Study: Security flaws threaten online banking


More than 75 percent of bank websites have at least one design flaw that could lead to the theft of customer information, according to a recent University of Michigan study. 

A research team led by Atul Prakash, a professor in the department of electrical engineering and computer science, examined the sites of 214 financial institutions. Among the design flaws discovered:

  • Secure pages forwarded users to pages on a different domain without notifying them.
  • There were login options on insecure pages.
  • Contact information and security advice were shown on insecure pages.
  • Policies for user IDs and passwords were inadequate.

Design flaws such as these mean that customers may struggle to make the best security-related decision when entering confidential data, Laura Falk, a doctoral student and one of the researchers, said on Monday.

“The flaws are ones that even an expert user would find difficult to [detect],” Falk said. “For example, whether to enter login credentials on a page that is insecure. A careful user might recognize that this is not a good decision. However, if he wants to use the infrastructure, he is forced to do so.”

Gartner analyst Avivah Litan said that although most companies are good at protecting the login page, this study shows that security concerns appear to wane on other pages.

“These websites are good for spreading infection because it appears you aren't protecting customer service,” she said.

And that, she explained, leaves the site open for trojan attacks and the opportunity for data theft.

Litan added that she was surprised bank websites had so many design flaws.

“I wouldn't have been surprised to hear these results with a small business, but banks usually have more resources dedicated to web security," she said.

To fix the problem, Falk recommended using SSL throughout the entire website and avoiding links to third-party sites.
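As an added illustration that is not part of the study or of this article, the following Python script performs a static check for three of the flaws listed above and for Falk's recommendation that SSL be used throughout: it flags password forms served over plain HTTP or posting over HTTP, login forms that post to a host outside the bank's domain, and secure pages that link to an HTTP page or to another domain. The sample pages, the domain example-bank.test and the partner host are constructed for this example. The script parses saved HTML only; it does not see server-side redirects, JavaScript navigation or password-policy settings, which need a live crawl or a manual review.

```python
"""Static audit of saved bank pages for the design flaws described above.

Example code for illustration, not part of the University of Michigan study
or of this article. All sample pages and host names below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormLinkParser(HTMLParser):
    """Collect each <form> (action, whether it holds a password field) and every <a href>."""

    def __init__(self):
        super().__init__()
        self.forms = []       # dicts: {"action": str, "has_password": bool}
        self.links = []       # raw href values in document order
        self._form = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def same_site(host, bank_domain):
    """True if host is the bank's domain or a subdomain of it."""
    if not host:
        return False
    host = host.lower()
    return host == bank_domain or host.endswith("." + bank_domain)


def audit_page(url, html, bank_domain):
    """Return a list of finding strings for one page identified by its URL."""
    parser = _FormLinkParser()
    parser.feed(html)
    findings = []
    page_secure = urlparse(url).scheme == "https"

    for form in parser.forms:
        if not form["has_password"]:
            continue                        # only credential forms matter here
        if not page_secure:
            findings.append("login form on insecure page")
        action = urlparse(urljoin(url, form["action"]))
        if action.scheme != "https":
            findings.append("login form posts credentials over http")
        if not same_site(action.hostname, bank_domain):
            findings.append(f"login form posts to third-party host {action.hostname}")

    for href in parser.links:
        target = urlparse(urljoin(url, href))
        if target.scheme not in ("http", "https"):
            continue                        # mailto:, tel:, javascript: and similar
        if page_secure and not same_site(target.hostname, bank_domain):
            findings.append(f"secure page links off-domain to {target.hostname}")
        elif page_secure and target.scheme == "http":
            findings.append(f"secure page links to insecure {target.geturl()}")
    return findings


def audit_site(pages, bank_domain):
    """Audit a {url: html} mapping; returns {url: [findings]}."""
    return {url: audit_page(url, html, bank_domain) for url, html in pages.items()}


# Constructed sample pages for a fictional bank (not real sites).
SAMPLE_PAGES = {
    # Home page served over plain HTTP with the login box on it.
    "http://www.example-bank.test/": (
        '<html><body><form action="https://secure.example-bank.test/login" method="post">'
        '<input name="user"><input type="password" name="pass"></form>'
        '<a href="http://www.example-bank.test/contact">Contact us</a></body></html>'),
    # Logged-in page that sends the user to an HTTP page and to a third party.
    "https://secure.example-bank.test/account": (
        '<html><body><a href="http://www.example-bank.test/contact">Contact</a>'
        '<a href="https://cards.partner-processor.test/apply">Apply for a card</a>'
        '<a href="mailto:help@example-bank.test">Email</a></body></html>'),
    # Login page done correctly: HTTPS page, same-host HTTPS action.
    "https://secure.example-bank.test/login": (
        '<form action="/login" method="post"><input name="user">'
        '<input type="password" name="pass"></form>'),
}

if __name__ == "__main__":
    for url, findings in audit_site(SAMPLE_PAGES, "example-bank.test").items():
        print(url, "->", findings or ["no findings"])
```

Run against a directory of pages saved from an authenticated crawl, the script gives a first-pass list of the mixed-content and off-domain navigation problems the study describes; anything it reports on a secure page is what a user would have to notice from the address bar alone.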

“It is our hope that this research will provide helpful information to banks and their security administrators to better secure their sites and provide a less frustrating experience for the user,” she said.

