back to article Sealed with an XSS: IT pros urge Lloyds Group to avoid web cross talk

A pair of IT workers have criticised banks within the Lloyds Banking Group (LBG) for substandard security. The group denies anything is amiss, maintaining it follows industry best practice on cyber-security. Each of the three LBG banks – Lloyds, Halifax, and Bank of Scotland – has implemented transport layer security by …

  1. Bronek Kozicki

    "We employ multi-layered security controls across our systems"

    That's what you get when you employ PR-bots who are the only people allowed to talk to the press. There is only one official line, which must be religiously followed in all communication (until it is replaced, that is).

    1. teebie

      Of course they didn't say "We employ adequate multi-layered security controls across our systems"

    2. john.jones.name
      Stop

      no DNS security or client-initiated renegotiation protection either

      for a start the web server allows for client-initiated renegotiation, which is NOT good at all..

      Although the option does not bear a risk for confidentiality, it does make a web server vulnerable to DoS attacks within the same TLS connection. Therefore you should not support it.

      they have not enabled DNSSEC... spoof away !

  2. Anonymous Coward
    Anonymous Coward

    Multi-layered security controls across our systems

    I got a similar answer from EDF when I asked them why I needed to disable 'Auto remove overlays', 'uBlock Origin' and Safescript in order to access the site. So while I use these sites I'm totally open to click-jacking and running malware scripts. Are these sites run on a hacked together script based on some school project of ten years ago?

    1. Wellyboot Silver badge

      Re: Multi-layered security controls across our systems

      >>>Are these sites run on a hacked together script based on some school project of ten years ago?<<

      Is that a rhetorical question given most banks history of long periods of 'No problem here' followed by a fertilised fan incident and 'There was a small problem affecting only a few users..'

    2. Anonymous Coward
      Anonymous Coward

      Re: Multi-layered security controls across our systems

      >> Are these sites run on a hacked together script based on some school project of ten years ago?

      More likely it's some PHB who thinks they are god's gift to programming.

    3. Captain Badmouth
      WTF?

      Re: Multi-layered security controls across our systems

      "I got a similar answer from EDF when I asked them why I needed to disable 'Auto remove overlays', 'uBlock Origin' and Safescript in order to access the site."

      With noscript you have to enable google.com and gstatic.com and sometimes an amazonaws script in addition to the edf script in order to log in. The google and gstatic scripts seem to be there for supplying the captctha. The amazonaws is not always present but if it is you have to enable it. I've complained about this excessive use of 3rd party stuff but they seem not to understand, their ssl labs rating was a B until I told them about it, they've since improved it.

  3. 0laf
    FAIL

    SWMBO contracts for banks says they are filled with bad tempered self-serving psychopaths at pretty much all levels. They are the only personality type that can survive. Hence she is trying her best to find work elsewhere.

    Back OT I'm sure I've read in the comments many times these exact vulnerabilities being pointed out.

    1. Bronek Kozicki

      Good luck to her.

  4. Gerry 3
    Facepalm

    D'oh !

    The Halifax website has a very obvious weakness: the password characters entered via the drop down menu are displayed permanently rather than momentarily.

    Their 2FA is also poor because it relies on an SMS. They've never considered that mobile numbers can easily be hijacked.

  5. This post has been deleted by its author

  6. amanfromMars 1 Silver badge

    Moving the Goalposts

    All SCADA Systems are Susceptible and Vulnerable to XSS/Cross Site Scripture. Done Remarkably Well, IT Provides Raw Novel Core Source Supply for Augmenting Virtual Realisations Presenting Future Almighty Paths for Exploring and Exploiting ........ Mapping and Mining.

    What are the Available Defences against such AI LOVE RATs ..... Advanced IntelAIgent Live Operational Virtual Environment Remote Access Trojans/Real Administrative Tools?

  7. WibbleMe

    https://observatory.mozilla.org/analyze/https://lloydsbank.com

  8. Anonymous Coward
    Anonymous Coward

    Complaint

    As a Lloyds customer, I have just sent in a complaint, with a link to this news item. I told them not to respond to me but to The Register. Will be interesting to see how they handle it.

    1. Wellyboot Silver badge
      Coat

      Re: Complaint

      Bank... Mark this ones card for 'special' treatment.

      Mines the one with the car-park <-> (rapidly thining) branch map

  9. MS-Surface

    "Moore's (benign) proof-of-concept demo from Halifax Bank" is broken...

    The link under "Launch Halifax Site" calls: https://translate.googleusercontent.com/translate_c?depth=1&hl=en&rurl=translate.google.com&sl=fr&sp=nmt4&tl=en&u=https://isitsafe.co.uk/SecurityHeaders/halifax/indexIFRAME.html&xid=17259,15700019,15700124,15700149,15700186,15700190,15700201,15700214&usg=ALkJrhh6WZqsRcnKoavKG3J9R0LnWk1NHA ???

    1. Paul Moore

      Re: "Moore's (benign) proof-of-concept demo from Halifax Bank" is broken...

      It's not broken. The use of Google translate is crucial to this attack, as only code residing on Google's subdomain will execute.

      (And 7 other Lloyds domains and 1 IBM wildcard)

  10. StuntMisanthrope

    RPI.basketofeggs.com

    Seem to have lost access to the Barclays story. Must be another out and in the river it’s a full house at the head shed. All the cards except the joker. Might be a double deck with 8 of a kind. #imallout

  11. Ken Moorhouse Silver badge

    "Lloyds Group should avoid cross talk"

    I thought this was about Noel Edmonds' latest XS (Cross Scripted) comments in the press yesterday regarding the Archbishop of Canterbury.

  12. streaky

    Full Disclosure.

    If they're not even acknowledging you got two options. Send it to the ICO for one thing, secondly just release a PoC - they won't do that again.

  13. Anonymous Coward
    Anonymous Coward

    Banks - Can't live with them / Can't live without them

    Here's a shout out to Allied-Irish-Bank for any passing Hacker. Max Password length is 5 numbers of which 3 must be entered at any one time.

    WTF?

    1. Anonymous Coward
      Anonymous Coward

      Re: Banks - Can't live with them / Can't live without them

      First Direct dont recognise the difference between capitals and small letters in user names; greatly increasing the chances someone will be able to brute force the first security layer; and the same password "x" letter combos seem to be used for hours at a time, giving hackers plenty of time to try and gain access. I once had "1st, 2nd and last" as the prompt for several days.

      Kind of reminds me of the near ATM apocalypse of the 1980's/90's; where only 3 pin numbers were being issued to all customers, and you had 3 chances to enter the PIN number............

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like