Study says bank Web sites leave clients vulnerable to theft

By Michael Hatamoto | Published July 24, 2008, 1:08 PM

When you hop on the Internet to check your online bank statement or pay some bills, do you ever wonder how secure your bank's computer network is? A new study claims most bank Web sites are vulnerable to identity theft.

A study done by Atul Prakash, a professor at the University of Michigan who teaches in the department of electrical engineering and computer science, found that more than 75 percent of 214 financial institutions checked in 2006 had at least one design flaw that could open up online bank users to potential identity theft.

Not every discovered flaw is simply a bug or security hole that can be easily repaired with a patch. For example, Prakash and his research team found that 47 percent of the banks placed secure login boxes on insecure pages, 55 percent of those tested put contact information and other sensitive data on insecure pages, and many banks still use Social Security numbers or e-mail addresses as user IDs or passwords for logins.

Also discovered during the study, 30 percent of the banks had a "break in the chain of trust," which means they would redirect clients to other Web sites where a different security certificate was required.

"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," Prakash said in a press statement. "Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

Prakash's findings will be presented during a meeting of privacy experts tomorrow at Carnegie Mellon University.

Although the FDIC says check fraud and mortgage fraud are still more serious problems than computer intrusion among US financial institutions, the issue is getting worse. According to an FDIC Technology Incident Report of 536 filed cases of confirmed computer intrusion, the average loss per case was $30,000. Furthermore, the number of computer intrusions reportedly grew by 150 percent between the first quarter of 2007 and the second quarter.

Comments


This is awesome information to know. If I ever go back to '06 I'll know what banks not to use online. Is there a more recent study? My bank's website design and security features (and I mean noticeable) changed like 4 or 5 times over the past year. So from '06 we're probably like 8 or so generations down the road. I guess what I'm having a hard time understanding is the headline; shouldn't it be more like "Study says bank Web sites used to leave clients vulnerable to theft (we don't know about today)"?

Score: 0


The study was conducted in 2006. In today's technology "years" that's like 15 years ago, isn't it? Come on, two years is enough to make me question the validity of this data today.

Score: 0


"47 percent of the banks placed secure login boxes on insecure pages"

It is the form method that needs to be secure, though it can't hurt to have both secure.

Score: 0


Reading through the study, their point is more that users don't know if hitting the submit will take them to a secure page. They go on to say that there's no guarantee that an SSL page will POST to an SSL page, either, but it's just assumed. They make it sound like you do something to a page to make it "SSL enabled" and therefore it must be legit.

"In principle, even if an SSL-protected page provides a login window, there is no guarantee that the logic for the login window's Submit button is properly implemented to send the information securely. However, from a customer's perspective, there is an implied understanding with a financial institution that an SSL-protected page provided by that institution has trustworthy contents, including handling of contents submitted to that page."

Score: 0


Exactly. Couldn't put it better myself.

Score: 0
