Study: Security flaws threaten online banking

More than 75 percent of bank websites have at least one design flaw that could lead to the theft of customer information, according to a recent University of Michigan study. 

A research team led by Atul Prakash, a professor in the department of electrical engineering and computer science, examined the sites of 214 financial institutions. Among the design flaws discovered:

  • Sites forwarded users from a secure page to pages on different domains without notifying them.
  • There were login options on insecure pages.
  • Contact information and security advice were shown on insecure pages.
  • Policies for user IDs and passwords were inadequate.
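The first three flaws in the list are properties of a page and its links that can be checked mechanically. The following is an added example, not code from the University of Michigan study or from the article: a small static auditor that parses fetched HTML and flags login forms on non-HTTPS pages, login forms that post over HTTP or to a different domain, and links that lead to insecure pages or to third-party domains. The sample pages and hostnames are constructed for the example, and the domain comparison uses a deliberately simple last-two-labels heuristic (an assumption; production code would consult the public suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Constructed sample pages (not from the study): page URL -> HTML body as fetched.
SAMPLE_PAGES = {
    # Login form offered on an HTTP page, plus an outbound link to a partner site.
    "http://bank.example/": """
        <html><body>
        <form action="https://secure.bank.example/login" method="post">
          <input name="user"><input type="password" name="pass">
        </form>
        <a href="http://partner.example/offers">Offers</a>
        </body></html>""",
    # Secure contact page that links to an insecure copy of the help pages.
    "https://www.bank.example/contact": """
        <html><body><a href="http://www.bank.example/help">Help</a>
        <form action="/search"><input name="q"></form></body></html>""",
    # Clean login page: HTTPS throughout, same registrable domain.
    "https://www.bank.example/login": """
        <html><body>
        <form action="https://login.bank.example/auth" method="post">
          <input type="password" name="pw"></form></body></html>""",
}


class _PageScanner(HTMLParser):
    """Collects forms (with a flag for password inputs) and anchor hrefs."""

    def __init__(self):
        super().__init__()
        self.forms = []      # each: {"action": str, "has_password": bool}
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "text").lower() == "password":
                self._current["has_password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def registrable_domain(host):
    # Assumption: the last two labels identify the owner (good enough for the
    # constructed samples; real deployments should use the public suffix list).
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_page(url, html):
    """Return a list of design-flaw findings for one page."""
    findings = []
    page = urlparse(url)
    page_domain = registrable_domain(page.hostname or "")
    scanner = _PageScanner()
    scanner.feed(html)

    if page.scheme != "https":
        findings.append("page served over HTTP")

    for form in scanner.forms:
        if not form["has_password"]:
            continue  # only credential-bearing forms matter here
        target = urlparse(urljoin(url, form["action"]))
        if page.scheme != "https":
            # Even if the POST goes to HTTPS, the user cannot verify that
            # from an insecure page, which is the study's first complaint.
            findings.append("login form on insecure page")
        if target.scheme != "https":
            findings.append("login form posts over HTTP")
        if registrable_domain(target.hostname or "") != page_domain:
            findings.append(f"login form posts to foreign domain {target.hostname}")

    for href in scanner.links:
        target = urlparse(urljoin(url, href))
        if target.scheme == "http":
            findings.append(f"link to insecure page {target.geturl()}")
        if target.hostname and registrable_domain(target.hostname) != page_domain:
            findings.append(f"link to third-party domain {target.hostname}")
    return findings


def audit_site(pages):
    """Audit every page of a site; returns {url: [findings]}."""
    return {url: audit_page(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, found in audit_site(SAMPLE_PAGES).items():
        print(url, "->", found or "no findings")
```

Run against a real crawl, the same functions take the fetched URL and body for each page; the clean login page in the sample produces no findings, while the HTTP front page trips the first two categories and the contact page shows the "security advice on insecure pages" pattern as an HTTP link from an otherwise secure page.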

Design flaws such as these mean that customers may struggle to make the best security-related decision when entering confidential data, Laura Falk, who is pursuing a doctorate and is one of the researchers, told on Monday.

“The flaws are ones that even an expert user would find difficult to [detect],” Falk said. “For example, whether to enter login credentials on a page that is insecure. A careful user might recognize that this is not a good decision. However, if he wants to use the infrastructure, he is forced to do so.”

Gartner analyst Avivah Litan said that although most companies are good at protecting the login page, this study shows that security concerns appear to wane on other pages.

“These websites are good for spreading infection because it appears you aren't protecting customer service,” she told

And that, she explained, leaves the site open for trojan attacks and the opportunity for data theft.

Litan added that she was surprised bank websites had so many design flaws.

“I wouldn't have been surprised to hear these results with a small business, but banks usually have more resources dedicated to web security,” she said.

To fix the problem, Falk recommended using SSL throughout the entire website and avoiding links to third-party sites.

“It is our hope that this research will provide helpful information to banks and their security administrators to better secure their sites and provide a less frustrating experience for the user,” she said.
