Slashdot Mirror


65 Percent of Major US Banks Have Failed Web Security Testing, Says Report (ibsintelligence.com)

According to IBS Intelligence, websites run by some of the largest banks in the U.S. have scored the poorest in a new security and privacy analysis audit. "The non-profit Online Trust Alliance (OTA) anonymously audited more than 1,000 websites, ranking their security and privacy practices," reports IBS Intelligence. "None of the sites investigated knew about the test." From the report: In the firm's Online Trust Audit & Honor Roll for 2017 many U.S. banks were among the worst for security and privacy. The industry had both the most failing grades and the least "Honor Roll" recipients. For firms to receive the Honor Roll award, they must achieve an overall score of 80% or higher across three categories: consumer protection, security and privacy. A failure in any of the three squashes its chance entirely. Look away now if you're a U.S. banking customer, as only 27% of the 100 largest banks in the country made the grade. The figure represents a 28% drop from 2016. According to the OTA, the sector had been showing signs of improvement. Yet, due to "increased breaches, low privacy scores and low levels of email authentication," things have slipped. Large banks were found to have moderately good website security (17% of failures) but dropped the ball when it came to their email security (45%) and privacy (34%).

25 comments

  1. only 65%? by turkeydance · · Score: 2, Interesting

    IBS Intelligence has some explaining to do.

    1. Re:only 65%? by freeze128 · · Score: 1

      I know, right? I would rather have the raw numbers instead of percentages, but it seems that the report is intent on masking the raw data.

    2. Re: only 65%? by dougdonovan · · Score: 1

      Trump just got into office. Give him time and he will meet with bank officers.

  2. Good security is expensive b/c customers are dumb by Anonymous Coward · · Score: 4, Interesting

    I've worked on several websites that handle PII, including sites for major banks and government agencies. Implementing proper security for your average consumer is expensive. Not to implement but to support. Users will constantly forget their passwords, lose access to 2FA, lock themselves out and generally "better idiot" your idiot proof system. You have to have a call center to support this and that costs money. If you don't, people will b*tch about your terrible customer support, when the company/agency is really trying their best to protect them. So a lot of companies just say f**k it and dumb it down.
     
    And for some reason this seems to be unique to the US. My wife is from Asia and most banks there (as well as in Europe it seems?) require 2FA systems like challenge response and customers have zero problems with it. My wife's bank provides her with a card that has challenge-response codes that she has to use when she logs in. She's not technically inclined at all, has zero problems using it and understands that if she loses it she can't log in until she gets a new one and that it's her fault and not the bank's. I know that if I even suggested that on most of the projects I've worked on in the US, they'd think I was joking or crazy.

  3. Re:Good security is expensive b/c customers are du by Bert64 · · Score: 1, Insightful

    The difference is that the US was generally the first to implement a lot of things like online banking etc, and those initial systems used fairly simplistic security with just usernames and passwords so people have gotten used to them and don't want to change anything.
    In other countries, the online banking implementations have often had 2fa from the start so that's all the users have ever known.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  4. Re:Good security is expensive, period. by Tony+Isaac · · Score: 1

    Physical security is relatively inexpensive because people are always watching. If somebody starts sneaking around my neighborhood kicking in doors, it won't be long before neighbors call the police.

    Now, imagine that these hoodlums had an invisibility cloak. The story would be much different. Our "safe" neighborhoods would be under much greater threat, because the bad guys would know they have little chance of being caught.

    The Internet is a lot like this scenario. Thieves and black-hat hackers can sneak around with very little chance of being detected, let alone getting caught or arrested. Until we find a way to make people's activities on the Internet more visible, good security is going to continue to be expensive.

  5. Re:Good security is expensive, period. by 93+Escort+Wagon · · Score: 1

    Now, imagine that these hoodlums had an invisibility cloak.

    Or a Marauder's Map.

    --
    #DeleteChrome
  6. What does that even mean? by Anonymous Coward · · Score: 1

    "Failed web security testing." In what sense? Does it mean someone can hack in and steal all my money? Does it mean they implement a slightly weaker version of some cryptographic protocol that nobody can break?

    I'm sorry but "failed web security" is an arbitrary meaningless statement. It doesn't convey anything about what the risk to customers is.

    1. Re:What does that even mean? by Hentes · · Score: 1

      The link is on the front page, I'm pretty sure it took less time to find than for you to type all that drivel.

  7. Total Scam by ytene · · Score: 2

    First and most obvious point... there is no legal distinction between "an anonymous scan" and a "hack". If the Online Trust Alliance scanned the cyber defenses of any other institution without knowledge or permission, then they broke the law.

    Secondly, as I'm regularly told by a friend of mine who works for a Wall Street bank, there has recently been a pattern of "shake down" attempts on major institutions for which on-line security is a matter of reputational importance. What happens is that a company or organisation produces a "report" which shows the company in a poor light, then provides the company or organisation with a high level summary of said report, showing some pretty critical/damning language. The company or organisation is invited to purchase a full copy of the report, ahead of publication, so that they have time to "fix the vulnerabilities" identified.

    The thing is, there is every chance that the OTA actually means well and/or has done useful work.

    But the bottom line is that if the OTA acted without the knowledge *and* permission of those they "scanned", then they broke the Computer Fraud and Abuse Act.

    1. Re:Total Scam by Anonymous Coward · · Score: 0

      Just using any bank site, security issues tend to be pretty obvious. 2FA is pretty rare. Password resets are pretty easy. Just using an account normally you can tell those things and others.

    2. Re:Total Scam by Wraithlyn · · Score: 1

      there is no legal distinction between "an anonymous scan" and a "hack"

      Can you provide a source for this? Or an example of someone being prosecuted (and convicted of a crime) solely for port scanning with no malicious intent?

      From what I can see, it's something of a grey area and intent matters.

      This page says "no United States federal laws explicitly criminalize port scanning".

      --
      "Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
    3. Re:Total Scam by ytene · · Score: 1

      Can I provide a source? Well, sort of. I am not a lawyer. If you are contemplating accessing a computer system [for example performing a port scan] without prior permission, then I would encourage you to discuss your plans with a lawyer if it is reasonable to assume the owner of the computer might take issue with your actions.

      If you read the provisions of the [UK] Computer Misuse Act (1990), see here:

      http://www.legislation.gov.uk/...

      or the [US] Computer Fraud and Abuse Act, here:-

      https://en.wikipedia.org/wiki/...

      you will note that both laws contain provisions which discuss whether or not your access to that computer system is authorised. The moment that your access is "not authorised" you become vulnerable to all the other provisions of those laws. Whilst these two laws are necessarily different, both of them include clear provision to show that unauthorised access to a computer system brings the actor in scope of the law.

      Although I can't find it for you now, I do recall one particular case [and I might be going back 20 years or so] where a hacker was charged with "theft of electricity", because the prosecution in a case were unable to show that the individual had performed harm. Faced with the potential situation in which the accused would be released because the prosecution could not show harm, they evidenced from the transfer log that the individual had received a significant block of data, which had required electricity to transmit to the waiting computer. The Crown argued that because the access was not authorised, the owner of the resource had not given permission for the accused to receive this electrical output. The case then became one which hinged on theft. I appreciate that this is a bit of a journey from where we started, but I wanted to illustrate the ease with which a prosecutor can find *something* that was done that can be construed as a crime, then work from there.

      It's a saddening example to quote, but look at what happened to Aaron Swartz: he downloaded public documents from a public university, but the DA wanted to throw the book at him - and did so. In Aaron's case, Federal prosecutors charged him with 11 violations of the Computer Fraud and Abuse Act... for accessing public materials...

  8. Re:Good security is expensive b/c customers are du by Anonymous Coward · · Score: 0

    wtf? No, the US has always been well behind the curve in things like online banking, credit card PINs and chips etc etc, and no, the banking in other countries did not have 2FA from the start; this was something they saw the light for years ago and introduced to old online banking systems that have existed for a long time. As someone with accounts in several countries I can honestly tell you the US was the LAST to provide me with basic online facilities.

  9. Banks are businesses by ckatko · · Score: 0

    And businesses all have no perception of, or value in, security.

    News at 11.

    Everyone who has ever contracted IT completely unsurprised.

    1. Re: Banks are businesses by Anonymous Coward · · Score: 0

      Guess it depends on which businesses you are talking about? Security was always high on the list as was DR for companies I worked for including GTE wireless and a bank. YMMV

  10. Which were worst? by Hognoxious · · Score: 2

    Which were worst? Ummm, I'd just like to make sure my money's safe, that's all.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  11. 2FA by DrYak · · Score: 1

    My wife is from Asia and most banks there (as well as in Europe it seems?) require 2FA systems like challenge response and customers have zero problems with it. My wife's bank provides her with a card that has challenge-response codes that she has to use when she logs in.

    European here.

    Most banks have moved beyond pre-printed cards for more security.
    Now users are issued a PKI card (a physical one with a dedicated pocket-calculator-like terminal, or one with electronics directly on the card, or a virtual one in a smartphone app).

    To log in, and to confirm security points, the user is asked to sign some pieces of data
    (either typing it on the terminal or on the built-in electronics,
    or even using some optical exchange with the screen (barcodes, QR codes) and confirming it on the device/app display).

    i.e.: the transmission could be completely MitM-ed and you still get a secure transaction thanks to the 2FA.
    (e.g.: the signature that your terminal or app generates is for the account number you intend to send money to.
    Even if a MitM attacker changes the account number behind the scenes (you ask to send money to account AbC, but the attacker re-forges the request to the bank to send money to their own account XyZ instead), the security token you send (or the security message you get on the screen) won't match the forged account number, but the original one.)

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
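
The transaction-binding described in the comment above, as an added example that is not part of the original thread or any bank's actual implementation. It simulates the signing device with an HMAC over a one-time challenge plus the destination account and amount (real cards use a per-card key and a short numeric code; the 32-byte key, the 8-digit code and the "alice"/AbC/XyZ names are constructed for the example). The contrast case, a code bound only to the login challenge, shows why the destination account has to be part of what the device signs.

```python
"""Simulated transaction signing: the customer-held device signs the transfer
details it displays, so a man-in-the-middle who rewrites the destination
account cannot produce a code the bank will accept. Constructed example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    to_account: str
    amount_cents: int


def _canonical(challenge: str, transfer: Transfer) -> bytes:
    # Fixed, unambiguous encoding computed identically by device and bank.
    return f"{challenge}|{transfer.to_account}|{transfer.amount_cents}".encode()


def _code(key: bytes, message: bytes, digits: int = 8) -> str:
    # Truncated HMAC rendered as a short decimal code the user can type.
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(tag[:8], "big") % 10**digits).zfill(digits)


class SigningDevice:
    """The card/terminal/app: holds the per-customer key (assumed shared at
    enrolment) and shows the transfer it is about to sign before the user approves."""

    def __init__(self, key: bytes):
        self._key = key

    def sign_transfer(self, challenge: str, transfer: Transfer) -> str:
        # The code covers exactly the to_account/amount the user saw on the device.
        return _code(self._key, _canonical(challenge, transfer))

    def sign_login(self, challenge: str) -> str:
        # Weaker mode: code bound only to the challenge, not to any transaction.
        return _code(self._key, challenge.encode())


class Bank:
    def __init__(self):
        self._keys = {}
        self._challenges = {}

    def enroll(self, customer: str) -> SigningDevice:
        key = secrets.token_bytes(32)
        self._keys[customer] = key
        return SigningDevice(key)

    def challenge(self, customer: str) -> str:
        # One-time nonce, consumed on first use so a code cannot be replayed.
        c = secrets.token_hex(4)
        self._challenges[customer] = c
        return c

    def submit_signed(self, customer: str, transfer: Transfer, code: str) -> bool:
        """Transaction-bound check: recompute over what the bank actually received."""
        c = self._challenges.pop(customer, None)
        if c is None:
            return False
        expected = _code(self._keys[customer], _canonical(c, transfer))
        return hmac.compare_digest(expected, code)

    def submit_login_only(self, customer: str, transfer: Transfer, code: str) -> bool:
        """Login-only check: the code proves possession of the device, nothing more."""
        c = self._challenges.pop(customer, None)
        if c is None:
            return False
        expected = _code(self._keys[customer], c.encode())
        return hmac.compare_digest(expected, code)


INTENDED = Transfer(to_account="AbC", amount_cents=10_000)
FORGED = Transfer(to_account="XyZ", amount_cents=10_000)  # what the MitM substitutes


def honest_transfer() -> bool:
    bank = Bank()
    device = bank.enroll("alice")
    c = bank.challenge("alice")
    return bank.submit_signed("alice", INTENDED, device.sign_transfer(c, INTENDED))


def mitm_against_transaction_signing() -> bool:
    """Attacker rewrites the request in transit; the code was computed over INTENDED."""
    bank = Bank()
    device = bank.enroll("alice")
    c = bank.challenge("alice")
    code = device.sign_transfer(c, INTENDED)          # user approved AbC on the device
    return bank.submit_signed("alice", FORGED, code)  # bank sees XyZ: mismatch, rejected


def mitm_against_login_only_code() -> bool:
    """Same attack when the second factor is not bound to the transaction."""
    bank = Bank()
    device = bank.enroll("alice")
    c = bank.challenge("alice")
    code = device.sign_login(c)
    return bank.submit_login_only("alice", FORGED, code)  # accepted: attack succeeds


def replayed_code() -> bool:
    """A captured code cannot be submitted twice: the challenge is consumed."""
    bank = Bank()
    device = bank.enroll("alice")
    c = bank.challenge("alice")
    code = device.sign_transfer(c, INTENDED)
    bank.submit_signed("alice", INTENDED, code)         # first use succeeds
    return bank.submit_signed("alice", INTENDED, code)  # second use rejected
```

The property that matters is the one `_canonical` encodes: whatever the device displays and the user approves is exactly what the bank recomputes the code over, so a browser or proxy that alters the recipient after the fact changes the bank-side message and the code no longer verifies. The constant-time `compare_digest` and the single-use challenge are the two checks a real verifier must not skip; the short decimal code is only safe alongside a per-challenge attempt limit, which this simulation leaves out.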
  12. Security isn't why they failed. by Anonymous Coward · · Score: 0

    Their main failing was in their intentional sharing of data. It's the privacy policy and consumer protections that disqualified them, not web security. The things the banks wanted to guard were sufficiently guarded. The things they wanted to sell were not.

  13. invalid certificates by jerry-VA · · Score: 0

    They turned off our online banking access "because someone in Greensboro VA is trying to guess your password". Can't be too careful.
    We go to the bank, they reestablish access , we change password, go home.
    Can't log on, the SSL certificate for log-on page is invalid. Try two browsers on three operating systems, send browser "bad-certificate" messages to bank, please fix, can't log on.
    BANK: 1. We fixed it in my office, you can log on at home. 2. If not, it's your problem, go to our help page. 3. That error text you sent "is martian to me."
    No training in security, and this is the VP Branch Mgr.
    Sent the letter to corporate headquarters, please fix your security certificates. Meanwhile,
    bought $200 in stamps (extras for the pretty ones), have lots of envelopes, to hell with relying on an institution of this caliber for online bill-paying.

    --
    Many are destined 2reason wrongly; others, not 2reason at all; and others, to persecute those who do reason. Voltaire
  14. Re:Good security is expensive b/c customers are du by fluffernutter · · Score: 1

    The difference is that the US was generally the greediest.

    FIFY

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  15. Re:Good security is expensive b/c customers are du by hyades1 · · Score: 2

    It is widely accepted that the first cash machine was put into use by Barclays Bank in its Enfield Town branch in North London, United Kingdom, on 27 June 1967. The first US ATM came a year later, in 1968, followed by Canada in 1969. If you want to talk about "bank from home" on-line, then the UK and US were pretty much the same time, give or take a few months either way.

    In any case, your contention that US on-line bank security sucks because it was a first adopter doesn't bear scrutiny.

    By the way, it's funny how much Americans sound like Chekov from the original Star Trek. You know, the whole "Dis vas inwented first in Russia" thing, except substitute America.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  16. Re:Good security is expensive b/c customers are du by hyades1 · · Score: 1

    Wish I could give you a point, my friend. Your comment is spot on.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  17. The other 35% ... by CaptainDork · · Score: 1

    ... infected the testing algorithms and caused Photobucket to cut linking services unless members pay a $400 ransom.

    --
    It little behooves the best of us to comment on the rest of us.
  18. Ridiculous by jgross.biz · · Score: 1

    Don't get me started on passwords and security questions... I'm a senior software developer (not for a bank) and I can tell you there is absolutely no reason why a user must be limited to 12 characters! Also I don't need to tell you why "What high school did you go to?" or "When did you graduate high school?" are horrible security questions. When I see shit like this at a BANK I'm just appalled.