by videoappeal 5215 days ago
Well tomg, when I researched this ~8 months ago there were at least 2 US financial websites that were using the same specialized analytic company that injected JS into banking login pages that were hosted on Linode VPSes.
2 comments

Oh I don't doubt you. I'm not an expert on this, heck, I wasn't even allowed onto the actual servers (because of said compliance). I don't know the guidelines for login pages or what kind of security third party JS libs are supposed to have (also PCI is not a law, afaik).

What I'm asserting is that the servers that store the actual banking and customer data have very high security standards. It's one thing to store front end website code on a VPS, it's a totally different thing to store your database with customer & bank data on Linode.

The bitcoin breach seems analogous to Bank of America storing your account information on Linode and trusting it as the Real Data. Does that make sense?

[quote] The bitcoin breach seems analogous to Bank of America storing your account information on Linode and trusting it as the Real Data. Does that make sense? [/quote]

//reply to tomg, but it seems HN stops nested replies beyond a certain level

At the end of the day you can have millions of dollars of security, auditing, PCI compliance tests passing, developers that celebrate every Friday that everything is secure, data hosted on premise, etc. But if you leave the login page javascript to a third party hosted on Linode then you might as well be BoA storing your data on a MySQL Linode instance. So in a nutshell it kind of undermines the work you guys do.

That's very true, and TBH I'm a bit surprised these banks are allowing that. IME doing frontend code for banks, they're very strict on third party libs, even ones hosted by the bank itself, right down to only approving certain versions of the lib.
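The point made in the two posts above (a third-party script on the login page runs with full access to everything the user types, no matter how well the backend is locked down) is something a reviewer can check for statically. The script below is an added example, not code from anyone in this thread; it audits the `<script>` tags of a login page, flags scripts served from a host other than the page's own origin, and distinguishes those pinned with a Subresource Integrity hash from those a remote host could change at will. The hostnames in the sample page and the `sha384-` value are constructed placeholders.

```python
"""Static audit of <script> tags on a login page (added example, not from the thread)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Well-formed SRI value: hash algorithm prefix followed by a base64 digest.
SRI_PATTERN = re.compile(r"^sha(256|384|512)-[A-Za-z0-9+/]+=*$")


class ScriptTagCollector(HTMLParser):
    """Collects the attributes of every <script ...> start tag, in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            # attrs is a list of (name, value); value is None for bare attributes like 'async'
            self.scripts.append({k.lower(): v for k, v in attrs})


def audit_login_page(html, page_origin):
    """Classify each external <script src=...> on the page.

    page_origin is the origin the login page is served from, e.g. 'https://bank.example'
    (constructed placeholder). Returns one finding dict per external script.
    """
    page_host = urlparse(page_origin).netloc.lower()
    collector = ScriptTagCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: shipped with the page itself, not a remotely hosted file
        # urlparse handles absolute ('https://h/x.js'), scheme-relative ('//h/x.js')
        # and path-only ('/x.js') references; netloc is empty for the path-only case.
        host = urlparse(src.strip()).netloc.lower()
        third_party = bool(host) and host != page_host
        integrity = attrs.get("integrity") or ""
        has_sri = bool(SRI_PATTERN.match(integrity))
        if third_party and not has_sri:
            severity = "high"    # the remote host can change the code that runs on the login page
        elif third_party:
            severity = "medium"  # content is pinned by hash, but still runs with full page access
        else:
            severity = "info"    # first-party script
        findings.append({
            "src": src,
            "host": host or page_host,
            "third_party": third_party,
            "has_sri": has_sri,
            "severity": severity,
        })
    return findings


def unpinned_third_party_scripts(findings):
    """Script sources that a change on the remote host would silently alter."""
    return [f["src"] for f in findings if f["severity"] == "high"]


# Constructed sample login page; hostnames and the digest are placeholders, not real sites.
SAMPLE_LOGIN_PAGE = """
<html><head>
  <script src="/static/login.js"></script>
  <script src="https://analytics.vendor.example/track.js" async></script>
  <script src="//cdn.example/lib.min.js"
          integrity="sha384-ConstructedPlaceholderDigestValue0123456789AbCdEf"
          crossorigin="anonymous"></script>
  <script>window.initLogin();</script>
</head>
<body><form action="/login"><input type="password" name="pw"></form></body></html>
"""

if __name__ == "__main__":
    results = audit_login_page(SAMPLE_LOGIN_PAGE, "https://bank.example")
    for finding in results:
        print(f"{finding['severity']:6} {finding['src']}")
    print("unpinned third-party:", unpinned_third_party_scripts(results))
```

This only sees tags present in the served HTML; an analytics vendor's loader that injects further script tags at runtime shows up here as the single loader tag, which is exactly the "high" case, and a `Content-Security-Policy` `script-src` limited to the page's own origin is the server-side control that stops the runtime-injected ones.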