
July 24, 2008

75% of bank websites have major security flaws

By John Lister





Most financial groups’ websites have security flaws so significant they can’t be fixed with a software patch, according to a University of Michigan study.

The researchers behind the study will present the full results at a security conference tomorrow. They looked at 214 sites and found that more than 75% had major problems. According to Atul Prakash, the professor heading the study, these were issues that could affect even security-conscious customers:

“Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking.”

The study looked for five common problems:

The most common, affecting 55%, was putting bank contact details on insecure pages. This could theoretically allow hackers to attack the site and replace the info with bogus details and then gather security information from customers who called with problems. Prakash argues that, even though the correct details are available elsewhere, many customers would assume the info on a bank site must be correct.

Just under half of sites had log-in boxes on insecure pages (those which begin http:// rather than https://). This means it’s possible for hackers to create spoof copies of the pages and gather the info; done wirelessly they could even do this without the original page address visibly changing.

31% of sites appeared to be willing to e-mail information such as passwords or bank statements, even though e-mails are less secure than properly-protected websites.

Three in ten sites failed to warn customers when a link would take them outside of the bank’s site. This means customers aren’t always fully informed about how much trust to place in each page they visit.

The least common of the problems, affecting 28% of the sites, was allowing ‘weak’ log-in details. These include details which are too easy to guess, such as using an e-mail address or social security number for a log-in name.
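As an added illustration (not code from the study or this article), the sketch below shows how a site owner could check a page for two of the five problems: a log-in box served on an http:// page, and links that leave the bank's domain, which are listed so a reviewer can confirm each carries a warning. The domain `bank.example`, the sample HTML and all function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (bank.example is a placeholder, not from the study).
SAMPLE_URL = "http://www.bank.example/"
SAMPLE_HTML = """
<form action="https://secure.bank.example/login">
  <input type="text" name="user"><input type="password" name="pw">
</form>
<a href="/contact.html">Contact us</a>
<a href="https://partner.example/loans">Loans</a>
"""

class PageScan(HTMLParser):
    """Collects password-bearing forms and link targets from one page."""
    def __init__(self):
        super().__init__()
        self.forms, self.links, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self._form:
            self._form["password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_page(page_url, html, bank_domain):
    """Flag log-in boxes on http:// pages and links that leave the bank's domain."""
    scan = PageScan()
    scan.feed(html)
    findings = []
    for form in (f for f in scan.forms if f["password"]):
        # An https form target does not help if the page holding the box is http.
        if urlparse(page_url).scheme != "https":
            findings.append("login-box-on-insecure-page")
        if urlparse(urljoin(page_url, form["action"])).scheme != "https":
            findings.append("login-posts-over-http")
    for href in scan.links:
        u = urlparse(urljoin(page_url, href))
        host = u.hostname or ""
        offsite = host != bank_domain and not host.endswith("." + bank_domain)
        if u.scheme in ("http", "https") and offsite:
            findings.append("offsite-link:" + host)
    return findings
```

The sample page is flagged even though its form submits to an https:// address, because the page that delivers the log-in box is itself unprotected.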

It’s worth bearing in mind the actual research was carried out in 2006, so it’s possible the industry has improved its security efforts somewhat in the meantime.
