Three out of four bank Web sites examined by the University of Michigan had at least one security vulnerability that could leave customers at the mercy of cybercrooks.
As with a lot of research, the results take a while to emerge. In this case, the researchers took a look at web sites from 214 financial institutions back in 2006. Their findings will be presented at this week's Symposium on Usable Privacy and Security (SOUPS) meeting at Carnegie Mellon University and are outlined in a paper titled "Analyzing Web sites for user-visible security design flaws."
The security shortcomings cited fall into the category of flow and layout issues, not software bugs fixable with patches. For example, about half the sites put log-in boxes on insecure pages, and a third of the sites surveyed created unsafe situations by redirecting customers to other sites. Use of sensitive data such as Social Security numbers as IDs was also seen as a problem, as was putting security advice and contact information on unsecured pages, which cyber thieves could alter to steer customers unknowingly to bogus customer service representatives. Overall, a lack of SSL usage was cited as a reason many pages were less secure than they should be.
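As an added illustration (not code from the study or the article), here is a small Python auditor that checks a fetched page for the four user-visible design-flaw categories listed above; the sample page, host names and form field names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Constructed sample: a bank home page served over plain HTTP (hypothetical host names).
SAMPLE_URL = "http://www.example-bank.test/"
SAMPLE_HTML = """<html><body>
<form action="/login" method="post">
  <input name="ssn" type="text"> <input name="pin" type="password">
</form>
<p>Contact customer service at 1-800-000-0000 or <a href="http://help.partner-site.test/bank">our support partner</a>.</p>
</body></html>"""
class PageModel(HTMLParser):
    # Collects the forms, inputs, links and visible text an auditor needs to check.
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.links, self.text = page_url, [], [], []
        self._form = None  # (absolute action URL, [(name, type), ...]) while inside <form>
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = (urljoin(self.page_url, a.get("action") or ""), [])
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form[1].append(((a.get("name") or "").lower(), (a.get("type") or "text").lower()))
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.page_url, a["href"]))
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
    def handle_data(self, data):
        self.text.append(data.lower())

def find_design_flaws(page_url, html):
    model = PageModel(page_url); model.feed(html)
    page = urlparse(page_url); secure = page.scheme == "https"
    flaws = set()
    for action, inputs in model.forms:
        if any(kind == "password" for _, kind in inputs):
            if not secure:
                flaws.add("login box on an insecure (non-HTTPS) page")
            if urlparse(action).scheme != "https":
                flaws.add("credentials posted to a non-HTTPS form action")
        if any("ssn" in name or "social" in name for name, _ in inputs):
            flaws.add("Social Security number used as a login ID")
    # Any link off the bank's host counts as sending the customer to another site (a real audit would allowlist the institution's own subdomains).
    if any(urlparse(link).hostname != page.hostname for link in model.links):
        flaws.add("link redirects the customer to another site")
    if not secure and any("customer service" in chunk or "contact" in chunk for chunk in model.text):
        flaws.add("contact information served on an unsecured page")
    return sorted(flaws)
```

Running `find_design_flaws(SAMPLE_URL, SAMPLE_HTML)` reports all four categories for the sample page, while a page served over HTTPS whose login form posts to an HTTPS action and uses an ordinary user name reports none.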
"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," said Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science, in a statement. "Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."
Prakash launched the project after noticing security issues with the web site for a bank he uses.
Our mission is to give you a peek into the future of networking by tracking "alpha" research at university and other labs and at companies based on this work. Your Alpha Doggs are Network World editors Bob Brown, Linda Leung and Neal Weinberg.
bank web sites full of holes...
Given the financial markets turmoil, publishing this article with this title is misleading and poorly timed. The fact that this refers to 2006 data, not 2008 data, but the title is stated in the present tense leads people to assume current web sites are vulnerable. In addition, since the article does not reveal the banks surveyed, it casts all banks in the same light. Many banks have overhauled their web sites since 2006, so these results are really only an interesting footnote.
Please consider rewording the article title to reflect that this is a past finding, not a present-tense finding.