by dm319 3207 days ago
I'm not sure the ship has sailed. If HSBC switched to only mailing out text-only emails with URLs written out in full, after a while HSBC users would get used to only receiving text correspondence from their bank. I think that would be a step towards reducing phishing attempts, though certainly not a complete answer.

Disclosure: I work for a fintech company that utilizes HTML emails almost exclusively for customer communications.

I think one thing that is not being considered is that for most customers, branding and the consistency thereof are key indicators of trustworthiness - especially when dealing with financial information. HN users are rare creatures; they have technical context the average end user does not have. The rise of phishing has led users to pay a great amount of attention to subtle hints of impropriety, like being taken from one sort of visual experience to a vastly different one. We saw vast improvement across all meaningful metrics when we switched from plain text to HTML emails that utilized branding consistent with our website.

As with everything that humans deal with, there are tradeoffs here. And I'm extremely concerned that this position taken to its logical extreme would lead to the web being transformed into something that is "safer" but much less useful and dynamic. One outcome of this could be the slow death of the open web in favor of siloed networks and platforms serving actually functional content in "safe" ways.

That would require HSBC to value some kind of improved security so much that they'd accept not having the HSBC logo in the email. That's what I think is out of the question.

You could maybe see banks offering plaintext communication as an option, but I doubt they'd make it the default (allowing users to switch to HTML).

Isn't this problem already solved with certificates online? Shouldn't this be solvable the same way? E.g. a bank sends an email containing a link to the content with some special attribute. The web browser displays the content if and only if the sender domain of the email (e.g. hsbc.com) is also the domain from which the content will be downloaded.

Problem is you've already received the rogue HTML before accessing the secure webpage. It's a shame email signing and encryption never took off.

The solution assumed mail clients would be adapted to enforce this. So if you send me a forged email claiming to be from hsbc, the mail client would allow showing HTML content only from an HTTPS connection to somewhere on hsbc. Kind of like the same-origin policy, but where the origin is the domain the email claims it came from.

They could still have the HSBC logo, it would just need to be in ASCII....