Study: Security flaws threaten online banking

More than 75 percent of bank websites have at least one design flaw that could lead to the theft of customer information, according to a recent University of Michigan study. 

A research team led by Atul Prakash, a professor in the department of electrical engineering and computer science, examined the sites of 214 financial institutions. Among the design flaws discovered:

  • Sites redirected users from a secure page to pages on a different domain without notifying them.
  • Login forms were placed on insecure (non-SSL) pages.
  • Contact information and security advice were shown on insecure pages.
  • User ID and password policies were inadequate.
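
The four flaw classes above can be checked statically against a page's HTML. The script below is an added example, not code from the article or from the University of Michigan study: it flags password forms on non-HTTPS pages, forms that post credentials over plain HTTP or to another domain, links that leave the bank's domain or drop from HTTPS to HTTP, and, as a weak-policy hint, password fields with a short maxlength. The sample page, its URL and the bank.example domain are constructed, and the domain comparison assumes a simple last-two-labels rule rather than a public-suffix list.

```python
"""Static checks for the bank-site design flaws listed above.

Added example; not code from the University of Michigan study or SC Magazine.
Inspects one page's HTML offline and reports the flaw classes from the article.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def registrable_domain(host):
    """Naive eTLD+1: keep the last two labels (assumption; no public-suffix list,
    so hosts under suffixes like .co.uk are compared incorrectly)."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _PageScanner(HTMLParser):
    """Collects forms containing a password field, and all anchor hrefs."""

    def __init__(self):
        super().__init__()
        self.forms = []      # {"action": str, "password": bool, "maxlen": int | None}
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False, "maxlen": None}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True
                ml = a.get("maxlength") or ""
                if ml.isdigit():
                    self._current["maxlen"] = int(ml)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return a list of (flaw, detail) tuples found on one page."""
    findings = []
    page = urlsplit(page_url)
    page_domain = registrable_domain(page.hostname)
    scanner = _PageScanner()
    scanner.feed(html)

    for form in scanner.forms:
        if not form["password"]:
            continue                      # only login forms matter here
        target = urlsplit(urljoin(page_url, form["action"]))
        if page.scheme != "https":
            findings.append(("login form on insecure page", page_url))
        if target.scheme != "https":
            findings.append(("login form posts over plain HTTP", target.geturl()))
        if registrable_domain(target.hostname) != page_domain:
            findings.append(("login form posts to another domain", target.geturl()))
        if form["maxlen"] is not None and form["maxlen"] < 8:
            findings.append(("password field limited to %d characters" % form["maxlen"], page_url))

    for href in scanner.links:
        target = urlsplit(urljoin(page_url, href))
        if target.scheme not in ("http", "https"):
            continue                      # mailto:, tel:, javascript: etc.
        if registrable_domain(target.hostname) != page_domain:
            findings.append(("link leaves the bank's domain", target.geturl()))
        elif page.scheme == "https" and target.scheme == "http":
            findings.append(("link drops from HTTPS to HTTP", target.geturl()))
    return findings


# Constructed sample page modelled on the flaw list (bank.example is not a real bank).
SAMPLE_URL = "http://www.bank.example/index.html"
SAMPLE_HTML = """
<html><body>
<form action="https://login.bank.example/auth" method="post">
  <input type="text" name="user">
  <input type="password" name="pass" maxlength="6">
</form>
<a href="/contact">Contact us</a>
<a href="https://www.partner-rewards.example/offers">Rewards programme</a>
<a href="mailto:help@bank.example">Email us</a>
</body></html>
"""

if __name__ == "__main__":
    for flaw, detail in audit_page(SAMPLE_URL, SAMPLE_HTML):
        print("%-45s %s" % (flaw, detail))
```

Run against the constructed sample it reports three findings: the login form sits on an http:// page, the password field is capped at six characters, and the rewards link leaves the bank's domain. The same-domain HTTPS form and the mailto: link are correctly ignored. Where the user would be "notified" before leaving the domain cannot be judged from markup alone, so every off-domain link is reported for a human to review.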

Design flaws such as these mean that customers may struggle to make the right security decision when entering confidential data, Laura Falk, a doctoral student and one of the researchers, told SCMagazineUS.com on Monday.

“The flaws are ones that even an expert user would find difficult to [detect],” Falk said. “For example, whether to enter login credentials on a page that is insecure. A careful user might recognize that this is not a good decision. However, if he wants to use the infrastructure, he is forced to do so.”

Gartner analyst Avivah Litan said that although most companies are good at protecting the login page, this study shows that security concerns appear to wane on other pages.

“These websites are good for spreading infection because it appears you aren't protecting customer service,” she told SCMagazineUS.com.

And that, she explained, leaves the site open to trojan attacks and the opportunity for data theft.

Litan added that she was surprised bank websites had so many design flaws.

“I wouldn't have been surprised to hear these results with a small business, but banks usually have more resources dedicated to web security,” she said.

To fix the problem, Falk recommended using SSL throughout the entire website and avoiding links to third-party sites.

“It is our hope that this research will provide helpful information to banks and their security administrators to better secure their sites and provide a less frustrating experience for the user,” she said.
