Cross Site Scripting Holes / Insecure Logins / Banking Security

[ Back to Introduction ]

Last update: May 29, 2009 (Over 8 years after this site was created, and still some sites with such basic problems)
These sample links will alert you with your cookie information from the site. If the site fixes the problem, there will be no alert for Cross Site Scripting problems. For insecure logins, the site should redirect you to https or not show the login form. To best see what information is vulnerable, First, go to the site and login, then come back and see what info is alerted. As you can see, these are some of the top sites on the internet. We have not tested every site on the internet. Test the sites you use, if you find a hole, let us know. If your site is on here, fix the hole, then let us know.
In the news: Bank Sites Still Driven by Marketers

Company	Domain	Exploit Link
US HSBC Personal Banking	us.hsbc.com	(I'm Withholding Details ) Resent message to bank 9/13/2006
First National	firstnational.com	Insecure Login Form
US Bank	usbank.com	Insecure Login Form & XSS hole
TD Ameritrade	tdameritrade.com	Insecure Login Form
Ally Bank (formerly GMAC Bank)	ally.com	Insecure Contact Info
INGDirect	ingdirect.com	Insecure Contact Info & XSS (What Happened to INGDirect?)

3 out of 4 banking sites suffer from basic security flaws found a University of Michigan Study

Top Banking Flaws:

Important Unsecured Pages
XSS Vulnerabilites
Improper Emailing
Improper session handling

What can you do?
1. Always login to your financial accounts on a secure (https) page
2. File a complaint with the government agency appropriate for the bank.
3. If you are a reporter or other person in with a blog, MAKE SOME NOISE! This needs attention to get fixed!

1. If the bank has the word National or the letters N.A. in its title, the complaint should be sent to Comptroller of the Currency, Customer Assistance Group, 1301 McKinney Street, Suite 3710, Houston TX 77010, 1 (800) 613-6743.

2. A complaint about a state-chartered bank that is a member of the Federal Reserve System should be sent to the Board of Governors of the Federal Reserve System, Director, Division of Consumer and Community Affairs, Washington, D.C. 20551, (202) 452-3693. http://www.federalreserve.gov/feedback.cfm

3. Complaints regarding state-chartered, federally insured banks that are not members of the Federal Reserve System should be sent to the Office of Bank Customer Affairs, Federal Deposit Insurance Corporation, Washington, D.C. 20429, 1 (800) 934-3342.

4. Complaints about federal-chartered savings banks should be sent to the Office of Thrift Supervision, Division of Consumer Affairs, Washington, DC 20552, 1 (800) 842-6929.

NOTE: The banks listed because of insecure login place login data on an insecured, non https page. They often make it worse by placing a lock icon next to the login form. Do not trust lock icons on webpages! Always check your browser's lock icon, or select page info to see if the page is truely secure. Never type in your login information on an insecure webpage (even if it's submitting to a secure page see my example of a hacked action field). This type of login can easily be hijacked, proxied, or otherwise intercepted. More on Spoofing

Banks should also list any contact information or other sensitive information where financial data is exchanged on secure sites. Users should not trust any content on any page that is not https.

Please report any other banks or websites with insecured (http) login forms using my email ( david at this domain ) .

Just a quick sponsor message

Photo Editor

Online Photo Editor for facebook!