Most Bank Websites Are Insecure
Anonymous writes "More than three-quarters of bank Web sites have design flaws that could expose bank customers to financial loss or identity theft, according to a University of Michigan study that will be presented this week at the Symposium on Usable Security and Privacy.
The study, 'Analyzing Web Sites For User-Visible Security Design Flaws,' examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders."
Banks are protected from their mistakes by the US Federal Reserve.
Rich And Stupid is not so bad as Working For Rich And Stupid.
If this report makes it any harder to login to my account I am going to have to find the publishers, and beat them.
My current bank forced me to select 6 questions, for many of which there were no choices I knew the answer to, but that someone stealing my identity could find.
When one of these comes up that I can't answer I call customer service, and am verified by my mother's maiden name, defeating the purpose of all the questions anyway.
Also, my user-name is not a password, don't make me change it to one.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
I am neither a Web designer nor a programmer, nor am I a cracker. In many respects I'm just a typical computer geek who knows enough to stay out of trouble. I am wondering why these banks don't hire competent employees (or contractors) though. Some of the problems mentioned in the PDF seem very obvious to me:
- Break in the chain of trust: some websites forward users to new pages that have different domains without notifying the user from a secure page. In this situation, the user has no way of knowing whether the new page is trustworthy.
- Inadequate policies for user IDs and passwords (i.e. email addresses for IDs and short, crackable passwords)
- E-mailing security-sensitive information insecurely (I always found it BIZARRE that banks and their employees aren't trained to use PGP and the like, even for large-moneyed account holders and more sensitive information)
- Logons etc. on insecure pages
The least secure system is the human system; that is almost always the weak point. All it takes is patience, and the right teller.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Some mods clearly have no sense of humour.
yes, but at least then you either A) have been held up/robbed in person and know you are being robbed, or B) have a person on record as the person who handled your account. Seems better to me.
I don't know of any way to deal with this problem. NOT having an account lockout means someone can brute-force a password. Having an account lockout means someone can DoS the account.
You could probably minimize the problem by doing the lockout by IP address or something, but ultimately you can't solve this problem in its entirety. Account lockouts are a trade-off.
If you know of a solution, please post it.
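One way to soften the trade-off the comment above describes, as an added example that is not from the thread or from any bank: rather than a hard lockout, refuse an IP outright once it has racked up many failures, and for the account itself only impose an exponentially growing, capped wait. The attacker's guess rate per account is bounded by the cap, while the worst an attacker can do to the legitimate user is make them wait that cap (here five minutes), never lock them out. The policy, thresholds, IP addresses and account names below are all constructed for the example.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Throttle failed logins without a hard per-account lockout (constructed policy).

    * per source IP: after `ip_max_failures` failures in `ip_window` seconds the IP
      is refused outright (the brute-forcer pays this cost, not the account owner);
    * per account: each failure doubles the wait before the next attempt is even
      considered, capped at `max_delay`, so an attacker can delay the real user by
      at most `max_delay` and never lock the account.
    Attempts refused by either limit are not counted, so hammering during the wait
    cannot push the legitimate user's wait out indefinitely.
    """

    def __init__(self, base_delay=1.0, max_delay=300.0, ip_window=900.0,
                 ip_max_failures=20, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.ip_window = ip_window
        self.ip_max_failures = ip_max_failures
        self.clock = clock                      # injectable so scenarios are deterministic
        self._ip_failures = defaultdict(list)   # ip -> failure timestamps
        self._account = {}                      # account -> (failures, last_failure_time)

    def _ip_recent_failures(self, ip):
        cutoff = self.clock() - self.ip_window
        self._ip_failures[ip] = [t for t in self._ip_failures[ip] if t > cutoff]
        return len(self._ip_failures[ip])

    def account_delay(self, account):
        """Seconds before the account's next attempt is accepted (0.0 if none)."""
        if account not in self._account:
            return 0.0
        failures, last = self._account[account]
        required = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        return max(0.0, required - (self.clock() - last))

    def check(self, account, ip):
        """Call before verifying the password. Returns (allowed, reason)."""
        if self._ip_recent_failures(ip) >= self.ip_max_failures:
            return False, "ip_blocked"
        wait = self.account_delay(account)
        if wait > 0:
            return False, "retry_after_%ds" % round(wait)
        return True, "ok"

    def record(self, account, ip, success):
        """Call after the password check, only for an attempt that check() allowed."""
        now = self.clock()
        if success:
            self._account.pop(account, None)    # a real login clears the backoff
            return
        self._ip_failures[ip].append(now)
        failures, _ = self._account.get(account, (0, now))
        self._account[account] = (failures + 1, now)


def simulate_brute_force(attempts, interval=1.0):
    """Constructed scenario: one attacker IP guesses 'alice' once per `interval`
    seconds. Returns (guesses actually evaluated, throttle state)."""
    t = [0.0]
    throttle = LoginThrottle(clock=lambda: t[0])
    evaluated = 0
    for _ in range(attempts):
        allowed, _ = throttle.check("alice", "203.0.113.7")
        if allowed:
            throttle.record("alice", "203.0.113.7", success=False)
            evaluated += 1
        t[0] += interval
    return evaluated, throttle


def simulate_spray(n_accounts):
    """Constructed scenario: one IP tries one password against many accounts; the
    per-IP cap stops it even though no single account is under backoff."""
    throttle = LoginThrottle(clock=lambda: 0.0)
    evaluated = 0
    for i in range(n_accounts):
        allowed, _ = throttle.check("user%d" % i, "203.0.113.7")
        if allowed:
            throttle.record("user%d" % i, "203.0.113.7", success=False)
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    n, th = simulate_brute_force(60)
    print("brute force: %d of 60 guesses evaluated; alice must wait %.0fs more"
          % (n, th.account_delay("alice")))
    print("password spray: %d of 25 guesses evaluated before the IP was refused"
          % simulate_spray(25))
```

Sixty guesses a second apart against one account get only six evaluated, and the wait is already over the attacker's retry interval; twenty-five single guesses sprayed across accounts from one IP stop at the twentieth. An attacker with many IPs still gets through the per-account path, but only one guess per cap period, which is the rate the cap was chosen to make useless.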
Yes, if I'm going to lose some money, I at least want to have been in physical danger to boot. </sarcasm>
This debate was tiresome before it started. Short of providing statistics on the risk of loss in each scenario (no, I don't have them), nobody has anything interesting to say on the topic.
That's assuming that the online account isn't accessing a database with all the information in it. You might say "preposterous!!?!?!", but this whole report is about banks doing stupid things as far as security goes.
After all, it's not like when you sign up for online banking they go to the back, pull your stuff from a manila folder and say "Another one of these fellas wants to look at his stuff on the interwebs. Let's put it in the computer.".
"People who think they know everything are very annoying to those of us who do."-Mark Twain
I'd rather have my money stolen by someone remotely and get my money recovered by the feds from the security of my own home in a few minutes than be held at gunpoint.
Also, maybe it's just because I rely on computers for my livelihood and have used them all my life, but I trust a program and algorithm to get it right quickly over a teller any day of the week. And even if it gets it wrong, it's traceable and fixable.
Gah, I'm just pretty far opposite to your viewpoint I guess. Might be a generation thing.
From the research paper:
By this logic, even this page would cause Chase's site to fail. Also:
But my bank (which is not Chase) uses the phrase "sign in" instead of "login". Does this mean it is more secure?
$nice = $webHosting + $domainNames + $sslCerts
In that case I don't see how it was the bank's fault in any way.. using an internet café for banking (in Nigeria of all places, famous for 419 scams..) doesn't strike me as the best idea in the world. Even if the keyboards are glued in so that people can't attach keyloggers and whatnot, someone could have setup a mini camera, or perhaps the owner of the café has installed monitoring software that allows him to record everything.. she'd be better off with a WiFi enabled PDA or something at least?
which is totally what she said
Couldn't the phishing site just take your login ID from you, post it to the bank's website, possibly through a proxy botnet machine so it wouldn't look like a whole bunch of requests were coming from a single machine, and download the site key image and show you the proper one? I don't think any phishing scams have gotten this sophisticated yet, because it's easy enough to just do it the old fashioned way. But if things get hard enough, and all bank websites start using tricks like this, then I could see phishing getting much more sophisticated. If someone is stupid enough to type their credentials, even just their login ID, into a site that is posing as their bank, then there's really nothing that the bank can do to stop them. The phishing site basically just has to proxy all the relevant information back to the user to make it look exactly like the bank's page.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
If the login form isn't on an SSL page, how does the user ensure that the page is being posted to the correct location? Do they have to view the source to figure out where it is being posted to? For all you know, that unsecured login page had some javascript inserted that takes the information you enter and sends it to a different page. Or even simpler, just has the form action replaced with something else completely different. Without looking at the page source, and verifying every line, you have no idea where the form is going to submit to or what's going to happen once you enter your credentials.
I have to agree, those both kind of jumped out at me, logging into a bank account at #1 a public workstation and #2 in Nigeria...
While I am sure there a lot of things that the bank can do to improve the system, I truly don't believe that they could have prevented the loss in her situation.
While I don't agree with tin-foil paranoia, a healthy fear and common sense are important to protect yourself, especially in unfamiliar environments.
I feel like I'm posting the obvious here but I'll post it anyways lol.
Provided you even have a choice. When I opened my bank account, I was given a pamphlet on online banking. A few days later my default username and password came in the mail.
No, the bank could have opted for transaction based authentication with a little security device not connected to the computer. I've got one from VASCO from my bank. There is no way that they could raid my account after using an internet cafe.
The current one uses the chip of my bank card together with a semi-random number generated by a clock (the device has a battery, and after a few years the battery, and therefore the device, will run out). Other banks use the mobile phone (SMS) for confirmation. Less secure, but probably secure enough.
It's just that US banks suck, or that their clients are basically too lazy (if one bank just uses a password it is easier to use than one that uses this kind of two-way, transaction-based authentication).
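The property the comment above relies on, as an added example that is not from the thread and is not VASCO's actual algorithm: a code computed by a token from the transaction details the user keyed in plus a clock value is useless to anyone who captured it in an internet café, because changing the destination or amount, or replaying it later, produces a different expected value at the bank. The construction below (HMAC-SHA256 over destination, amount and time step, truncated with the HOTP rule from RFC 4226), the secret, the IBANs and the time steps are all constructed for the example.

```python
import hmac
import hashlib
import struct


def transaction_code(secret: bytes, dest_account: str, amount_cents: int,
                     time_step: int, digits: int = 6) -> str:
    """Code the token would display for one specific transaction at one time step.

    Constructed model: HMAC-SHA256 over (destination, amount, time step) keyed with
    the per-customer secret held in the token, truncated to `digits` decimal digits
    with the dynamic-truncation rule of RFC 4226 (HOTP) applied to a SHA-256 MAC.
    """
    message = "%s|%d|%d" % (dest_account, amount_cents, time_step)
    mac = hmac.new(secret, message.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # last nibble selects a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % 10 ** digits)


def bank_verifies(secret: bytes, dest_account: str, amount_cents: int,
                  now_step: int, code: str, skew: int = 1) -> bool:
    """Server side: recompute the code for the transaction the bank is about to
    execute (not the one the user thinks they entered) and accept it only if it
    matches within +/- `skew` time steps of the bank's clock."""
    for step in range(now_step - skew, now_step + skew + 1):
        expected = transaction_code(secret, dest_account, amount_cents, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def cafe_scenario():
    """Constructed walk-through of the internet-café case: assume the attacker sees
    everything typed and sent, including the one-time code, and can alter the
    request in flight."""
    secret = bytes(range(32))                     # constructed token secret
    step = 1000                                   # e.g. 30-second steps since some epoch
    legit_dest, legit_amount = "DE89370400440532013000", 12500   # constructed IBAN, 125.00
    code = transaction_code(secret, legit_dest, legit_amount, step)

    results = {}
    # the user's own transfer goes through
    results["legit"] = bank_verifies(secret, legit_dest, legit_amount, step, code)
    # the same code still works one clock step later (tolerates token/bank drift)
    results["within_skew"] = bank_verifies(secret, legit_dest, legit_amount, step + 1, code)
    # attacker swaps the destination but reuses the captured code
    results["tampered_destination"] = bank_verifies(
        secret, "GB29NWBK60161331926819", legit_amount, step, code)
    # attacker keeps the destination but raises the amount
    results["tampered_amount"] = bank_verifies(secret, legit_dest, 999900, step, code)
    # the identical transaction replayed after the time window has passed
    results["replayed_later"] = bank_verifies(secret, legit_dest, legit_amount, step + 5, code)
    return results


if __name__ == "__main__":
    for name, accepted in cafe_scenario().items():
        print("%-22s %s" % (name, "accepted" if accepted else "rejected"))
```

This is also why a token that only signs the login (SecurID-style) is weaker than one that signs the transaction: a man in the middle who rides the authenticated session can still change what is sent, but cannot forge a code over details the user never keyed in.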
Actually, the federal government has forced all US banks to use 2-factor authentication. They were all in a tizzy a year back to get it done by the deadline.
2-factor authentication has a lot of definitions though. We need to keep critiquing the system and pushing improvements.
Not true; it also tells you that you are talking to the real bank website and not some imposter. And since you trust your bank, you can trust their SSL login page not to give away your login details. Without SSL you don't know what website you are looking at (e.g. look at all the recent articles on DNS cache poisoning).
There's a simple solution used by all the UK banks (that I've used). Put all your advertising goodness on the bank homepage and add a "Login here" button which takes you to the SSL login page. Simple and secure.
"They worried about open ports and front page extensions "
good, they should be.
"Chinese and Russian hackers focused on SQL injection and Cross-site scripting (XSS)."
If SQL injection is possible, immediately fire the developer.
Sorry, no excuse.
"to have their websites and underlying systems audited, if not code reviewed, by a well seasoned team of professionals "
excellent advice.
They could have made it several orders of magnitude harder by adding two-factor authentication with a SecurID or CryptoCard style of physical token. At that point, the only way to commit real identity theft (as opposed to simply being able to see the partial account numbers (your bank does only list part of the account numbers, right?) shown on the screen) would be to inject a man-in-the-middle proxy that was configured for your particular bank with detection and interception of the logout click and returning a bogus "you have logged out" page, then transferring control over the session immediately to a human operator to work with it further. While such sophisticated attacks are possible, they are much less trivial, and thus much less likely.
I find it utterly hilarious that my webmail at work is orders of magnitude more secure than online banking. Instead of fixing the problem of authentication, the banks would rather come up with more and more absurd "solutions" like making your passwords impossible to remember (and incompatible with passwords from other online banking sites due to different rules) so you have to write them down, then setting up lists of security questions for the inevitable forgotten password. I mean jeez, a CryptoCard token is what, $70 in quantities? They probably spend close to that for each user every year just because of the extra customer support overhead of their draconian password schemes....
Check out my sci-fi/humor trilogy at PatriotsBooks.
I've been thinking a lot lately about ID management as a solution to these kinds of problems. Financials are only one thing that's moved onto the web—it seems health is next. As we put more and more of ourselves into The InterPipes, I think there's going to come a point when we need to actively create and manage an online identity.
The real key to good ID mgmt is not simply collecting all of your information in one place, but being able to create different personas and share those based on who you're talking to, a la OpenID. There's also going to have to be the concept of a "secure" persona (or perhaps a secure area of your identity profile that can contain multiple personas). Outside this secure area, your identity can be protected in the normal way: a password linked to an email account. The secure personas, however, should be linked to a security certificate and kept using strong encryption.
The problem with this approach is that in order to be strong, the security certificate must issue you some kind of hard-to-guess information that you keep under lock and key. Lose that, and you've lost those areas of your identity—your financial accounts, health records, etc.—at least until you can prove your identity to the trustworthy third party that issued it.
All of these ideas have already been developed and are in practice in different contexts. The missing link right now is a service that collects many different levels of reliable, secure techniques and makes them feasible to manage. ID mgmt is that missing link right now.
but have you considered the following argument: shut up.