The http:// thing is what stands out to me. Someone had to actively choose to serve content over http in 2026. Even if the original template was ancient, any security review would have caught that - unless they skipped that step entirely, which honestly tracks.
I work with banking data day to day and the internal systems are often just as rough. CSV exports with inconsistent date formats between the same bank's own products. Transaction descriptions that are random truncated strings with no standardisation. Every bank formats their statements differently and some of them can't even stay consistent between their own account types.
You'd think with the regulatory pressure around data accuracy this stuff would be sorted by now. But the reality is most banks treat their digital infrastructure like legacy plumbing - it works well enough that nobody wants to risk touching it.
Does HTTP really matter in this particular case though?
HTTPS still typically exchanges the Server Name Identification. So you know somebody is talking to HSBC. And the rest of the URL is just an anonymized tracking ID. So I'm having a hard time seeing what the threat is in this particular instance.
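To make the comparison above concrete, here is an added example (not from any commenter, and not tied to any real bank's traffic) of what a passive on-path observer can read in each case. It builds a constructed, minimal TLS ClientHello carrying the SNI extension, parses the hostname back out of it, and contrasts that with a plaintext HTTP request, where the full path (tracking ID included) is readable and the response is also modifiable in transit. The hostname and path are constructed sample values.

```python
import struct
from typing import Optional


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record with an SNI extension (sample data)."""
    name = hostname.encode("ascii")
    # server_name_list: list length(2) + name_type(1)=host_name + name length(2) + name
    sni_body = struct.pack("!H", len(name) + 3) + b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = b"\x00\x00" + struct.pack("!H", len(sni_body)) + sni_body   # extension type 0 = SNI
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + b"\x11" * 32              # client random (constant here, sample only)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"               # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a TLS record containing a ClientHello and return the SNI host_name, if present.

    This is the part of an HTTPS connection a passive observer can read: the
    server name is sent before any encryption is negotiated.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 38 or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                   # handshake header, version, random
    pos += 1 + hs[pos]                                 # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    if pos + 1 > len(hs):
        return None
    pos += 1 + hs[pos]                                 # compression_methods
    if pos + 2 > len(hs):
        return None
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                                 # server_name extension
            p = pos + 2                                # skip server_name_list length
            while p + 3 <= pos + elen:
                ntype = hs[p]
                nlen = struct.unpack("!H", hs[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                         # name_type host_name
                    return hs[p:p + nlen].decode("ascii", "replace")
                p += nlen
        pos += elen
    return None


def observer_view(transport: str, host: str, path: str) -> dict:
    """What a passive on-path observer learns about a request to <transport>://host/path."""
    if transport == "http":
        # Everything, including the path and any ID in it, is plaintext; a
        # network position that can read it can also rewrite the response.
        request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
        return {"hostname": host, "path": path, "response_modifiable": True, "visible_bytes": request}
    # HTTPS: only the ClientHello (with SNI) is readable; the HTTP request that
    # follows is inside the encrypted channel, so the path stays private.
    hello = build_client_hello(host)
    return {"hostname": extract_sni(hello), "path": None, "response_modifiable": False, "visible_bytes": hello}


if __name__ == "__main__":
    for t in ("http", "https"):
        v = observer_view(t, "example.com", "/track/abc123")   # constructed sample values
        print(t, "-> hostname:", v["hostname"], "| path:", v["path"],
              "| response modifiable:", v["response_modifiable"])
```

The point the comparison makes: SNI does reveal which site is being contacted over HTTPS, but it reveals only that, while plain HTTP exposes the full URL and gives anyone in the path the ability to alter what the user receives.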
> But the reality is most banks treat their digital infrastructure like legacy plumbing - it works well enough that nobody wants to risk touching it.
They don't seem to have nearly the same concern for their online banking web UIs, though. Or even the UIs presented on screen at ATMs.