Online Banking Sites Compromised by Design Flaws

More than 75 percent of bank websites in a recent survey have at least one design flaw that could make customers vulnerable to cyber thieves.

This according to a new University of Michigan study of online banking.

These design flaws stem from the flow and the layout of the websites, according to the study. Led by Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science at the University of Michigan, doctoral students Laura Falk and Kevin Borders examined the websites of 214 financial institutions in 2006. They will present their findings, "Analyzing Web sites for user-visible security design flaws," at the Symposium on Usable Privacy and Security meeting at Carnegie Mellon University on July 25.

The design flaws they found aren't bugs that can be fixed with a patch. They stem from the flow and the layout of these sites, according to the study.

Flaws include placing log-in boxes and contact information on insecure web pages, as well as failing to keep users on the site they first came to visit. Prakash notes some banks may already have resolved these problems since the survey's data was collected, but overall sees there still is much need for improvement. These flaws leave cracks in security that hackers could exploit to gain access to private information and accounts. The design flaws that the team looked for included:

Placing secure login boxes on insecure pages;
Putting contact information and security advice on insecure pages;
Having a breach in the chain of trust;
Allowing inadequate user IDs and passwords;
E-mailing security-sensitive information insecurely.
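Two of the flaws in that list, a login box on an insecure page and a break in the chain of trust when the login form hands the user off to another site, can be spotted from the page markup alone. The checker below is an added example written for this article; it is not code from the University of Michigan study, and the page URLs, host names and HTML it inspects are constructed samples. It treats the last two DNS labels as "the same site," which is a simplification (a real checker would use the public suffix list), and it only looks at forms that contain a password field.

```python
"""Flag user-visible login-page design flaws from a page's URL and HTML.

Added example, not the study's own tooling. Checks performed:
  insecure-page    the page carrying the login form is not served over https
  insecure-action  the login form submits to a non-https URL
  off-site-action  the login form submits to a different site (chain-of-trust break)
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> and whether it contains an <input type=password>."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "has_password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _site(hostname):
    """Approximate 'same site' as the last two DNS labels (simplification, see lead-in)."""
    labels = (hostname or "").lower().split(".")
    return ".".join(labels[-2:])


def find_login_flaws(page_url, html):
    """Return a list of (flaw_code, detail) tuples for each login form on the page."""
    collector = _FormCollector()
    collector.feed(html)
    page = urlparse(page_url)
    flaws = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        # An empty action submits back to the page itself; relative actions resolve against it.
        target = urlparse(urljoin(page_url, form["action"]))
        if page.scheme != "https":
            flaws.append(("insecure-page", page_url))
        if target.scheme != "https":
            flaws.append(("insecure-action", target.geturl()))
        if _site(target.hostname) != _site(page.hostname):
            flaws.append(("off-site-action", target.hostname))
    return flaws


# Constructed sample pages (hypothetical hosts under the reserved .test TLD).
SAMPLES = {
    # Login box on a plain-http home page, even though the form itself posts to https.
    "http-home-page": (
        "http://www.example-bank.test/",
        '<form action="https://login.example-bank.test/auth" method="post">'
        '<input name="user"><input type="password" name="pw"></form>',
    ),
    # Login box on an https page submitting to the same site: no flaw.
    "https-same-site": (
        "https://www.example-bank.test/",
        '<form action="/auth" method="post">'
        '<input name="user"><input type="PASSWORD" name="pw"></form>',
    ),
    # https page whose login form silently posts to an unrelated vendor's site.
    "third-party-login": (
        "https://www.example-bank.test/",
        '<form action="https://auth.other-vendor.test/login" method="post">'
        '<input name="user"><input type="password" name="pw"></form>',
    ),
    # A search form with no password field is ignored entirely.
    "no-login-form": (
        "http://www.example-bank.test/branches",
        '<form action="/search"><input name="q"></form>',
    ),
}


def check_samples():
    """Run the checker over every constructed sample and return {name: flaws}."""
    return {name: find_login_flaws(url, html) for name, (url, html) in SAMPLES.items()}


if __name__ == "__main__":
    for name, flaws in check_samples().items():
        print(f"{name}: {flaws or 'no flaws'}")
```

Run against a bank's real pages, the same function needs the URL the browser actually displayed (after redirects), since the "page served over http" finding depends on what the customer saw in the address bar, not on where the form eventually posts.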

Prakash said he began the study after he saw flaws on his own financial institutions' websites. To read more about the vulnerabilities the study examined:

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
