
Security flaws plague majority of e-banking sites - research

23 July 2008

Over three quarters of banking Web sites contain fundamental design flaws that could put customers at risk from cyber thieves, according to a study conducted by researchers at the University of Michigan.

In an examination of 214 bank Web sites, researchers at the university found design flaws in more than 75% which leave cracks in security that hackers could exploit to access customer information and accounts.

According to the study the flaws are not bugs that can be easily fixed with a patch but are systemic, stemming from the flow and layout of the sites.

Says Atul Prakash, professor in the department of electrical engineering and computer science: "To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country. Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

Prakash and his team found that 47% of banks placed secure login boxes on insecure pages. Because the page carrying the form is itself served over plain HTTP, an attacker who can tamper with it in transit can re-route data entered in the boxes or substitute a spoof page to harvest credentials, he says.

Prakash says in a wireless situation, it's possible to conduct this man-in-the-middle attack without changing the bank URL for the user, so even a vigilant customer could fall victim.

Banks could solve this problem by using the standard Secure Sockets Layer (SSL) protocol on every page that asks for sensitive information, including the page that serves the login form and not only the one it submits to, he adds.

Over half (55%) of sites examined put contact information and security advice on insecure pages. This opens the door for an attacker who can tamper with the page in transit to change the listed addresses and phone numbers, re-route customers to a number or site under his control and trick them into handing over confidential details.

In addition, the team found sites that use social security numbers or e-mail addresses as user IDs, identifiers that are easy for thieves to obtain. The team also looked for sites that did not state a policy on passwords or that allowed weak passwords. Of the sites surveyed, 28% had at least one of these flaws.

The researchers also warn that it is risky for banks to e-mail passwords or statements to customers, yet 31% use this insecure method of communication.

Prakash also criticises the 30% of firms that redirect customers to a site outside the bank's domain for certain transactions without warning. Often the look of the site changes as well as the URL, and it is hard for the user to know whether to trust the new site. He says this often happens when banks outsource some security functions.
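As an added example (not code from the study or from Finextra), the following Python script checks a fetched login page for two of the design flaws described above: a password form that is served from, or submits to, a non-HTTPS page, and a password form that submits to a host outside the bank's own domain. The page URLs, HTML and host names are constructed for illustration, and the "same domain" test is a simplification that takes the last two host labels rather than consulting the Public Suffix List.

```python
"""Audit a login page for user-visible design flaws of the kind counted in
the Michigan study. Added example; the sample pages and host names below
are constructed, not taken from any real bank."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record every <form> with its action and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def registrable_domain(host):
    """Simplified 'same bank domain' test: the last two labels of the host.
    Assumption for this example; a production check would use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_login_page(page_url, html):
    """Return a list of (flaw, detail) tuples for each password form on the page."""
    parser = _FormCollector()
    parser.feed(html)
    page = urlsplit(page_url)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action_url = urljoin(page_url, form["action"])
        action = urlsplit(action_url)
        # Flaw 1: the form itself arrived over plain HTTP. Even if it posts to
        # HTTPS, an on-path attacker (say, on open Wi-Fi) can rewrite the action
        # before the user types anything, with nothing changing in the URL bar.
        if page.scheme != "https":
            findings.append(("login form served over HTTP", page_url))
        # Flaw 2: the credentials themselves leave the browser in cleartext.
        if action.scheme != "https":
            findings.append(("login form posts over HTTP", action_url))
        # Flaw 3: the credentials go to a host outside the bank's domain.
        if registrable_domain(action.hostname or "") != registrable_domain(page.hostname or ""):
            findings.append(("login form posts outside the bank domain", action_url))
    return findings


# Constructed sample pages; the bank and vendor host names are made up.
HTTP_HOME_WITH_LOGIN = """
<html><body>
<form action="https://secure.examplebank.com/login" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

HTTPS_LOGIN_OUTSOURCED = """
<html><body>
<form action="https://auth.thirdpartyvendor.net/bank/login" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

HTTPS_LOGIN_OK = """
<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for url, body in [
        ("http://www.examplebank.com/", HTTP_HOME_WITH_LOGIN),
        ("https://www.examplebank.com/login", HTTPS_LOGIN_OUTSOURCED),
        ("https://www.examplebank.com/login", HTTPS_LOGIN_OK),
    ]:
        print(url)
        for flaw, detail in audit_login_page(url, body) or [("no flaw found", "")]:
            print("   ", flaw, detail)
```

The first sample reproduces the most common flaw in the study: the form posts to HTTPS, so the padlock would appear after submission, but the page that delivered it was plain HTTP and could have been rewritten on the way. The second is the outsourcing case, where a legitimate-looking HTTPS form hands the credentials to a host the customer has no way of recognising as the bank's.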

The results will not help ease security concerns over Internet banking, which have traditionally been the main obstacle to take-up. In 2006 Gartner claimed that almost nine million US adults had stopped using online banking, while an estimated 23.7 million more would not even start because of fears over security.
