Three out of four financial institutions have security-related issues

Jul 28, 2008 09:21 GMT

According to a recent study entitled "Analyzing Web sites for user-visible security design flaws", led by professor Atul Prakash of the University of Michigan, a staggering 75% of the US bank sites examined do not provide complete security measures to their customers. These sites represent a security issue because they have design flaws that allow passwords to be intercepted or exposed to attackers.

Lara Falk and Kevin Borders, doctoral students at the same university, also took part in the study, which was presented last week at the Symposium on Usable Privacy and Security held at Carnegie Mellon University.

A total of 214 financial institutions were examined in the study, which was conducted two years ago, in 2006. The results showed that three quarters of the banks surveyed exhibited at least one security flaw. While some organizations may since have taken steps to correct these issues, professor Prakash believes there is still a long way to go before all online banking applications are completely safe from attackers.

Atul Prakash, Professor at the Department of Electrical Engineering and Computer Science within the University of Michigan, comments: "To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country. Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

One of the findings of the study is that 47% of the banks place their login boxes on pages that are not themselves served securely. This means that an attacker could intercept or reroute the data you enter in those login boxes, or even set up a spoofed version of the page in an attempt to get hold of your credentials. It also came to light that 30% of the financial institutions redirect customers to other, non-bank domains when performing certain transactions, but do so without issuing a proper warning. The user suddenly finds himself on a new site, with a different look and URL, and cannot tell whether the site is legitimate or not.
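The two flaws described above can be checked mechanically when auditing a bank's own pages. The following is an added example, not code from the study or the article: it parses a page for forms containing a password field and flags a form whose page is not HTTPS, whose submission target is not HTTPS, or whose target host lies outside the bank's own domain. The sample pages, URLs and domain names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> action together with whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of [action, has_password_field]
        self._current = None   # index of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
            self._current = len(self.forms) - 1
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self.forms[self._current][1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html, bank_domain):
    """Return the user-visible design flaws found on one page as a sorted list of strings."""
    findings = set()
    page = urlsplit(page_url)
    scanner = _FormScanner()
    scanner.feed(html)
    for action, has_password in scanner.forms:
        if not has_password:
            continue  # only forms that collect a password are login boxes
        target = urlsplit(urljoin(page_url, action))
        host = target.hostname or ""
        if page.scheme != "https":
            findings.add("login form on insecure (non-HTTPS) page")
        if target.scheme != "https":
            findings.add("login form submits credentials over non-HTTPS")
        if host != bank_domain and not host.endswith("." + bank_domain):
            findings.add(f"login form posts to third-party domain {host}")
    return sorted(findings)


# Constructed sample pages; the bank and vendor domains are placeholders.
INSECURE_HOME = ('<form action="https://login.examplebank.test/auth" method="post">'
                 '<input name="user"><input type="password" name="pass"></form>')
THIRD_PARTY_LOGIN = ('<form action="https://auth.vendor-hosted.test/login" method="post">'
                     '<input type="password" name="pw"></form>')
CLEAN_LOGIN = '<form action="/login" method="post"><input type="password" name="pw"></form>'
```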

Avivah Litan, banking security analyst with Gartner Inc., comments: "Conventional wisdom is that the clients - or PCs - are inherently insecure devices. What this study shows is that the servers - or the bank and other consumer-facing Web sites - are also inherently insecure."