You can't get at the $ but you can get at the individual transaction data. They really should not have third party js on banking and medical sites, especially not for logged in users.

Are you absolutely sure about this (would love a reference)? Letting another party run code removes at least many layers of defence. I would not trust a bank which is doing that; it's just a sign of gross incompetence.

2FA should at least in theory stop them from doing that. But if the script rewrites the page then maybe there are interesting ways around that.

Third party code within your banking website has access to anything you can do from the UI.

That includes siphoning money from your account.

I have a hardware token and a chip card to stop that from happening; still, there may be some way to do it that I'm not aware of. One way I can think of is to display one set of destination details for a transfer to the user and use another for the actual transfer.

The hardware token I use shows amount and recipient. At least you could notice.