For the past five months, a website for investment services giant Ameriprise Financial contained bugs that allowed even low-level criminals to inject malicious content into official company webpages and steal users' cookies, according to a web security expert. The XSS, or cross-site scripting, flaws made it possible for phishers …
Obviously these guys handle CCard details and therefore need to be PCI DSS compliant..... this is one of those occasions where the Security Standards Council / Card Issuers need to use the big stick and impose sanctions (i.e. revoke certification and resultant fines) as they would for a company that size that has not achieved compliance by their target date.
To say... "I have no idea if someone reported a vulnerability. But I am going to do nothing about how we handle vuln reporting" is totally unacceptable and, quite apart from the failure to comply with Requirement 6.5 (secure development of websites), it is surely also refusing to comply with 12.9 "Implement an Incident Response plan" or Req 5 "Maintain a Vulnerability Management Program".
Totally lame..... if I had any business with them (which I don't) I would be pulling it and moving to someone else. If the PCI SSC is not going to use the big stick, then the public needs to when companies display this type of attitude..... by voting with their feet!
"Please to fix this pwntastic code"? I wouldn't be inclined to take them seriously either.