29 April 2016

Security flaws plague majority of e-banking sites - research

23 July 2008  |  10942 views  |  0 comments

Over three quarters of banking Web sites contain fundamental design flaws that could put customers at risk from cyber thieves, according to a study conducted by researchers at the University of Michigan.

In an examination of 214 bank Web sites, researchers at the university found design flaws in more than 75% which leave cracks in security that hackers could exploit to access customer information and accounts.

According to the study, the flaws are not bugs that can be easily fixed with a patch but are systemic, stemming from the flow and layout of the sites.

Says Atul Prakash, professor in the department of electrical engineering and computer science: "To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country. Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

Prakash and his team found that 47% of banks placed secure login boxes on insecure pages. He says this allows hackers to re-route data entered in the boxes or create a spoof page to harvest information.

Prakash says in a wireless situation, it's possible to conduct this man-in-the-middle attack without changing the bank URL for the user, so even a vigilant customer could fall victim.

Banks could solve this problem by using the standard secure socket layer (SSL) protocol on pages that ask for sensitive information, he adds.

Over half (55%) of sites examined put contact information and security advice on insecure pages. This opens the door for hackers to change addresses and phone numbers and then re-route customers and trick them into handing over confidential details.

In addition, the team found sites that use social security numbers or e-mail addresses as user IDs, making it easy for thieves to obtain them. The team also looked for sites that didn't state a policy on passwords or allowed weak passwords. Of the sites surveyed, 28% had one of these flaws.

The researchers also warn that it is risky for banks to e-mail passwords or statements to customers, yet 31% use this insecure method of communication.

Prakash also criticises the 30% of firms that redirect customers to a site outside of the bank's domain for certain transactions without warning. Often the look of the site changes, as well as the URL, and it's hard for the user to know whether to trust the new site. He says this often happens when banks outsource some security functions.

The results won't help ease security concerns over Internet banking, which have traditionally been the main obstacle to take-up. In 2006 Gartner claimed that almost nine million US adults have stopped using online banking, while another estimated 23.7 million won't even start because of fears over security.
