Most Bank Websites Are Insecure
Anonymous writes "More than three-quarters of bank Web sites have design flaws that could expose bank customers to financial loss or identity theft, according to a University of Michigan study that will be presented this week at the Symposium on Usable Security and Privacy.
The study, 'Analyzing Web Sites For User-Visible Security Design Flaws,' examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders."
It is actually a surprise, earlier the banks would just cover the damages caused. But with the current global economy it is actually a bit surprising that the banks are letting this happen.
But then again they might not - the study is from 06 and those were different times for banks.
Banks are protected from their mistakes by the US Federal Reserve.
Rich And Stupid is not so bad as Working For Rich And Stupid.
...go to a physical bank location and talk to a teller instead of trusting sites you aren't 100% sure are secure.
If this report makes it any harder to login to my account I am going to have to find the publishers, and beat them.
My current bank forced me to select 6 questions, many of which there were no choices I knew the answer to, but that someone stealing my identity could find.
When one of these comes up that I can't answer, I call customer service and am verified by my mother's maiden name, defeating the purpose of all the questions anyway.
Also, my user-name is not a password, don't make me change it to one.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Having worked in the banking industry for nearly a decade, I was a bit skeptical. Many times we will have some security firm come in and look at our public facing web site, and come back with a list of 25-30 items that are 'security issues'. Most of them are complete crap, and maybe 1 or 2 are legitimate concerns. Management gets in a tizzy and insists that all items must be addressed, even when many items make no sense or are even counterproductive to implement.
I skimmed the underlying study (the article itself was worthless except for the link), and some of the concerns are very valid. For example, I have NO idea why a bank wouldn't insist on using SSL for any banking transaction.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
You mean banks aren't taking my $1.50 fee to take money out of my own account and using it for something that might be good for me? Shocking!
and was filed from a Caribbean island.
simon
FTA, one of the insecurities is bank websites that forward the secure connection to a third-party website. Even if done securely, the study's authors contend that this makes it harder for the customers to determine if they're on a real or fraudulent website.
But done correctly, this poses no direct security threat.
They can use SSL! Totally secure right? I mean, it is in the name...
Since if I enter my username (composed from my real name) and an incorrect password three times, it locks me out.
I say "my" username, but if I enter any username - easily deductible by composing any two first and last names - and an incorrect password three times... that account gets locked out.
I'm sure that nobody with malice aforethought, a dictionary of names, and a frisky Perl script will ever feel the urge to increase every customers' security by having them locked out.
If you were blocking sigs, you wouldn't have to read this.
The least secure system is the human system; that is almost always the weak point. All it takes is patience, and the right teller.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Having a form on an insecure page isn't necessarily a security risk. The form itself can still POST to an HTTPS connection. That said, having a form on a page served over SSL is by far the best practice, since it lets the user know prior to sending data that it's secured.
For those with signatures off:
"The password entered is too long." - TCF Online Banking
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
Some mods clearly have no sense of humour.
I had to call my ISP the other day (Virgin Media, because they're thieving, lying cheats), and had to go through the usual name, address and phone number. Then they asked me for my security password. I gave the wrong answer and the lady on the other end of the phone said the following:
"It's usually your mother's maiden name"
What the fuck?! Are you kidding me?! That's secure isn't it, giving me hints!
"What's your house number?"
"Erm, 11"
"Ooh, 1 out, try again"
"Er... 10?"
"Other way, dear"
"12?"
"OK, great. What can I do for you today Mr. Smith?"
Summation 2
Profits always get privatized, bankers' mistakes often get nationalized. The private citizen always gets stuck with bailing the banks out but gets little or no benefit from profits, since these are shipped off to tax havens like Liechtenstein. Which makes it all the more gratifying when something like this happens.
Send me your login information for your bank and I'll test the security for you - let you know if your money is safe.
My bank now uses one-time tokens for transfers to new accounts, so if my login details were ever stolen they would need to already be in my list of trusted accounts to steal the money. Since I never reveal bank details online this is never going to happen (always use CC).
The only way I could see anyone cracking this kind of system would be to install a keylogger or something with the first transaction: once they have logged in and done a transfer to you once, log in and clean them out with a 2nd transfer. That's a pretty lengthy process which would end up with you being caught in no time.
If you mod me down, I will become more powerful than you can imagine....
As this study is US-specific, is it insinuating that the rest of us are safe (unlikely), or is it that they are so parochial that they have forgotten that 96% of humanity is not in the USA (probable)?
Many banks in the UK are now giving you card readers. I suspect that some parts of Europe have been doing it for years. Nothing is foolproof but it shows that they want me to think they are trying anyway...
I'll see your Constitution and raise you a Queen.
Password size does not necessarily equal security. I have no idea what the password requirements for that bank are, but there is a point of diminishing returns for password length. My university recently switched from passwords of 8 to 32 characters (with the requirement for 2 numbers) to passphrases of 16 to 128 characters. The caveat is that everything must be a word now, which makes dictionary attacks much easier.
A complex alpha-numeric password would be just as (if not more) secure as a longer passphrase (albeit harder to remember, but easier to type) because such a password must be brute forced. So simply because your bank has a maximum length requirement does not necessarily equate to insecurity. There are other factors besides length that determine password security.
I have my personal bank account at Scotiabank in Canada, and I have a MasterCard credit card with another company.
On my bank's website, all I need to have is my banking card number and a password, and that's about it for the security features. If I were an average user, I could easily be fooled by a forged website reproducing my bank website and asking me for personal information. Fortunately, THERE'S A WARNING ON THE FRONT PAGE, right beside the month's special promotion and the [Contact Us] link, telling me that the bank never sends an EMail with an enclosed link to their online banking website...
On the other hand, on my credit card company website, they first asked me for a security picture and a security passphrase, and they told me at first that, whatever the page I'm on on their website, once I'm logged in, I should see both the picture and the security passphrase. Also, when I login, I have to use a username and a password, so someone who knows my credit card number could not know what username I have on the website, and they ask me for my home phone number or my city of residence or my mother's maiden name... And the only thing I could do on this website is to view my credit card statement, WITHOUT my credit card number nor any information that could lead to identity theft...
So I think my bank is WAY behind the market on the security technologies side, since someone could transfer all my money to another bank account and they only ask for two very simple pieces of information in order to be able to do that...
Most of the issues in their findings were that the page could be spoofed because it was not SSL; how does that stop me from registering a domain name that's one character different than the bank's, buying a $20/year GoDaddy SSL and spoofing their page anyway?
The findings are for the most part complete crap, except for emailing sensitive data.
I thought if you traded in the US you had to comply with Sarbanes-Oxley - and that it's now a federal offence [i]not[/i] to comply.
I've got a list somewhere of all the different policies that you're supposed to comply with - like the Data Protection, the Computer Misuse Act, etc. in the UK.
This article is way too sensationalist. They surveyed a handful of banks, and found some to have some flaws that could (not would, there is a big difference) lead to compromise of information. The headline says "Most" banks. This is not reflected in the paper this article references.
This paper mentions potential flaws and potential exploits, especially in regard to doing your online banking on an unsecured network. HELLO? DON'T DO YOUR BANKING ON AN UNSECURED NETWORK! Every website in existence where you put in personal information has the same issue there. Encryption is great and all, but it doesn't count for spit on an unsecured network that is set up to compromise you.
Clearly this is just a poor attempt at creating 'news' out of a paper that restates obvious flaws with user error leading to information security issues.
The big problem here is that while our funds are secured by Federal Insurance, our identities are not. And the potential for damage from ID theft is greater than the potential for loss of the little electronic digits that represent our money.
It can take years and lots of money to recover from ID theft. I am currently dealing with my sister-in-law's ID theft. She is a world traveler and spends 10 months out of the year in Africa, India, and the UK. We have signature authority on most of her stateside accounts. The problem is, she loves Internet Cafes and does her banking online.
She opened a new account in NYC before her last trip. She was in Nigeria for less than a week and we started to get alarming indications that something was wrong. Sure enough, someone got her on what was her first visit to a cafe; her new account and her old WAMU account had to be shut down before they were raided. We are now getting credit warning letters in her name and we are hoping she doesn't get stopped in some country because someone used her name for a crime. Imagine the passport issues.
The problem might not be the bank's entirely, but there are measures they can take.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
Since this study was conducted, all bank websites have implemented the FFIEC guidelines outlined at http://www.ffiec.gov/pdf/authentication_guidance.pdf (PDF warning...)
This is why you have to answer the multiple questions and choose an image, etc. It's called multi-factor authentication.
From the actual research:
Well, that's nice, but have things improved in the last 20 months? I know my bank has made some major changes to its online interface that appear to improve security (and are also, sometimes, a royal pain in the butt).
$nice = $webHosting + $domainNames + $sslCerts
the Canadian site for ING only allows numeric passwords. There's no good reason for that.
...bill collectors with wrong phone numbers.
I had one call my phone asking for someone I had never heard of. I was bored and I played along. They asked for my SSN, I told them I forgot and asked them if they could tell me what it was...they did!
So I had this random lady's name and SSN. I also told them I had a new address and gave them the white house address.
One last thing: Sometimes I wonder; "Is that someone's signature? Or do they type that at the end of each post?"
...they fill their parking lots with expensive cars to make up for it :P
From the research paper:
By this logic, even this page would cause Chase's site to fail. Also:
But my bank (which is not Chase) uses the phrase "sign in" instead of "login". Does this mean it is more secure?
Like 2006 matters now!!
Say pieces on a board, make each piece a pair with another piece.
like...
|55|33|66|
|44|66|55|
|33|44|22|
|22|11|11|
a piece can only be figured out to move one way...
pick any piece, try to move it somewhere...
have the chosen piece move to another piece, it moves there and makes the other piece have to move too.
when a piece is moved to another piece, it becomes a pair with the piece it moves to.
any piece that is moved has to have its pair move at the same time.
any piece to move to another piece is a piece that moved at the same time as its pair, and moved to another piece that
moved at the same time as its pair too. A piece that moves to another piece becomes a pair with it, and the other of the pair
has moved to become a pair with another piece.
try anyway, works in one way where a piece can move back to the piece to move first.
A common type of problem, I forget what it's called.
A piece always goes where a piece leaves, the first piece has the last piece go where it left.
You can't move a piece that moves where the piece came from.
There is no such thing as a free space, a piece always moves to another piece.
A pair never moves to a pair.
A piece works out to move where another piece can get back to where a piece moves from.
The last move has to be known for the first move to be made, because the first move can't be understood until
the last move is. That's because the first move is where a piece moves to and it works around to the last move, and the
last move is where a piece can work getting to from the first move.
so try this...
draw starting at each piece a line that shows the piece it moves to, and each piece to move for how a piece moves back
where it starts.
see this as a machine diagram.
move a piece then figure the machine diagram again, it's the same machine though...
see how every other piece moves another way now?
what happened for how the machine moved?
Even if the banking site is secure, your average user is taking a huge risk doing banking on any PC hooked up to the internet. They just don't understand what is running on their PC. They have no good way to identify that there is malware running, or identify what the malware is doing.
Even if the site is perfect, it cannot protect you from the malware that infects many PCs.
HA!
The only thing SOX requires is that you file paperwork saying, yes, you did these things. Every year an auditor will come through but he won't even look at the system, much less the code; he makes sure your paperwork is in order.
Now, my bank is your average run of the mill security. No complaints, but I'm sure they have some mistakes. However, I have two comments. First of all, a lot of laptops are utilizing fingerprint scanners nowadays. I'd like to see that integrated into web applications somehow.
Secondly, and probably a more significant comment is that the mitigation of security threats is not a guarantee. It is a PROBABILITY. All security features - firewalls, IDS, certificates, authentications, etc are based off of mitigating threats - not eliminating them. Additionally, the general rule is that as time goes on, security improves and criminals get more sophisticated and smarter. It is an ongoing battle and the probability will never be 0%. Honestly, I feel rather safe and so should you. Unless your bank has some whacko rules (which browsing over the comments I can clearly see) and/or some serious security issues, then you are at a low enough risk.
I will bend like a reed in the wind.
It's been mentioned a few times already but this study was conducted in 2006 and in internet years that's a long time ago. This study is irrelevant.
You're not thinking outside your (rather small) box. The answer is to make the account harder to guess. Let users choose their own account name, and you won't be able to guess that "SamJones" is a valid account. You could try "SammyTheMan", but at least the range of possible logins has just increased by an order of magnitude. Maybe, for those users who really have no creativity and try to insist on using FirstnameLastname, the bank could require that your login be FirstnameLastnameBirthmonthBirthday. "SamJones0413" is two-and-a-half orders of magnitude harder to guess than "SamJones".
If you did want to solve the problem of account lockout, you could try this: the first time an incorrect password happens, lock the account for 0.1 seconds. For every subsequent attempt, increase the lockout time by 10. After 3 bad guesses, you'd have to wait almost 2 minutes. After four guesses: 16 minutes. Five guesses: 2+3/4 hours. Six guesses: a day and 3 hours. Seven guesses: a week and a half. Eight guesses: 3+1/2 months. So, on the one hand, if the account does get DOS'd, it's merely "relatively" DOS'd to some extent; on the other hand, if Evil Hacker really wanted to DOS the account to a great extent, then it would be inconvenient for Evil Hacker, who might actually wait 2 minutes for the fourth guess but probably won't wait 16 minutes to enter the fifth guess. The Innocent End User, checking her account at the end of the day, might not even know that it had been semi-DOS'd.
Lots of creative ways you can solve these problems. I came up with this in the time it took me to type this post. I'm sure others have more ideas.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
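The progressive lockout sketched in the post above (0.1 s after the first wrong password, ten times longer after each further one) is easy to get subtly wrong, so here it is as a small added example. This is not code from the thread or from any bank: the 0.1 s base and the factor of ten are the poster's figures, the 30-day cap, the account names and the toy password check are constructed for the demo. Two design points the post only hints at are made explicit: while an account is locked the password is not evaluated at all, so a lucky guess inside the window learns nothing, and the clock is injected so the behaviour can be checked without waiting.

```python
"""Progressive (exponential) account lockout, in the form the post above
proposes: after the n-th consecutive failed login the account is locked for
0.1 * 10**(n-1) seconds. Added example, not code from the thread or any bank."""
from __future__ import annotations

import time
from dataclasses import dataclass

BASE_DELAY_TENTHS = 1        # first failure: 0.1 s (figure from the post)
GROWTH = 10                  # each further failure multiplies the wait by 10 (from the post)
MAX_DELAY = 30 * 24 * 3600   # assumption: cap the wait at 30 days


def lockout_seconds(failures: int) -> float:
    """Seconds an account stays locked after `failures` consecutive bad passwords."""
    if failures <= 0:
        return 0.0
    # Integer arithmetic up to the final division keeps the values exact.
    return min(BASE_DELAY_TENTHS * GROWTH ** (failures - 1) / 10, float(MAX_DELAY))


@dataclass
class _AccountState:
    failures: int = 0
    locked_until: float = 0.0


class ProgressiveLockout:
    """Wraps a password check with per-account progressive lockout."""

    def __init__(self, verify_password, clock=time.monotonic):
        self._verify = verify_password        # callable(user, password) -> bool
        self._clock = clock                   # injectable so tests can fake time
        self._state: dict[str, _AccountState] = {}

    def seconds_remaining(self, user: str) -> float:
        st = self._state.get(user)
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - self._clock())

    def attempt(self, user: str, password: str) -> tuple[bool, str]:
        st = self._state.setdefault(user, _AccountState())
        now = self._clock()
        if now < st.locked_until:
            # While locked, do not evaluate the password at all: a correct guess
            # made inside the window must look exactly like a wrong one.
            return False, "locked"
        if self._verify(user, password):
            st.failures = 0
            st.locked_until = 0.0
            return True, "ok"
        st.failures += 1
        st.locked_until = now + lockout_seconds(st.failures)
        return False, "bad-password"


class FakeClock:
    """Controllable clock for the demo and tests (constructed, not real time)."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> list[str]:
    """Walk one constructed account through failures and a lockout; returns the outcomes."""
    clock = FakeClock()
    guard = ProgressiveLockout(lambda user, pw: pw == "correct-horse", clock)  # toy password check
    out = []
    out.append(guard.attempt("sam", "wrong")[1])           # bad-password, locked 0.1 s
    out.append(guard.attempt("sam", "wrong")[1])           # locked (still t=0)
    clock.t = 0.2
    out.append(guard.attempt("sam", "wrong")[1])           # bad-password, locked 1 s (until 1.2)
    clock.t = 0.5
    out.append(guard.attempt("sam", "correct-horse")[1])   # locked: right password is not even checked
    clock.t = 1.5
    out.append(guard.attempt("sam", "correct-horse")[1])   # ok, counters reset
    return out


if __name__ == "__main__":
    for n in range(1, 9):
        print(f"after {n} failures: {lockout_seconds(n):>12.1f} s")
    print(demo())
```

Keying the state purely by account name, as above, keeps the poster's trade-off intact: a third party who knows a login name can still make the real user wait, but only for as long as they are willing to keep retrying themselves. Production systems usually soften this further by keying on account plus client address, or by notifying the owner when a lock passes a threshold.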
We tracked down who it was that stole your identity. Guess what, they have the same name you do.
now we need to go OSS in diesel cars
Is that this study is 2 years old. If you are going to present a security review it has to be relevant, and can only be relevant if it is fairly recent. I have first hand knowledge of how many iterations a website can go through (let alone a bank's website) in that amount of time.
"My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
Umm, my bank here in Slovakia has a foolproof and unhackable login system.
By default they challenge you with a grid card code you must enter after a successful login, but you can also set the system so you use a SMS verification code instead.
It works like this:
1. You login successfully via username/password
2. You are prompted for the SMS code which is a 5 character code sent to your mobile phone
3. Code arrives via SMS and you enter it
4. We all profit!!!
Study that!
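The SMS step described above (password first, then a short code sent to the phone) needs a few server-side rules to be worth anything: the code must expire, be single-use, and allow only a handful of wrong entries. The following is an added example of that server side, not the bank's code; the 5-character length comes from the comment, while the alphabet, the 180-second lifetime, the three-try budget and the fake SMS outbox are assumptions made for the demo.

```python
"""Server side of a post-password SMS one-time code, as an added example.
Not the Slovak bank's code; lengths and limits are assumptions except
the 5-character code length from the comment."""
from __future__ import annotations

import hmac
import secrets
import string
import time

CODE_ALPHABET = string.ascii_uppercase + string.digits  # assumption: code character set
CODE_LENGTH = 5                                          # from the comment: a 5-character code
CODE_LIFETIME = 180                                      # assumption: seconds until a code expires
MAX_TRIES = 3                                            # assumption: wrong entries allowed per code


class SmsSecondFactor:
    """Issues and checks one-time codes for sessions that already passed the password step."""

    def __init__(self, send_sms, clock=time.time, rng=secrets.choice):
        self._send_sms = send_sms              # callable(phone, text); real gateway is out of scope
        self._clock = clock                    # injectable for tests
        self._rng = rng                        # secrets.choice by default: codes must be unpredictable
        self._pending: dict[str, dict] = {}    # session -> live challenge record

    def start(self, session: str, phone: str) -> None:
        """Generate a fresh code for the session and send it out of band."""
        code = "".join(self._rng(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        # One live challenge per session; restarting replaces any earlier code.
        self._pending[session] = {"code": code,
                                  "expires": self._clock() + CODE_LIFETIME,
                                  "tries": MAX_TRIES}
        self._send_sms(phone, f"Your one-time login code is {code}")

    def verify(self, session: str, entered: str) -> str:
        """Return 'ok', 'wrong', 'expired', 'too-many-tries' or 'no-challenge'."""
        rec = self._pending.get(session)
        if rec is None:
            return "no-challenge"
        if self._clock() > rec["expires"]:
            del self._pending[session]
            return "expired"
        candidate = entered.strip().upper().encode()   # tolerate case and whitespace from the user
        if hmac.compare_digest(rec["code"].encode(), candidate):
            del self._pending[session]                 # single use: a replayed code fails
            return "ok"
        rec["tries"] -= 1
        if rec["tries"] <= 0:
            del self._pending[session]                 # guessing budget spent; password step again
            return "too-many-tries"
        return "wrong"


def demo() -> list[str]:
    """Exercise the happy path, replay, expiry and the try budget with a fake outbox."""
    outbox: list[str] = []                              # constructed stand-in for the SMS gateway
    now = [0.0]                                         # constructed clock
    sf = SmsSecondFactor(lambda phone, text: outbox.append(text), clock=lambda: now[0])

    sf.start("sess-1", "+000-constructed")
    code = outbox[-1].split()[-1]                       # what the user would read off the phone
    results = [sf.verify("sess-1", "?????"),            # wrong ('?' is not in the alphabet)
               sf.verify("sess-1", code.lower()),       # ok (case-insensitive entry)
               sf.verify("sess-1", code)]               # no-challenge: the code was consumed

    sf.start("sess-2", "+000-constructed")
    now[0] += CODE_LIFETIME + 1
    results.append(sf.verify("sess-2", outbox[-1].split()[-1]))   # expired

    sf.start("sess-3", "+000-constructed")
    for _ in range(MAX_TRIES):
        results.append(sf.verify("sess-3", "?????"))    # wrong, wrong, too-many-tries
    return results


if __name__ == "__main__":
    print(demo())
```

The code itself is short enough to guess online, which is why the try budget and the expiry do most of the work; the channel is the other half of the factor, and the check is only as trustworthy as the phone number on file and the path the message takes to it.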
Exactly and kudos for RTFA for us. Based on this research, the bane of all Slashnerds web existence (100% Flash) would be the best way to set up a banking site, right?
Please don't use "umm" or "err" or "erm".
Given how many banks employ Wish It Was Two-Factor authentication, I'm not surprised at all.
The concept of two-factor authentication is stupidly simple: Something you have, and something you know.
Somehow, banks (and credit card companies) seem to be confusing this with "two things you know" -- which actually isn't one bit more secure than "one thing you know".
The reality is, all the technology to do this right exists. It is trivial to do. But banks don't want to pay for it. (Which, in itself, is a WTF -- I'll gladly pay some extra for an RSA key auth scheme for my bank, so if the concern is that most users wouldn't notice or care, that gives you an excuse to get more money out of the ones who do. But instead, you just leave everyone somewhat less secure and more irritated than with PayPal.)
Don't thank God, thank a doctor!
The study examined 214 bank Web sites
I didn't know there were that many banks in the world...
I have never experienced a more horrible web site than the online banking site of Bank of America. That SiteKey thing - what a crock. People in India support that crap and NO ONE can figure out why it hardly works for me. They're all scratching their heads over it.
I wrote this issue regarding my commercial bank's online website just a couple days ago. It's shocking and frustrating how they deal with "security" at all levels. -david
# Hack the planet, it's important.
Yes, online banking can entail risks and, yes, banks should do all they can to make their sites and procedures secure (while understandably needing to keep the whole process from becoming too cumbersome and unwieldy to the point of making it difficult for many customers, especially the elderly). But what are the actual stats on how widespread the problem is? What percentage of banking customers have actually suffered financial loss due to someone hacking into their account? 1%? 2%? Not even that many? My guess is that it is in reality pretty low -- if it were significantly high, no one would trust doing any financial transaction online. Sure, when there has been a major breach, or some poor soul gets nailed big-time and we read his tale of woe in an article or on a blog somewhere, it gives one pause, but of all the people I know, family and friends, who have online access to their accounts, I know of no one who has had an account breach.
Second, I'd like to see those figures published by institution so that the security-conscious could do some comparison shopping. There may be such a source of information out there, but I have not found it.
"Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
It is a point of failure, but you can't say it's the least secure.
I did bank security for a while, and we got a complete account list in minutes.
It would be a lot harder to get a teller to give you a list of all customers and their account numbers.
There is no 'least' secure, just different levels of risk.
The farther down you make the risk, the higher the cost. Cost just doesn't have to be money, it can include intangibles.
The Kruger Dunning explains most post on
That's not bad. Some however overdo it. For example, my bank's web site (TD) will ask you a security question if you do not login from the same computer as usual.
Now that's sweet. Except that the questions are things like mother's maiden name (not so bad), favorite food, name of the last school you went to, city of birth, whatever. And it is case sensitive. Whoops?
So for my favorite food let's say... (these aren't real): is it Chicken, chicken, roasted chicken, Roasted chicken, what exactly?
That makes users want to take shortcuts, and that's a bad habit to make your users take.
online transaction as we know it will die.
Too many, too easy to crack. Even well implemented security won't stand up to thousands of people attacking it.
To completely secure a system, it would be too inconvenient to use.
I can put my car in a water tight shipping container, drop it to the bottom of the ocean, and there is a very low probability anyone will steal it. OTOH getting to it would be a bitch.
If it was a container with something valuable enough, the probability that someone will take it rises.
This is not a surprise to me. I knew a lot of bad programmers at the university I attended. In fact, one of said programmers now works for a major financial services firm.
Again, not a surprise.
Most of the web banking systems are done by three or four main vendors (actually, since CheckFree bought Corillian, two or three) who customize the back-end interfaces of their standard systems and then re-skin them for the individual banks. As such, I'm only surprised that the percentage isn't higher.
That is all.
I've been thinking a lot lately about ID management as a solution to these kinds of problems. Financials are only one thing that's moved onto the web—it seems health is next. As we put more and more of ourselves into The InterPipes, I think there's going to come a point when we need to actively create and manage an online identity.
The real key to good ID mgmt is not simply collecting all of your information in one place, being able to create different personas and share those based on who you're talking to a la OpenID. There's also going to have to be the concept of a "secure" persona (or perhaps a secure area of your identity profile that can contain multiple personas). Outside this secure area, your identity can be protected in the normal way—a password linked to an email account. The secure personas, however, should be linked to a security certificate and kept using strong encryption.
The problem with this approach is that in order to be strong, the security certificate must issue you some kind of hard-to-guess information that you keep under lock and key. Lose that, and you've lost those areas of your identity—your financial accounts, health records, etc.—at least until you can prove your identity to the trustworthy third party that issued it.
All of these ideas have already been developed and are in practice in different contexts. The missing link right now is a service that collects many different levels of reliable, secure techniques and makes them feasible to manage. ID mgmt is that missing link right now.
but have you considered the following argument: shut up.
It's hard to believe that companies the size of Chase (www.chase.com) have decided to leave their web site open to this well-known security design issue. Every time I want to log into my online account, I have to input some bogus credentials on the main page in order to be presented with an SSL-protected login page. This is the year 2008 right??? Shame on Chase and other negligent financial institutions with lax security.
Scottrade has no user-defined login. Customers must use their account number as a login. TDAmeritrade forbids passwords containing special characters. Only letters and numbers are allowed. I've repeatedly questioned both institutions and have been told their methods are to reduce support calls. From Scottrade, customers might forget their login and from TDAmeritrade, customers might forget special characters.
I keep my bank and my computer totally separate.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
I recognize that the web has taken over as the main conduit for the internet. Even though e-mail still gets from outbox to inbox via other protocols more people than ever are using http or https to check their e-mail.
This is insane.
Stop trying to cram everything into one protocol. There are so many opportunities for using other protocols and developing new ones to fit our purposes better. If you're trying to sell your customers more products do it on the website. If you're trying to let them handle their accounts and pay their bills can't there be a minimal protocol without all this extra baggage where criminals can try to hide knives, guns, etc.?
In short, as the kitchen sink gets added to the web, expect more people to drop their wedding rings, wallets, car keys, and the like, down the drain as it were.
And, to defend the idea that there should be a "SBAMP" (Simple Banking Account Management Protocol), it opens up the world of specification to be defined as a standard and implemented by various software companies. If someone doesn't fit the standard everyone will know about it and that bank will be singled out for it. Without an IP banking protocol the best we have are consumer and industry groups and so-called experts advising consumers which banks are or aren't following good practices.
-HobophobE
Nothing laughs forever.
I would not be so eager to defend Chase. They try to make an almost-two-factor security (I need my password, as well as a browser cookie. When I use a new browser, they call my phone number that they have on record to validate the new cookie). But where they apparently drop the ball is on man-in-the-middle attacks. I haven't found a secure login page, so short of checking every line of Javascript (or writing my own login form) I'm never sure where I'm submitting my password. Furthermore, the cookie they took great pains to authenticate can be accessed by "/ FALSE" (i.e., any unsecure site claiming to be chase.com).