Nine out of 10 financial and commercial Web sites contain security flaws that make them vulnerable to online hackers and phishing attacks, according to research by UK consultant Next Generation Security Software (NGS).
The white paper shows that 90% of the 100+ Web applications audited by NGS in the past year were potentially vulnerable to advanced phishing attacks. Furthermore, about a third of sites also contained flaws that could be used to access confidential customer information stored in back-end databases.
Phishing involves the use of spam e-mail to direct computer users to fake Web sites in order to deceive them into handing over their personal financial data.
The study also found that many sites contained configuration errors that could be used to redirect customer data from a legitimate Web site to a fake one without the customer knowing.
Commenting on the study, Gunter Ollmann, professional services director at NGS, says: "There is so little vendor-neutral technical information about modern phishing threats. We were surprised at how naive many businesses are, and how poorly prepared they were for responding against phishing attacks targeting their own customers."
Direct losses from ID fraud against victims of phishing attacks cost US banks about $1.2 billion in 2003, according to recent research from Gartner.