Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Financial Site Security Research Weak On Methodology and Timeliness



 By: Larry Seltzer
2008-07-27
Article Rating:starstarstarstarstar / 1


There are 3 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The tests used in a paper reported on last week were questionable back in 2006 when the data was collected. Today they are merely interesting, but not all that illustrative of reality.

A study by researchers at the University of Michigan finds that more than 75% of bank web sites had at least one design flaw that could allow attackers to compromise users accounts or their identities. Unfortunately, the data was collected in November and December of 2006. The research was presented in a paper last week at the Symposium On Usable Privacy and Security at Carnegie Mellon.

Some of the problems they report on, such as login forms on non-https pages, have been addressed by many banks since then. I wrote about that specific problem at the time (that blog is no longer online), noting that many large banks had their home pages, and login forms on them, on insecure web pages for performance purposes. Now this is comparatively rare, although chase.com still does it; in fact, even if you specify https for your Chase URL, you are redirected back to the http page. But many banks, such as Bank of America, which used to use insecure pages, now not only use https pages, but have added Extended Validation SSL certificates so that you get the added feedback of the green address bar. Things have changed a lot since 2006.

The research also complains about bank sites where the Contact Us and Security Information pages are on non-https pages. This is more common now than the login problem, but how serious is it really? The notion is that attackers could put in a fake phone number and set up their own fake call center, but it's not clear how they would get the user to visit that page; they could just set up a phishing site on any other domain and put up whatever pages they wish. It's not the same as with a login page, where an attacker could conceivably sniff unencrypted sensitive data off the network.

Resource Library:

Another problem in the list was where the bank redirects users to a different domain for some portion of a transaction, which occurred on 30% of banks. This is indeed a bad idea, but I suspect it has diminished over time, especially as banks have adopted EV-SSL certificates, which can only be credible if they are present for the entire transaction. The researchers provide one example both in the text of their paper and in screen shots, of TCF Bank, which has this problem. I can confirm that their description of it is largely still accurate. This bank's use of SSL is clearly inadequate.

28% of bank sites allowed users to specify inadequate usernames and passwords. They specifically looked for banks that allowed social security numbers or e-mail addresses as usernames, as well as those that allowed weak passwords or had no policy on passwords. Weak passwords are certainly a problem, although they provide no numbers on how many banks allowed them. Using a social security number as a username sounds like a very bad idea indeed, but I can't imagine why an e-mail address would be a bad username. If it's just that the userid can be guessed, so what? It's the password strength that matters. And even when weak passwords are allowed, as the researchers themselves point out, the problem can be mitigated by locking out the account after some number of failed logins. They did not look for this capability in their research.

Finally, the research talks about sensitive information e-mailed to users, specifically e-mailing passwords and bank statements. E-mailing actual passwords is certainly a serious problem, but statements are not so clearly a problem. As the paper itself says, a bank might offer to e-mail the actual statement, a notification that a statement was available on the web site, or a link to that statement online. The researchers don't know which these banks offered, and some are not a problem at all, but the offer of any of them is a bad sign for the research. The methodology for this item is the weakest of the 5 and the least defensible in the paper.

The researchers chose these flaws because they were able to develop automated tests for them. There are, perhaps, more important issues for banks to be working on, but the researchers did not test them because they could not automate those tests.

I also have a problem with the way the research tends to combine two problems into a single result number. In many cases I would argue one of the problems is a serious one and the other is not, but they don't break down the results based on the individual problems, so it's hard to know how much concern one should have for that problem.

There is useful information in this study and most, if not all of the vulnerabilities are worthy of concern. But at this point in time you can't take their results numbers seriously. Such research needs to be more timely.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack

 



  Reader Comments: Financial Site Security Research Weak On Methodology and Timeliness
>>> Post your comment now!
Chase Login
Thanks AR, that's helpful.
Posted At: 07-29-08
By: Larry Seltzer
Chase.com using non-SSL site for login and password
There is a way around the problem with chase using non SSL site for login. use the URL https://chaseonline.chase.com. that will take you directly...
Posted At: 07-29-08
By: Anonymous
Financial Site Security
Hi, I'm Larry Seltzer. Do you have confidence in the financial web sites you use?
Posted At: 07-27-08
By: Larry Seltzer
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


xr80VӮc*dK.kʶ<<ձ $)RCRtsb_bq3 %ٮjrwA$D"H@goOD]ݴ1p͹M5>59|@D Ɠ5Y1=/[S}L}F7\3Ѣeb پIGs!%2{8K;;$?+B]2HMG# $+C7ܩx8ս/DeO‡*F<w7w2`q|!k`Tl m׸ڮb'UƞͰ [ az.91rzн[@M*6 L=iTVE;&3ýtf?;9z u v=r@J53ҧ =K;O=k\w=jP?B1 ~nr  + NַRߙ0QT&*rp4M2A 1q,{/B oVs+ZVH+(.##-byOa`%pfQUri[򳹥}o__]wzmo_wڧ>ߙekfy3?b Jw3B~ V7ke{#kj{ _ܹGtHM Wh:w Noz O|muHz>5401\]Z-$5VM&Ժt|9!9Io 'ȿ;Be}#7R(y30si2)>ML9X@/@ש#W4j5{0-Mn #dLi&ϭzh-Aho*KLru&@Sk~$M ]5ņ])!exFSۤ%/PJB-)\Dh+ԌW7$ٛ"G;ž+\R@1Al8{Ø*^뻹(4l.k\֛esJVt];3Eя0-*<7Nv.~hzm+>cq4Y`A-. 8ǹ:zSt*Zl:7V)Q**5U9-b(7ZdL,5,ϘR7HA^gtA`::)~ѧ#|>5և$!|Бdmxq=Z.3+ЍEXn`Nt&ha㻣^h>[W <{ C 0ԟsZ LP#wC۠h&r=kIׇ.[?? ; G`p]&; xk =`DVt#` V< 2/?>an@ }S(r`@=XS9nвc@Xl~teٜi8xs >`|=-0Xհݹ2|dң%}?p*JNCjVzqzoCp6+ s&rG|媞5 jx0?3\LdFfkM7*+)ܳP>Д +< +1!Y/tzS\ &99IAw ew貟Fi_f{+YW{#Uv/:At ]օVPKo@xC dX{K}kaԕ %/DA n:bXG6X}iМ^fdTR4&tv:{j,j&M;|TM.R?>2ei[F6oՒh#Mb1vn g%A qsGIݔ6 [IF|x |ꝸ3 kQDz3ODtZB_`֚ofrI)jL$P/#[յ ;rm۽Ϧ sq, bj\X<~ɯ©5j1|*j0&B$V(l^x}uxN`'\sW["LJ}#Nݡe-m*I-b]Pr)SLZ06AaeL䱯^t@FM@X G\d0!P\Q-W0.#_L_LU1(TOnʻhCz-X]>L,7,@УCkz]W9,#߬'hh<]HjP6C+jrTT+ qvX%ZA~~Ļ8 iF @rFg}qs`~62Ms67`3|x+ߙ[aeƘ]H`7\ +RUw5 Ř)2)N<:arUTՑn vOGA.Ca&:`BTnЬ 0ԴgKiM twPJ v|~KZhE[dEκԲ'**5P6>*0GnG=W֌H+ c5}u:*ZWӪXY :څHi3 9 ~gH5ysV9y]%fZ+a1,*=:Y6AYdgEU)XW<N~7-="JL7Ϧ<sƃ~w"y@*FZuG "BN7x^oxP@<ৣjZ) ƗɘBÜb+>A֌M:+l]?`̧vѯJU05u 2 \zďuv>[@d􁯌C-s# dK3sK]7a Z_l6a%|N:@"WAұg.s_wf=]~oLg4>ʀkG2gdQhVz\ 4ex.N3 a6}b;_&*|)2SG)EXqkX #=O f+(U|dy5&QrMuE l&ŏh(UrvݏC>QjQIպi2RBE-) BoED\v[-& veN6qa?ͥg7gkX?"B5) 0u%hzGSYqza\/Cn/$h ^1Mat53yp0͎s-$NM6fĺ}a}`MٸU V|eZU ՂVE'u0|aߋ uRԣ{{k7}ófA"7S[UtsUIfT.jZb[)Uʹ>"i!`X>bxEOp?l]Z.+BvQ ^`| @-a'd1s<6ɷonjC?: +~7?l)ɡXXD>DQkF\{e"nkB6/ȟ-1{O=J _BQ`nо(&wmOI@ NEw%]7V4}ڽK͋C;o F$ wsѼй_>w)#r޹lK^+Q\M# R?!hSHv:<fShmǛ&aV5!xidL Z_ƥ{j_sfꅰjZ ^k5W&'27e8ZFp6[Qy~¯nU2k~  I+U:=<   c@JA=VohuzW/i{mE-bT1 _RJMQ=#ijV{L$)*9Q{_a(עo1Mr!}J_cN߯Ͳi<"]{pУXJqkV3a~wbSPӃ_ۜr;0y!D(o lE馺7db&u"N M5W"Jv-{t#1ðaTwd* e~=m2결tC%<2OтN)tJȓ3I8 z>RB'T5˓$/IYO)Eqjhd꒐~~(h&'ءXҡ۳]5/'8{Hp.+Psa綱<sF[ٿuoue's C7+'i{޽s¾"CWq :+`*9$XhHn e_~EVe.tٓ^t*<>rg ,F}d3DoӼ4hAhl3O7nC]`l_s15?_gpKw /w}>+-R!EkEwWd/.)%E u OKt1ڮ/=اHkYXxlS֛12~O O=pԶىǎ&X r4hg azc{ƹ39adOB%F[euw+[S'gSc;/HF#%gOSϱ6mG @|Ր;as*|b \<e Wo[1΢$g IVNLRG?sk2c-D󑭏R ZJX/t8[3zc ᡗ07^"R(w5?:y sKb.Z=m ^"r w L\W&r<~uRl1sdrN Hb 5`n.ufWԗ:׽x$BŰ9,HXEIx/ΤdDS2ea"Fv|o@TʒR`Mf`X BQԓZtHL"#z 964ԚR`* >,R ny؝k5IU%-^Ψns ~;q^t 4r=鬃wIM# 5PeG:Giu<vʡʜkEG/nWWWW~Uj/W˻WYVVޣԅUonmaU]*XN7``#1<O)ୟoamjm$Q{UO%gVd! J7:,qKe&M(}!fم#. Sc3lU\Hc-< e;Բ|0Brԣ(Iq-g+P٢$: aA%KjA<6ߒՊ_502ias,wEH49(ڼc+| ˑOjJ'r+w.$Ku_mo56S)>Y1>]Q:K;&cHЮ@BSB<)`?ce|zӏ..qvwsY7 hoƲkkHa.Toֱ p}urrX^^ xu҃Vk4r]L'ş-w m=(Ρ)l3wrk")^WB/|͕{[dp=w{1{|ޘ/D%f yASksX36.{{m+hG P|F0-_s(R=| {E[_[ˮ=:uRVY,{CˬeObp,gD˺ٌ z( ʬk$I3Ʊ'}_8cET2̭,>dn6jp@dшp<I|`u1App E ~3V7.K{~i[ qWju`2Lm/Nړ䭞iİO:ث^4bd@/j s}L{@ aL:XTlCҸl`"tq"o,*kʁV=P,bBY+ Zk`csܴ5̈ xc; \7z^CnMK;7^'6]4_q=!o7;G'ՉH˚ mݹ]W<5&1d~юMUbtm-R^@yj }FsgyG?bu{ι\`{XT_WlfmmIU+ ַg%.04%n'#9ݱLn2rތ/HkW"Yc6ފj`)}Tbt4dVObD )m3Fw1u]|_!Ƅw)<1W<00t+P̲jNT]OpY=XCE3 L _\}­BA*o[ɺexx#퀯J"$r[-e)!ut Mx3 )<]Сr@JoIg4، Pm̼ϴ@GBSx&}Gd.$qUn5D; roEVIz# ,Ő?ZEDW# ,j,F윓M﷯{a/'nB}m!y;򦺸:ّv BVaR 9asH ](Lqwn0~wڰסu/ OScP9Ĝ#MIQo|)5\faH9p=SA-I0Șh MQ VHxDɹcMNVBE< ,iM YC) Q?\pbZŘ!' 19l$k 1u z9 +&(?-p E {GLƙ;fQ7t_$R } (bU T- !Lz)%nmn$|s ^t6,,2E<ezX<> 2鐚xtdj,ywF7`C'[E9Y|ob{LgA~R\b@Ԑ0(V$Ѕ:y,@#!9ωk1ka]?X/#}|AaP8Z  +z+U'I]U@)9CȮ KDU8®|.O_Y,f/c/[iBR. ?$-GF쌆d2`fڟ#4ο5iv>N;WNϻ7x Zѷptԝsm}9^}9\;\³;|jkyl2/*˙͓Q9l^28SΘksY+rK xU< /%Lqx&-O|?@)v}Y Q:ׇ|eczj]{=-Z[[Ae_L%֌fy'ύ@ЦoJc>sN{0t𞫫i@Lw<-cENj9.~QJxdB$h{U26#{":ޱQU#|,y|e8Ntw<1 }^f1.? vt{rUtKn \y%>| #r75inŭhg?>/ydֺ+_F+p'k͠~%k"N^d6yc)bi3Q*K_5ýEYR780׀zC`d%Q< /s9MX>&\ʠaCoj/XbKZ;c`\';=2gjy }by0\9Khw^_y-تGШscw`zO~2RV@LЫȅ>K&Dr&ߢ)tO U/AD[eTq1Qk`V{er-#6O,5U,%OB;\$ǖ~}I_\#u{^x/ C4|ˉKܻ-,0GW1i!LH7704t^W'' U?ȎZz`L,iv3Fdu#aq1ldf~y.`W8ͺ O>tl8=;t؆"dnܙ%O_g'4WB&Um&~݇Є2\RX9VF \1S&ҵ=8~屛Ikv U1^{#E3dư4q9P%)^xjA߭ed#əW B| ,*- O*_צn뭻.+0ͬ/RLfoU&1b9?vqo!Z^y|Xoeֳx;6Yұ ߞR TDO"Ntx9m$KY[zQڗE@1agG;fWҎ_[;@B&!#R.ܐOF{_Saniy>ಁe":}`S s"gT ԑC؝vSC@_v܅eNUhJl;:d2- 3& Mbz:SAW (9|x@NlM-2:DWݞ햏 Xo} 8lO.d6C|eKoz 9@/7A{J B ϱɮx*3@FWD0;"i}.KE%&(Xp\'AΙj3;> `2\XGx kf)+o[wt%(odVw@8l6ږ?Y vBc/ʕbA,\n2?>Şi#2|@ =(ۉnfTt %K@44{W 78ǩk[Vmx~{ݾŀg kO.XU\M)X7lB+`jk7 uywDL\7xaW_0,XBL 52lt* X>!ˣŬ"D0Ȯ'Z:tsh{h۟sTHهl*~&$l{+нT~xFK-^8Q> χ"@LNENE<<Sf}')E|S