Saturday, July 26, 2008

U Michigan: 75% of Bank Sites Flawed

Yesterday, data presented by Carnegie-Mellon University demonstrated some of the issues that stand in the way of creating the safe Internet experience that online banking consumers are seeking.

The data, based on a University of Michigan study conducted by Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science (and the author of over fifty papers in the field), and two of his doctoral students, Laura Falk and Kevin Borders, examined 241 sites in 2006, including the sites of major financial institutions.

Prakash apparently initiated the study after noticing that his own interactions with financial institutions on the web were less than secure.

The results are worthy of study. As re-reported on Friday, Prakash and his team found that three quarters of consumer banking sites suffered from some form of fundamental design flaw impacting security.

"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," Prakash said.

Some of the flaws uncovered by Prakash and his team included:

Placing "secure" login boxes on insecure pages

47% of banks were found to be guilty of this particular transgression. Doing this is problematic because it exposes user names and passwords to attackers running man-in-the-middle attacks or siphoning data off wireless networks.

Hosting of support/help/security advice on insecure pages

55% of banks presented their support pages within a non-secure environment, allowing hackers to easily intercept support requests or even set up their own spoofed web pages and call centers using DNS redirects.

Non-Domain Redirects

Prakash found that 30% of banks surveyed sent their customers to other sites in order to facilitate transactions. Unless these other sites utilize some form of identity federation or shared trust, this practice is *not good*.

SSNs and Non-Secure User IDs

Prakash and his team faulted sites using social security numbers and email addresses as login credentials or user IDs, since this exposes that information to hackers via man-in-the-middle attacks. I agree with this "outing" of this practice.

Weak Passwords

Given the ease of validation methods, allowing weak passwords to exist isn't a great idea, and doesn't save anyone any money in the long run. According to Prakash, 28% of the sites surveyed allowed weak passwords.

Insecure Messaging

31% of the web sites of financial institutions surveyed by Prakash were found to be emailing statements and/or passwords to customers.
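As an added example (not part of this post or of the Michigan study), here is a small Python audit that checks a page for four of the flaw classes listed above: a login form served on an insecure page or posting over plain HTTP, support/help content linked over plain HTTP, links that send the customer off the bank's own site, and weak passwords or SSN/email-style user IDs accepted at registration. The page, the `example-bank.test` and `third-party.test` host names and the short common-password list are all constructed for the example; the same-site test compares only the last two host labels, which is a simplification (a real check would consult the public suffix list).

```python
"""Static audit of a bank web page for the design flaws named in the Prakash study.
Constructed example; host names and sample HTML below are not real bank sites."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormsAndLinks(HTMLParser):
    """Collect every <form> (with whether it contains a password field) and every <a href>."""

    def __init__(self):
        super().__init__()
        self.forms, self.links, self._current = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _same_site(host, page_host):
    # Simplification: treat any subdomain of the page's registrable-looking parent as the same site.
    parent = ".".join(page_host.split(".")[-2:])
    return host == page_host or host.endswith("." + parent)


def audit_page(page_url, html, support_keywords=("help", "support", "security")):
    """Return a list of human-readable findings for one page and its HTML."""
    findings = []
    page = urlparse(page_url)
    parser = _FormsAndLinks()
    parser.feed(html)

    for form in parser.forms:
        if not form["has_password"]:
            continue  # only login forms matter here
        action = urlparse(urljoin(page_url, form["action"] or page_url))
        if page.scheme != "https":
            findings.append("login form served on an insecure page: " + page_url)
        if action.scheme != "https":
            findings.append("login form posts over plain HTTP: " + action.geturl())
        if not _same_site(action.hostname or "", page.hostname or ""):
            findings.append("login form posts to another site: " + action.geturl())

    for href in parser.links:
        target = urlparse(urljoin(page_url, href))
        if target.scheme not in ("http", "https"):
            continue  # mailto:, javascript:, etc. are out of scope
        if not _same_site(target.hostname or "", page.hostname or ""):
            findings.append("off-domain link: " + target.geturl())
        elif target.scheme != "https" and any(k in target.path.lower() for k in support_keywords):
            findings.append("support/help content over plain HTTP: " + target.geturl())
    return findings


# Registration-time checks for the "weak passwords" and "SSNs as user IDs" flaws.
COMMON_PASSWORDS = {"password", "password1", "123456", "letmein"}  # constructed, tiny list
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def password_policy_violations(password, min_len=8):
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def user_id_is_acceptable(user_id):
    """Reject identifiers that are themselves sensitive: SSN-shaped strings and email addresses."""
    return not (SSN_RE.match(user_id) or "@" in user_id)


# Constructed sample: an http:// home page carrying the login box, a help link over http,
# and a bill-pay link that leaves the bank's site.
SAMPLE_PAGE_URL = "http://www.example-bank.test/"
SAMPLE_HTML = """
<html><body>
<form action="https://login.example-bank.test/auth" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<a href="http://www.example-bank.test/help/security.html">Security tips</a>
<a href="https://pay.third-party.test/billpay">Pay bills</a>
<a href="mailto:help@example-bank.test">Email us</a>
</body></html>
"""

if __name__ == "__main__":
    for line in audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("FINDING:", line)
```

Running it against the constructed page reports three findings: the login form sits on an insecure page, the security-tips page is linked over plain HTTP, and the bill-pay link goes to another site; the form's https action on a sibling subdomain passes.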

None of these design problems are issues if consumers do their banking using Authentium SafeCentral, but all should be examined/fixed anyway. The cost of fixing each of these issues is minor; the benefits are potentially significant.

The fact that we are able to protect against the exploitation of these weaknesses should not be used as a reason not to fix them. Consumers will on occasion need to use a non-secure browser. Banks should perhaps examine this list for indications their own sites could be improved.
