Majority of banking websites found insecure

Fri Aug 1, 2008 1:41PM EDT

See Comments (8)

A new study from the University of Michigan has found that more than 75 percent of banking websites are not completely up to snuff when it comes to security.

The study looked at 214 financial institution websites and focused on both design flaws and improper security practices. None of these flaws represent catastrophic security issues, but many could allow for easier access to your password and user name should a malicious hacker come calling.

The flaws studied included the following:

Insecure Login System

Nearly half of the banks examined had "secure" login systems on insecure web pages which did not use the SSL protocol. Failure to use SSL, the study says, allows for the possibility of an attack that would allow for the interception of login details if a user was accessing the site wirelessly, called a "man in the middle" attack. The study notes that most banks secure the internal portions of their site, but many leave the login page unsecured.

Putting Contact Info on an Insecure Page

The biggest flaw of the bunch (55 percent failing the test): A similar attack to the above could simply let a hacker change the phone number listed on the contact info page, redirecting customers to a phony call center ready to snap up their user name and password.

Redirecting Outside the Bank Without Warning

When users are directed to third party services (like, say, bill payment sites), the bank doesn't warn them of the change. A user may not know if what he's seeing is trustworthy or not.

Using Social Security Numbers or Email Addresses as User IDs

These are simple things to guess or find out, especially email addresses. Banks should allow users to create a custom user name, as well as have a policy on weak passwords, but 28 percent of banks tested did not.

Emailing Secure Information Insecurely

Things like password resets and financial statements should be sent securely: Passwords, for example, should never be sent as plain text, yet 31 percent of banks failed this test.

The full study (10 pages, PDF link) can be reviewed here. Specific sites failing the various tests were not revealed. Also note that the study was performed back in 2006 (the results are only being published now), so things may have improved since the original analysis.

Poll: Do you access your bank account online?

Comments on Majority of banking websites found insecure

Post a Comment

Join in the discussion. Here you'll see the comments in the order they were posted.

  • 7 Posted by dpdwilson1 on Thu Sep 3, 2009 3:47PM EDT Report Abuse

    Two years to publish the report? Why even bother? Also, why wait until the last lines and then add that the report is 2 years old??? Could have saved readers wasted time!!

  • 8 Posted by gigarath on Thu Sep 3, 2009 4:09PM EDT Report Abuse

    I believe that this is yet another epidemic that can not be ignored. This is our money, our freaking most valuble asset to us all, and they want to cheap us out. I say shame on the financial institutions.

More Posts: First Prev 1 2 Next Last

Post a Comment

Sign In to Post a Comment

My Tech

Please enable your browser's cookies to activate the My Tech column.

Also on Yahoo! Tech

Computers Home Office Wi-Fi & Networking Phones & PDAs Cameras & Camcorders TV & Home Theater Portable Audio
 

Site Map | Tour | Subscribe to Yahoo! Tech

Question and Answer content at Yahoo! Tech is written by Yahoo! users at Yahoo! Answers. Yahoo! does not evaluate or guarantee the accuracy of any Yahoo! Answers content. For more information, read the Full Disclaimer.

Opinions expressed by the Advisors are their own and do not necessarily reflect the views of Yahoo! Inc. Yahoo! receives no compensation from any manufacturer or distributor nor does it compensate any Advisor for the coverage of any product or service in any Advisor's content.