Most Banking Websites Contain Design Flaws

A study by the University of Michigan shows that over 75% of banking Websites contain design faults that could put bank customers at risk of identity theft, phishing or financial loss.

According to Atul Prakash, Professor of Computer Science and Electrical Engineering, these faults or security flaws could not be solved quickly with an ordinary upgrade or patch, as reported by TGDaily on July 23, 2008.

Prakash along with his doctoral students - Kevin Borders and Laura Falk - studied 214 financial organizations sites and discovered that the biggest problem was posting of security or contact information on poorly secured pages. According to Prakash, this could aid in phishing attacks via the posting of rogue numbers linking to scammers.

Moreover, these design faults arise from the layout and flow of the Websites. They include embedding of contact information and login boxes on weakly secured Web pages and also failing to retain users on those sites, which they first visited.

According to the study, 55% of the Websites surveyed suffered from this problem, while 47% embedded login boxes onto poorly secured pages. As a result, an attacker could redirect data entered into the boxes, or create a hoax duplicate of the webpage to intercept information. Prakash is, therefore, suggesting that banks should utilize SSL protocol to make their Website login pages secured.

As per the study, when any of the bank reroutes customers to a different site outside of the bank site for carrying out certain transactions devoid of any warning, it means lack of a suitable circumstance for appropriate security decisions. Mr. Prakash discovered this problem in 30% of the financial institutions (banks) he surveyed. Very often, the appearance of the Website changes along with the URL and it becomes difficult for the end-user to determine whether to rely on the new Website or not.

Further, according to Mr. Prakash, the path of the e-mail traffic is usually not secured. He added that 31% of the banking sites had this security problem. These banks proposed to e-mail statements or passwords, as reported by economictimes on July 24, 2008.

Related article: Most malware Use File Packing To Escape Detection

» SPAMfighter News - 8/2/2008