Most Bank Websites Are Insecure

Anonymous writes "More than three-quarters of bank Web sites have design flaws that could expose bank customers to financial loss or identity theft, according to a University of Michigan study that will be presented this week at the Symposium on Usable Security and Privacy. The study, 'Analyzing Web Sites For User-Visible Security Design Flaws,' examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders."

Surprise - really...

It is actually a surprise, earlier the banks would just cover the damages caused. But with the current global economy it is actually a bit surprising that the banks are letting this happen.
But then again they might not - the study is from 06 and those were diffent times for banks.

Re:Surprise - really...

[Lobster+Quadrille]

A while back I emailed my bank about several critical holes on their website. Their response: because the actual banking takes place through a third-party, the access logs that are publicly available on the site, the ability to manipulate the content of the website through javascript, the ability to alter login forms, and the ability to hijack the CMS' admin sessions are non-issues.

I have a new bank now.

Fortunately, in the US...

[Dystopian+Rebel]

Banks are protected from their mistakes by the US Federal Reserve.

Re:Fortunately, in the US...

[bondsbw]

Banks are protected from their mistakes by the US Federal Reserve.

Consumers (or lenders, technically) are covered up to the greater of their account balance or $100,000, but identity theft is far from protected.

Re:Fortunately, in the US...

[mea37]

1) I believe that would be the lesser of their account balance or $100,000
2) It looks like GP said the institution is protected, not the customer

Bank logins

[AvitarX]

If this report makes it any harder to login to my account I am going to have to find the publishers, and beat them.

My current bank forced me to select 6 questions, many of which there were no choices I knew the answer to, but that someone stealing my identity could find.

When one of these comes up that I can't answer I call the customer service, and am verified by my mothers maiden name. Defeating the purpose of all the questions anyway.

Also, my user-name is not a password, don't make me change it to one.

Re:Bank logins

[bondsbw]

At least your username isn't your Social Security Number. I'm looking at you, Regions Bank.

Re:Bank logins

[SatanicPuppy]

That makes me absolutely apeshit; do NOT force me to choose one of your crappy questions! Let me write my own question, and my own answer.

Whenever I get to write my own question, the question is always a mnemonic for a password...Secure, and easy to remember, since the question implies the answer uniquely, and you don't get any "Did I abbreviate my hometown name in the 'What was the name of your high school question?'" problems.

The thing I do if they force the question, is use a stock response for all questions of that type, which is, itself, password like. E.g my first pet was: Wc@e%rddt^y, whereas my first car was" L!kj%nb^

Re:Bank logins

[notthepainter]

whereas my first car was" L!kj%nb^

Wasn't that a great car? Mine got great mileage. Finicky carb but at least it was easy to rebuild.

Re:Bank logins

[CastrTroy]

I use random password like strings for the answers to those questions also. It's too easy for just about anybody who knows me to guess the correct answers to those questions. You don't even have to know me, you can just check out my facebook profile. My first highschool is obvious, because there is only 1 in my hometown.

Surprise

[MyLongNickName]

Having worked in the banking industry for nearly a decade, I was a bit skeptical. Many times we will have some security firm come in and look at our public facing web site, and come back with a list of 25-30 items that are 'security issues'. Most of them are complete crap, and maybe 1 or 2 are legitimate concerns. Management gets in a tizzy and insists that all items must be addressed, even when many items make no sense or are even counterproductive to implement.

I skimmed the underlying study (the article itself was worthless except for the link), and some of the concerns are very valid. For example, I have NO idea why a bank wouldn't insist on using SSL for any banking transaction.

Re:Surprise

[TheMooose]

I worked as a web developer for scores of Credit Unions all over the US. In the last 4 years the NCUA (like the fed for CUs) became freakishly paranoid, and like most "governing" bodies, took no time to understand buzz-words. They started implementing draconian requirements that forced the CUs, large and small, to spend great deals of money on website security. That money would have gone into members' accounts at year end. While working for the CUs, I found that the most damaging attacks were often nothing the NCUA could have dreamed of. They worried about open ports and front page extensions while the Chinese and Russian hackers focused on SQL injection and Cross-site scripting (XSS). In one case I was involved with, the attackers were able to compromise a content management system via SQL injection and dynamically change the links to home banking for dozens of CUs. My advice is for these banks and credit unions would be to have their websites and underlying systems audited, if not code reviewed, by a well seasoned team of professionals and to not rely on the scanning services unless they just want a warm fuzzy feeling.

location, location, location

[SimonGhent]

It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders

and was filed from a Caribbean island.

Re:The Solution...

[maxume]

The physical bank location isn't 100% secure either.

Kudos goes to my bank then

[Rogerborg]

Since if I enter my username (composed from my real name) and an incorrect password three times, it locks me out.

I say "my" username, but if I enter any username - easily deductible by composing any two first and last names - and an incorrect password three times... that account gets locked out.

I'm sure that nobody with malice aforethought, a dictionary of names, and a frisky Perl script will ever feel the urge to increase every customers' security by having them locked out.

Re:Kudos goes to my bank then

[Jesus_666]

Which is one reason why smartcard-based systems rock. If homebanking access to the account is only possible via the smartcard nobody can perform such an attack on your account without having access to the card. If the attacker does get hold of your card you're still protected by a password and you can go to the bank and have your homebanking card locked (note: The homebanking card should always be separate from any ther cards your bank issues).

And it's not like it's that difficult to do; PC/SC and CTAPI are well understood and implemented in all major OSes. Germany has a well-established smartcard standard for homebanking (HBCI aka FinTS) and there are clients for every major OS, even Linux (via a Gnucash plugin). It's certainly doable.

Security questions

[Rik+Sweeney]

I had to call my ISP the other day (Virgin Media, because they're thieving, lying cheats), and had to go through the usual name, address and phone number. Then they asked me for my security password. I gave the wrong answer and the lady on the other end of the phone said the following:

"It's usually your mother's maiden name"

What the fuck?! Are you kidding me?! That's secure isn't it, giving me hints!

"What's your house number?"
"Erm, 11"
"Ooh, 1 out, try again"
"Er... 10?"
"Other way, dear"
"12?"
"OK, great. What can I do for you today Mr. Smith?"

Re:Security questions

[houghi]

I once had to cash a check at the post office. I got about 25-30 retries before they were satisfied that the signature was actualy the same as the one they had to verify against. They even held it up against the glass, so I could copy it.

Once my school said that I falsified my dads signature and they needed confirmation, so I took it home and came back with the same signature on it. The fact that they were two real ones or two fake ones they had no idea of knowing.

People unfortunatly have most of the time no real perception about security. They see it as a hinder

Profit...

Banks are protected from their mistakes by the US Federal Reserve.

Profits always get privatized, banker's mistakes often get nationalized. The private citizen always gets stuck with bailing the banks out but gets little or no benefit from profits since these shipped of to tax havens like Lichtenstein. Which makes it all the more gratifying when something like this happens.

Re:The Solution...

[MBGMorden]

That's assuming that the online account isn't accessing a database with all the information in it. You might say "preposterous!!?!?!", but this whole report is about banks doing stupid things as far as security goes.

Afterall, it's not like when you sign up for online banking they go to the back, pull your stuff from a manila folder and say "Another one of these fellas wants to look at his stuff on the interwebs. Lets put it in the computer.".

The Big Problem

[WED+Fan]

The big problem here is that while our funds are secured by Federal Insurance, our identities are not. And the potential for damage from ID theft are greater than the potential for loss of the little electronic digits that represent our money.

It can take years and lots of money to recover from ID theft. I am currently dealing with my sister-in-law's ID theft. She is a world traveler and spends 10 months out of the year in Africa, India, and the UK. We have signature authority on most of her stateside accounts. The problem is, she loves Internet Cafes and does her banking online.

She opened a new account in NYC before her last trip. She was in Nigeria for less than a week and we started to get alarming indications that something was wrong. Sure enough, some got her on what was her first visit to an cafe, her new account and her old WAMU account had to be shut down before it was raided. We are now getting credit warning letters in her name and we are hoping she doesn't get stopped in some country because someone used her name for a crime. Imagine the passport issues.

The problem might not be the bank's entirely, but there are measures they can take.

Re:The Big Problem

[somersault]

In that case I don't see how it was the bank's fault in any way.. using an internet café for banking (in Nigeria of all places, famous for 419 scams..) doesn't strike me as the best idea in the world. Even if the keyboards are glued in so that people can't attach keyloggers and whatnot, someone could have setup a mini camera, or perhaps the owner of the café has installed monitoring software that allows him to record everything.. she'd be better off with a WiFi enabled PDA or something at least?

Re:The Big Problem

[dgatwood]

They could have made it several orders of magnitude harder by adding two-factor authentication with a SecurID or CryptoCard style of physical token. At that point, the only way to commit real identity theft (as opposed to simply being able to see the partial account numbers (your bank does only list part of the account numbers, right?) shown on the screen) would be to inject a man-in-the-middle proxy that was configured for your particular bank with detection and interception of the logout click and returning a bogus "you have logged out" page, then transferring control over the session immediately to a human operator to work with it further. While such sophisticated attacks are possible, they are much less trivial, and thus much less likely.

I find it utterly hilarious that my webmail at work is orders of magnitude more secure than online banking. Instead of fixing the problem of authentication, the banks would rather come up with more and more absurd "solutions" like making your passwords impossible to remember (and incompatible with passwords from other online banking sites due to different rules) so you have to write them down, then setting up lists of security questions for the inevitable forgotten password. I mean jeez, a CryptoCard token is what, $70 in quantities? They probably spend close to that for each user every year just because of the extra customer support overhead of their draconian password schemes....

Re:The Big Problem

[dgatwood]

What forms of 2 factor authentication would you propose for a public computer btw? Some kind of USB dongle or something? What if the cafe didn't allow those? The risk might be reduced with a 2 factor system, but I still think it's better to avoid banking on a public terminal.

Factor 1: pin number. This is something you know. Usually 4 digits, but may be arbitrary. Probability of guessing: 1/ 10^k where k is the number of digits. If digit count is variable, this makes it even more fun since 0004 and 4 are then different values.

Factor 2: CryptoCard token or similar. You push a button and it gives you the next number in a pseudorandom sequence that was pre-seeded. The computer on the other end knows the next few numbers in the sequence (the exact number probably varies depending on configuration) and if the number you enter isn't one of those, it rejects the login attempt. No number can be used twice. Probability of a successful guess: about 1 / 50,000 - 1/200,000, depending on the bank's level of paranoia about skipping numbers without a resync. :-)

Total probability: 1 / 500,000,000 - 1/2,000,000,000 depending on paranoia level for number skipping and assuming a 4 digit PIN....

Even better, I think the resync process is also basically protected against identity theft unless you have the pin number, since you can't substitute a different token and get two numbers in a sequence that would be valid for the original token, IIRC, and the resync doesn't buy you anything other than a few more tries to guess the PIN number.

that reminds me of...

[postermmxvicom]

...bill collectors with wrong phone numbers.

I had one call my phone asking for someone I had never heard of. I was bored and I played along. They asked for my SSN, I told them I forgot and asked them if they could tell me what it was...they did!

So I had this random lady's name and SSN. I also told them I had a new address and gave them the white house address.

Re:The Solution...

[somersault]

Your viewpoint isn't so much as a generation thing as a naivety thing.

Who cares if the transaction between yourself and your bank is "100% secure" and the encryption can't be broken without 1 million years of brute force attacking - if someone has installed a keylogger on your computer and now has your username, password and whatever other stuff the bank requires you to have to log in?

Then there's the fact that these systems likely aren't 100% secure - the algorithms may work perfectly, but if the design of the system (which was created by one or more flawed humans) is faulty, then you have problems. You shouldn't be so worried about your teller making a mistake counting out your money so much as you should be worried that the teller has just slipped out $150 when you asked for $100, and pocketed the $50.

How to prevent DOS'ing an account

[KWTm]

if I enter my username (composed from my real name) and an incorrect password three times, it locks me out.

I say "my" username, but if I enter any username - easily deductible by composing any two first and last names - and an incorrect password three times... that account gets locked out.

I don't know of any way to deal with this problem. NOT having an account lockout means someone can brute-force a password. Having an account lockout means someone can DOS the account.

You're not thinking outside your (rather small) box. The answer is to make the account harder to guess. Let users choose their own account name, and you won't be able to guess that "SamJones" is a valid account. You could try "SammyTheMan", but at least the range of possible logins has just increased by an order of magnitude. Maybe, for those users who really have no creativity and try to insist on using FirstnameLastname, the bank could require that your login be FirstnameLastnameBirthmonthBirthday. "SamJones0413" is two-and-a-half orders of magnitude harder to guess than "SamJones".

If you did want to solve the problem of account lockout, you could try this: the first time an incorrect password happens, lock the account for 0.1 seconds. For every subsequent attempt, increase the lockout time by 10. After 3 bad guesses, you'd have to wait almost 2 minutes. After four guesses: 16 minutes. Five guesses: 2+3/4 hours. Six guesses: a day and 3 hours. Seven guesses: a week and a half. Eight guesses: 3+1/2 months. So, on the one hand, if the account does get DOS'd, it's merely "relatively" DOS'd to some extent; on the other hand, if Evil Hacker really wanted to DOS the account to a great extent, then it would be inconvenient for Evil Hacker, who might actually wait 2 minutes for the fourth guess but probably won't wait 16 minutes to enter the fifth guess. The Innocent End User, checking her account at the end of the day, might not even know that it had been semi-DOS'd.

Lots of creative ways you can solve these problems. I came up with this in the time it took me to type this post. I'm sure others have more ideas.