Three-quarters of US bank sites insecure, says university

Banks need to start using SSL on all pages on their websites, researchers from the University of Michigan have argued

Seventy-five percent of American banking websites are not secure, researchers from the University of Michigan have claimed.

The researchers studied 214 banking websites in the US, and came to the conclusion that three-quarters of them had design flaws that could compromise customer security.

"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," stated Atul Prakash, a professor in the university's Department of Electrical Engineering and Computer Science. "Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

One of the design flaws, which researchers found on 47 percent of sites, was placing secure login boxes on insecure pages.

Prakash stated that a hacker could perform a man-in-the-middle attack and reroute data entered in the boxes, or create a spoof copy of the page, to harvest information. If the customer were using a wireless connection, it would be possible to conduct this attack without changing the bank URL for the user, so even a vigilant customer could fall victim, said Prakash.

To solve this problem, banks should use the Secure Sockets Layer (SSL) protocol on all pages that ask for sensitive information, said the researcher.
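A site owner can check their own pages for this flaw by looking for forms that contain a password field and comparing the scheme of the page with the scheme of the form's submit URL. The sketch below is an added example, not code from the study; the names LoginFormFinder and audit_login_forms and the bank.example page are hypothetical and constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormFinder(HTMLParser):
    """Collect the action of every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self._action = None  # None while outside any <form>
        self._has_password = False
        self.login_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action, self._has_password = attrs.get("action") or "", False
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if self._action is not None:
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.login_actions.append(self._action)
            self._action = None

def audit_login_forms(page_url, html):
    """Return (finding, submit_url) for each login form exposed in transit."""
    finder = LoginFormFinder()
    finder.feed(html)
    finder.close()
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action in finder.login_actions:
        target = urljoin(page_url, action)  # empty action posts back to the page
        if urlsplit(target).scheme != "https":
            findings.append(("insecure-submit", target))
        elif not page_is_https:
            # The flaw reported in the study: HTTPS submit, form delivered over HTTP
            findings.append(("secure-form-on-insecure-page", target))
    return findings

# Constructed sample page, not taken from any real bank site
SAMPLE = """<form action="https://secure.bank.example/login" method="post">
<input type="text" name="user"><input type="password" name="pin"></form>
<form action="/search"><input type="text" name="q"></form>"""

if __name__ == "__main__":
    print(audit_login_forms("http://www.bank.example/", SAMPLE))
    print(audit_login_forms("https://www.bank.example/", SAMPLE))
```

The same sample form is flagged when the page is fetched over HTTP and passes when the page itself is served over HTTPS, which is the change the researchers ask for.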

One common design flaw was putting contact information and security advice on insecure pages. Fifty-five percent of the banks studied did this. Here the danger lies in an attacker changing an address or phone number and setting up their own call centre to gather private data from customers. Again, this issue could be addressed by securing these pages with the standard SSL protocol, said Prakash.

Another design flaw was emailing security-sensitive information insecurely. Although the email chain is not secure, thirty-one percent of bank websites offered to email passwords or statements. Emailing a password, a link or a statement isn't a good idea, Prakash said.

These design issues could potentially be exacerbated by Kaminsky's DNS flaw, Prakash wrote in a blog post on Thursday.

"Vulnerabilities such as this [DNS flaw] could theoretically allow even remote attackers to misdirect customers to spoofed pages of their banks, especially if banks do not rely on SSL for all their content," wrote Prakash. "I would urge all banks to switch entirely to SSL for all the content as soon as possible."

Prakash conducted the study in 2006 with two researchers, doctoral students Laura Falk and Kevin Borders. A spokesperson for the university said that the study was being presented on 25 July, 2008 after going through a peer-review process. The spokesperson said that Prakash had been doing spot checks on the banking websites since the study, and that "nothing much had changed" in the websites in two years.