Slashdot Mirror


65 Percent of Major US Banks Have Failed Web Security Testing, Says Report (ibsintelligence.com)

According to IBS Intelligence, websites run by some of the largest banks in the U.S. have scored the poorest in a new security and privacy analysis audit. "The non-profit Online Trust Alliance (OTA) anonymously audited more than 1,000 websites, ranking their security and privacy practices," reports IBS Intelligence. "None of the sites investigated knew about the test." From the report: In the firm's Online Trust Audit & Honor Roll for 2017 many U.S. banks were among the worst for security and privacy. The industry had both the most failing grades and the least "Honor Roll" recipients. For firms to receive the Honor Roll award, they must achieve an overall score of 80% or higher across three categories: consumer protection, security and privacy. A failure in any of the three squashes its chance entirely. Look away now if you're a U.S. banking customer, as only 27% of the 100 largest banks in the country made the grade. The figure represents a 28% drop from 2016. According to the OTA, the sector had been showing signs of improvement. Yet, due to "increased breaches, low privacy scores and low levels of email authentication," things have slipped. Large banks were found to have moderately good website security (17% of failures) but dropped the ball when it came to their email security (45%) and privacy (34%).

5 of 25 comments

  1. only 65%? by turkeydance · · Score: 2, Interesting

    IBS Intelligence has some explaining to do.

  2. Good security is expensive b/c customers are dumb by Anonymous Coward · · Score: 4, Interesting

    I've worked on several websites that handle PII, including sites for major banks and government agencies. Implementing proper security for your average consumer is expensive. Not to implement but to support. Users will constantly forget their passwords, lose access to 2FA, lock themselves out and generally "better idiot" your idiot proof system. You have to have a call center to support this and that costs money. If you don't, people will b*tch about your terrible customer support, when the company/agency is really trying their best to protect them. So a lot of companies just say f**k it and dumb it down.
     
    And for some reason this seems to be unique to the US. My wife is from Asia and most banks there (as well as in Europe, it seems?) require 2FA systems like challenge-response and customers have zero problems with it. My wife's bank provides her with a card that has challenge-response codes which she has to use when she logs in. She's not technically inclined at all, has zero problems using it and understands that if she loses it she can't log in until she gets a new one, and that it's her fault and not the bank's. I know that if I even suggested that on most of the projects I've worked on in the US, they'd think I was joking or crazy.
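    The printed code card the commenter describes is a simple challenge-response scheme: the bank keeps a copy of the card, asks for the code at a randomly chosen cell at login, and the user reads it off the physical card. The following is an added example (not the commenter's code and not any real bank's implementation) showing both sides of that exchange. The card layout (a 10x10 grid of 4-character codes addressed as "C7"), the lockout threshold and the rule that a cell is never challenged twice are assumptions made for the illustration; the important properties are that the server, not the client, chooses the cell, that the comparison is constant-time, and that a lost card simply blocks login until reissue, with no fallback.

```python
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumed card layout: rows A-J, columns 0-9, a 4-character code in each cell.
ROWS = "ABCDEFGHIJ"
COLS = "0123456789"
CODE_ALPHABET = string.ascii_uppercase + string.digits
MAX_FAILURES = 3  # assumed lockout threshold


def issue_card(rng=secrets) -> Dict[str, str]:
    """Bank side: mint a fresh card as {cell label: code}. One copy is printed
    and mailed to the customer, the other is stored against the account."""
    return {r + c: "".join(rng.choice(CODE_ALPHABET) for _ in range(4))
            for r in ROWS for c in COLS}


def user_lookup(printed_card: Dict[str, str], cell: str) -> str:
    """Customer side: read the code at the requested cell off the physical card."""
    return printed_card[cell]


@dataclass
class CardAccount:
    card: Optional[Dict[str, str]]          # bank's copy; None once reported lost
    failures: int = 0
    used_cells: Set[str] = field(default_factory=set)  # never challenge a cell twice
    pending: Optional[str] = None           # the outstanding challenge, if any

    def challenge(self) -> str:
        """Bank side: pick a random unused cell and remember it as the open challenge."""
        if self.card is None:
            raise PermissionError("card reported lost: no login until a new one is issued")
        if self.failures >= MAX_FAILURES:
            raise PermissionError("account locked after repeated wrong codes")
        unused = [c for c in self.card if c not in self.used_cells]
        if not unused:
            raise PermissionError("card exhausted: reissue required")
        self.pending = secrets.choice(unused)
        return self.pending

    def respond(self, cell: str, code: str) -> bool:
        """Bank side: verify the customer's answer to the challenge that was issued.
        The answer must be for the cell the bank asked about; a client may not
        substitute a cell of its own choosing."""
        if self.card is None or self.pending is None or cell != self.pending:
            self.failures += 1
            self.pending = None
            return False
        expected = self.card[cell].encode()
        given = code.strip().upper().encode()
        ok = hmac.compare_digest(expected, given)   # constant-time comparison
        self.pending = None
        if ok:
            self.failures = 0
            self.used_cells.add(cell)               # burn the cell on success
        else:
            self.failures += 1
        return ok

    def report_lost(self) -> None:
        """Customer reports the card lost: the stored copy is discarded, and there
        is deliberately no alternative path until a new card is issued."""
        self.card = None
        self.pending = None


def login_once(account: CardAccount, printed_card: Dict[str, str]) -> bool:
    """Walk one full exchange: bank challenges, customer reads the card, bank verifies."""
    cell = account.challenge()
    return account.respond(cell, user_lookup(printed_card, cell))


if __name__ == "__main__":
    printed = issue_card()
    acct = CardAccount(card=dict(printed))
    print("login ok:", login_once(acct, printed))
```

Each successful login consumes one cell, so a 100-cell card is good for 100 logins before reissue; a wrong answer counts toward the lockout but does not consume a cell, so an attacker who can trigger challenges cannot burn through the card to force a reissue.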

  3. Total Scam by ytene · · Score: 2

    First and most obvious point... there is no legal distinction between "an anonymous scan" and a "hack". If the Online Trust Alliance scanned the cyber defenses of any other institution without knowledge or permission, then they broke the law.

    Secondly, as I'm regularly told by a friend of mine who works for a Wall Street bank, there has recently been a pattern of "shake down" attempts on major institutions for which on-line security is a matter of reputational importance. What happens is that a company or organisation produces a "report" which shows the company in a poor light, then provides the company or organisation with a high level summary of said report, showing some pretty critical/damning language. The company or organisation is invited to purchase a full copy of the report, ahead of publication, so that they have time to "fix the vulnerabilities" identified.

    The thing is, there is every chance that the OTA actually means well and/or has done useful work.

    But the bottom line is that if the OTA acted without the knowledge *and* permission of those they "scanned", then they broke the Computer Fraud and Abuse Act.

  4. Which were worst? by Hognoxious · · Score: 2

    Which were worst? Ummm, I'd just like to make sure my money's safe, that's all.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."

  5. Re:Good security is expensive b/c customers are du by hyades1 · · Score: 2

    It is widely accepted that the first cash machine was put into use by Barclays Bank in its Enfield Town branch in North London, United Kingdom, on 27 June 1967. The first US ATM came a year later, in 1968, followed by Canada in 1969. If you want to talk about "bank from home" on-line, then the UK and US were pretty much the same time, give or take a few months either way.

    In any case, your contention that US on-line bank security sucks because it was a first adopter doesn't bear scrutiny.

    By the way, it's funny how much Americans sound like Chekov from the original Star Trek. You know, the whole "Dis vas inwented first in Russia" thing, except substitute America.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.