HSBC scripting flaws play into the hands of phishers
Several HSBC websites are subject to scripting flaws that create a possible mechanism for crooks to create more convincing phishing scams. Security blog xssed.com has posted a list of affected domains, which include HSBC sites in multiple territories including the UK. Xssed has been tracking problems on the bank's sites since …
I contacted them the other week with regards to EVV Certificates, and the fact that First Direct seemed to be failing (according to Opera's strict EVV implementation), they had no idea at what EVV was, let alone cross site scripting that was breaking the site.
I would move banks, but experience says that they are all pretty much clueless when it comes to security..
A Right Royal Cock Up in other Words?
And a Question for Modesty's Sake/Stake.
cc ... HMGCC re Cinderella ProgramMIng.
And just so atypical of Python Psyche to Fail Delivery with False Modesty.
There's Work to be Done, Empire States 42 Build.
Two months is a rather optimistic estimate for HSBC security process.
Their Verified by Visa marketing gimmick was storing state in clients in a way where you could skip all verification steps with Konqueror. I tried to explain this to them and they simply did not care. So I gave up and registered with Mozilla. This was more than a year ago and last time I had a look at it the bug was still there.
Paris, as the symbol of their (and not only their) UK banking coding quality and security.
The UK site is still open to SQL injection attack. They also took 6 months to add a major city's branch details back to their search results, long after I had told them about the problem a total of 6 times by various means.
Clueless-ness on a global level.
This is what happens when you have teams of people who don't know more than the basics and are used to thinking of security as an afterthought.
Want someone to blame? Blame Microsoft. Yeah Microsoft. Not because they use Microsoft's products but because Microsoft was the first major software company who's mantra was "Rush to be first to market, then clean up the mess later."
Yep, I think they are all about as bad as each other. Nat West/RBS assured me that if my browser passed their user agent verification then they were prepared to *guarantee* that my system was secure and they were extremely confident in this security system.
Been getting a lot of phish-bait in the spamtrap which claims to tbe Co-op related recently.
You know, all this Internet banking stuff is total crap. The world worked just find (some would argue better) before everyone expected instant responses. The crap coding coming out of so many professionals these days, combined with the dishonest attitudes of so many people completely take away any advantage the online world offers. Except of course to get online and comment on various websites for no gain.
Back to cash and barter.
I'm with them, but since I know how secure Internet banking is I always pick up the phone - hard-line, not VOIP. They are there 24/7 and I would rather talk than type.
Not quite face to face, but it's on my terms and not some 'closed by 3:30' local-ish sales office (that'd be Lloyds-TSB mostly; don't know why my wife puts up with their 'annual review' insults).
Sign up, sign up for The Register's weekly IT security newsletter - click here
