Davey Winder
Friday, 25 July 2008 03:35
The United States Federal Deposit Insurance Corporation, in a recent Technology Incident Report compiled from the suspicious activity reports that banks themselves file quarterly, lists a total of 536 cases of computer intrusion. In 80 percent of these cases the source of the intrusion remains unknown, but the intrusion took place during an online banking session.
The University of Michigan study 'Analyzing Web sites for user-visible security design flaws' found that some 47 percent of the banks surveyed were guilty of placing login boxes on insecure pages. This, it suggests, lets a potential attacker redirect the data a customer enters, or serve spoofed pages that harvest fresh credentials. It would be possible, the authors say, to use a wireless connection to perform such a man-in-the-middle attack without the bank URL ever changing as far as the end user is concerned.
Prakash says that the solution is as simple as ensuring that such pages are designed to use the standard Secure Sockets Layer (SSL) protocol wherever sensitive information is being collected. Sadly, while some pages are secured in this way, the survey found that only a minority of banks applied the measure to all such pages.
"The research is notable as many of the site flaws are structural in nature," Geoff Sweeney, Chief Technology Officer with security outfit Tier-3, told us, continuing: "Short of many of the site operators designing their portals from the ground up, it's likely there is no short-term fix."
Sweeney is looking forward to seeing how the paper is received today, telling us: "Some banks are reported to have reworked their sites as a result of the team notifying them of their problems, but I suspect that many will take time to change their portals."