
    Banks’ Sites Remain Woefully Vulnerable

    By Matthew Hines - July 23, 2008

      A report published by researchers at the University of Michigan finds that a vast majority of online banking sites are open to some form of exploitation and subsequent data or asset theft.

      According to the report, issued by Wolverine researcher Atul Prakash, a professor in U.M.’s Department of Electrical Engineering and Computer Science, together with two doctoral students, Laura Falk and Kevin Borders, roughly 75 percent of the more than 200 banking and financial services sites the team tested for potential weaknesses had at least one feature that could be attacked by cyber-criminals.

      The researchers will present their findings later this week at the Symposium on Usable Privacy and Security July 23 to July 25 at Carnegie Mellon University.

      And the site flaws involved are not simple bugs that could be easily patched, the researchers contended. In fact, most of the vulnerabilities actually “stem from the flow and layout of these Web sites,” according to the study, which was officially dubbed “Analyzing Web Sites for User-Visible Security Design Flaws.”

      The problems identified in the project include the placing of authentication controls and contact information on insecure pages, as well as issues related to failing to keep users on the same domains that they initially visit.

      In a summary posted on the U.M. Web site, Prakash said some of the involved banks may have taken steps to address the reported problems since the data was first gathered in 2006, but he believes that many of the issues still exist.

      “To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country,” Prakash said in the summary. “Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking.”

      The big-picture takeaway from the report is that these types of layout and design flaws are every bit as potent as code-borne vulnerabilities introduced during application development, as the issues “leave cracks in security that hackers could exploit to gain access to private information and accounts,” the researchers wrote.

      The researchers cited a recent FDIC Technology Incident Report, compiled from suspicious activity reports banks file with the agency each quarter, which listed some 536 cases of computer intrusion, with an average loss per incident of $30,000.

      Based on those figures, the total amount of related losses reached nearly $16 million during the second quarter of 2007 alone. The FDIC report also noted that computer intrusions continue to increase exponentially; for instance, the number of incidents jumped by 150 percent between Q1 and Q2 2007. In some 80 percent of the cases, the source of the intrusion was never identified, although the intrusion occurred during online banking activity, the FDIC reported.

      Among the types of flaws that Prakash and his team went looking for, and found in great abundance, were financial sites that:

      — Place secure log-in controls on insecure pages: Some 47 percent of the involved banks fell victim to this particular mistake, which could allow an attacker to reroute data entered into the fields to steal credentials, or conduct man-in-the-middle attacks.

      — Put contact information and security advice on insecure pages: With 55 percent of the sites researched guilty of this problem, it represented the most common flaw. An attacker could change an address or phone number and set up his own call center to gather private data from customers who need help, the report points out.

      — Redirect users to other sites: Around 30 percent of the sites studied fell prey to this issue, which makes it harder for users to distinguish between legitimate URLs and malicious redirections.

      — Allow inadequate user IDs and passwords: Some 28 percent of the sites tested had authentication systems considered by the researchers to be too easy to hack, primarily due to having no password stringency standards at all, or very limited rules. Password crackers delight!

      — Harbor insecure e-mail functions: Roughly 31 percent of the sites researched by the experts had issues related to this problem, which includes the option of e-mailing passwords or statements to users without sufficient security controls.

      And people look at me like I’m crazy when I tell them that I NEVER use online banking applications. EVER!

      Users beware.

      Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.
