For the past five months, a website for investment services giant Ameriprise Financial contained bugs that allowed even low-level criminals to inject malicious content into official company webpages and steal user's cookies, according to a web security expert. The XSS, or cross-site scripting, flaws made it possible for phishers …
Obviously these guys handle CCard details and therefore need to PCI DSS compliant..... this is one of those occasions where the Security Standards Council / Card Issuers need to use the big stick and impose sanctions (ie revoke certification and resultant fines) as they would for a company that size that has not achieved compliance by their target date.
To say... 'I have no idea if someone reported a vulnerability. But I am going to do nothing about how we handle vuln reporting" is tottally unacceptable and quite apart from the failure to comply to Requirement 6.5 (secure development of websites) it is surely also refusing to comply with 12.9 "Implement an Incident Response plan" or Req 5 "Maintain a Vulnerability Management Program".
Tottally lame..... if I had any business with them (which I don't) I would be pulling it and moving to someone else. If the PCI SSC is not going to use the big stick, then the public needs to when companies display this type of attitude..... by voting with their feet!
"Please to fix this pwntastic code"? I wouldn't be inclined to take them seriously either.
- DINO-SLAYER asteroid strike was a stroke of bad luck, say boffins
- BEST BATTERY EVER: All lithium, all the time, plus a dash of carbon nano-stuff
- Stick a 4K in them: Super high-res TVs are DONE
- Review You didn't get the MeMO? Asus Pad 7 Android tab is ... not bad
- Russia: There is a SPACECRAFT full of LIZARDS in orbit above Earth and WE control it