Most Bank Websites Are Insecure
Anonymous writes "More than three-quarters of bank Web sites have design flaws that could expose bank customers to financial loss or identity theft, according to a University of Michigan study that will be presented this week at the Symposium on Usable Security and Privacy.
The study, 'Analyzing Web Sites For User-Visible Security Design Flaws,' examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders."
It is actually a surprise; earlier, the banks would just cover the damages caused. But with the current global economy it is actually a bit surprising that the banks are letting this happen.
But then again they might not - the study is from '06 and those were different times for banks.
Banks are protected from their mistakes by the US Federal Reserve.
Consumers (or lenders, technically) are covered up to the greater of their account balance or $100,000, but identity theft is far from protected.
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
1) I believe that would be the lesser of their account balance or $100,000
2) It looks like GP said the institution is protected, not the customer
I believe the GP was referring to the bailout of some banks by the US Gov't due to their imminent collapse caused by bad investments in the housing market/mortgages.
"The past was erased, the erasure was forgotten, the lie became truth." ~1984 George Orwell
Which is one reason why smartcard-based systems rock. If homebanking access to the account is only possible via the smartcard, nobody can perform such an attack on your account without having access to the card. If the attacker does get hold of your card, you're still protected by a password and you can go to the bank and have your homebanking card locked (note: the homebanking card should always be separate from any other cards your bank issues).
And it's not like it's that difficult to do; PC/SC and CTAPI are well understood and implemented in all major OSes. Germany has a well-established smartcard standard for homebanking (HBCI aka FinTS) and there are clients for every major OS, even Linux (via a Gnucash plugin). It's certainly doable.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
I've always thought that little bit (the "sitekey") was a worthless, useless showmanship.
Since they don't show you the picture until you put in your username, what's to prevent a man in the middle from taking your username, sending it to the REAL site, getting the REAL picture, and then showing it to you?
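The relay the comment above describes, written out as an in-process simulation. This is an added illustration, not code from the post or from any real bank: RealBank stands in for the legitimate site (with a constructed user table), PhishingProxy for the look-alike site, and the sitekey/username/password values are all made up.

```python
"""Simulation of the man-in-the-middle against a username-first "sitekey" login.
Added example with constructed data; no real site or protocol is modelled."""

import secrets


class RealBank:
    """Stand-in for the legitimate site: it reveals the sitekey for a username
    before any password is checked, which is the property being criticised."""

    def __init__(self):
        # Constructed sample user; the sitekey is a picture name plus a
        # user-chosen caption, as described in the thread.
        self._users = {
            "alice": {
                "password": "correct horse battery",
                "sitekey": ("lighthouse.png", "my summer trip"),
            },
        }
        self.sessions = set()

    def step1_sitekey(self, username):
        user = self._users.get(username)
        return None if user is None else user["sitekey"]

    def step2_password(self, username, password):
        user = self._users.get(username)
        if user and secrets.compare_digest(user["password"], password):
            token = secrets.token_hex(8)
            self.sessions.add(token)
            return token
        return None


class PhishingProxy:
    """Attacker-controlled look-alike site. It never needs to know the sitekey
    in advance: it fetches it live from the real site using the victim's username."""

    def __init__(self, real_bank):
        self.real_bank = real_bank
        self.captured = []

    def step1_sitekey(self, username):
        # Relay the username to the real site and show the genuine sitekey,
        # so the victim's "is this the right site?" check passes.
        return self.real_bank.step1_sitekey(username)

    def step2_password(self, username, password):
        self.captured.append((username, password))
        # Forward the credentials so the victim sees a working login.
        return self.real_bank.step2_password(username, password)


def victim_logs_in(site, username, password, expected_sitekey):
    """The victim's procedure: only enter the password if the sitekey matches."""
    shown = site.step1_sitekey(username)
    if shown != expected_sitekey:
        return None  # victim correctly refuses to continue
    return site.step2_password(username, password)


def run_simulation():
    bank = RealBank()
    phisher = PhishingProxy(bank)
    alice_key = ("lighthouse.png", "my summer trip")
    # Against the real site the check passes and login works.
    direct = victim_logs_in(bank, "alice", "correct horse battery", alice_key)
    # Against the phisher the check *also* passes, and the password is captured.
    relayed = victim_logs_in(phisher, "alice", "correct horse battery", alice_key)
    return {
        "direct_login_ok": direct is not None,
        "relayed_login_ok": relayed is not None,
        "captured": list(phisher.captured),
    }


if __name__ == "__main__":
    print(run_simulation())
```

The victim's check passes in both runs because the sitekey is a function of the username alone, which the attacker already has; anything the real site shows before the password is entered can be shown by a relay just as well.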
The big problem here is that while our funds are secured by Federal Insurance, our identities are not. And the potential for damage from ID theft is greater than the potential for loss of the little electronic digits that represent our money.
It can take years and lots of money to recover from ID theft. I am currently dealing with my sister-in-law's ID theft. She is a world traveler and spends 10 months out of the year in Africa, India, and the UK. We have signature authority on most of her stateside accounts. The problem is, she loves Internet Cafes and does her banking online.
She opened a new account in NYC before her last trip. She was in Nigeria for less than a week and we started to get alarming indications that something was wrong. Sure enough, someone got her on what was her first visit to a cafe; her new account and her old WAMU account had to be shut down before they were raided. We are now getting credit warning letters in her name and we are hoping she doesn't get stopped in some country because someone used her name for a crime. Imagine the passport issues.
The problem might not be the bank's entirely, but there are measures they can take.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
(i.e. email addresses for IDs and short crackable passwords)
There's a line a bank must tread between obvious security and usability. There's one bank I use that forced me to take THEIR login ID but let me set my own password. It's the only bank I have to save my login ID in an accessible location so I can go and look it up, because I can't damn well remember what stupid number they gave to me at the end of some sort of concatenated user name based on my real name.
There's extra security in having hard-to-guess logins and passwords, but you're also making it difficult to the point of uselessness to make people remember an endless number of logins and passwords, where they're just going to start writing them down on sticky notes at their work desk. In that sense, allowing them to make easily remembered logins can be MORE secure by avoiding having your customers take their own extreme measures to remember their credentials.
What I'm seeing happening recently is that banks are having you pick a specific picture associated with your account and have you just enter your login ID. They then direct you to a "second" login page that will show your "site key" (the image you selected) along with some text you might have filled in yourself (describing the picture). This, I assume, is to defeat phishing sites. A phishing site shouldn't be able to know your "site key" picture and text, which is to alert the user that they're not on the right website.
Though, I personally have no pity to people who fall for phishing sites. Knowing how to read and check an address bar is part of being able to use the Internet properly. Otherwise, it would be like allowing people to drive without a license. Sure, some people can do it successfully but they're more likely to make a mistake that is easily avoidable, just because they didn't know better.
- logons etc on insecure pages
This is often a misunderstanding. One that I had at a point as well. Your login form has to submit to an SSL page, not reside on an SSL page, to be secure. This is why several banks have logins on non-SSL pages, because their main informational site doesn't need the extra overhead of SSL to transmit their advertisement stuff.
However, should your login fail and they send you back to a non-SSL page with your information filled in, then I would be concerned. Though, I've not seen a bank do that yet. General rule of thumb is that if you're paranoid about it, submit the login form, without/wrong credentials and you'll get a login/SSL page.
"The past was erased, the erasure was forgotten, the lie became truth." ~1984 George Orwell
Actually there's a pretty good solution to this, and it is already in place in several places on the internet. If you get the password wrong 3 times, then you must wait X seconds before attempting again and enter a captcha. This way you aren't completely locked out, but it would take years to brute force your account. (Unless you use the password 4444 like my boss *headdesk*)
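The throttle described above, implemented and paired with the arithmetic it implies. This is an added example, not code from the post or from any site that uses the scheme: the delay value, the injected clock and the usernames are assumptions made for the illustration. brute_force_seconds() shows what the wait buys for a given keyspace, which is what separates a four-digit PIN from a real password under the same throttle.

```python
"""Three free failures, then a fixed wait plus a captcha before each further try.
Added example; delay, clock and sample data are constructed."""

import math


class LoginThrottle:
    MAX_FREE_FAILURES = 3

    def __init__(self, delay_seconds, clock):
        self.delay = delay_seconds
        self.clock = clock            # callable returning the current time; injected so tests can control it
        self._failures = {}           # username -> consecutive failures
        self._blocked_until = {}      # username -> timestamp when attempts are accepted again
        self._captcha_needed = set()  # usernames that must also solve a captcha

    def attempt(self, username, password_ok, captcha_ok=False):
        """Return 'ok', 'bad_password', 'wait' or 'captcha_required'."""
        now = self.clock()
        if now < self._blocked_until.get(username, 0):
            return "wait"
        if username in self._captcha_needed and not captcha_ok:
            return "captcha_required"
        if password_ok:
            # Successful login clears all throttle state for the account.
            self._failures.pop(username, None)
            self._blocked_until.pop(username, None)
            self._captcha_needed.discard(username)
            return "ok"
        n = self._failures.get(username, 0) + 1
        self._failures[username] = n
        if n >= self.MAX_FREE_FAILURES:
            # From the third failure on, every further guess costs one delay
            # plus a captcha solve.
            self._blocked_until[username] = now + self.delay
            self._captcha_needed.add(username)
        return "bad_password"


def brute_force_seconds(keyspace, delay_seconds, free=LoginThrottle.MAX_FREE_FAILURES):
    """Worst-case time to exhaust `keyspace` guesses under the throttle above:
    `free` guesses cost nothing, every later guess costs `delay_seconds`.
    Assumes the captcha is solved instantly, i.e. it only slows, never stops."""
    if keyspace <= free:
        return 0.0
    return float((keyspace - free) * delay_seconds)


def seconds_to_years(seconds):
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    delay = 30
    # A 4-digit PIN such as "4444": 10**4 guesses.
    pin = brute_force_seconds(10 ** 4, delay)
    # An 8-character lowercase alphanumeric password: 36**8 guesses.
    pw = brute_force_seconds(36 ** 8, delay)
    print(f"4-digit PIN:    {pin / 86400:.1f} days")
    print(f"8-char [a-z0-9]: {math.ceil(seconds_to_years(pw)):,} years")
```

With a 30-second wait the four-digit PIN falls in a few days while the eight-character password takes millions of years; the throttle fixes the cost per guess, so the keyspace still decides the outcome.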
This may be somewhat true, but the FDIC is an *insurance* company, and if a lot of banks had to start hitting it up due to identity theft, its premiums (in the form of government deficit) would go up. And that tanks the economy, which tanks banks, etc ...
So, no, banks do not get off scot-free for this kind of thing because of some magical safety net. TINSTAAFL.
My current bank forced me to select 6 questions, for many of which there were no choices I knew the answer to, but that someone stealing my identity could find.
Just put in a strong password as the answer to each of the questions. It's about the best you can do.
Hell, BB&T not only doesn't use 2 factor authentication, they also don't enforce strong passwords, nor do they prevent browser caching of passwords. The login field was recently "moved" in order to "prevent some types of known security attacks" but the login fields are still ON the MAIN PAGE...
There is no contest in life for which the unprepared have the advantage.
If the page isn't SSL, then you can change the contents as they pass over the wire, so it doesn't require that the bank's web server is hacked. If the page is in SSL, then you can be assured that it wasn't changed between the server and you. If the server is somehow hacked, then there's nothing you can do. If you're going to assume the bank's web server is hacked, you shouldn't be doing online banking.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.