Majority of banking websites found insecure
Fri Aug 1, 2008 1:41PM EDT
See Comments (8)
A new study from the University of Michigan has found that more than 75 percent of banking websites are not completely up to snuff when it comes to security.The study looked at 214 financial institution websites and focused on both design flaws and improper security practices. None of these flaws represent catastrophic security issues, but many could allow for easier access to your password and user name should a malicious hacker come calling.
The flaws studied included the following:
Insecure Login System
Nearly half of the banks examined had "secure" login systems on insecure web pages which did not use the SSL protocol. Failure to use SSL, the study says, allows for the possibility of an attack that would allow for the interception of login details if a user was accessing the site wirelessly, called a "man in the middle" attack. The study notes that most banks secure the internal portions of their site, but many leave the login page unsecured.
Putting Contact Info on an Insecure Page
The biggest flaw of the bunch (55 percent failing the test): A similar attack to the above could simply let a hacker change the phone number listed on the contact info page, redirecting customers to a phony call center ready to snap up their user name and password.
Redirecting Outside the Bank Without Warning
When users are directed to third party services (like, say, bill payment sites), the bank doesn't warn them of the change. A user may not know if what he's seeing is trustworthy or not.
Using Social Security Numbers or Email Addresses as User IDs
These are simple things to guess or find out, especially email addresses. Banks should allow users to create a custom user name, as well as have a policy on weak passwords, but 28 percent of banks tested did not.
Emailing Secure Information Insecurely
Things like password resets and financial statements should be sent securely: Passwords, for example, should never be sent as plain text, yet 31 percent of banks failed this test.
The full study (10 pages, PDF link) can be reviewed here. Specific sites failing the various tests were not revealed. Also note that the study was performed back in 2006 (the results are only being published now), so things may have improved since the original analysis.
Top 5 Posts
More About Services
Comments on Majority of banking websites found insecure
Post a Comment
Join in the discussion. Here you'll see the comments in the order they were posted.
-
2 Posted by aa4mw on Thu Sep 3, 2009 2:43PM EDT Report Abuse
The Social Security Administration violates every single one of these guidelines! They even insist on a 7 digit NUMERIC "password", but "advise" you not to use a phone number! When I drew this to their attention, the response was "we use 128 bit encryption on most of our web pages"!!!! Can you see another major identity theft leak waiting to happen?
-
3 Posted by snowflakehenri on Thu Sep 3, 2009 9:30PM EDT Report Abuse
I find it interesting that they don't list specific bank names. Like I would want to know is my bank one of those? How does this study help the consumer?
-
4 Posted by menehuner on Thu Sep 3, 2009 7:16PM EDT Report Abuse
Why does it take 2 yrs to publish this study & without bank names! Are the banks involved in suppressing the report?
-
5 Posted by gregandbevmail on Thu Sep 3, 2009 4:12PM EDT Report Abuse
What kind of a therapist do banks see to work on their "insecurity?" C'mon, the word is UNSECURE. I'm not even reading the rest of the article.
Sponsored Links
My Tech
Please enable your browser's cookies to activate the My Tech column.
Also on Yahoo! Tech
| Computers | Home Office | Wi-Fi & Networking | Phones & PDAs | Cameras & Camcorders | TV & Home Theater | Portable Audio |
|---|---|---|---|---|---|---|
1 Posted by meganmckechnie on Thu Sep 3, 2009 7:15PM EDT Report Abuse
that's really no surprise,a lot of places do things half way.