The University of MichiganNews Services
The University Record Online
search
Updated 3:00 PM August 7, 2008
 

front

accolades

briefs

view events

submit events

UM employment


obituaries
police beat
regents round-up
research reporter
letters


archives

Advertise with Record

contact us
meet the staff
contact us
contact us

 
Widespread security flaws revealed in online banks

More than 75 percent of the bank Web sites surveyed in a study had at least one design flaw that could make customers vulnerable to cyber thieves after their money or even their identity.

Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science, and doctoral students Laura Falk and Kevin Borders examined the Web sites of 214 financial institutions in 2006, including those of some local financial institutions. They were to present the findings July 25 at the Symposium on Usable Privacy and Security meeting at Carnegie Mellon University.

These design flaws aren't bugs that can be fixed with a patch. They stem from the flow and the layout of these Web sites, the study finds. The flaws include placing log-in boxes and contact information on insecure Web pages as well as failing to keep users on the site they initially visited. Some banks may have taken steps to resolve these problems since this data was gathered, Prakash says, but overall he still sees much need for improvement.

"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," Prakash says. "Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

The flaws leave cracks in security that hackers could exploit to gain access to private information and accounts. The FDIC says computer intrusion, while relatively rare compared with financial crimes like mortgage fraud and check fraud, is a growing problem for banks and their customers.

A recent FDIC Technology Incident Report, compiled from suspicious activity reports banks file quarterly, lists 536 cases of computer intrusion, with an average loss per incident of $30,000. That adds up to a nearly $16-million loss in the second quarter of 2007. Computer intrusions increased by 150 percent between the first quarter of 2007 and the second. In 80 percent of the cases, the source of the intrusion is unknown but it occurred during online banking, the report states.

The design flaws Prakash and his team looked for are:

• Placing secure login boxes on insecure pages: Forty-seven percent of banks were guilty of this. To solve this problem, banks should use the standard "secure socket layer" (SSL) protocol on pages that ask for sensitive information, Prakash says. (SSL-protected pages begin with https rather than http.) Most banks use SSL technology for some of their pages, but only a minority secure all their pages this way.

• Putting contact information and security advice on insecure pages: At 55 percent, this was the flaw with the most offenders. This problem could be solved by securing these pages with the standard SSL protocol.

• Having a breach in the chain of trust: When the bank redirects customers to a site outside the bank's domain for certain transactions without warning, it has failed to maintain a context for good security decisions, Prakash says. He found this problem in 30 percent of the banks surveyed. The solution, Prakash says, is to warn users they'll be moving off the bank's site to a trusted new site.

• Allowing inadequate user IDs and passwords: Researchers looked for sites that use social security numbers or e-mail addresses as user IDs. While this information is easy for customers to remember, it's also easy to guess or find out. Researchers looked for sites that didn't state a policy on passwords or that allowed weak passwords. Twenty-eight percent of sites surveyed had one of these flaws.

• E-mailing security-sensitive information insecurely: The e-mail data path is generally not secure, Prakash says, yet 31 percent of bank Web sites had this flaw. A notification isn't a problem, but e-mailing a password, a link or a statement, isn't a good idea, Prakash says.

Prakash initiated this study after noticing flaws on his own financial institutions' Web sites. The paper is "Analyzing Web sites for user-visible security design flaws."

More Stories