Most Bank Websites Are Insecure
Anonymous writes "More than three-quarters of bank Web sites have design flaws that could expose bank customers to financial loss or identity theft, according to a University of Michigan study that will be presented this week at the Symposium on Usable Security and Privacy.
The study, 'Analyzing Web Sites For User-Visible Security Design Flaws,' examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders."
At least your username isn't your Social Security Number. I'm looking at you, Regions Bank.
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
and was filed from a Caribbean island.
simon
The physical bank location isn't 100% secure either.
Nerd rage is the funniest rage.
I had to call my ISP the other day (Virgin Media, because they're thieving, lying cheats), and had to go through the usual name, address and phone number. Then they asked me for my security password. I gave the wrong answer and the lady on the other end of the phone said the following:
"It's usually your mother's maiden name"
What the fuck?! Are you kidding me?! That's secure isn't it, giving me hints!
"What's your house number?"
"Erm, 11"
"Ooh, 1 out, try again"
"Er... 10?"
"Other way, dear"
"12?"
"OK, great. What can I do for you today Mr. Smith?"
Summation 2
Send me your login information for your bank and I'll test the security for you - let you know if your money is safe.
...bill collectors with wrong phone numbers.
I had one call my phone asking for someone I had never heard of. I was bored and I played along. They asked for my SSN, I told them I forgot and asked them if they could tell me what it was...they did!
So I had this random lady's name and SSN. I also told them I had a new address and gave them the White House address.
One last thing: Sometimes I wonder; "Is that someone's signature? Or do they type that at the end of each post?"
Wasn't that a great car? Mine got great mileage. Finicky carb but at least it was easy to rebuild.
Last year, a bank auditor (outside paid third party working with some fed auditor) in all seriousness told me that unless the words "please do not hack our web site" were on the home page, it was not illegal to break into it.
They had the VP convinced that this had to be done. They were about to put "please do not hack our web site" on the home page.
That's completely idiotic, and it came from folks that were supposed to "know".
After explaining this was stupid, and using Google to show that no other bank does it, they told the auditor to get his supervisor. And suddenly the stupid request went away.
True story. That's the worst example I have, but deal with these guys a while and you stop being surprised by their ignorance.
The problem with the questions is based on a watered-down version of bank security measures.
There were guidelines issued that said banks and other financial institutions should use two-factor authentication. The banks, however, fought back because such changes (keyfobs, scratch tickets, etc.) cost money, and the guidelines were watered down to what they are now - "sorta-wannabe-two-factor".
In reality, it's another password.
http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx
Heck, some banks are really idiotic, too...
http://thedailywtf.com/Articles/Banking-So-Advanced.aspx
I'm used to seeing l33t on /. occasionally, so I tried to read your pet name and car make and my brain exploded.
but have you considered the following argument: shut up.