Social media banking

Have a look at this screenshot:

Do you notice the social media buttons? As far as I can tell, this site is a bank. They've decided to sprinkle the cool magic of social media across their site, with buttons from Google Plus, Twitter and Facebook. Of course, in order to do so their highly secure site must run JavaScript delivered over HTTPS from platform.twitter.com, apis.google.com and connect.facebook.net right inside their own page, plus include IFRAMEs from s-static.ak.facebook.com, platform.twitter.com, http://www.facebook.com and plusone.google.com – meaning that an XSS problem or compromise of any of these sites can now potentially be used to take control of their customers' online banking.

And all that in order to ..

let you tell all your social media friends how incredibly cool it is to have forgotten your online banking password!

What were they thinking? :whistle:
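To make the point above concrete, here is an added audit script (mine, not the blog author's) that lists every script and IFRAME a page loads from an origin other than its own and flags any fetched over plain HTTP. The bank URL and the markup are constructed for the example; only the third-party hosts come from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: a forgot-password form that also pulls in the
# social-media widgets named in the post. Not the bank's real markup.
SAMPLE_PAGE_URL = "https://online.example-bank.test/forgot-password"
SAMPLE_HTML = """
<html><body>
<form action="/forgot-password" method="post">...</form>
<script src="/static/app.js"></script>
<script src="https://platform.twitter.com/widgets.js"></script>
<script src="https://apis.google.com/js/plusone.js"></script>
<script src="https://connect.facebook.net/en_US/all.js"></script>
<iframe src="https://s-static.ak.facebook.com/connect/xd_arbiter.php"></iframe>
<iframe src="https://platform.twitter.com/widgets/tweet_button.html"></iframe>
<iframe src="http://www.facebook.com/plugins/like.php"></iframe>
<iframe src="https://plusone.google.com/_/+1/fastbutton"></iframe>
</body></html>
"""

class ActiveContentCollector(HTMLParser):
    """Collects the src of every <script> and <iframe>: the tags that run
    code in the page or embed another origin's document into it."""
    def __init__(self):
        super().__init__()
        self.sources = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))

def third_party_includes(page_url, html):
    """Return (tag, origin, is_https) for every script or iframe whose origin
    differs from the page's own. A 'script' entry is an origin that can run
    code inside the page; is_https False means it can also be altered in transit."""
    page = urlparse(page_url)
    parser = ActiveContentCollector()
    parser.feed(html)
    findings = []
    for tag, src in parser.sources:
        u = urlparse(urljoin(page_url, src))  # resolve relative paths
        if (u.scheme, u.hostname) == (page.scheme, page.hostname):
            continue  # first-party: served from the page's own origin
        findings.append((tag, f"{u.scheme}://{u.hostname}", u.scheme == "https"))
    return findings
```

Running `third_party_includes(SAMPLE_PAGE_URL, SAMPLE_HTML)` on the sample reports three script origins and four frame origins, one of them over plain HTTP.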


9 thoughts on “Social media banking”

  1. No, it's not really a compatibility issue and I'm not a customer either.. just found it funny enough to blog about, but won't follow up further.

  2. They seem to have the same social button bar on every content page, so this is probably a case of a default layout being applied to the forgot password page. Probably also different people working on different parts of the site. It's still very wrong. Have you contacted them about it?

  3. Not the same thing but key.com does/did have google ads (and some other ads) on its login page. For a while, one of the last points in the https redirect for one of the ads went to an http URI and Opera complained about it. The actual login form was in an iframe from https://accounts.key.com/ though. If you went directly there, there'd be no problem as there weren't any ads on that page. But, it is/was still shady to have ads on a bank page imo. I reported it to them, but they said they couldn't help because my last login showed Opera as my user agent and they said they don't support Opera. I explained that it had nothing to do with Opera and they said they still couldn't help because they saw "Opera". That's a typical bank for ya. I warned a whole bunch of key customers on facebook about it at the time and told them to go to the framed login page directly. But, after I did that, they started blocking direct access to that page. Seems they really wanted people to load the ads (hidden ads at that). It's not blocked atm though.

     key.com does have links to their facebook and twitter pages. They at least show you a page that you're leaving key.com.

     key.com also used to require flash to log in. At the time, turning on plug-ins on demand in Opera wouldn't allow you to log in. That doesn't seem to be a problem, but they still use flash and even use vbscript for IE. They have all kinds of code just to detect versions of flash. It's crazy. Again, typical bank for ya.

  4. Originally posted by burnout426:

    I explained that it had nothing to do with Opera and they said they still couldn't help because they saw "Opera"

    Wow. "We don't care about our customers' opinions unless they use a web browser we've heard of". :yuck:
