Slashdot Mirror


Most Bank Websites Are Insecure

Anonymous writes "More than three-quarters of bank Web sites have design flaws that could expose bank customers to financial loss or identity theft, according to a University of Michigan study that will be presented this week at the Symposium on Usable Security and Privacy. The study, 'Analyzing Web Sites For User-Visible Security Design Flaws,' examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders."

14 of 269 comments

  1. Surprise - really... by Anonymous Coward · · Score: 5, Informative

    It is actually a surprise; earlier the banks would just cover the damages caused. But with the current global economy it is actually a bit surprising that the banks are letting this happen.
    But then again they might not - the study is from '06 and those were different times for banks.

    1. Re:Surprise - really... by Lobster+Quadrille · · Score: 5, Interesting

      A while back I emailed my bank about several critical holes on their website. Their response: because the actual banking takes place through a third-party, the access logs that are publicly available on the site, the ability to manipulate the content of the website through javascript, the ability to alter login forms, and the ability to hijack the CMS' admin sessions are non-issues.

      I have a new bank now.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
  2. Bank logins by AvitarX · · Score: 5, Insightful

    If this report makes it any harder to login to my account I am going to have to find the publishers, and beat them.

    My current bank forced me to select 6 questions, for many of which there were no choices I knew the answer to, but that someone stealing my identity could find.

    When one of these comes up that I can't answer, I call customer service and am verified by my mother's maiden name, defeating the purpose of all the questions anyway.

    Also, my user-name is not a password, don't make me change it to one.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    1. Re:Bank logins by bondsbw · · Score: 5, Funny

      At least your username isn't your Social Security Number. I'm looking at you, Regions Bank.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  3. Surprise by MyLongNickName · · Score: 5, Interesting

    Having worked in the banking industry for nearly a decade, I was a bit skeptical. Many times we will have some security firm come in and look at our public facing web site, and come back with a list of 25-30 items that are 'security issues'. Most of them are complete crap, and maybe 1 or 2 are legitimate concerns. Management gets in a tizzy and insists that all items must be addressed, even when many items make no sense or are even counterproductive to implement.

    I skimmed the underlying study (the article itself was worthless except for the link), and some of the concerns are very valid. For example, I have NO idea why a bank wouldn't insist on using SSL for any banking transaction.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    1. Re:Surprise by TheMooose · · Score: 5, Interesting

      I worked as a web developer for scores of Credit Unions all over the US. In the last 4 years the NCUA (like the Fed for CUs) became freakishly paranoid, and like most "governing" bodies, took no time to understand buzz-words. They started implementing draconian requirements that forced the CUs, large and small, to spend great deals of money on website security. That money would have gone into members' accounts at year end. While working for the CUs, I found that the most damaging attacks were often nothing the NCUA could have dreamed of. They worried about open ports and front page extensions while the Chinese and Russian hackers focused on SQL injection and Cross-site scripting (XSS). In one case I was involved with, the attackers were able to compromise a content management system via SQL injection and dynamically change the links to home banking for dozens of CUs. My advice for these banks and credit unions would be to have their websites and underlying systems audited, if not code reviewed, by a well-seasoned team of professionals and to not rely on the scanning services unless they just want a warm fuzzy feeling.
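The CMS attack TheMooose describes (SQL injection that rewrites the home-banking link for many credit unions at once) is worth seeing beside its fix. The following is an added example, not the thread's or any real CMS's code: a hypothetical `hb_links` table with one row per credit union, an editor endpoint that is supposed to update only the caller's own row, and the same endpoint with a parameterised query and input checks. The table, the names and the attacker's look-alike host are all constructed for the demo.

```python
# Added example (not code from the thread, the NCUA, or any real credit union
# CMS): a hypothetical CMS table of home-banking links, one row per credit
# union, with an editor that should only ever touch the caller's own row.
import sqlite3


def _fresh_db():
    """Constructed sample data: an in-memory CMS table with three CUs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hb_links (cu_id INTEGER PRIMARY KEY, cu_name TEXT, url TEXT)")
    db.executemany(
        "INSERT INTO hb_links VALUES (?, ?, ?)",
        [
            (1, "Alpha CU", "https://hb.alpha.example/login"),
            (2, "Beta CU", "https://hb.beta.example/login"),
            (3, "Gamma CU", "https://hb.gamma.example/login"),
        ],
    )
    return db


def update_link_vulnerable(db, cu_id, url):
    """String-built UPDATE: both request fields land inside the SQL text."""
    db.execute("UPDATE hb_links SET url = '%s' WHERE cu_id = %s" % (url, cu_id))


def update_link_safe(db, cu_id, url):
    """Parameterised UPDATE, plus server-side checks on the values themselves."""
    cu_id = int(cu_id)                       # "1 OR 1=1" raises ValueError here
    if not url.startswith("https://"):       # home-banking links must be https
        raise ValueError("home banking link must use https://")
    db.execute("UPDATE hb_links SET url = ? WHERE cu_id = ?", (url, cu_id))


def all_links(db):
    """Map cu_id -> url, for inspecting the table after each update."""
    return dict(db.execute("SELECT cu_id, url FROM hb_links ORDER BY cu_id"))


def demo():
    """Attacker controls the cu_id field of the edit form (e.g. a hidden input)
    and supplies a look-alike host as the new link."""
    evil_id = "1 OR 1=1"
    phish = "http://hb-secure-login.example/"   # constructed attacker host

    vuln = _fresh_db()
    update_link_vulnerable(vuln, evil_id, phish)
    after_vuln = all_links(vuln)               # every CU now points at phish

    safe = _fresh_db()
    try:
        update_link_safe(safe, evil_id, phish)
        rejected = False
    except ValueError:
        rejected = True
    after_safe = all_links(safe)               # table untouched
    return after_vuln, after_safe, rejected


if __name__ == "__main__":
    after_vuln, after_safe, rejected = demo()
    print("vulnerable:", after_vuln)
    print("safe:", after_safe, "request rejected:", rejected)
```

The parameter binding is what stops the `OR 1=1` from reaching the query planner; the `int()` conversion and the `https://` check are the kind of server-side validation a code review catches and a port scanner never will, which is the comment's point about scanning services.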

  4. location, location, location by SimonGhent · · Score: 5, Funny

    It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders

    and was filed from a Caribbean island.

    --
    simon
  5. Re:The Solution... by maxume · · Score: 5, Funny

    The physical bank location isn't 100% secure either.

    --
    Nerd rage is the funniest rage.
  6. Kudos goes to my bank then by Rogerborg · · Score: 5, Interesting

    Since if I enter my username (composed from my real name) and an incorrect password three times, it locks me out.

    I say "my" username, but if I enter any username - easily deducible by composing any two first and last names - and an incorrect password three times... that account gets locked out.

    I'm sure that nobody with malice aforethought, a dictionary of names, and a frisky Perl script will ever feel the urge to increase every customer's security by having them locked out.

    --
    If you were blocking sigs, you wouldn't have to read this.
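Rogerborg's bank turns its lockout into a denial of service: anyone who can guess usernames can lock every customer out. The following is an added example, not the thread's or any bank's code, that simulates that attack against two policies: a hard lock after three failures on the username alone, and a throttle keyed on (source, username) with exponential backoff that slows the stranger down without ever locking the account owner out. The user store, the IP addresses and the timeline are constructed for the demo; a real deployment would also add global rate limits, since per-source throttling alone does not stop a botnet.

```python
# Added example (not from the thread or any bank): two lockout policies
# simulated against the attack the comment describes, an attacker who guesses
# a username and submits wrong passwords for it until the account locks.
import hashlib
import hmac

# Constructed user store for the demo. Real systems use a per-user random
# salt and a slow KDF; the fixed salt here only keeps the example short.
_SALT = b"demo-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


_USERS = {"johnsmith": _hash("correct horse")}


def _check_password(username, password):
    stored = _USERS.get(username)
    candidate = _hash(password)   # hash even for unknown names (timing)
    return stored is not None and hmac.compare_digest(stored, candidate)


class NaiveLockout:
    """Hard-lock the account after three failures, whoever caused them."""

    def __init__(self):
        self.failures = {}        # username -> consecutive failures
        self.locked = set()

    def attempt(self, username, password, source_ip, now):
        if username in self.locked:
            return "locked"
        if _check_password(username, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= 3:
            self.locked.add(username)
        return "bad_password"


class SourceThrottle:
    """Throttle by (source, username) with exponential backoff; never hard-lock.

    A stranger's failures delay the stranger, not the account owner.
    """

    def __init__(self):
        self.failures = {}        # (source_ip, username) -> consecutive failures
        self.retry_after = {}     # (source_ip, username) -> earliest next attempt

    def attempt(self, username, password, source_ip, now):
        key = (source_ip, username)
        if now < self.retry_after.get(key, 0):
            return "throttled"
        if _check_password(username, password):
            self.failures.pop(key, None)
            self.retry_after.pop(key, None)
            return "ok"
        n = self.failures.get(key, 0) + 1
        self.failures[key] = n
        self.retry_after[key] = now + min(2 ** n, 3600)   # 2s, 4s, 8s ... capped at 1h
        return "bad_password"


def simulate(policy):
    """Constructed timeline (seconds): the attacker burns three guesses on the
    victim's username, tries a fourth, then the real owner logs in from home."""
    attacker, owner = "198.51.100.7", "203.0.113.9"
    results = []
    for i, t in enumerate((0, 10, 20)):
        results.append(policy.attempt("johnsmith", f"guess{i}", attacker, now=t))
    results.append(policy.attempt("johnsmith", "guess3", attacker, now=21))
    results.append(policy.attempt("johnsmith", "correct horse", owner, now=30))
    return results


if __name__ == "__main__":
    print("naive:   ", simulate(NaiveLockout()))
    print("throttle:", simulate(SourceThrottle()))
```

Under the naive policy the owner's correct password at the end returns "locked"; under the throttle it returns "ok" while the attacker's fourth guess is the one that gets refused.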
  7. Security questions by Rik+Sweeney · · Score: 5, Funny

    I had to call my ISP the other day (Virgin Media, because they're thieving, lying cheats), and had to go through the usual name, address and phone number. Then they asked me for my security password. I gave the wrong answer and the lady on the other end of the phone said the following:

    "It's usually your mother's maiden name"

    What the fuck?! Are you kidding me?! That's secure isn't it, giving me hints!

    "What's your house number?"
    "Erm, 11"
    "Ooh, 1 out, try again"
    "Er... 10?"
    "Other way, dear"
    "12?"
    "OK, great. What can I do for you today Mr. Smith?"

  8. Profit... by Anonymous Coward · · Score: 5, Interesting

    Banks are protected from their mistakes by the US Federal Reserve.

    Profits always get privatized, bankers' mistakes often get nationalized. The private citizen always gets stuck with bailing the banks out but gets little or no benefit from the profits, since these are shipped off to tax havens like Liechtenstein. Which makes it all the more gratifying when something like this happens.

  9. Re:Fortunately, in the US... by mea37 · · Score: 5, Informative

    1) I believe that would be the lesser of their account balance or $100,000
    2) It looks like GP said the institution is protected, not the customer

  10. that reminds me of... by postermmxvicom · · Score: 5, Funny

    ...bill collectors with wrong phone numbers.

    I had one call my phone asking for someone I had never heard of. I was bored and I played along. They asked for my SSN, I told them I forgot and asked them if they could tell me what it was...they did!

    So I had this random lady's name and SSN. I also told them I had a new address and gave them the white house address.

    --
    One last thing: Sometimes I wonder; "Is that someone's signature? Or do they type that at the end of each post?"
  11. Re:The Big Problem by somersault · · Score: 5, Insightful

    In that case I don't see how it was the bank's fault in any way.. using an internet café for banking (in Nigeria of all places, famous for 419 scams..) doesn't strike me as the best idea in the world. Even if the keyboards are glued in so that people can't attach keyloggers and whatnot, someone could have set up a mini camera, or perhaps the owner of the café has installed monitoring software that allows him to record everything.. she'd be better off with a WiFi-enabled PDA or something at least?

    --
    which is totally what she said