HSBC attacks data leakage, financial information security needs upgrading


HSBC attacks data leakage, financial information security needs upgrading

Original title: HSBC data leakage, financial information security urgent need to upgrade

Hao Yajuan and Zhang Rongwang

Recently, HSBC was exposed that its customer accounts were attacked between October 4 and October 14, and about 1% of American customers'personal information was leaked.

HSBC (China) responded exclusively to China Business News, saying: "This data leak is only related to the United States. At the same time, HSBC provides further security for the digital services of all individual and enterprise bank accounts by enhancing the process of account login and authentication.

With the impending of a new round of scientific and technological revolution and the in-depth integration of new technologies such as Internet, big data, cloud computing, artificial intelligence and financial fields, the application of information technology in the global banking industry has been comprehensively promoted. Information technology brings convenience and efficiency to the banking business management and organizational operation, at the same time, it also brings convenience and efficiency to the banking business. It brings great security risks. The data and information that the financial industry, especially the banking industry, has great economic value, which makes the banking industry become the key target of network attacks in recent years.

In China, safe and controllable information technology is an important guarantee for the development of banking industry. Reporters learned that in the process of rapid development by means of information technology, domestic commercial banks attach great importance to customer information protection. With the cooperation of wind control system and information technology departments, they check at all levels to ensure the safety and controllability of data and user information.

Hacker intrusion

According to foreign media reports, on November 8, HSBC announced that its customer accounts were attacked between October 4 and October 14, and about 1% of American customers'names, dates of birth, telephone numbers, e-mail and other information were leaked. HSBC said that the hacker intrusion was caused by the login certificate attack, that is, the hacker obtained personal information from other ways to invade HSBC bank accounts. In this regard, HSBC suspended some accounts online access. At the same time, additional security protection is added to the authentication process of personal online banking platform to protect its customers from future attacks.

Since this year, the phenomenon of cyber attacks against banks has gradually increased. According to reports, in August this year, hackers attacked the Kosmos banking system in India and stole nearly 944 million rupees (about 13.5 million US dollars); in addition, the Central Bank of Russia issued news that Russian banking industry lost 76.5 million rubles in January-August this year due to cyber attacks; in May, Bank of Montreal and Imperial Commerce in Canada. Banks have been attacked by cyber hackers, resulting in the theft of data from nearly 90,000 customers, which should be the largest cyber attack against financial institutions.

Generally speaking, there are three ways to hack: software, hardware and network. If the hacker grasps the password information of the customer on other platforms and thus invades the customer's bank account, it means that the login account can be verified, but after the successful login of the hacker, the authority of the account has to be set by the bank. If the bank's permission settings are not well designed, then the hacker can log in to the customer account and do what he wants. A R & D Manager of Shanghai Unicom told reporters.

According to an IT engineer of a securities company in Shanghai, in the case of HSBC's customer information leak, hackers used the password information of bank customers from other places to log into their bank accounts, that is, to "collide with the bank", among which the bank itself has a certain responsibility. "Generally speaking, if the customer's login IP address or device changes, the need to send authentication codes to the mobile phone for verification, and if hackers can log into the account directly without authentication, it means that the bank is not strictly controlled in this regard."

An engineer from a financial IT company analyzed to reporters that hackers could log into customers'bank accounts without verification, which could also happen. "Credit cards, for example, are mainly classified into two categories: confidential consumption and non confidential consumption. For credit cards without secret consumption, hackers can use accounts after they have successfully logged in.

Loopholes still exist

At present, information technology is more and more widely used in the field of banking business. Banks attach great importance to the protection of data security, but there are still loopholes. Individual banking institutions lack effective management and repair mechanism for security loopholes, which are easy to be exploited by attackers, and consequently, it will exert a great influence on bank business security and user information. Coerced. Reporters learned that customer information data flow mainly through data collection, data transmission, data storage three links. Generally speaking, banks do well in these three links, and the probability of customer information leakage is not high.

In terms of data collection and transmission, banks usually have clear rules on operations to ensure that customer information does not leak in the process of collection. Take the credit card as an example, an insider in the credit card center of a joint-stock bank told reporters that when a customer applies for a credit card, the relevant information submitted by the branch is collected and sealed, and it is taken by the head office specialists, and then sent to the head office for opening and inputting, so that the customer information system can be controlled. Summarized to the head office; and in the credit card application review process, each employee is responsible for the corresponding plate, so bank employees can not access the complete information of customers.

Once the customer information enters the "database" of the bank, it enters the "data storage" link. A staff member of the Ministry of Science and Technology of a joint-stock bank told reporters that in terms of customer information protection, banks strictly abide by the "Network Security Law of the People's Republic of China", regularly patch system security, and conduct security checks before the system is put into operation to ensure the system and network security of banks.

An innovative product manager from China Recruitment Bank who did not want to be named told reporters that besides special security teams, bank customers'information protection should also meet relevant auditing and wind control requirements, and the requirements for customer information protection are very strict.

After the customer information enters the bank, although some of the customer information will be contacted by the bank staff, because the bank staff signed the Confidentiality Agreement, it stipulates that the employees have the confidentiality responsibility for the bank information, so as to ensure the security of customer information in the bank.

The engineer interviewed said: "At present, the level of information security protection of domestic banks is very high. At present, no large-scale leakage of bank data has occurred. From the defense line of data security, it can be simply divided into three steps: network security, application security and database security. The intranet of the bank is isolated from the Internet, which ensures the information security of the customers from the first line of defense. Nowadays, banks attach great importance to information security. Many banks have their own computer rooms. If outsourcing personnel come to test, banks usually provide outsourcing personnel with computers, and do not allow outsourcing personnel to bring their own computers in.

In the HSBC data leak incident, lawyer Zhang Zhicheng of Shanghai Shanghua Law Firm said that the responsibility of judging the bank is mainly based on three aspects: whether there are obvious loopholes in the system; whether the bank is prudent enough; and whether the bank has taken reasonable measures in this regard. "Based only on the information currently disclosed, because many details of the leak are not clear, it is not yet possible to determine the specific responsibility of HSBC." Zhang Zhicheng said.


Waonews is a news media from China, with hundreds of translations, rolling updates China News, hoping to get the likes of foreign netizens