Friday, 25 July 2008 03:35

Majority of online banking sites insecure by design

That is the surprising conclusion of a University of Michigan study which found that more than 75 percent of the bank sites surveyed had at least one flaw that could leave customers vulnerable to financial or identity loss. The findings, which will be presented today at the Symposium on Usable Privacy and Security (SOUPS) at Carnegie Mellon University, suggest that these are design flaws that cannot be fixed with a simple patch...

Professor Atul Prakash from the Department of Electrical Engineering and Computer Science at the University of Michigan, along with doctoral students Laura Falk and Kevin Borders, looked at a total of 214 online financial institutions while undertaking the study. None expected to find that such a large number of them would be vulnerable to potential data and identity theft.

Professor Prakash says that "To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country." While focusing on those users who attempt to be careful in their online banking, Prakash found that "unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

The problem is that these are not simple programming errors. They are not the kind of code glitch that can be patched up and put right with a digital sticking plaster. Instead, Prakash argues, they are fundamental flaws that stem from the flow and layout of the web pages themselves.

The kind of thing the report's authors are talking about includes placing login boxes and contact information on insecure (non-SSL) pages, or failing to keep the user within the domain of the site they initially visited, so that they have no reliable way to tell a legitimate redirect from a spoof.

These are flaws which, the study suggests, "leave cracks in security that hackers could exploit" to gain access to private information and accounts.

Where are the banks going wrong and what can be done to protect the end user? Read on for more from Professor Prakash...

The United States Federal Deposit Insurance Corporation, in a recent Technology Incident Report compiled from the suspicious activity reports that banks themselves file quarterly, lists a total of 536 cases of computer intrusion. In 80 percent of these the intrusion took place during an online banking session, although the source of the attack remains unknown.

The University of Michigan study, 'Analyzing Web sites for user-visible security design flaws', found that some 47 percent of the banks surveyed placed login boxes on insecure (non-SSL) pages. This, it suggests, allows an attacker to reroute the data the user enters, or to substitute a spoof page that harvests fresh credentials.

It would be possible, they say, to mount such a man-in-the-middle attack over a wireless connection without ever changing the bank's URL as far as the end user can see, since a page served over plain HTTP can be rewritten in transit before it reaches the browser.

Prakash says the solution is as simple as ensuring that pages are served over the standard secure socket layer (SSL) protocol wherever sensitive information is collected, including the page that carries the login form itself and not just the page it submits to. Sadly, while some pages were secured in this way, the survey found that only a minority of sites applied the measure to all such pages.

"The research is notable as many of the site flaws are structural in nature" Geoff Sweeney, Chief Technology Officer with security outfit Tier-3 told us, continuing "Short of many of the site operators designing their portals from the ground up, it's likely there is no short-term fix."
 
Sweeney is looking forward to how the paper is received today, telling us "Some banks are reported to have reworked their sites as a result of the team notifying them of their problems, but I suspect that many will take time to change their portals."
