Sealed with an XSS: IT pros urge Lloyds Group to avoid web cross talk


"We employ multi-layered security controls across our systems"

That's what you get when you employ PR-bots who are the only people allowed to talk to the press. There is only one official line, which must be religiously followed in all communication (until it is replaced, that is).


Of course they didn't say "We employ adequate multi-layered security controls across our systems"


no DNS security or client-initiated renegotiation protection either

For a start, the web server allows client-initiated renegotiation, which is NOT good at all.

Although the option does not bear a risk for confidentiality, it does make a web server vulnerable to DoS attacks within the same TLS connection. Therefore you should not support it.

They have not enabled DNSSEC... spoof away!


Multi-layered security controls across our systems

I got a similar answer from EDF when I asked them why I needed to disable 'Auto remove overlays', 'uBlock Origin' and Safescript in order to access the site. So while I use these sites I'm totally open to click-jacking and running malware scripts. Are these sites run on a hacked together script based on some school project of ten years ago?


Re: Multi-layered security controls across our systems

>> Are these sites run on a hacked together script based on some school project of ten years ago?

Is that a rhetorical question, given most banks' history of long periods of 'No problem here' followed by a fertilised fan incident and 'There was a small problem affecting only a few users..'?


Re: Multi-layered security controls across our systems

>> Are these sites run on a hacked together script based on some school project of ten years ago?

More likely it's some PHB who thinks they are god's gift to programming.


Re: Multi-layered security controls across our systems

"I got a similar answer from EDF when I asked them why I needed to disable 'Auto remove overlays', 'uBlock Origin' and Safescript in order to access the site."

With NoScript you have to enable google.com and gstatic.com and sometimes an amazonaws script in addition to the EDF script in order to log in. The google and gstatic scripts seem to be there for supplying the captcha. The amazonaws one is not always present, but if it is you have to enable it. I've complained about this excessive use of 3rd party stuff but they seem not to understand; their SSL Labs rating was a B until I told them about it, and they've since improved it.


SWMBO, who contracts for banks, says they are filled with bad-tempered, self-serving psychopaths at pretty much all levels. They are the only personality type that can survive. Hence she is trying her best to find work elsewhere.

Back OT I'm sure I've read in the comments many times these exact vulnerabilities being pointed out.


Good luck to her.


D'oh!

The Halifax website has a very obvious weakness: the password characters entered via the drop down menu are displayed permanently rather than momentarily.

Their 2FA is also poor because it relies on an SMS. They've never considered that mobile numbers can easily be hijacked.


Moving the Goalposts

All SCADA Systems are Susceptible and Vulnerable to XSS/Cross Site Scripture. Done Remarkably Well, IT Provides Raw Novel Core Source Supply for Augmenting Virtual Realisations Presenting Future Almighty Paths for Exploring and Exploiting ........ Mapping and Mining.

What are the Available Defences against such AI LOVE RATs ..... Advanced IntelAIgent Live Operational Virtual Environment Remote Access Trojans/Real Administrative Tools?


https://observatory.mozilla.org/analyze/https://lloydsbank.com

Anonymous Coward

Complaint

As a Lloyds customer, I have just sent in a complaint, with a link to this news item. I told them not to respond to me but to The Register. Will be interesting to see how they handle it.


Re: Complaint

Bank... Mark this one's card for 'special' treatment.

Mine's the one with the car park <-> (rapidly thinning) branch map.


"Moore's (benign) proof-of-concept demo from Halifax Bank" is broken...

The link under "Launch Halifax Site" calls: https://translate.googleusercontent.com/translate_c?depth=1&hl=en&rurl=translate.google.com&sl=fr&sp=nmt4&tl=en&u=https://isitsafe.co.uk/SecurityHeaders/halifax/indexIFRAME.html&xid=17259,15700019,15700124,15700149,15700186,15700190,15700201,15700214&usg=ALkJrhh6WZqsRcnKoavKG3J9R0LnWk1NHA ???


Re: "Moore's (benign) proof-of-concept demo from Halifax Bank" is broken...

It's not broken. The use of Google translate is crucial to this attack, as only code residing on Google's subdomain will execute.

(And 7 other Lloyds domains and 1 IBM wildcard)

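As an added example (not from the article or from any commenter here), a small Python checker for the Content-Security-Policy response header, covering the two defensive points this comment turns on: whether a page can be framed at all, and which external origins its script allowlist lets run code in page context. The header value below is constructed and its hostnames are illustrative, not Lloyds' actual policy.

```python
"""Constructed example: audit a CSP header for framing and third-party script risk."""

# Constructed sample header; hostnames are illustrative placeholders, not a real bank policy.
SAMPLE_CSP = ("default-src 'self'; "
              "script-src 'self' https://translate.googleusercontent.com *.example-partner.com; "
              "img-src *; ")

SAFE_SCRIPT_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Return {directive: [source-list]} from a raw CSP header string."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy):
    """Effective script-src list; per the CSP spec it falls back to default-src when absent."""
    return policy.get("script-src", policy.get("default-src", []))


def risky_script_origins(policy):
    """Entries in the effective script-src that let code from outside the site run in page context:
    wildcards, unsafe-inline/eval, and any explicit third-party host (each one is a place where a
    compromised or abusable host, e.g. a translation proxy, becomes an XSS vector)."""
    risky = []
    for src in script_sources(policy):
        if src in ("'self'", "'none'") or src.startswith(SAFE_SCRIPT_PREFIXES):
            continue  # same-origin, explicit deny, or nonce/hash-pinned script: fine
        if (src == "*" or src.startswith("*.") or src.startswith("http")
                or src in ("'unsafe-inline'", "'unsafe-eval'")):
            risky.append(src)
    return risky


def framing_allowed(policy, x_frame_options=None):
    """True if an arbitrary origin may embed the page in an iframe (clickjacking exposure).
    frame-ancestors takes precedence over X-Frame-Options when both are present."""
    ancestors = policy.get("frame-ancestors")
    if ancestors is not None:
        return "*" in ancestors
    if x_frame_options and x_frame_options.upper() in ("DENY", "SAMEORIGIN"):
        return False
    return True  # neither header set: any site can frame the page


if __name__ == "__main__":
    policy = parse_csp(SAMPLE_CSP)
    print("framing allowed:", framing_allowed(policy))
    print("risky script origins:", risky_script_origins(policy))
```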

RPI.basketofeggs.com

Seem to have lost access to the Barclays story. Must be another out and in the river it’s a full house at the head shed. All the cards except the joker. Might be a double deck with 8 of a kind. #imallout


"Lloyds Group should avoid cross talk"

I thought this was about Noel Edmonds' latest XS (Cross Scripted) comments in the press yesterday regarding the Archbishop of Canterbury.


Full Disclosure.

If they're not even acknowledging it, you've got two options. Send it to the ICO for one thing; secondly, just release a PoC - they won't do that again.

Anonymous Coward

Banks - Can't live with them / Can't live without them

Here's a shout out to Allied Irish Bank for any passing hacker. Max password length is 5 numbers, of which 3 must be entered at any one time.

WTF?


Re: Banks - Can't live with them / Can't live without them

First Direct don't recognise the difference between capitals and small letters in user names, greatly increasing the chances someone will be able to brute-force the first security layer, and the same password "x" letter combos seem to be used for hours at a time, giving hackers plenty of time to try to gain access. I once had "1st, 2nd and last" as the prompt for several days.

Kind of reminds me of the near ATM apocalypse of the 1980s/90s, where only 3 PIN numbers were being issued to all customers, and you had 3 chances to enter the PIN number...
