Most Bank Websites Are Insecure
Anonymous writes "More than three-quarters of bank Web sites have design flaws that could expose bank customers to financial loss or identity theft, according to a University of Michigan study that will be presented this week at the Symposium on Usable Security and Privacy.
The study, 'Analyzing Web Sites For User-Visible Security Design Flaws,' examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders."
It is actually a surprise, earlier the banks would just cover the damages caused. But with the current global economy it is actually a bit surprising that the banks are letting this happen.
But then again they might not - the study is from 06 and those were different times for banks.
Banks are protected from their mistakes by the US Federal Reserve.
Rich And Stupid is not so bad as Working For Rich And Stupid.
If this report makes it any harder to login to my account I am going to have to find the publishers, and beat them.
My current bank forced me to select 6 questions, many of which there were no choices I knew the answer to, but that someone stealing my identity could find.
When one of these comes up that I can't answer I call the customer service, and am verified by my mother's maiden name. Defeating the purpose of all the questions anyway.
Also, my user-name is not a password, don't make me change it to one.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Having worked in the banking industry for nearly a decade, I was a bit skeptical. Many times we will have some security firm come in and look at our public facing web site, and come back with a list of 25-30 items that are 'security issues'. Most of them are complete crap, and maybe 1 or 2 are legitimate concerns. Management gets in a tizzy and insists that all items must be addressed, even when many items make no sense or are even counterproductive to implement.
I skimmed the underlying study (the article itself was worthless except for the link), and some of the concerns are very valid. For example, I have NO idea why a bank wouldn't insist on using SSL for any banking transaction.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
and was filed from a Caribbean island.
simon
The physical bank location isn't 100% secure either.
Nerd rage is the funniest rage.
Since if I enter my username (composed from my real name) and an incorrect password three times, it locks me out.
I say "my" username, but if I enter any username - easily deducible by composing any two first and last names - and an incorrect password three times... that account gets locked out.
I'm sure that nobody with malice aforethought, a dictionary of names, and a frisky Perl script will ever feel the urge to increase every customer's security by having them locked out.
If you were blocking sigs, you wouldn't have to read this.
The least secure system is the human system; that is almost always the weak point. All it takes is patience, and the right teller.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I had to call my ISP the other day (Virgin Media, because they're thieving, lying cheats), and had to go through the usual name, address and phone number. Then they asked me for my security password. I gave the wrong answer and the lady on the other end of the phone said the following:
"It's usually your mother's maiden name"
What the fuck?! Are you kidding me?! That's secure isn't it, giving me hints!
"What's your house number?"
"Erm, 11"
"Ooh, 1 out, try again"
"Er... 10?"
"Other way, dear"
"12?"
"OK, great. What can I do for you today Mr. Smith?"
Summation 2
yes, but at least then you either A) have been held up/robbed in person and know you are being robbed, or B) have a person on record as the person who handled your account. Seems better to me.
Banks are protected from their mistakes by the US Federal Reserve.
Profits always get privatized, bankers' mistakes often get nationalized. The private citizen always gets stuck with bailing the banks out but gets little or no benefit from profits since these are shipped off to tax havens like Liechtenstein. Which makes it all the more gratifying when something like this happens.
Send me your login information for your bank and I'll test the security for you - let you know if your money is safe.
That's assuming that the online account isn't accessing a database with all the information in it. You might say "preposterous!!?!?!", but this whole report is about banks doing stupid things as far as security goes.
After all, it's not like when you sign up for online banking they go to the back, pull your stuff from a manila folder and say "Another one of these fellas wants to look at his stuff on the interwebs. Let's put it in the computer.".
"People who think they know everything are very annoying to those of us who do."-Mark Twain
I have my personal bank account at Scotiabank in Canada, and I have a MasterCard credit card with another company.
On my bank's website, all I need to have is my banking card number and a password, and that's about it for the security features. If I were an average user, I could easily be fooled by a forged website reproducing my bank website and asking me for personal information. Fortunately, THERE'S A WARNING ON THE FRONT PAGE, right beside the month's special promotion and the [Contact Us] link, telling me that the bank never sends an EMail with an enclosed link to their online banking website...
On the other hand, on my credit card company website, they first asked me for a security picture and a security passphrase, and they told me at first that, whatever page I'm on on their website, once I'm logged in, I should see both the picture and the security passphrase. Also, when I login, I have to use a username and a password, so someone who knows my credit card number could not know what username I have on the website, and they ask me for my home phone number or my city of residence or my mother's maiden name... And the only thing I could do on this website is to view my credit card statement, WITHOUT my credit card number nor any information that could lead to identity theft...
So I think my bank is WAY behind the market on the security technologies side, since someone could transfer all my money to another bank account and they only ask for two very simple pieces of information in order to be able to do that...
I've always thought that little bit (the "sitekey") was a worthless, useless showmanship.
Since they don't show you the picture until you put in your username, what's to prevent a man in the middle from taking your username, sending it to the REAL site, getting the REAL picture, and then showing it to you?
The big problem here is that while our funds are secured by Federal Insurance, our identities are not. And the potential for damage from ID theft is greater than the potential for loss of the little electronic digits that represent our money.
It can take years and lots of money to recover from ID theft. I am currently dealing with my sister-in-law's ID theft. She is a world traveler and spends 10 months out of the year in Africa, India, and the UK. We have signature authority on most of her stateside accounts. The problem is, she loves Internet Cafes and does her banking online.
She opened a new account in NYC before her last trip. She was in Nigeria for less than a week and we started to get alarming indications that something was wrong. Sure enough, someone got her on what was her first visit to a cafe; her new account and her old WAMU account had to be shut down before they were raided. We are now getting credit warning letters in her name and we are hoping she doesn't get stopped in some country because someone used her name for a crime. Imagine the passport issues.
The problem might not be the bank's entirely, but there are measures they can take.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
...bill collectors with wrong phone numbers.
I had one call my phone asking for someone I had never heard of. I was bored and I played along. They asked for my SSN, I told them I forgot and asked them if they could tell me what it was...they did!
So I had this random lady's name and SSN. I also told them I had a new address and gave them the white house address.
One last thing: Sometimes I wonder; "Is that someone's signature? Or do they type that at the end of each post?"
From the research paper:
By this logic, even this page would cause Chase's site to fail. Also:
But my bank (which is not Chase) uses the phrase "sign in" instead of "login". Does this mean it is more secure?
$nice = $webHosting + $domainNames + $sslCerts
Even if the banking site is secure, your average user is taking a huge risk doing banking on any PC hooked up to the internet. They just don't understand what is running on their PC. They have no good way to identify that there is malware running, or identify what the malware is doing.
Even if the site is perfect, it cannot protect you from the malware that infects many PCs.
Your viewpoint isn't so much a generation thing as a naivety thing.
Who cares if the transaction between yourself and your bank is "100% secure" and the encryption can't be broken without 1 million years of brute force attacking - if someone has installed a keylogger on your computer and now has your username, password and whatever other stuff the bank requires you to have to log in?
Then there's the fact that these systems likely aren't 100% secure - the algorithms may work perfectly, but if the design of the system (which was created by one or more flawed humans) is faulty, then you have problems. You shouldn't be so worried about your teller making a mistake counting out your money so much as you should be worried that the teller has just slipped out $150 when you asked for $100, and pocketed the $50.
which is totally what she said
You're not thinking outside your (rather small) box. The answer is to make the account harder to guess. Let users choose their own account name, and you won't be able to guess that "SamJones" is a valid account. You could try "SammyTheMan", but at least the range of possible logins has just increased by an order of magnitude. Maybe, for those users who really have no creativity and try to insist on using FirstnameLastname, the bank could require that your login be FirstnameLastnameBirthmonthBirthday. "SamJones0413" is two-and-a-half orders of magnitude harder to guess than "SamJones".
If you did want to solve the problem of account lockout, you could try this: the first time an incorrect password happens, lock the account for 0.1 seconds. For every subsequent attempt, increase the lockout time by 10. After 3 bad guesses, you'd have to wait almost 2 minutes. After four guesses: 16 minutes. Five guesses: 2+3/4 hours. Six guesses: a day and 3 hours. Seven guesses: a week and a half. Eight guesses: 3+1/2 months. So, on the one hand, if the account does get DOS'd, it's merely "relatively" DOS'd to some extent; on the other hand, if Evil Hacker really wanted to DOS the account to a great extent, then it would be inconvenient for Evil Hacker, who might actually wait 2 minutes for the fourth guess but probably won't wait 16 minutes to enter the fifth guess. The Innocent End User, checking her account at the end of the day, might not even know that it had been semi-DOS'd.
Lots of creative ways you can solve these problems. I came up with this in the time it took me to type this post. I'm sure others have more ideas.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
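The escalating-lockout scheme in the post above (0.1 s after the first wrong password, ten times longer after each further failure, reset on a successful login) implemented as an added example; this is not code from the thread or from any bank, and the tracker class, its method names and the optional `cap` on the delay are assumptions made for illustration. Attempts made while an account is locked are refused without escalating the delay, so a third party cannot push the lockout up without a correct-looking attempt window ever opening.

```python
# Added example (not from the Slashdot thread): progressive lockout after
# failed logins. Class and function names are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional


def lockout_seconds(failures: int, factor: int = 10) -> float:
    """Delay imposed after the n-th consecutive failed login.

    Worked in tenths of a second so the values are exact floats:
    1 -> 0.1 s, 2 -> 1 s, 3 -> 10 s, 4 -> 100 s, 8 -> 1,000,000 s.
    """
    if failures < 1:
        return 0.0
    return factor ** (failures - 1) / 10


@dataclass
class AccountState:
    failures: int = 0        # consecutive failures since last success
    locked_until: float = 0.0  # absolute time (seconds) the lock expires


@dataclass
class LockoutTracker:
    # Optional ceiling on the delay; limits how far the account can be
    # "relatively DOS'd" by someone feeding it bad passwords.
    cap: Optional[float] = None
    _accounts: Dict[str, AccountState] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        state = self._accounts.get(user)
        return state is not None and now < state.locked_until

    def remaining(self, user: str, now: float) -> float:
        """Seconds until the account accepts another attempt (0 if open)."""
        state = self._accounts.get(user)
        if state is None:
            return 0.0
        return max(0.0, state.locked_until - now)

    def record_failure(self, user: str, now: float) -> float:
        """Escalate the lock for this account; returns the delay applied."""
        state = self._accounts.setdefault(user, AccountState())
        state.failures += 1
        delay = lockout_seconds(state.failures)
        if self.cap is not None:
            delay = min(delay, self.cap)
        state.locked_until = now + delay
        return delay

    def record_success(self, user: str) -> None:
        """A correct password clears the failure history."""
        self._accounts.pop(user, None)

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Gate one login attempt: 'locked', 'ok' or 'rejected'.

        A request arriving during a lock is refused but does NOT count as
        a new failure, so the schedule only advances on real attempts.
        """
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.record_success(user)
            return "ok"
        self.record_failure(user, now)
        return "rejected"


def schedule(max_failures: int) -> Dict[int, float]:
    """The post's table: failures -> seconds of lockout."""
    return {n: lockout_seconds(n) for n in range(1, max_failures + 1)}


if __name__ == "__main__":
    # Constructed scenario: three bad guesses, then the real password.
    tracker = LockoutTracker(cap=24 * 3600)
    clock = 0.0
    for ok in (False, False, False, True):
        print(f"t={clock:8.1f}s -> {tracker.attempt('samjones', ok, clock)}")
        clock += tracker.remaining("samjones", clock) + 0.5
    for n, secs in schedule(8).items():
        print(f"{n} failures: {secs:,.1f} s")
```

The `now` parameter is passed in explicitly rather than read from the system clock so the logic can be exercised deterministically; in a real service it would be wall-clock time from the request handler, and the account table would live in shared storage rather than a process-local dict.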
Is that this study is 2 years old. If you are going to present a security review it has to be relevant, and can only be relevant if it is fairly recent. I have first hand knowledge of how many iterations a website can go through (let alone a bank's website) in that amount of time.
"My immediate reaction is 'WTF? What kind of moron doesn't make things 64-bit safe to begin with?'" - Linus
Provided you even have a choice. When I opened my bank account, I was given a pamphlet on online banking. A few days later my default username and password came in the mail.
open source modern art: laser taggi
Given how many banks employ Wish It Was Two-Factor authentication, I'm not surprised at all.
The concept of two-factor authentication is stupidly simple: Something you have, and something you know.
Somehow, banks (and credit card companies) seem to be confusing this with "two things you know" -- which actually isn't one bit more secure than "one thing you know".
The reality is, all the technology to do this right exists. It is trivial to do. But banks don't want to pay for it. (Which, in itself, is a WTF -- I'll gladly pay some extra for an RSA key auth scheme for my bank, so if the concern is that most users wouldn't notice or care, that gives you an excuse to get more money out of the ones who do. But instead, you just leave everyone somewhat less secure and more irritated than with PayPal.)
Don't thank God, thank a doctor!
I've been thinking a lot lately about ID management as a solution to these kinds of problems. Financials are only one thing that's moved onto the web—it seems health is next. As we put more and more of ourselves into The InterPipes, I think there's going to come a point when we need to actively create and manage an online identity.
The real key to good ID mgmt is not simply collecting all of your information in one place, but being able to create different personas and share those based on who you're talking to a la OpenID. There's also going to have to be the concept of a "secure" persona (or perhaps a secure area of your identity profile that can contain multiple personas). Outside this secure area, your identity can be protected in the normal way—a password linked to an email account. The secure personas, however, should be linked to a security certificate and kept using strong encryption.
The problem with this approach is that in order to be strong, the security certificate must issue you some kind of hard-to-guess information that you keep under lock and key. Lose that, and you've lost those areas of your identity—your financial accounts, health records, etc.—at least until you can prove your identity to the trustworthy third party that issued it.
All of these ideas have already been developed and are in practice in different contexts. The missing link right now is a service that collects many different levels of reliable, secure techniques and makes them feasible to manage. ID mgmt is that missing link right now.
but have you considered the following argument: shut up.