On Mon, 2 Nov 2015 22:53:03 +0000 Brian <a...@cityscape.co.uk> wrote:
> > An attacker must inject a payload into a web page that the user > visits. When the page loads in the user’s browser the attacker’s > payload will be executed. A user would likely have no knowledge of > this, irrespective of whatever browser or user-agent string is being > used. > > Without the payload (which the bank's site has delivered) the security > of the browser is not compromised. If a password were to be obtained > the bank is complicit in the action. I expect they would take > responsibilty for this. > > You were going fine until the last sentence... -- Joe