Comments on HolisticInfoSec™: Online finance flaw: U.S. Bank & National City Bank XSS and more
Author: Russ McRee (http://www.blogger.com/profile/05647342839278416757)
Comment feed last updated: 2024-01-15T00:25:02.006-08:00

Comment by Rafal Los (https://www.blogger.com/profile/18106347834259269413), 2008-12-13T19:24:00.000-08:00

@alex: Are you serious? You're either a troll (trying to get someone to flip out and respond) or you're just ridiculous.

I have a little experience working for a bank (or few) in my past so I can appreciate the "bigger fish to fry" comment, but an issue that is (1) relatively trivial to fix and (2) damaging to a huge customer base should be a high priority, especially given the comment you posted on my blog.

Anyway - this is *exactly* the reason there are so many excessive IT-based risks out there...people just don't care!

... WOW.

Comment by Unknown (https://www.blogger.com/profile/13259421662913673571), 2008-12-13T06:29:00.000-08:00

Um, as an NCC customer, an InfoSec professional and, more importantly, an IRM professional - I couldn't care less.

These banks know about these issues, they've had to do the risk assessments already, and they figured they have bigger fish to fry. So what?

Of course, I have more informative priors about their IRM practices than you do...

Comment by Anonymous, 2008-12-10T08:54:00.000-08:00

They aren't the only ones around. I'm aware of a mortgage company who, in addition to being riddled with XSS holes, uses timestamps as session IDs.

Another bank that I have used in the past has XSS holes, a lack of SSL on the login page, and publicly accessible access logs. When I brought it to their attention they simply told me that since they outsource their online banking, it isn't important. They never did fix the issues.

I have since found a new bank.