Three out of four bank Web sites examined by the University of Michigan had at least one security vulnerability that could leave customers at the mercy of cybercrooks.
As with a lot of research, the results took a while to emerge. In this case, the researchers looked at Web sites from 214 financial institutions back in 2006. Their findings will be presented at this week's Symposium on Usable Privacy and Security (SOUPS) meeting at Carnegie Mellon University and are outlined in a paper titled "Analyzing Web sites for user-visible security design flaws."
The security shortcomings cited fall into the category of flow and layout issues, not software bugs fixable with patches. For example, about half the sites put log-in boxes on insecure pages and a third of sites surveyed created unsafe situations in redirecting customers to other sites. Use of sensitive data such as Social Security numbers as IDs was also seen as a problem, as was putting security advice and contact info on unsecured pages that could be changed by cyber thieves to direct customers unknowingly to bogus customer service reps, etc. Overall, a lack of SSL usage was cited as a reason many pages were less secure than they should be.
"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," said Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science, in a statement. "Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."
Prakash launched the project after noticing security issues with the web site for a bank he uses.