The problem being that these are not simple programming errors. It is not the kind of code glitch that can be patched up and put right with the application of a digital sticking plaster. Instead, Prakash argues that these are fundamental flaws which stem from the flow and layout of the web pages themselves.
The kinds of things the report authors are talking about include the placing of login boxes, as well as contact information, on insecure pages, for example. Or how about a simple failure to keep the user within the boundaries of the actual site they initially visited?
Flaws, the study suggests, that "leave cracks in security that hackers could exploit" in order to gain access to private information and accounts.
Where are the banks going wrong and what can be done to protect the end user? Read on for more from Professor Prakash...
The United States Federal Deposit Insurance Corporation, in a recent Technology Incident Report that was compiled using data from the suspicious activity reports filed quarterly by banks themselves, lists a total of 536 cases of computer intrusion. In 80 percent of these, while the source remains unknown, the intrusion took place during online banking sessions.
It would be possible, they say, to use a wireless connection to perform such a man-in-the-middle attack without ever changing the bank URL as far as the end user is concerned.
Prakash says that the solution is as simple as ensuring that such pages are designed to use the standard secure socket layer (SSL) protocol wherever sensitive information is being collected. Sadly, while some pages will be secured like this, the survey found that only a minority applied the measure to all pages.
"The research is notable as many of the site flaws are structural in nature," Geoff Sweeney, Chief Technology Officer with security outfit Tier-3, told us, continuing: "Short of many of the site operators designing their portals from the ground up, it's likely there is no short-term fix."
Sweeney is looking forward to how the paper is received today, telling us "Some banks are reported to have reworked their sites as a result of the team notifying them of their problems, but I suspect that many will take time to change their portals."