I was looking at xetrade (online currency conversion from GB pounds to US dollars and there are a few security issues I’m not happy about. Looking at Loosewires post on phishing they have the same issues – they will ring you back to confirm some bank details (which could be open to interception/spoofing.)
They then have some more worrying security issues.

1. They require you to fax or email copies of your passport/social security number/birth certificate to an email address (which is stored on an exchange public folder). The fact that email is not secure is drummed into people yet they are using this method of communication to verify data. Surely a secure upload facility should be enabled on the website (the rest of the login procedure is ssl encrypted).
2. Their SSL certificate expires in 3 days time – this makes me nervous.
3. The “contact us if you have any security questions” link at https://www.xe.com/fx/background.htm is broken, tells you to inform the webmaster but doesn’t have a link to the webmaster for this site (it assumes the referring link comes from another site.

I’ve put these questions in an email to xetrade – will be interesting to see what they say.
Update
xetrade reply, answering all the questions I posed (phew!)

1) We do offer a secure upload service which can be found at:

https://www.xe.com/sft/

As you can see from the address (https) this is located on our secure server and will upload the files directly to our system with no public exposure.

2) The security certificate has of course been renewed and is already on our server. However, in order to complete the process we need to re-start the web server which is something we do not like to do without preparation. For your information, the new certificate should be uploaded within the next 24 hours, and most likely some time later this afternoon. Please feel free to check back at any stage to see the new certificate.

I have reported the broken link and this has now been updated. We are very careful to ensure that all of our links work correctly and I am very sorry that this link was broken. Thank you for bringing this to our attention.

3) We do understand this concern. Generally, we initiate the call to you using the supplied telephone numbers which helps us to ensure we are dealing with the person who signed up for the account. Once we have initiated the call and spoken to you, we are happy for you to call back to us to continue the conversation on our contact numbers in order for you to cross reference and check that the person you are speaking to is part of our organization.

Once again, we do fully understand your concerns, Andy, and are happy to work with you as necessary so that you are confident you are dealing with the correct people. We must however do this from within the frameworks that we are provided to ensure that we are not helping clients to launder money or fund terrorism.

I hope that this helps answer your questions but if you require anything else do not hesitate to contact us.