University Of Michigan Study Finds Widespread Flaws In Online Banking Sites
Monday, July 28, 2008
Thanks to my coworker, Bill Gonzalez, for alerting me about this item. A University of Michigan news release reported on July 23, 2008:
"More than 75 percent of the bank Web sites surveyed in a University of Michigan study had at least one design flaw that could make customers vulnerable to cyber thieves after their money or even their identity. Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science and doctoral students Laura Falk and Kevin Borders examined the Web sites of 214 financial institutions in 2006."
They study authors presented their findings on July 25 at the Symposium on Usable Privacy and Security meeting at Carnegie Mellon University. How serious are the findings?
"These design flaws aren't bugs that can be fixed with a patch. They stem from the flow and the layout of these Web sites, according to the study. The flaws include placing log-in boxes and contact information on insecure web pages as well as failing to keep users on the site they initially visited."
The news release added:
"A recent FDIC Technology Incident Report, compiled from suspicious activity reports banks file quarterly, lists 536 cases of computer intrusion, with an average loss per incident of $30,000. That adds up to a nearly $16-million loss in the second quarter of 2007. Computer intrusions increased by 150 percent between the first quarter of 2007 and the second. In 80 percent of the cases, the source of the intrusion is unknown but it occurred during online banking..."
The news release and the study report itemized the specific flaws the researchers looked for. One of the really stupid flaws no bank or web site should include, but the researchers found:
"Allowing inadequate user IDs and passwords... sites that use social security numbers or e-mail addresses as user ids. While this information is easy for customers to remember, it's also easy to guess or find out. Researchers also looked for sites that didn't state a policy on passwords or that allowed weak passwords. Twenty-eight percent of sites surveyed had one of these flaws."
Those interested can download the "Analyzing Web Sites For User-Visible Security Design Flaws" study in PDF format. If you want to learn how to create stronger passwords to better protect your sensitive financial data, read this post.
You can follow this conversation by subscribing to the comment feed for this post.