In a paper entitled "Analyzing Web sites for user-visible security design flaws" to be published at the Symposium on Usable Privacy and Security meeting at Carnegie Mellon University July 25, Atul Prakash and two of his doctoral students examined 214 financial institutions in 2006, finding that over 75% of all the sites have at least one security design flaw :
"These design flaws aren't bugs that can be fixed with a patch. They stem from the flow and the layout of these Web sites, according to the study. The flaws include placing log-in boxes and contact information on insecure web pages as well as failing to keep users on the site they initially visited. Prakash said some banks may have taken steps to resolve these problems since this data was gathered, but overall he still sees much need for improvement.
"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," Prakash said. "Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."
What are the security design flaws they found, and how easy are they to exploit on a large scale compared to web application vulnerabilities within the banking sites, or even indirect attacks against the banks by attacking the weakest link in the process, the malware infected customer in this case?
They seem to have found what they were looking for in general, flaws like the following :
- Placing secure login boxes on insecure pages
- Putting contact information and security advice on insecure pages
- Having a breach in the chain of trust: When the bank redirects customers to a site outside the bank's domain for certain transactions without warning
- Allowing inadequate user IDs and passwords: Researchers looked for sites that use social security numbers or e-mail addresses as user ids
- E-mailing security-sensitive information insecurely
Perhaps two of the key findings are the lack of SSL sessions at thought to be "secure login boxes" found at 47% of banks, and even more disturbing the fact that certain banks would use a customer's social security number as a user ID. It would be interesting to see who's who in all of these insecure practices once the research gets published online later this week.
In every day's reality through, when cyber criminals aren't capable of exploiting web application vulnerabilities within the Ebanking sites that would assist them in their phishing attempts, what they would do in order to cause the speculated losses of billions of dollars, is attack the customer whose once malware infected computer is no longer to be trusted for any type of transactions, no matter of the type of security measure used.