[racket] Question about the double submit bug 'in the wild'

From: Neil Van Dyke (neil at neilvandyke.org)
Date: Fri Aug 20 19:53:34 EDT 2010

You'd think that financial institutions would have some of the highest 
standards for information systems, but in reality, for various reasons, 
their Web sites are often littered with substandard-ness.

There is one huge bank which, besides having subsystem integration 
problems apparent in their Web interface, has a flaw in their touted 
security mechanism.  I know the researcher who reported it to them, and 
he even had a meeting with key people there, but I don't believe that 
they addressed the problem.

And the home-banking setup that the credit union of a certain big-name 
engineering school uses is downright scary with all its brokenness and 
klunkiness and kludginess.  I called them up over one surprising 
security flaw, and the technical person I reached was not willing/able 
to fix it.

There are multiple reasons for some of the brokenness in Web apps of 
financial institutions.  I think a lot of it is difficulty of 
integration with legacy-technology systems, like mainframes and 
networks.  Another contributor can be that, when your application is so 
sensitive, there can be a huge barrier to modifying even 
modules/subsystems that your organization controls and that are using 
modern technologies.  Another is the usual problem of managing large 
systems (a colleague of mine actually helped design the overall Web 
experience for one of the huge banks, as an outside consulting firm, and 
just the interface for everything it had to cover was a major 
undertaking even for the initial system, before it started evolving).  
Then you sometimes have long-term MIS employees who have been 
"retrained" poorly or who are not well-suited to the different kind of 
work.  Then you might have the problem of running Web shops like old 
mainframe chief-programmer shops.  Then you have banks not necessarily 
hiring the same caliber of software talent as Google, R&D labs, and 
startups can.  (Some Wall Street firms do focus on top software talent, 
by paying huge salaries+bonuses and/or giving interesting quant work, 
but your home banking Web app is generally not done by those people.)

Less seriously... Then there is the classic strategic error of hiring a 
fresh self-assured Young Republican business-degree graduate to do 
conscientious engineering. :)  And also, using Java makes you dumber. :)

I should add that not all bank Web sites are bad, and even some of the 
ones with bad parts have parts that are done conspicuously well.


Posted on the users mailing list.