Most Bank Websites Are Insecure
Anonymous writes "More than three-quarters of bank Web sites have design flaws that could expose bank customers to financial loss or identity theft, according to a University of Michigan study that will be presented this week at the Symposium on Usable Security and Privacy.
The study, 'Analyzing Web Sites For User-Visible Security Design Flaws,' examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders."
It is actually a surprise; earlier the banks would just cover the damages caused. But with the current global economy it is actually a bit surprising that the banks are letting this happen.
But then again they might not - the study is from 06 and those were different times for banks.
Banks are protected from their mistakes by the US Federal Reserve.
Consumers (or lenders, technically) are covered up to the greater of their account balance or $100,000, but identity theft is far from protected.
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
1) I believe that would be the lesser of their account balance or $100,000
2) It looks like GP said the institution is protected, not the customer
Which is one reason why smartcard-based systems rock. If homebanking access to the account is only possible via the smartcard nobody can perform such an attack on your account without having access to the card. If the attacker does get hold of your card you're still protected by a password and you can go to the bank and have your homebanking card locked (note: The homebanking card should always be separate from any other cards your bank issues).
And it's not like it's that difficult to do; PC/SC and CTAPI are well understood and implemented in all major OSes. Germany has a well-established smartcard standard for homebanking (HBCI aka FinTS) and there are clients for every major OS, even Linux (via a Gnucash plugin). It's certainly doable.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
The big problem here is that while our funds are secured by Federal Insurance, our identities are not. And the potential for damage from ID theft is greater than the potential for loss of the little electronic digits that represent our money.
It can take years and lots of money to recover from ID theft. I am currently dealing with my sister-in-law's ID theft. She is a world traveler and spends 10 months out of the year in Africa, India, and the UK. We have signature authority on most of her stateside accounts. The problem is, she loves Internet Cafes and does her banking online.
She opened a new account in NYC before her last trip. She was in Nigeria for less than a week and we started to get alarming indications that something was wrong. Sure enough, someone got her on what was her first visit to a cafe, her new account and her old WAMU account had to be shut down before it was raided. We are now getting credit warning letters in her name and we are hoping she doesn't get stopped in some country because someone used her name for a crime. Imagine the passport issues.
The problem might not be the bank's entirely, but there are measures they can take.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.