65 Percent of Major US Banks Have Failed Web Security Testing, Says Report (ibsintelligence.com)
According to IBS Intelligence, websites run by some of the largest banks in the U.S. have scored the poorest in a new security and privacy analysis audit. "The non-profit Online Trust Alliance (OTA) anonymously audited more than 1,000 websites, ranking their security and privacy practices," reports IBS Intelligence. "None of the sites investigated knew about the test." From the report: In the firm's Online Trust Audit & Honor Roll for 2017 many U.S. banks were among the worst for security and privacy. The industry had both the most failing grades and the least "Honor Roll" recipients. For firms to receive the Honor Roll award, they must achieve an overall score of 80% or higher across three categories: consumer protection, security and privacy. A failure in any of the three squashes its chance entirely. Look away now if you're a U.S. banking customer, as only 27% of the 100 largest banks in the country made the grade. The figure represents a 28% drop from 2016. According to the OTA, the sector had been showing signs of improvement. Yet, due to "increased breaches, low privacy scores and low levels of email authentication," things have slipped. Large banks were found to have moderately good website security (17% of failures) but dropped the ball when it came to their email security (45%) and privacy (34%).
IBS Intelligence has some explaining to do.
I've worked on several websites that handle PII, including sites for major banks and government agencies. Implementing proper security for your average consumer is expensive. Not to implement but to support. Users will constantly forget their passwords, lose access to 2FA, lock themselves out and generally "better idiot" your idiot proof system. You have to have a call center to support this and that costs money. If you don't, people will b*tch about your terrible customer support, when the company/agency is really trying their best to protect them. So a lot of companies just say f**k it and dumb it down.
And for some reason this seems to be unique to the US. My wife is from Asia and most banks there (as well as in Europe, it seems?) require 2FA systems like challenge-response and customers have zero problems with it. My wife's bank provides her with a card that has challenge-response codes that she has to use when she logs in. She's not technically inclined at all, has zero problems using it and understands that if she loses it she can't log in until she gets a new one and that it's her fault and not the bank's. I know that if I even suggested that on most of the projects I've worked on in the US, they'd think I was joking or crazy.
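The grid-card challenge-response scheme the commenter describes, as an added example that is not part of the original thread and not any bank's code: the server side derives the printed grid from a per-card secret, issues a one-time challenge naming a few cells, compares the customer's reply in constant time, and locks the card after repeated misses so that loss or misuse ends in reissue rather than a help-desk reset. Grid size, code length and the lockout threshold are assumed values.

```python
import hmac
import hashlib
import secrets

GRID_COLS = "ABCDEFGH"   # assumed layout: columns A..H
GRID_ROWS = 8            # rows 1..8 -> 64 cells, one 3-digit code each
MAX_FAILED_ATTEMPTS = 3  # assumed policy: lock the card after this many misses

def make_card(seed: bytes) -> dict:
    """Derive the printed grid (cell label -> 3-digit code) from a per-card secret seed.
    The bank stores only the seed; the customer holds the printed grid."""
    card = {}
    for col in GRID_COLS:
        for row in range(1, GRID_ROWS + 1):
            cell = f"{col}{row}"
            digest = hmac.new(seed, cell.encode(), hashlib.sha256).digest()
            card[cell] = f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"
    return card

class GridCardVerifier:
    """Server side of a grid-card login: issue a one-time challenge, check the reply."""

    def __init__(self, seed: bytes, cells_per_challenge: int = 3):
        self._card = make_card(seed)
        self._cells_per_challenge = cells_per_challenge
        self._pending = None      # cells of the outstanding challenge, if any
        self.failed_attempts = 0
        self.locked = False

    def new_challenge(self) -> list:
        """Pick distinct cells at random; the customer reads their codes off the card."""
        if self.locked:
            raise PermissionError("card locked; reissue required")
        self._pending = secrets.SystemRandom().sample(list(self._card), self._cells_per_challenge)
        return list(self._pending)

    def verify(self, response: list) -> bool:
        """Check the reply to the outstanding challenge: single use, constant-time compare,
        and repeated misses lock the card."""
        if self.locked or self._pending is None:
            return False
        cells, self._pending = self._pending, None   # consume the challenge, replay fails
        expected = "".join(self._card[c] for c in cells)
        ok = hmac.compare_digest(expected, "".join(str(r) for r in response))
        if ok:
            self.failed_attempts = 0
        else:
            self.failed_attempts += 1
            self.locked = self.failed_attempts >= MAX_FAILED_ATTEMPTS
        return ok
```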