Most Bank Websites Are Insecure
Anonymous writes "More than three-quarters of bank Web sites have design flaws that could expose bank customers to financial loss or identity theft, according to a University of Michigan study that will be presented this week at the Symposium on Usable Security and Privacy.
The study, 'Analyzing Web Sites For User-Visible Security Design Flaws,' examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders."
Banks are protected from their mistakes by the US Federal Reserve.
Rich And Stupid is not so bad as Working For Rich And Stupid.
If this report makes it any harder to login to my account I am going to have to find the publishers, and beat them.
My current bank forced me to select 6 questions, many of which had no choices I knew the answer to, but that someone stealing my identity could find.
When one of these comes up that I can't answer I call customer service, and am verified by my mother's maiden name, defeating the purpose of all the questions anyway.
Also, my user-name is not a password, don't make me change it to one.
Wow, sent an e-mail as suggested when clicking on the "use classic" banner, and got a fast response that addressed my message.
The least secure system is the human system; that is almost always the weak point. All it takes is patience, and the right teller.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
yes, but at least then you either A) have been held up/robbed in person and know you are being robbed, or B) have a person on record as the person who handled your account. Seems better to me.
That's assuming that the online account isn't accessing a database with all the information in it. You might say "preposterous!!?!?!", but this whole report is about banks doing stupid things as far as security goes.
After all, it's not like when you sign up for online banking they go to the back, pull your stuff from a manila folder and say "Another one of these fellas wants to look at his stuff on the interwebs. Let's put it in the computer."
"People who think they know everything are very annoying to those of us who do." - Mark Twain
From the research paper:
By this logic, even this page would cause Chase's site to fail. Also:
But my bank (which is not Chase) uses the phrase "sign in" instead of "login". Does this mean it is more secure?
$nice = $webHosting + $domainNames + $sslCerts
In that case I don't see how it was the bank's fault in any way.. using an internet café for banking (in Nigeria of all places, famous for 419 scams..) doesn't strike me as the best idea in the world. Even if the keyboards are glued in so that people can't attach keyloggers and whatnot, someone could have set up a mini camera, or perhaps the owner of the café has installed monitoring software that allows him to record everything.. she'd be better off with a WiFi-enabled PDA or something at least?
which is totally what she said
If the login form isn't on an SSL page, how does the user ensure that the page is being posted to the correct location? Do they have to view the source to figure out where it is being posted to? For all you know, that unsecured login page had some JavaScript inserted that takes the information you enter, and sends it to a different page. Or even simpler, just has the form action replaced with something else completely different. Without looking at the page source, and verifying every line, you have no idea where the form is going to submit to or what's going to happen once you enter your credentials.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
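The "where does this form actually post to?" check the comment above describes is exactly the kind of user-visible flaw the Michigan study counted, and it can be scripted. This is an added example, not code from the post or from the study; the bank hostnames and the two HTML snippets are constructed, and only the standard library is used.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Constructed sample pages (not real bank markup): one sound, one with the flaws the study counts.
GOOD_PAGE_URL = "https://www.examplebank.test/login"
GOOD_HTML = '<form action="" method="post"><input name="u"><input type="password" name="p"></form>'
BAD_PAGE_URL = "http://www.examplebank.test/"
BAD_HTML = ('<form action="https://login.thirdparty.test/auth" method="post">'
            '<input name="u"><input type="password" name="p"></form>')
@dataclass
class LoginForm:
    action: str               # absolute URL the credentials would be posted to
    has_password: bool = False

class _FormCollector(HTMLParser):
    """Collect every <form> on the page and note whether it contains a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            self._current = LoginForm(urljoin(self.page_url, attrs.get("action") or ""))
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current.has_password = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_forms(page_url, html):
    """Return (flaw, post_target) pairs for every form on the page that collects a password."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    page, findings = urlsplit(page_url), []
    for form in (f for f in parser.forms if f.has_password):
        target = urlsplit(form.action)
        if page.scheme != "https":           # page itself could have been tampered with in transit
            findings.append(("login form served on an insecure page", form.action))
        if target.scheme != "https":         # credentials would travel in the clear
            findings.append(("credentials posted without TLS", form.action))
        if target.hostname != page.hostname: # the user cannot tell who receives the password
            findings.append(("credentials posted to a different host", form.action))
    return findings
```

A real audit would fetch the page with an HTTP client and pass the response body and final URL to audit_login_forms; the function only inspects markup, so it never sends any credentials.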
They could have made it several orders of magnitude harder by adding two-factor authentication with a SecurID or CryptoCard style of physical token. At that point, the only way to commit real identity theft (as opposed to simply being able to see the partial account numbers (your bank does only list part of the account numbers, right?) shown on the screen) would be to inject a man-in-the-middle proxy that was configured for your particular bank with detection and interception of the logout click and returning a bogus "you have logged out" page, then transferring control over the session immediately to a human operator to work with it further. While such sophisticated attacks are possible, they are much less trivial, and thus much less likely.
I find it utterly hilarious that my webmail at work is orders of magnitude more secure than online banking. Instead of fixing the problem of authentication, the banks would rather come up with more and more absurd "solutions" like making your passwords impossible to remember (and incompatible with passwords from other online banking sites due to different rules) so you have to write them down, then setting up lists of security questions for the inevitable forgotten password. I mean jeez, a CryptoCard token is what, $70 in quantities? They probably spend close to that for each user every year just because of the extra customer support overhead of their draconian password schemes....
Check out my sci-fi/humor trilogy at PatriotsBooks.