyber attack or any other malicious act, HSBC said.
This time around, HSBC said it had been the subject of a cyber attack - but customers’ personal details have not been compromised.
A denial of service attack happens when hackers attempt to prevent people from using a service by overloading it with huge numbers of requests and web traffic, forcing the system to crash.
HSBC’s announcement has many users questioning how well protected their personal information is, in the wake of several other high-profile hacks.
• How safe is banking online?
Security expert Richard Kirk from cyber security firm AlienVault said that people should feel assured that “online banking is generally safe”, but added that there was still work to be done by the banks to improve responsibility to customers.
“Surely it is time for cyber security risk to become a regular board level discussion. I wonder if the HSBC board, or any bank for that matter, regularly discusses how it should approach preparing and responding to cyber attacks and the growing risk to the business.”
• Does this mean little action is currently taken beyond basic measures?
No. According to Lee Munson, a security researcher for Comparitech, a security analysis firm, banks are relatively well prepared for the threat of hackers.
“The UK financial sector remains resilient to cyber attack thanks to operations such as Wire Shark and Resilient Shield which have encouraged sharing of threat intelligence and greater communication between both British and US banks,” he said.
Wire Shark is a program for collaboration that banks in the UK and US are using to share information about possible threats and new security issues. Operation Resilient Shield was a simulation involving the Bank of England and US authorities in 2015 where a mock cyber attack took place to test their security capabilities.
“Whether that satisfies the minds of HSBC customers - who also experienced technical issues with their online banking accounts earlier this month - remains to be seen though,” added Mr Munson.
• Are there other protocols in place?
Yes, according to Mark James, a security specialist from anti-virus firm ESET, who suggests that given how often banks encounter hackers, they can generally repel them.
“Banks have malware attacks every single day, almost all of them are thwarted immediately, some get stopped before they do any damage and some may well get through without notice,” he said.
“But let’s put this into perspective, because of this knowledge the systems put in place to protect our finances are far superior than what you will find on your desktop machine or even your average company server.”
Jonathan Sander from Lieberman Software said: “Having seen the sophisticated and comprehensive things banks do to protect online banking, it’s safe to say there are many layers of the latest security tech protecting major banks.
“They are doing everything every other IT shop does and more of it. They are patrolling activities searching for fraud with sophisticated intelligence. Banks have complex systems to ensure that IT admins on the inside of the banks can’t just do as they please with their privileges. And there are layers and layers of security checks and balances to attempt to give users convenient yet secure access.
“Every bank with online banking will check to see if they’ve seen your laptop before. They make multi-factor authentication available to allow for a second check of your login by sending a code for you to enter to your phone, for example. Of course, users can often turn much of this off and do. Security seems annoying until you’re reading an article about how your bank got attacked and you’re wondering if your account was on the list of the exploited.”
The analysts also said that customers should continue to be “vigilant” and follow best practices when it came to not sharing passwords or other information with anyone else.
Mr Sander added that the weakest links in security “tend to be the users”.