Hacker News

Imagine how much money you'd be able to syphon if you could access the JavaScript that serves these pages!



You can't get at the $ but you can get at the individual transaction data. They really should not have third party js on banking and medical sites, especially not for logged in users.


Are you absolutely sure about this (would love a reference)? Letting another party run code removes at least many layers of defence. I would not trust a bank which is doing that; it's just a sign of gross incompetence.


2FA should at least in theory stop them from doing that. But if the script rewrites the page then maybe there are interesting ways around that.


Third party code within your banking website has access to anything you can do from the UI.

That includes siphoning money from your account.


I have a hardware token and a chip card to stop that from happening; still, there may be some way to do it that I'm not aware of. One way I can think of is to display one set of destination details for a transfer to the user and use another for the actual transfer.


The hardware token I use shows amount and recipient. At least you could notice.


From my bank's web site? Effectively zero. Nothing will happen unless you validate the transactions using two-factor authentication (user id + code app/single-use paper code).

(In my experience all bank web sites work like above here in Finland)


One possible attack is to change the details of a transaction before the page posts it. To the user it would appear as if she's transferring money to Bob, but it'd go to Eve.


My bank has two-factor using some special applet thingy on my phone (not a regular app, it's tied into the SIM card somehow). It shows me the details (amount and destination account) which I have to confirm using my password (in combination with a key from the SIM).

Much more difficult to circumvent, assuming the user pays attention...
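The reason a token that shows amount and recipient defeats the "swap the recipient before the POST" attack discussed in this thread, as an added Python example that is not from any commenter: the confirmation code is an HMAC over the details the user actually saw, so a form field rewritten by injected script no longer verifies. The shared secret, per-transaction nonce and IBAN-like strings are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed example of "what you see is what you sign" transaction confirmation.
# The code the user types back is derived from the exact amount and recipient the
# token displayed, so the bank can detect if the submitted details differ.


def canonical(amount_cents: int, recipient_iban: str, nonce: str) -> bytes:
    """Unambiguous encoding of the details shown on the token's display."""
    return f"{amount_cents}|{recipient_iban.upper()}|{nonce}".encode()


def token_code(secret: bytes, amount_cents: int, recipient_iban: str, nonce: str) -> str:
    """What the hardware token / SIM applet computes from the DISPLAYED details."""
    mac = hmac.new(secret, canonical(amount_cents, recipient_iban, nonce), hashlib.sha256).digest()
    # Truncate to an 8-digit code the user can read and type back.
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def server_verify(secret: bytes, submitted_amount: int, submitted_iban: str, nonce: str, code: str) -> bool:
    """Bank recomputes the code over the SUBMITTED details; constant-time compare."""
    expected = token_code(secret, submitted_amount, submitted_iban, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> tuple:
    """Returns (honest_verifies, tampered_verifies) for a constructed transfer."""
    secret = secrets.token_bytes(32)  # enrolled into the token and stored by the bank
    nonce = secrets.token_hex(8)      # per-transaction challenge, prevents replay
    bob, eve = "FI0000000000000001", "FI0000000000000002"  # placeholder IBANs
    # User sees and confirms: 100.00 to Bob.
    code = token_code(secret, 10000, bob, nonce)
    honest = server_verify(secret, 10000, bob, nonce, code)
    # Injected script rewrites the recipient field to Eve before the POST;
    # the code was computed over Bob's details, so verification fails.
    tampered = server_verify(secret, 10000, eve, nonce, code)
    return honest, tampered
```

A dialog that tricks the user into confirming a transfer they did not intend (as the next comment describes) is outside what this binding can stop; it only guarantees that whatever was confirmed is what gets executed.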


Then, the malicious script can just pop up an official-looking dialog box with a message saying that they are 'testing' the confirmation system, and please accept/agree to the next SMS/alert from the app.

Having direct control of the user interface is very powerful.


Of course one has to have a minimum of awareness for any protection mechanism to work.


Eve should be among the known receivers though, which is a world of slow (~72 hours to add an IBAN to my list, for instance).

There are banks that try to make it faster though, with MFA, though the MFA system is usually SMS.


The banks I've used in Canada allow you to send transfers (up to $3000) to other domestic bank accounts without reauthenticating. Fortunately, they don't seem to use any third-party JavaScript.


Nothing. That is not how online banking works. At all. Payments need validation, checks and balances (quite literally) at multiple stages before any money changes hands.


Really depends on how secure your bank is, because a lot of major banking trojans work in a very similar way: injecting JavaScript in your webpage.


But they can sure tell if you're worth mugging...

