Study: Security flaws threaten online banking


More than 75 percent of bank websites have at least one design flaw that could lead to the theft of customer information, according to a recent University of Michigan study. 

A research team led by Atul Prakash, a professor in the department of electrical engineering and computer science, examined the sites of 214 financial institutions. Among the design flaws discovered:

  • Sites redirected users from a secure page to a page on a different domain without telling them that the site had changed.
  • Login forms were placed on insecure (non-HTTPS) pages.
  • Contact information and security advice were served on insecure pages.
  • Policies for user IDs and passwords were inadequate.

Design flaws such as these mean that customers may struggle to make sound security decisions when entering confidential data, Laura Falk, a doctoral student and one of the researchers, said on Monday.

“The flaws are ones that even an expert user would find difficult to [detect],” Falk said. “For example, whether to enter login credentials on a page that is insecure. A careful user might recognize that this is not a good decision. However, if he wants to use the infrastructure, he is forced to do so.”

Gartner analyst Avivah Litan said that although most companies are good at protecting the login page, this study shows that security concerns appear to wane on other pages.

“These websites are good for spreading infection because it appears you aren't protecting customer service,” she said.

And that, she explained, leaves the site open for trojan attacks and the opportunity for data theft.

Litan added that she was surprised bank websites had so many design flaws.

“I wouldn't have been surprised to hear these results with a small business, but banks usually have more resources dedicated to web security,” she said.

To fix the problem, Falk recommended using SSL throughout the entire website and avoiding links to third-party sites.
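The flaws listed above, and the "SSL everywhere, no third-party links" remedy, can be checked statically against saved HTML. The script below is an added example written for this article, not tooling from the Michigan study or from any bank. It uses only the Python standard library, the bank and partner domains are hypothetical, and the registrable-domain check is a deliberate simplification (last two labels, no public-suffix list). It flags pages served without TLS, password forms on or posting to non-HTTPS URLs, password forms that post to another domain, and off-site links; the password-policy item cannot be judged from markup and is not covered.

```python
"""Static audit for the design-flaw classes described in the Michigan study.

Added example, not the study's own code.  Runs offline on the constructed
pages at the bottom of the file.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def registrable_domain(host):
    # Simplification (assumption): last two labels, no public-suffix list.
    return ".".join(host.lower().split(".")[-2:])


class _Collector(HTMLParser):
    """Collect forms (with whether they carry a password field) and links."""

    def __init__(self):
        super().__init__()
        self.forms = []      # dicts: {"action": str, "has_password": bool}
        self.links = []      # raw href values
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_page(page_url, html):
    """Return a list of (finding, detail) tuples for one saved page."""
    findings = []
    page = urlsplit(page_url)
    page_domain = registrable_domain(page.hostname or "")
    parser = _Collector()
    parser.feed(html)

    # "SSL throughout the entire website": any non-HTTPS page is a finding.
    if page.scheme != "https":
        findings.append(("NO_TLS", page_url))

    # Login forms: on an insecure page, posted without TLS, or to another domain.
    for form in parser.forms:
        target = urlsplit(urljoin(page_url, form["action"]))
        if not form["has_password"]:
            continue
        if page.scheme != "https":
            findings.append(("LOGIN_ON_INSECURE_PAGE", page_url))
        if target.scheme != "https":
            findings.append(("LOGIN_POSTED_WITHOUT_TLS", target.geturl()))
        if registrable_domain(target.hostname or "") != page_domain:
            findings.append(("LOGIN_POSTED_TO_OTHER_DOMAIN", target.geturl()))

    # Off-site links: a user following one lands on a different domain.
    for href in parser.links:
        target = urlsplit(urljoin(page_url, href))
        if target.scheme not in ("http", "https"):
            continue  # mailto:, tel:, javascript: are not navigations to a site
        if registrable_domain(target.hostname or "") != page_domain:
            findings.append(("OFFSITE_LINK", target.geturl()))

    return findings


# Constructed sample pages (hypothetical domains), not captures of real sites.
INSECURE_HOME = """
<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<a href="http://www.partner-rewards.example/offers">Rewards program</a>
</body></html>
"""

SECURE_HOME = """
<html><body>
<form action="https://auth.thirdparty.example/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<a href="/contact">Contact us</a>
<a href="mailto:help@examplebank.example">Email support</a>
</body></html>
"""

if __name__ == "__main__":
    for url, body in [("http://www.examplebank.example/", INSECURE_HOME),
                      ("https://www.examplebank.example/", SECURE_HOME)]:
        for finding, detail in audit_page(url, body):
            print(f"{url}: {finding} -> {detail}")
```

Run it against a crawl of saved pages rather than the two samples; the same page served over http and https should be audited separately, since the study's point is that the login page may be fine while the contact or help pages are not.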

“It is our hope that this research will provide helpful information to banks and their security administrators to better secure their sites and provide a less frustrating experience for the user,” she said.


You must be a registered member of SC Magazine to post a comment.
