Over three quarters of banking Web sites contain fundamental design flaws that could put customers at risk from cyber thieves, according to a study conducted by researchers at the University of Michigan.
In an examination of 214 bank Web sites, researchers at the university found design flaws in more than 75% of them, flaws that leave gaps in security that attackers could exploit to gain access to customer information and accounts.
According to the study, the flaws are not bugs that can be easily fixed with a patch but are systemic, stemming from the flow and layout of the sites.
Says Atul Prakash, professor in the department of electrical engineering and computer science: "To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country. Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."
Prakash and his team found that 47% of banks placed login boxes on insecure pages, that is, pages not themselves served over SSL even when the credentials are submitted to a secure endpoint. He says this allows attackers to re-route data entered in the boxes or create a spoof page to harvest information.
Prakash says that on a wireless network it is possible to conduct this man-in-the-middle attack without changing the bank URL shown to the user, so even a vigilant customer could fall victim.
Banks could solve this problem by using the standard Secure Sockets Layer (SSL) protocol on every page that asks for sensitive information, he adds.
Over half (55%) of the sites examined put contact information and security advice on insecure pages. This opens the door for attackers to alter the addresses and phone numbers displayed to a customer, re-route the customer to themselves and trick them into handing over confidential details.
In addition, the team found sites that use social security numbers or e-mail addresses as user IDs, identifiers that thieves can easily obtain or guess. The team also looked for sites that did not state a policy on passwords or that allowed weak passwords. Of the sites surveyed, 28% had one of these flaws.
The researchers also warn that it is risky for banks to e-mail passwords or statements to customers, yet 31% use this insecure method of communication.
Prakash also criticises the 30% of firms that redirect customers to a site outside the bank's domain for certain transactions without warning. Often the look of the site changes as well as the URL, and it is hard for the user to know whether to trust the new site. He says this often happens when banks outsource some security functions.
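The three design flaws above (a login form on a page not served over SSL, credentials posted to a non-HTTPS endpoint, and a form that hands the customer off to a host outside the bank's domain) can all be spotted from a fetched page's HTML plus the URL it was fetched from. The checker below is an added example written for this article, not code from the Michigan study; the bank domain, host names and page fragments are constructed for illustration. It audits a page after the fact and therefore cannot see a live man-in-the-middle attack, only the layout decisions that make one easy.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> on a page, noting its action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _belongs_to(host, bank_domain):
    """True if host is bank_domain itself or a subdomain of it."""
    host, bank_domain = host.lower(), bank_domain.lower()
    return host == bank_domain or host.endswith("." + bank_domain)


def audit_page(page_url, html, bank_domain):
    """Return a list of findings for one fetched page; an empty list means no flaw was seen."""
    findings = []
    page = urlsplit(page_url)
    parser = _FormCollector()
    parser.feed(html)

    # Flaw 1: a password field on a page that was not itself delivered over HTTPS.
    # Even if the form posts to an https:// URL, an attacker on the path (for example on
    # the same wireless network) can rewrite the plain-HTTP page and redirect the submission.
    if page.scheme != "https" and any(f["has_password"] for f in parser.forms):
        findings.append(
            f"password field on a page fetched over {page.scheme}; "
            "the form can be tampered with before the user submits it")

    for form in parser.forms:
        action = urlsplit(urljoin(page_url, form["action"]))  # resolves relative actions
        # Flaw 2: credentials posted to a non-HTTPS endpoint.
        if form["has_password"] and action.scheme != "https":
            findings.append(f"credentials posted to {action.scheme} endpoint {action.geturl()}")
        # Flaw 3: a form that sends the customer to a host outside the bank's own domain.
        if action.scheme in ("http", "https") and not _belongs_to(action.hostname or "", bank_domain):
            findings.append(f"form submits to third-party host {action.hostname} (outside {bank_domain})")
    return findings


# Constructed sample pages; the domains are placeholders, not real banks.
BANK_DOMAIN = "example-bank.test"

GOOD_PAGE = """<html><body><form action="/login" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>"""

# Served from http://www.example-bank.test/: the post goes to https, but the page does not.
MIXED_PAGE = """<html><body><form action="https://secure.example-bank.test/login" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>"""

# Served from http://: both the page and the credential post are in the clear.
INSECURE_POST_PAGE = """<html><body><form action="/login" method="post">
<input name="user"><input type="password" name="pass"></form></body></html>"""

# Bill-pay form that silently hands the customer to an outsourcer's domain.
OUTSOURCED_PAGE = """<html><body><form action="https://pay.billpay-vendor.test/submit" method="post">
<input name="payee"><input name="amount"></form></body></html>"""

if __name__ == "__main__":
    cases = [
        ("https://www.example-bank.test/login", GOOD_PAGE),
        ("http://www.example-bank.test/", MIXED_PAGE),
        ("http://www.example-bank.test/", INSECURE_POST_PAGE),
        ("https://www.example-bank.test/pay", OUTSOURCED_PAGE),
    ]
    for url, html in cases:
        print(url)
        for finding in audit_page(url, html, BANK_DOMAIN) or ["no findings"]:
            print("  -", finding)
```

The domain check deliberately asks the caller for the bank's registrable domain rather than guessing it from the page URL, since a bank that legitimately uses a separate login host (secure.example-bank.test) should not be flagged, while a hand-off to another organisation's domain should.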
The results won't help ease security concerns over Internet banking, which have traditionally been the main obstacle to take-up. In 2006 Gartner claimed that almost nine million US adults had stopped using online banking, while another estimated 23.7 million would not even start because of fears over security.