Halifax/Lloyds Banking Group have since verified this exploit, even bringing in external consultants to re-test & confirm their results. Halifax don’t offer a “Premier +” account, but would you have spotted the fake/malicious section of the page? We’re looking at a page controlled entirely by an attacker. No usernames, no passwords and no SIM swapping, just unfettered access to a user’s communications. A simple exploit in the Halifax site allows an attacker to execute arbitrary scripts. This gives the attacker complete control over the victim’s environment: changing links, buttons and text and, crucially, performing actions as if they’re the genuine user.
Source: https://paul.reviews/bank-mobile-network-security-for-want-of-a-nail/