Several HSBC websites are subject to scripting flaws that create a possible mechanism for crooks to create more convincing phishing scams. Security blog xssed.com has posted a list of affected domains, which include HSBC sites in multiple territories including the UK. Xssed has been tracking problems on the bank's sites since …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Wednesday 25th June 2008 11:58 GMT Mark

HSBC / First Direct - Clueless muppets.

I contacted them the other week with regards to EVV Certificates, and the fact that First Direct seemed to be failing (according to Opera's strict EVV implementation), they had no idea at what EVV was, let alone cross site scripting that was breaking the site.

I would move banks, but experience says that they are all pretty much clueless when it comes to security..

0 0
Wednesday 25th June 2008 12:01 GMT amanfromMars

Cutting to the Chase and Chastened.....

A Right Royal Cock Up in other Words?

And a Question for Modesty's Sake/Stake.

cc ... HMGCC re Cinderella ProgramMIng.

And just so atypical of Python Psyche to Fail Delivery with False Modesty.

There's Work to be Done, Empire States 42 Build.

0 0
Wednesday 25th June 2008 12:01 GMT Anonymous Coward

Two months? What a bunch of optimists

Two months is a rather optimistic estimate for HSBC security process.

Their Verified by Visa marketing gimmick was storing state in clients in a way where you could skip all verification steps with Konqueror. I tried to explain this to them and they simply did not care. So I gave up and registered with Mozilla. This was more than a year ago and last time I had a look at it the bug was still there.

Paris, as the symbol of their (and not only their) UK banking coding quality and security.

0 0
Wednesday 25th June 2008 12:01 GMT Anonymous Coward

Muppets

The UK site is still open to SQL injection attack. They also took 6 months to add a major city's branch details back to their search results, long after I had told them about the problem a total of 6 times by various means.

0 0
Wednesday 25th June 2008 12:49 GMT Ian Michael Gumby

Global Bank + global workforce = ...

Clueless-ness on a global level.

This is what happens when you have teams of people who don't know more than the basics and are used to thinking of security as an afterthought.

Want someone to blame? Blame Microsoft. Yeah Microsoft. Not because they use Microsoft's products but because Microsoft was the first major software company who's mantra was "Rush to be first to market, then clean up the mess later."

0 0
Wednesday 25th June 2008 12:49 GMT Anonymous Coward

@Mark

Yep, I think they are all about as bad as each other. Nat West/RBS assured me that if my browser passed their user agent verification then they were prepared to *guarantee* that my system was secure and they were extremely confident in this security system.

0 0
Wednesday 25th June 2008 12:49 GMT Anonymous Coward

Co-op too?

Been getting a lot of phish-bait in the spamtrap which claims to tbe Co-op related recently.

0 0
Wednesday 25th June 2008 22:27 GMT Solomon Grundy

Screw It

You know, all this Internet banking stuff is total crap. The world worked just find (some would argue better) before everyone expected instant responses. The crap coding coming out of so many professionals these days, combined with the dishonest attitudes of so many people completely take away any advantage the online world offers. Except of course to get online and comment on various websites for no gain.

Back to cash and barter.

0 0
Thursday 26th June 2008 07:42 GMT MrT

First Direct

I'm with them, but since I know how secure Internet banking is I always pick up the phone - hard-line, not VOIP. They are there 24/7 and I would rather talk than type.

Not quite face to face, but it's on my terms and not some 'closed by 3:30' local-ish sales office (that'd be Lloyds-TSB mostly; don't know why my wife puts up with their 'annual review' insults).

0 0