75% of online banking sites found vulnerable to security design flaws


In a paper entitled "Analyzing Web sites for user-visible security design flaws", to be published at the Symposium on Usable Privacy and Security meeting at Carnegie Mellon University on July 25, Atul Prakash and two of his doctoral students examined 214 financial institutions in 2006, finding that over 75% of the sites have at least one security design flaw:

"These design flaws aren't bugs that can be fixed with a patch. They stem from the flow and the layout of these Web sites, according to the study. The flaws include placing log-in boxes and contact information on insecure web pages as well as failing to keep users on the site they initially visited. Prakash said some banks may have taken steps to resolve these problems since this data was gathered, but overall he still sees much need for improvement.

"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," Prakash said. "Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

What are the security design flaws they found, and how easy are they to exploit on a large scale compared with web application vulnerabilities in the banking sites themselves, or with indirect attacks against the banks through the weakest link in the process, in this case the malware-infected customer?

They seem to have found what they were looking for in general, flaws like the following:

  • Placing secure login boxes on insecure pages
  • Putting contact information and security advice on insecure pages
  • Having a breach in the chain of trust: When the bank redirects customers to a site outside the bank's domain for certain transactions without warning
  • Allowing inadequate user IDs and passwords: Researchers looked for sites that use social security numbers or e-mail addresses as user IDs
  • E-mailing security-sensitive information insecurely

Perhaps two of the key findings are the lack of SSL sessions on what were thought to be "secure login boxes", found at 47% of banks, and, even more disturbing, the fact that certain banks would use a customer's social security number as a user ID. It would be interesting to see who's who in all of these insecure practices once the research gets published online later this week.
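The first, third and fourth flaws in the list above (a login box on a non-HTTPS page, a login form that hands credentials to a host outside the bank's domain, and an SSN used as a user ID) are all visible in the HTML of the login page itself, so they can be checked automatically before a customer ever types anything. The script below is an added example written for this article, not the researchers' own tooling, and the two bank pages it analyzes are constructed samples on made-up `.test` hostnames. It only uses the Python standard library.

```python
"""Flag user-visible login-page design flaws of the kind the study describes.

Added example, not the study's code. The sample pages and hostnames below
are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form>, its <input> names/types, and its action URL."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "inputs": [(name, type), ...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (a.get("name", "").lower(), a.get("type", "text").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


# Field names that suggest the user ID is a social security number.
SSN_HINTS = ("ssn", "social")


def _same_site(host_a, host_b):
    """Approximate 'same domain' by comparing the last two DNS labels.

    A simplification: a production checker would consult the public suffix
    list so that e.g. co.uk domains are handled correctly.
    """
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def analyze_page(page_url, html):
    """Return a list of findings for any login form found on the page."""
    findings = []
    page = urlparse(page_url)
    parser = _FormCollector()
    parser.feed(html)

    for form in parser.forms:
        # Only forms that carry a password field count as login boxes.
        if not any(kind == "password" for _, kind in form["inputs"]):
            continue
        # Resolve relative actions ("/auth") against the page URL.
        action = urlparse(urljoin(page_url, form["action"]))

        if page.scheme != "https":
            findings.append("login form served on an insecure (non-HTTPS) page")
        if action.scheme != "https":
            findings.append("login form submits credentials over non-HTTPS")
        if action.hostname and not _same_site(action.hostname, page.hostname):
            findings.append(f"login form posts outside the site's domain: {action.hostname}")
        for name, _ in form["inputs"]:
            if any(hint in name for hint in SSN_HINTS):
                findings.append(f"user ID field appears to ask for an SSN: {name}")
    return findings


# Constructed sample: a plain-HTTP home page whose login box posts to a
# third-party host and asks for the customer's SSN as the user ID.
BAD_URL = "http://www.examplebank.test/"
BAD_HTML = """
<html><body>
<form method="post" action="https://login.thirdparty-host.test/auth">
  <input name="ssn" type="text">
  <input name="password" type="password">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

# Constructed sample: an HTTPS login page posting to the same origin with
# a bank-assigned user ID.
GOOD_URL = "https://www.examplebank.test/login"
GOOD_HTML = """
<html><body>
<form method="post" action="/auth">
  <input name="userid" type="text">
  <input name="password" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in ((BAD_URL, BAD_HTML), (GOOD_URL, GOOD_HTML)):
        print(url)
        for finding in analyze_page(url, html) or ["no findings"]:
            print("  -", finding)
```

Run against the constructed pages, the first one produces three findings and the second none. Note that the check deliberately flags a login box on an HTTP page even when its form action is HTTPS: the transport of the page that delivers the form decides whether a user can trust what the form will do with their credentials.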

In everyday reality, though, when cyber criminals aren't capable of exploiting web application vulnerabilities within the e-banking sites that would assist them in their phishing attempts, what they do in order to cause the speculated losses of billions of dollars is attack the customer, whose once malware-infected computer is no longer to be trusted for any type of transaction, regardless of the security measure used.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

12 comments
  • Just 75%?

    I would think it is much more likely to be 100% are vulnerable to SOME issue, 90% are vulnerable to a High-risk issue.

    -Nate
    nmcfeters
    • I would agree with that where I live.

      All you have to do is look at the job listings for the major banks, at least where I live. They offer 55K - 65K for senior developers and administrators, 40K - 55K for juniors, and maybe 80K for IT managers. I'm guessing that vice presidents and lawyers perform architecture and user interface design for two reasons. Number 1 -- banks are run old fashioned, strictly top down; top people give the orders, and bottom people do them without question. Number 2 -- lawyers have more than their share of input because banks are primarily scared of getting sued; lawyers know what web sites need for them to cover their posteriors. Unfortunately, I don't think they can get sued for design flaws as long as the proper disclosures exist on the sites, and you usually have to accept some terms upon logging to most sites.
      Taz_z
  • RE: 75% of online banking sites found vulnerable to security design flaws

    They fail to say which banks are at risk so that I as a consumer can make sure that my bank is aware of these vulnerabilities.
    ranchgirl2
    • All

      All banks are at risk. You should use the internet under that assumption.

      -Nate
      nmcfeters
  • RE: 75% of online banking sites found vulnerable to security design flaws

    Your *article* is flawed... putting a secure login box on an insecure page is fine. Saying it's not is like saying that because you get a piece of paper, write your secret information on it, and put it in the safe, it's insecure because the blank paper wasn't in the safe before you wrote on it. As long as the process submits to SSL it's perfectly kosher. Just confuses users who've been told to look for the little padlock.
    Narual
    • online banking sites found vulnerable to security design flaws

      Having insecure page login is NOT repeat NOT ok!!!!!!! The ONE thing phishers can't do, or go to the trouble and expense of doing is getting a security cert. Hence they can simply copy the bank's login page and redirect the phish to it. By the time the phish realizes the following page is NOT insecure... It's too late!
      12AX7
      • Ridiculous.

        That's silly. Having SSL on your login page doesn't stop phishers from making a fake one. They do it all the time, and users still fall for it. Don't confuse actual security with user stupidity.

        From a technical perspective, a non-SSL login page that submits to an SSL is every bit as secure as an SSL login page that submits to an SSL.
        Narual
  • FIRST FLAG!!

    First flag: allow an external analyst firm to test the security.
    magallanes
  • RE: 75% of online banking sites found vulnerable to security design flaws

    this is bullshit.
    touchs
  • RE: 75% of online banking sites found vulnerable to security design flaws

    Boy is that true! I have been fighting with my bank (one of the largest in the country) over their archaic password rules (like only using alphanumerics - no symbols)! I could go on with their breaking security rules when it comes to soliciting customers over the phone to renew loans and asking for personal ID information. What is with these "trusted" institutions?
    jpd43201
  • 75% of bank web sites ....

    All I have to add is:

    [b]Publish the list!!!!!![/b]

    And security conscious users can take it from there.
    fatman65535
  • Man in the Middle

    Your *understanding* is flawed.

    If the login page is not secured, it can be replaced by a Man in the Middle. The insecure login form can be replaced with one that posts to a phishing site, and the user would only know if he inspects the source of the page and checks the form action.

    A secure login form is always what the bank serves you.

    People like you are why security is so broken. Partial knowledge is a dangerous thing.
    ZDNET_guest666