A report published by researchers at the University of Michigan finds that a vast majority of online banking sites are open to some form of exploitation and subsequent data or asset theft.
According to the report, issued by Wolverine researcher Atul Prakash, a professor in U.M.’s Department of Electrical Engineering and Computer Science, and two doctoral students, Laura Falk and Kevin Borders, the experts tested over 200 banking and financial services sites for potential weaknesses, and roughly 75 percent of the URLs had at least one feature that could be attacked by cyber-criminals.
The researchers will present their findings later this week at the Symposium on Usable Privacy and Security, held July 23 to July 25 at Carnegie Mellon University.
And the site flaws involved are not simple bugs that could be easily patched, the researchers contended. In fact, most of the vulnerabilities actually “stem from the flow and layout of these Web sites,” according to the study, which was officially dubbed “Analyzing Web Sites for User-Visible Security Design Flaws.”
The problems identified in the project include the placing of authentication controls and contact information on insecure pages, as well as issues related to failing to keep users on the same domains that they initially visit.
In a summary posted on the U.M. Web site, Prakash said some of the involved banks may have taken steps to address the reported problems since the data was first gathered in 2006, but he believes that many of the issues still exist.
“To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country,” Prakash said in the summary. “Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking.”
The big-picture takeaway from the report is that these types of layout and design flaws are every bit as potent as code-borne vulnerabilities introduced during application development, as the issues “leave cracks in security that hackers could exploit to gain access to private information and accounts,” the researchers wrote.
The researchers cited a recent FDIC Technology Incident Report, compiled from suspicious activity reports banks file with the agency each quarter, which listed some 536 cases of computer intrusion, with an average loss per incident of $30,000.
Based on those figures, the total amount of related losses reached nearly $16 million during the second quarter of 2007 alone. The FDIC report also noted that computer intrusions continue to increase exponentially. For instance, the incidents jumped by 150 percent between Q1 and Q2 2007. In some 80 percent of the involved cases, the source of the intrusion was not discovered, but the intrusion occurred during online banking activities, the FDIC reported.
Among the types of flaws that Prakash and his team went looking for, and found in great abundance, were financial sites that:
— Place secure log-in controls on insecure pages: Some 47 percent of the involved banks fell victim to this particular mistake, which could allow an attacker to reroute data entered into the fields to steal credentials, or conduct man-in-the-middle attacks.
— Put contact information and security advice on insecure pages: With 55 percent of the sites researched guilty of this problem, it represented the most common flaw. An attacker could change an address or phone number and set up his own call center to gather private data from customers who need help, the report points out.
— Redirect users to other sites: Around 30 percent of the sites studied fell prey to this issue, which makes it harder for users to distinguish between legitimate URLs and malicious redirections.
— Allow inadequate user IDs and passwords: Some 28 percent of the sites tested had authentication systems considered by the researchers to be too easy to hack, primarily due to having no password stringency standards at all, or very limited rules. Password crackers delight!
— Harbor insecure e-mail functions: Roughly 31 percent of the sites researched by the experts had issues related to this problem, which includes the option of e-mailing passwords or statements to users without sufficient security controls.
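Three of the flaw categories above (log-in controls on insecure pages, contact information on insecure pages, and links that take users off the original domain) are visible in a page's own markup, so a site owner can check for them mechanically. The following is an added example, not the researchers' tooling: the `audit` function, its finding strings and the sample page are all constructed for illustration, and the off-domain check is a deliberate simplification that treats any other hostname as leaving the site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PHONE = re.compile(r"\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}")  # US-style numbers only

class PageAudit(HTMLParser):
    """Collects the user-visible features the flaw categories refer to."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.form_action = page_url, None
        self.login_targets, self.link_hosts, self.text = [], set(), []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # remember where the enclosing form submits
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.login_targets.append(self.form_action or self.page_url)
        elif tag == "a" and a.get("href"):
            host = urlparse(urljoin(self.page_url, a["href"])).hostname
            if host:
                self.link_hosts.add(host)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

    def handle_data(self, data):
        self.text.append(data)

def audit(page_url, html):
    p = PageAudit(page_url)
    p.feed(html)
    page = urlparse(page_url)
    insecure, findings = page.scheme != "https", []
    if p.login_targets and insecure:
        findings.append("login form on insecure page")
    if any(urlparse(t).scheme != "https" for t in p.login_targets):
        findings.append("credentials submitted over http")
    if insecure and PHONE.search(" ".join(p.text)):
        findings.append("contact information on insecure page")
    # Simplification: any hostname other than the page's own counts as leaving.
    off = sorted(h for h in p.link_hosts if h != page.hostname)
    if off:
        findings.append("links leave the original domain: " + ", ".join(off))
    return findings

# Constructed sample page, not taken from any real bank site.
SAMPLE = ('<form action="https://www.bank.example/login"><input type="password"></form>'
          '<p>Call 800-555-0100</p><a href="https://pay.partner.example/enroll">Bill pay</a>')
```

Served from `http://www.bank.example/`, the sample is flagged for the log-in form and the phone number even though the form posts to an HTTPS URL, because the page that carries them could be altered in transit before the user ever submits anything.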
And people look at me like I’m crazy when I tell them that I NEVER use online banking applications. EVER!
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.