Online banking unsafe, finds University of Michigan study news
24 July 2008

To all those who extol the virtues of online banking, a new study about security problems with financial Web sites may give reason for pause. And to add to their misery, a separate study found widespread security problems in corporate computers across numerous industries.

More than 75 per cent of the Web sites of more than 200 financial institutions were found to have at least one design flaw that could put customer data at risk, according to a study released this week at the Symposium on Usable Privacy and Security (SOUPS) at Carnegie Mellon University in Pittsburgh.

The study, 'Analyzing Web Sites For User-Visible Security Design Flaws,' examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders.

The flaws stemmed from the flow and the layout of the sites. For example, nearly half of the banks were found to have placed secure login boxes on insecure pages, putting customers at risk of hitting spoofed pages.

55 per cent of the sites were found to have contact information and security advice on insecure pages, which could allow an attacker to change an address or phone number that could be used to gather customer information.

30 per cent of the sites redirected customers to a site outside the bank's domain without warning, and 28 per cent allowed customers to use weak or inadequate user IDs and passwords, the study found. And more than 30 per cent offered to e-mail passwords or statements to customers.
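The flaw classes listed above are all visible from the outside, so an institution can check its own pages for them before a customer or a researcher does. The following checker is an added illustration written for this article, not tooling from the Michigan study; it flags a login form served over plain HTTP, credentials posted over plaintext or to a host outside the bank's domain, an unannounced redirect off-domain, and contact or security advice served over plain HTTP. The domain names and HTML below are constructed samples, and the "contact us" keyword test is a stand-in heuristic, not the study's method.

```python
"""Static checks for user-visible banking-site design flaws.

Added illustration (not the study's tooling). Sample pages and domain
names are constructed; the keyword heuristic for advice pages is a stand-in."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form> action, note if it holds a password field, keep text."""

    def __init__(self):
        super().__init__()
        self.forms = []   # list of [action, has_password_field]
        self.text = []    # visible text (lower-cased) for the advice heuristic

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1][1] = True

    def handle_data(self, data):
        self.text.append(data.lower())


def _host(url):
    return urlsplit(url).hostname or ""


def _same_site(host, bank_domain):
    """True if host is the bank's registered domain or a subdomain of it."""
    return host == bank_domain or host.endswith("." + bank_domain)


def audit_page(page_url, html, bank_domain, redirect_to=None):
    """Return a sorted list of flaw labels found on one fetched page.

    page_url    -- URL the browser actually displayed
    html        -- response body
    bank_domain -- institution's registered domain (constructed here)
    redirect_to -- Location header if the fetch ended in a redirect, else None
    """
    flaws = set()
    scanner = _FormScanner()
    scanner.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"

    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)   # relative actions inherit the page's scheme
        if not page_secure:
            flaws.add("login form on insecure page")       # spoofable before submission
        if urlsplit(target).scheme != "https":
            flaws.add("credentials submitted over plaintext")
        if not _same_site(_host(target), bank_domain):
            flaws.add("login form posts outside bank domain")

    if redirect_to and not _same_site(_host(urljoin(page_url, redirect_to)), bank_domain):
        flaws.add("redirect outside bank domain")

    text = " ".join(scanner.text)
    if not page_secure and ("contact us" in text or "security tips" in text):
        flaws.add("contact/security advice on insecure page")  # alterable in transit
    return sorted(flaws)


# Constructed sample pages (no real institution): one flawed, one clean.
FLAWED_PAGE_URL = "http://www.examplebank.test/"
FLAWED_PAGE_HTML = """
<html><body>
<h2>Contact Us</h2><p>Call 555-0100 or write support@examplebank.test</p>
<form action="https://login.thirdparty-host.test/auth" method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>"""

CLEAN_PAGE_URL = "https://www.examplebank.test/login"
CLEAN_PAGE_HTML = """
<html><body>
<form action="/auth" method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>"""

if __name__ == "__main__":
    for url, body in [(FLAWED_PAGE_URL, FLAWED_PAGE_HTML), (CLEAN_PAGE_URL, CLEAN_PAGE_HTML)]:
        print(url, "->", audit_page(url, body, "examplebank.test") or ["no user-visible flaws"])
```

A real audit would fetch each page of the site and pass the final URL, body and any Location header into `audit_page`; the same-site test is deliberately strict so that a login form on the bank's own page that posts to an outsourced host is reported rather than silently accepted.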

"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," Prakash said in a statement. "Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

Prakash said that some of the issues have been addressed since they were discovered, but that more work needs to be done. At the same time, he advises not panicking because exploiting the vulnerabilities that he and his students found is not easy. In general, he said these flaws become an issue on potentially insecure networks, such as a wireless network not under your control or on a hotel's network.

Prakash and his colleagues point to a recent quarterly FDIC Technology Incident Report, which tracks suspicious activity at banks, to show the extent of the bank security shortcomings. The report identifies 536 computer intrusion incidents in the second quarter of 2007, with an average loss of $30,000 and a total loss of $16 million.

Corporate networks aren't so clean either, with internal threats rising from the use of unauthorized removable storage and instant messaging and from a lack of up-to-date antivirus software, according to a separate study released on Wednesday.

In security audits of more than 100,000 corporate PCs and servers during the first half of this year, 12 per cent of infected computers had a missing or disabled antivirus program, according to the study, conducted by Promisec, an audit and management software firm.

More than 10 per cent had unauthorized personal storage like USB sticks or external hard drives; 9 per cent had unauthorized peer-to-peer applications installed and 8.5 per cent had a missing third-party desktop agent, the study found.
