Study Finds Online Banking Insecure Due To Security Design Flaws

By Dee Chisamera
14:48, July 24th 2008

As the number of people carrying their daily business online grows, so does the risk of being exposed to less secure usage, due to design flaws in financial-related websites, a study conducted by the University of Michigan concluded after examining the websites of 214 U.S. financial institutions between November and December 2006.

According to a survey by Pew Internet, 42 percent of all Internet users bank online. Unfortunately, 76 percent of the websites analyzed were found to suffer from at least one design flaw, which appear not to be widely understood, even by experts responsible for web security, the study shows.

Out of the 214 websites surveyed, 30 percent of them were found to break the chain of trust, 47 percent of them presented a login page on an insecure page, 55 percent of them presented contact and other sensitive information on insecure pages, and 31 percent of them allowed e-mail addresses as user names. Only 24 percent of all websites were found to be completely free of any design flaws.

Based on the high occurrence of secure usability design flaws on financial websites, the authors believe that the experts in charge of these institutions do not test for them. This makes users vulnerable to social-engineering and offline attacks as a result of their information being displayed on an insecure page.

The study revealed that while most financial websites today take traditional steps to secure their websites, most of them remain inadequately protected against security usability design flaws, which can prevent users from making proper security decisions.

Atul Prakash, professor in the Department of Electrical Engineering and Computer Science and co-author of the study, pointed out that the design flaws discovered were not only widespread, but included some of the largest banks in the country. “Unfortunately, some banks sites make it hard for customers to make the right security decisions when doing online banking.”

According to a recent FDIC Technology Incident Report, computer intrusions contributed to a $16 million loss in the second quarter of 2007, also showing a 150 percent increase between the first and second quarter of the same year. In 80 percent of the cases, the intrusions occurred during online banking.