
Security flaws plague majority of e-banking sites - research

23 July 2008  |  11019 views

Over three quarters of banking Web sites contain fundamental design flaws that could put customers at risk from cyber thieves, according to a study conducted by researchers at the University of Michigan.

In an examination of 214 bank Web sites, researchers at the university found design flaws in more than 75% which leave cracks in security that hackers could exploit to access customer information and accounts.

According to the study, the flaws are not bugs that can be easily fixed with a patch but are systemic, stemming from the flow and layout of the sites.

Says Atul Prakash, professor in the department of electrical engineering and computer science: "To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country. Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

Prakash and his team found that 47% of banks placed secure login boxes on insecure pages. He says this allows hackers to re-route data entered in the boxes or create a spoof page to harvest information.

Prakash says in a wireless situation, it's possible to conduct this man-in-the-middle attack without changing the bank URL for the user, so even a vigilant customer could fall victim.

Banks could solve this problem by using the standard secure socket layer (SSL) protocol on pages that ask for sensitive information, he adds.

Over half (55%) of sites examined put contact information and security advice on insecure pages. This opens the door for hackers to change addresses and phone numbers and then re-route customers and trick them into handing over confidential details.

In addition the team found sites that use social security numbers or e-mail addresses as user IDs, making it easy for thieves to obtain them. The team also looked for sites that didn't state a policy on passwords or allowed weak passwords. Of the sites surveyed, 28% had one of these flaws.

The researchers also warn that it is risky for banks to e-mail passwords or statements to customers, yet 31% use this insecure method of communication.

Prakash also criticises the 30% of firms that redirect customers to a site outside of the bank's domain for certain transactions without warning. Often the look of the site changes as well as the URL, and it's hard for the user to know whether to trust the new site. He says this often happens when banks outsource some security functions.

The results won't help ease security concerns over Internet banking, which have traditionally been the main obstacle to take-up. In 2006 Gartner claimed that almost nine million US adults have stopped using online banking, while another estimated 23.7 million won't even start because of fears over security.
