Print this article | E-mail this article | Comment on this article

Study says bank Web sites leave clients vulnerable to theft

By Michael Hatamoto, BetaNews

July 24, 2008, 1:08 PM

When you hop on the Internet to check your online bank statement or pay some bills, do you ever wonder how secure your bank's computer network is? A new study claims most bank Web sites are vulnerable to identity theft.

A study done by Atul Prakash, a professor at the University of Michigan who teaches in the department of electrical engineering and computer science, found that more than 75 percent of 214 financial institutions checked in 2006 had at least one design flaw that could open up online bank users to potential identity theft.

Each discovered flaw simply isn't a bug or security hole that can be easily repaired with a patch. For example, Prakash and his research team found that 47 percent of the banks placed secure login boxes on insecure pages, 55 percent of those tested put contact information and other sensitive data on insecure pages, and many banks still use Social Security numbers or e-mail addresses as user IDs or passwords for logins.

Also discovered during the study, 30 percent of the banks had a "break in the chain of trust," which means they would redirect clients to other Web sites where a different security certificate was required.

"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," Prakash said in a press statement. "Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

Prakash's findings will be presented during a meeting of privacy experts tomorrow at Carnegie Mellon University.

Although the FDIC says check fraud and mortgage fraud are still more serious problems than computer intrusion among US financial institutions, the issue is getting worse. According to an FDIC Technology Incident Report of 536 filed cases of confirmed computer intrusion, the average loss per case was $30,000. Furthermore, the number of computer intrusions reportedly grew by 150 percent between the first quarter of 2007 and the second quarter.

Add a Comment (6 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

By batteryfast

posted Nov 9, 2008 - 11:01 PM

Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

Prakash's findings will be presented during a meeting of privacy experts tomorrow at Carnegie Mellon University.

Although the FDIC says check fraud and mortgage fraud are still more serious problems than computer intrusion among US financial institutions, the issue is getting worse. According to an FDIC Technology Incident Report of 536 filed cases of confirmed computer intrusion, the acer squ-207 battery,acer aspire 1700 battery,acer squ-302 battery average loss per case was $30,000. Furthermore, the number of computer intrusions reportedly grew by 150 percent between the first quarter of 2007 and the second quarter.

Score: 0

By mishucu

edited Jul 24, 2008 - 2:55 PM

This is awesome information to know. If i ever go back to '06 I'll know what banks not to use online. Is there a more recent study? My banks website design and security features (and i mean noticeable) changed like 4 or 5 times over the past year. So from '06 were probably like 8 or so generations down the road. I guess what i'm having a hard time understanding is the head line, shouldn't it be more like "Study says bank Web sites used to leave clients vulnerable to theft (we don't know about today)"

Score: 0

By TwinsDad

posted Jul 24, 2008 - 2:41 PM

The study was conducted in 2006. In today's technology "years" that like 15 years ago, isn't it? Come on two years is enough to make me question the validity of this data today.

Score: 0

By Paul Skinner

posted Jul 24, 2008 - 1:28 PM

"47 percent of the banks placed secure login boxes on insecure pages"

It is the form method that needs to be secure, though it can't hurt to have both secure.

Score: 0

By yohimbe9

posted Jul 24, 2008 - 2:26 PM

Reading through the study their point is more that user's don't know if hitting the submit will take them to a secure page. They go on to say that there's no guarantee that an SSL page will POST to an SSL page, either, but its just assumed. They make it sound like you do something to a page to make it "SSL enabled" and therefore it must be legit.

"In principle, even if an SSL-protected page provides a login window, there is no guarantee that the logic for the login window's Submit button is properly implemented to send the information securely. However, from a customer's perspective, there is an implied understanding with a financial institution that an SSL-protected page provided by that institution has trustworthy contents, including handling of contents submitted to that page."

Score: 0

By Paul Skinner

posted Jul 24, 2008 - 2:53 PM

Exactly. Couldn't put it better myself.

Score: 0

Nov 18 - 9:35 PM ET Windows finally breaks into the Top 10 among supercomputers

Nov 18 - 9:16 PM ET Four out of five adults agree on TCP/IP

Nov 18 - 5:57 PM ET Microsoft to replace Live OneCare with 'no-cost' anti-malware

Nov 18 - 5:36 PM ET IRS hires its first-ever CTO; who will be Obama's?

Nov 18 - 4:54 PM ET Federal court halts sale of a commercial keylogger

Nov 18 - 4:50 PM ET Amazon's CloudFront to make content distribution more affordable

Nov 18 - 4:45 PM ET Spansion seeks to bar imports of devices with Samsung flash memory

Nov 18 - 3:49 PM ET Users of iTunes video can't play back their own content

Nov 18 - 3:34 PM ET AT&T to offer LG's next Windows-based 'iPhone killer'

Nov 18 - 3:22 PM ET HP announces new guidance, and it's not dire