
US banks failing to protect online customer interaction - Javelin

08 December 2009  |  5686 views  |  0 comments

Nearly half of large US banks are leaving themselves unprotected against hijacking of online customer interaction, according to Javelin Strategy & Research.

Javelin analysed the home and log-in page security of the top 24 US financial institutions, checking for SSL/TLS or EV-SSL encryption, which it says is critical for guarding against compromise by the insertion of incorrect links or information.

The research shows that 46% of the firms have an opportunity to more fully protect "contact us", "help", or other interaction pages against criminal hijacking.

Furthermore, one in five sites uses easy-to-guess authentication information such as date of birth, e-mail address, and ZIP code, while just one in four requires users to choose a new password longer than six digits.

Only a quarter of banks minimise data exposure by truncating social security numbers during enrolment, and the same proportion provide alternatives to the SSN for enrolment or for username and password retrieval.

Finally, over nine in ten use generic error messages when a customer's login fails, but one in ten still gives specific information that can be used in a brute force attack, says Javelin.
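As an added illustration (not code from the article or from Javelin), the following Python compares a login handler whose failure text reveals whether the username exists with one that returns a single generic message and performs the same password check on every failure path. The user store, salts and passwords are constructed for the example.

```python
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; a stand-in for whatever password hashing the site uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, password hash). Not real data.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}

# Dummy credential checked for unknown usernames, so a failed login costs the
# same and takes the same path whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(os.urandom(16).hex(), _DUMMY_SALT)

GENERIC_FAILURE = "Invalid username or password."


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """The pattern Javelin flags: the error says which part was wrong."""
    if username not in USERS:
        return False, "No account exists for that username."
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Incorrect password for this account."
    return True, "Welcome."


def login_generic(username: str, password: str) -> tuple[bool, str]:
    """Same decision, one failure message, same work done on every failure."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    # Unknown users compare against the dummy hash; never treat that as success.
    if ok and username in USERS:
        return True, "Welcome."
    return False, GENERIC_FAILURE
```

Either function can be wired behind a real form handler; only the hardened one gives an attacker no way to tell a valid username from an invalid one by reading the response.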

James Van Dyke, president, Javelin, says: "We were surprised to find so many banks overlooking this potential area of exploit. A cross-site scripting flaw on a customer-facing Web site could allow criminals to access the internal network or at the very least, insert counterfeit content alongside legitimate content on a site and redirect customers to a fraudulent third-party site."
