Bugtraq mailing list archives

An undetectable Online Bank Vulnerability?


From: Mark Peterson <apalamen () sbcglobal net>
Date: 21 Dec 2003 17:18:21 -0000
December 20, 2003

RE: Banking/eCommerce Basic Vulnerability - Undetectable

Due to the well-documented capabilities of XSS/CSS and the proliferation of 3rd-party web services, can anyone confirm the following:

If an Online Bank utilizes 3rd-party web services (JavaScript/.JS) via either web-analytic measurements or a banner-ad server, is there not indeed a theoretical backdoor to the client-side browser if this 3rd-party web service/web server was compromised with malicious code?

All one has to do is attack the server that is providing the commercial web service, and in theory one would have complete control over the consumer's web browser (client-side browser), without detection by an Online Bank or by the internal security intrusion detection of the Bank itself.

Is this not correct?

Behind closed doors, I have confirmation of this independently, although no one in public seems to be willing to formally acknowledge these basic vulnerabilities in Online Banking.

I have a list of Banks that currently utilize webservices from another 3rd-party.

I have searched the entire Internet for anyone else who may have reported this obvious vulnerability to an online bank. What I haven't found is a technical solution to it, nor dissemination of the basics of just how vulnerable online banking is for consumers.

Can anyone debate me publicly on this, on the grounds of the technical merits of this Online Banking Security issue, without throwing accusations around?

I am a writer, and wanted to address the fact that there is a theoretical backdoor that could escape detection by Intrusion Countermeasures, because this theory is made up of the following:

1) Find a COMMERCIAL WEBSITE with 3rd-party services running on it.
2) Attack the weakest part - the company providing webservices to this website.
3) Compromise the code on the server that is providing it to the COMMERCIAL WEBSITE.
4) This compromised code could in theory launch a new Popup() window or new browser session mimicking the entire content of the COMMERCIAL WEBSITE.
5) This technique bypasses the COMMERCIAL WEBSITE's SERVER and INTRUSION DETECTION capability by launching straight into the user's client-browser session (client-side).

In theory, would this not be a Backdoor to Online Banking/Commerce? It is also undetectable because of its client-side orientation; is this not also correct?

Obvious solutions: Remove 3rd-party web services from sensitive websites. Inform customers to disable JavaScript or Mobile Code.

Any comments would be appreciated.

