Most Bank Websites Are Insecure

Anonymous writes "More than three-quarters of bank Web sites have design flaws that could expose bank customers to financial loss or identity theft, according to a University of Michigan study that will be presented this week at the Symposium on Usable Security and Privacy. The study, 'Analyzing Web Sites For User-Visible Security Design Flaws,' examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders."

Surprise

[MyLongNickName]

Having worked in the banking industry for nearly a decade, I was a bit skeptical. Many times we will have some security firm come in and look at our public facing web site, and come back with a list of 25-30 items that are 'security issues'. Most of them are complete crap, and maybe 1 or 2 are legitimate concerns. Management gets in a tizzy and insists that all items must be addressed, even when many items make no sense or are even counterproductive to implement.

I skimmed the underlying study (the article itself was worthless except for the link), and some of the concerns are very valid. For example, I have NO idea why a bank wouldn't insist on using SSL for any banking transaction.

Re:Surprise

[TheMooose]

I worked as a web developer for scores of Credit Unions all over the US. In the last 4 years the NCUA (like the fed for CUs) became freakishly paranoid, and like most "governing" bodies, took no time to understand buzz-words. They started implementing draconian requirements that forced the CUs, large and small, to spend great deals of money on website security. That money would have gone into members' accounts at year end. While working for the CUs, I found that the most damaging attacks were often nothing the NCUA could have dreamed of. They worried about open ports and front page extensions while the Chinese and Russian hackers focused on SQL injection and Cross-site scripting (XSS). In one case I was involved with, the attackers were able to compromise a content management system via SQL injection and dynamically change the links to home banking for dozens of CUs. My advice is for these banks and credit unions would be to have their websites and underlying systems audited, if not code reviewed, by a well seasoned team of professionals and to not rely on the scanning services unless they just want a warm fuzzy feeling.

Kudos goes to my bank then

[Rogerborg]

Since if I enter my username (composed from my real name) and an incorrect password three times, it locks me out.

I say "my" username, but if I enter any username - easily deductible by composing any two first and last names - and an incorrect password three times... that account gets locked out.

I'm sure that nobody with malice aforethought, a dictionary of names, and a frisky Perl script will ever feel the urge to increase every customers' security by having them locked out.

Profit...

Banks are protected from their mistakes by the US Federal Reserve.

Profits always get privatized, banker's mistakes often get nationalized. The private citizen always gets stuck with bailing the banks out but gets little or no benefit from profits since these shipped of to tax havens like Lichtenstein. Which makes it all the more gratifying when something like this happens.

Re:Surprise - really...

[Lobster+Quadrille]

A while back I emailed my bank about several critical holes on their website. Their response: because the actual banking takes place through a third-party, the access logs that are publicly available on the site, the ability to manipulate the content of the website through javascript, the ability to alter login forms, and the ability to hijack the CMS' admin sessions are non-issues.

I have a new bank now.