Security flaws plague majority of e-banking sites - research

23 July 2008

Over three quarters of banking Web sites contain fundamental design flaws that could put customers at risk from cyber thieves, according to a study conducted by researchers at the University of Michigan.

In an examination of 214 bank Web sites, researchers at the university found design flaws in more than 75% which leave cracks in security that hackers could exploit to access customer information and accounts.

According to the study, the flaws are not bugs that can be easily fixed with a patch but are systemic, stemming from the flow and layout of the sites.

Says Atul Prakash, professor in the department of electrical engineering and computer science: "To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country. Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

Prakash and his team found that 47% of banks placed secure login boxes on insecure pages. He says this allows hackers to re-route data entered in the boxes or create a spoof page to harvest information.

Prakash says in a wireless situation, it's possible to conduct this man-in-the-middle attack without changing the bank URL for the user, so even a vigilant customer could fall victim.

Banks could solve this problem by using the standard secure socket layer (SSL) protocol on pages that ask for sensitive information, he adds.

Over half (55%) of sites examined put contact information and security advice on insecure pages. This opens the door for hackers to change addresses and phone numbers and then re-route customers and trick them into handing over confidential details.

In addition the team found sites that use social security numbers or e-mail addresses as user IDs, making it easy for thieves to obtain them. The team also looked for sites that didn't state a policy on passwords or allowed weak passwords. Of the sites surveyed, 28% had one of these flaws.

The researchers also warn that it is risky for banks to e-mail passwords or statements to customers, yet 31% use this insecure method of communication.

Prakash also criticises the 30% of firms that redirect customers to a site outside of the bank's domain for certain transactions without warning. Often the look of the site changes, as well as the URL, and it's hard for the user to know whether to trust the new site. He says this often happens when banks outsource some security functions.
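The following check is an added example, not part of the original article or the Michigan study: it audits a page for two of the flaws described above, a login box served on a non-SSL page and credentials handed to a host outside the page's own. The `bank.example` host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages (hypothetical bank.example hosts).
INSECURE = ('<form action="https://secure.bank.example/login">'
            '<input type="password" name="pw"></form>')
SECURE = ('<form action="/login" method="post"><input type="text" name="u">'
          '<input type="password" name="pw"></form>')


class _LoginFormFinder(HTMLParser):
    """Collects the action of every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self._action = None       # action of the form currently open
        self.login_actions = []   # one entry per form holding a password input

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif (tag == "input" and self._action is not None
              and (a.get("type") or "").lower() == "password"):
            self.login_actions.append(self._action)
            self._action = None   # record each form only once

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def audit_login_page(page_url, html):
    """Return findings for each login form found in html served at page_url."""
    finder = _LoginFormFinder()
    finder.feed(html)
    page, findings = urlsplit(page_url), []
    for action in finder.login_actions:
        target = urlsplit(urljoin(page_url, action))  # resolve relative actions
        # An HTTPS form target does not help if the page carrying the form
        # arrived over plain HTTP: the form itself can be altered in transit.
        if page.scheme != "https":
            findings.append("login form served on insecure page")
        if target.scheme != "https":
            findings.append("credentials submitted without TLS")
        if target.hostname != page.hostname:
            findings.append("credentials posted to a different host: %s"
                            % target.hostname)
    return findings
```

Run against `INSECURE` served from `http://www.bank.example/`, the audit reports the insecure page even though the form posts to an HTTPS address, which is the case the study counted as a flaw.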

The results won't help ease security concerns over Internet banking, which have traditionally been the main obstacle to take-up. In 2006 Gartner claimed that almost nine million US adults have stopped using online banking, while another estimated 23.7 million won't even start because of fears over security.
