Insecure Banks

More than 75% of the bank Web sites surveyed had at least 1 design flaw that could make customers vulnerable to cyber thieves after their money or even their identity.

root cause: a belief that the web site is a cost center, while money is wasted on countless branch offices. no wonder they can only afford incompetent web technology.
2013-11-06: if you thought banks encrypt the traffic on their international leased lines, well…
2014-01-11:

90% contained several non-SSL links throughout the application. This allows an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam.

50% of the apps are vulnerable to JavaScript injections via insecure UIWebView implementations. In some cases, the native iOS functionality was exposed, allowing actions such as sending SMS or emails from the victim’s device.

in the move from shitty websites to shitty “apps”, we’re going backwards several years as implementers have to relearn all the security lessons. you probably don’t want to trust any “apps” from your financial institution.
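As an added example (not code from this post or from either article it quotes), here is a check for the first finding above: non-SSL references inside a page that was itself served over TLS. It takes the HTML a bank site or an app's web view delivered and lists every script, stylesheet, frame, form action, image or link that resolves to plain http, which is exactly what an on-path attacker can rewrite to inject JavaScript or a fake login form. The page URL, hostnames and HTML are constructed for illustration.

```python
"""Scan HTML for references an on-path attacker can tamper with.

Added example, not code from the original post. Sample input below is
constructed; the hostnames use the reserved .example TLD.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs the browser or WebView will fetch or submit to, with how
# bad a plain-http reference is. Active content and form targets let an
# attacker run code in the page or read the submitted credentials; images and
# links are lower impact but still let them swap in a fake login page.
URL_ATTRS = {
    ("script", "src"): "high",
    ("iframe", "src"): "high",
    ("link", "href"): "high",     # only checked for rel="stylesheet" below
    ("form", "action"): "high",
    ("img", "src"): "low",
    ("a", "href"): "medium",
}


class InsecureRefScanner(HTMLParser):
    """Collects every reference that resolves to a plain-http URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/icon links are not fetched as active content
        for (t, attr), severity in URL_ATTRS.items():
            if t != tag or not attrs.get(attr):
                continue
            # Resolve relative and protocol-relative ("//host/x") references
            # against the page URL so they get the scheme the WebView would use.
            resolved = urljoin(self.page_url, attrs[attr].strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append({
                    "tag": tag, "attr": attr, "url": resolved,
                    "severity": severity,
                })


def scan_page(page_url, html):
    """Return the insecure references found in html served from page_url.

    If the page itself was loaded over plain http, everything in it is
    tamperable regardless of scheme, so that is reported first and every
    relative reference then resolves to http as well.
    """
    findings = []
    if urlsplit(page_url).scheme == "http":
        findings.append({"tag": "page", "attr": "url", "url": page_url,
                         "severity": "high"})
    scanner = InsecureRefScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return findings + scanner.findings


# Constructed sample: a TLS login page that still pulls in an http script,
# posts the login form to http and links to an http help page.
SAMPLE_PAGE_URL = "https://onlinebanking.example/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://onlinebanking.example/site.css">
<script src="http://cdn.example/analytics.js"></script>
</head><body>
<img src="//static.example/logo.png">
<form action="http://onlinebanking.example/auth" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<a href="http://onlinebanking.example/help">Help</a>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"[{f['severity']}] <{f['tag']} {f['attr']}> {f['url']}")
```

For an app rather than a site, feed it the responses captured with an intercepting proxy between the device and the bank. It only sees what is in the markup; URLs assembled at runtime by JavaScript or by native code, and the UIWebView bridge exposure in the second quote, need a look at the app binary and its JavaScript handlers instead.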
