UK researchers today warned that thousands of HSBC customers are vulnerable to a potentially devastating flaw in the bank's online banking system.
Two researchers working within Cardiff University's School of Computer Science, Professor Antonia J Jones and Joseph R Rabaiotti, together with a third independent researcher, Stuart P Goring, uncovered the vulnerability in HSBC's web banking system.
Without in any way hacking or even entering the system, the researchers
demonstrated that the problem, together with the use of a key-logger to record
keystrokes, could allow an attacker to gather all the necessary information
required to enter any customer account.
The researchers stressed that the bank was informed of the issue prior to
publication. HSBC and Cardiff University are now working together to address a
number of issues raised by this research, according to the academics.
The team said that no illegal access took place during the research, and that
it was possible "by perfectly proper use of the system" (a legal log-in which
fails due to a typing error) and by intelligent observation to logically prove a
weakness without even passing the gatekeeper or entering the system.
While they were able to do this because of a rather trivial problem, the
scientists claimed that "an interesting point of principle has been established
and a significant loophole identified".
"What is truly amazing about this particular problem is that it apparently
has not been illegally exploited for at least two years, during which time all
user accounts were in principle open to the access procedure we describe," said
Professor Jones.
"This fact alone raises some serious questions about the wisdom of having any
sensitive system online and about online banking in general."
Andrew Moloney, senior product manager at
RSA
Security's consumer solutions division, said: "HSBC has been heavily
criticised for not addressing this flaw, but I don't believe this criticism is
valid.
"No banks' systems are 100 per cent secure, and even if every flaw was
patched immediately this would not mean that online banking users were safe from
fraudsters. Far from it.
"Online fraud attacks rarely rely on technology flaws. They flourish because
of the one flaw that cannot be addressed by a security patch: the user."