Design flaws impair security at banking sites
It isn't just ugly that hurts
IDG News Service - Banking Web sites suffer from design flaws that undermine their security, exclusive of software vulnerabilities, according to a University of Michigan study to be released Friday.
Of 214 sites surveyed in 2006, more than 75% had at least one design flaw that could lead to a security problem, the university said. The flow and layout of the sites can make those sites riskier, and the problems can't be fixed with a patch unlike a software vulnerability.
A few of the study's findings were released on Tuesday by the university. The full findings will be presented at the Symposium on Usable Privacy and Security meeting Friday at Carnegie Mellon University in Pittsburgh.
The study was undertaken by Atul Prakash, a professor in the department of electrical engineering and computer science, and two doctoral students, Laura Falk and Kevin Borders. Prakash began investigating after he noticed problems with his own bank's Web site, the university said.
Although the research was done in 2006, many of the problems still affect financial sites. One of the core troubles is an underutilization of SSL (Secure Sockets Layer) encryption technology on Web pages.
The study found that 47% of banks didn't use SSL on log-in pages, which could open the door for a hacker to reroute data to their own PC. Not using SSL also makes it easier for a man-in-the-middle attack, where the victim's data passes through an attacker's PC before it's routed to the bank's server.
Another pervasive problem affecting 55% of institutions is placing contact information and security advice on insecure pages. A hacker could conceivably break into the Web site and change the customer service phone number to direct banking customers to a fictitious call center. Again, SSL is the remedy.
The researchers found 30% of sites would redirect users to other Web sites, which can skew how a person is supposed to evaluate risk, the study said.
Since a bank site is trusted, users will not likely consider the redirected site a security risk even if it may be. Banks should put all their Web pages on the same server, but some have outsourced security features that are hosted on other domains.
Weak user IDs and passwords continue to be troublesome, with 28% of banks either lacking password guidelines or allowing weak ones. Institutions will also e-mail passwords or statements, which is also risky, the study said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Privacy White Papers | Webcasts