It amazes me that there are still sites out there that do not have even the most basic error handling on them.  I recently hit an error on a bank's web site, which displayed the default ASP error handler.  This exposed the name of the include file that was being used.  It had a .inc extension.  Surely, they would have protected that .inc extension from being requested via IIS?  No - the .inc file could be downloaded and the source was available for all to see, including the location and authentication details for a database that was used.

It should be a no-brainer to have turned off the default error messages for ASP on a live site, and to have protected those .inc files - especially for a bank!

I'm sure everyone knows that you can do this in IIS admin easily for ASP sites.  And ASP.NET sites make it easy to control using web.config.  If you don't, and you have some responsibility for the security of your site, then you need to look up that information now!
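As an added example (not part of the original post), here is a small audit script that checks a web.config for the two problems described above: error detail sent to remote visitors and .inc files left downloadable. It assumes IIS 7 or later, where request filtering can be set in web.config; both sample configs and the `audit` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from any real site).
WEAK = """<configuration>
  <system.web><customErrors mode="Off" /></system.web>
</configuration>"""

HARDENED = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.htm" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="DetailedLocalOnly" />
    <security><requestFiltering><fileExtensions>
      <add fileExtension=".inc" allowed="false" />
    </fileExtensions></requestFiltering></security>
  </system.webServer>
</configuration>"""

DENY_PATH = "./system.webServer/security/requestFiltering/fileExtensions/add"

def audit(xml_text, extensions=(".inc",)):
    """Return a list of findings for one web.config document."""
    root = ET.fromstring(xml_text)
    findings = []
    # ASP.NET: mode="Off" sends full error detail to every client.
    # An absent element falls back to the RemoteOnly default.
    ce = root.find("./system.web/customErrors")
    mode = ce.get("mode", "RemoteOnly") if ce is not None else "RemoteOnly"
    if mode.lower() == "off":
        findings.append("customErrors mode=Off")
    # IIS: errorMode="Detailed" shows detailed errors to remote clients.
    he = root.find("./system.webServer/httpErrors")
    if he is not None and he.get("errorMode", "").lower() == "detailed":
        findings.append("httpErrors errorMode=Detailed")
    # Request filtering: each include extension should be explicitly denied.
    denied = {
        e.get("fileExtension", "").lower()
        for e in root.findall(DENY_PATH)
        if e.get("allowed", "true").lower() == "false"
    }
    for ext in extensions:
        if ext.lower() not in denied:
            findings.append(f"{ext} not denied by requestFiltering")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

The script only reads the one file it is given, so settings inherited from a parent web.config or from the server-level configuration are not seen.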

As far as this bank is concerned, I'm considering how to approach them, because this lack of concern for basic security procedures is worrying.  This bank is no small player either...you will have heard of them...