Heise have also been pushing their latest comment on frameset issues, which, as they quite rightly point out, have been public for some time. (And, you can engineer their exploit to work on the HSBC site, at least with IE6. Sorry, my error, Firefox 1.5)
Well, bank security is a complicated thing. Part of the problem is that technical solutions often aren't possible and lots of this is not visible to the users. This, of course, causes other problems when the invisible stuff goes wrong, 'cause the bank can lie about it, but just read Ross's stuff on this. A lot of the fundamental security is built into fraud monitoring processes and back-office systems and the sort of inter-bank co-operation that would scare the conspiracy theorists.
The core processes are not technological and are therefore driven by people, and people make errors (deliberate or otherwise). And, irritatingly, banks tend to be large organisations and the customer-facing people (suffering in the call centre) will not have the detailed knowledge of how / why the risk management decisions were taken or the compensating controls already or now in place. Oh, and now please explain this to your on-call media relations person, without using any technical terms, so that they can sound suitably convincing in front of the MSM.
S-E