Researchers at Cardiff University have uncovered a flaw in HSBC's online banking system that has left the accounts of 3.1 million UK customers exposed to hackers for at least two years.
According to a report by UK newspaper The Guardian, the defect was discovered by researchers at Cardiff University. Anyone exploiting the flaw in the Web banking system was guaranteed to be able to access any account within nine attempts, says the paper.
The flaw, which has not been detailed by the newspaper, centres on the way HSBC customers access the online banking service and involves the use of keylogging programs.
The newspaper says that other banks use a different system which researchers claim is more secure.
But an HSBC spokesman told the paper that the "supposed flaw" is not one the bank has seen criminals use.
"It is an extremely sophisticated attack that would require a particular and time-consuming focus on one individual victim. It is therefore not likely to be a profitable way for criminals to behave," he told the newspaper.
But the Cardiff research team argue that hackers could access accounts with ease once the flaw is spotted.
Professor Antonia Jones, the computer scientist who led the research team, told the paper that hackers "will most likely get in within five attempts, and definitely within nine".
She says fraudsters would be able to change the account information and address, transfer funds or arrange bank loans.
She told The Guardian: "As long as this flaw exists, customers are at risk. For banks or institutions that are making huge amounts out of their customers not to protect them is pretty scandalous."
The Cardiff researchers were planning to publish full details of the flaw in security journals this year, but decided to go public.