Slashdot Mirror
Most Bank Websites Are Insecure
Anonymous writes "More than three-quarters of bank Web sites have design flaws that could expose bank customers to financial loss or identity theft, according to a University of Michigan study that will be presented this week at the Symposium on Usable Security and Privacy.
The study, 'Analyzing Web Sites For User-Visible Security Design Flaws,' examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders."
Banks are protected from their mistakes by the US Federal Reserve.
Rich And Stupid is not so bad as Working For Rich And Stupid.
If this report makes it any harder to login to my account I am going to have to find the publishers, and beat them.
My current bank forced me to select 6 questions, many of which there were no choices I knew the answer to, but that someone stealing my identity could find.
When one of these comes up that I can't answer I call the customer service, and am verified by my mothers maiden name. Defeating the purpose of all the questions anyway.
Also, my user-name is not a password, don't make me change it to one.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
That's assuming that the online account isn't accessing a database with all the information in it. You might say "preposterous!!?!?!", but this whole report is about banks doing stupid things as far as security goes.
Afterall, it's not like when you sign up for online banking they go to the back, pull your stuff from a manila folder and say "Another one of these fellas wants to look at his stuff on the interwebs. Lets put it in the computer.".
"People who think they know everything are very annoying to those of us who do."-Mark Twain
In that case I don't see how it was the bank's fault in any way.. using an internet café for banking (in Nigeria of all places, famous for 419 scams..) doesn't strike me as the best idea in the world. Even if the keyboards are glued in so that people can't attach keyloggers and whatnot, someone could have setup a mini camera, or perhaps the owner of the café has installed monitoring software that allows him to record everything.. she'd be better off with a WiFi enabled PDA or something at least?
which is totally what she said
They could have made it several orders of magnitude harder by adding two-factor authentication with a SecurID or CryptoCard style of physical token. At that point, the only way to commit real identity theft (as opposed to simply being able to see the partial account numbers (your bank does only list part of the account numbers, right?) shown on the screen) would be to inject a man-in-the-middle proxy that was configured for your particular bank with detection and interception of the logout click and returning a bogus "you have logged out" page, then transferring control over the session immediately to a human operator to work with it further. While such sophisticated attacks are possible, they are much less trivial, and thus much less likely.
I find it utterly hilarious that my webmail at work is orders of magnitude more secure than online banking. Instead of fixing the problem of authentication, the banks would rather come up with more and more absurd "solutions" like making your passwords impossible to remember (and incompatible with passwords from other online banking sites due to different rules) so you have to write them down, then setting up lists of security questions for the inevitable forgotten password. I mean jeez, a CryptoCard token is what, $70 in quantities? They probably spend close to that for each user every year just because of the extra customer support overhead of their draconian password schemes....
Check out my sci-fi/humor trilogy at PatriotsBooks.