Banks' Web Sites Expose Users to Identity Theft

Three in four bank Web sites put online customers at risk for ID theft, study says.

The majority (76 percent) of bank Web sites have security flaws that expose customers' accounts to hackers, according to a recently released University of Michigan study. While the study identifies the flaws as "serious," Dr. Atul Prakash, a professor in the university's school of computer science and engineering and lead author of the study, says the problems arise from "basic things," for example, failing to secure the customer log-in page or forwarding customers to a page they can't readily confirm as secure.
As a result of these types of design flaws, according to Prakash, bank customers can be hijacked while they are in transit between secure and nonsecure pages. A fraudster might come between the bank and its customers in cyberspace, he explains, and redirect them to the hacker's page, where they unwittingly may reveal sensitive information, such as account numbers and log-in details.
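The two basics named above, a log-in page that is not itself served over HTTPS and a log-in form that sends credentials somewhere the customer cannot readily confirm, can be checked mechanically. The following self-diagnostic is an added example, not code from the University of Michigan study; it parses a fetched page offline with the standard library and flags those conditions. The page URL, host names and HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    """Records each <form> action and whether the form contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []      # entries are [action, has_password_field]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_page(page_url, html):
    """Return a list of findings for the login forms on the page (empty if clean)."""
    page = urlsplit(page_url)
    scanner = _FormScanner()
    scanner.feed(html)
    login_forms = [action for action, has_pw in scanner.forms if has_pw]
    findings = []
    if login_forms and page.scheme != "https":
        findings.append("login page is not served over HTTPS")
    for action in login_forms:
        target = urlsplit(urljoin(page_url, action))
        if target.scheme != "https":
            findings.append("credentials posted over plain HTTP to " + target.geturl())
        elif target.hostname != page.hostname:
            findings.append("credentials posted to a different host: " + target.hostname)
    return findings

# Constructed sample: a plain-HTTP page whose login form posts to a plain-HTTP host.
SAMPLE_HTML = """<html><body>
<form action="http://login.example-bank.test/auth" method="post">
  <input type="text" name="user"> <input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    for finding in audit_login_page("http://www.example-bank.test/", SAMPLE_HTML):
        print("FLAW:", finding)
```

A form that posts to a different but HTTPS host is reported separately, since that is the "page they can't readily confirm" case rather than a plaintext one.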

The analysis of 214 financial institutions' Web sites, predominantly representing large banks, began in 2006. But while he was on the phone with BS&T at the end of July, Prakash did a quick test of some of the top 10 U.S. banks' sites and found they still exhibited the flaws unearthed in the study. Prakash notes that the top U.K. banks' sites are just as vulnerable.

He points out, however, that if a bank has other security measures in place, such as procedures to authenticate the user's computer, a few of the flaws may not be sufficient to expose customers to identity theft. But if the bank's site exhibits all five of the identified security flaws (see chart, below), then, Houston, we have a problem. (Just 10 percent of the sites studied exhibited all five flaws, while 68 percent had two or more.)

"Banks are missing the woods for the trees," Prakash says. They may have lots of sophisticated security and yet overlook basics, such as securing the page where the customer logs in. "It's very strange," he comments.

To Jim Van Dyke, president and founder of Javelin Strategy & Research, the existence of these basic flaws is "crazy." But Van Dyke, whose Pleasanton, Calif.-based firm conducts an annual identity fraud survey within financial services, emphasized that as of press time he had not read the University of Michigan study.

His Javelin colleague, senior analyst Tom Wills, has read the study. He says it brings up "genuine issues" for which banks should vet their Web sites. But, he adds, "It's really, really important to look at an online banking system as a system, and the University of Michigan study really focused on just a few aspects."

According to Prakash, he and his team studied a random sample of bank sites presented by a search engine, a method likely to elicit large banks' sites. This might mean that the industry's problems are actually greater than the University of Michigan found since smaller banks are likely to have less sophisticated security than large ones, he suggests. On the other hand, some banks have improved their sites since first studied, especially when they were contacted by the researchers regarding oversights, Prakash adds.

Initially, the academics used their own algorithms to automatically identify security flaws, he explains. Then they manually checked those results, which, Prakash concedes, resulted in some discrepancies. Other aspects, such as password policies, couldn't be fully checked without being a bank customer, he adds.

Asked if he plans to become a security software vendor to the financial industry, Prakash says no. "We want to be constructive," he comments, noting that he is considering publishing the researchers' algorithms on a Web site to enable banks to self-diagnose their security flaws.

Online Security
View a live simulation of attacks on bank sites that exploit the vulnerabilities identified by the University of Michigan at Dr. Prakash's Web page.