August 20, 2008

The majority (76 percent) of bank Web sites have security flaws that expose customers' accounts to hackers, according to a recently released University of Michigan study. While the study identifies the flaws as "serious," Dr. Atul Prakash, a professor in the university's school of computer science and engineering and lead author of the study, says the problems arise from "basic things" for example, failing to secure the customer log-in page or forwarding customers to a page they can't readily confirm as secure.
As a result of these types of design flaws, according to Prakash, bank customers can be hijacked while they are in transit between secure and nonsecure pages. A fraudster might come between the bank and its customers in cyberspace, he explains, and redirect them to the hacker's page, where they unwittingly may reveal sensitive information, such as account numbers and log-in details.

The analysis of 214 financial institutions' Web sites predominantly representing large banks began in 2006. But while he was on the phone with BS&T at the end of July, Prakash did a quick test of some of the top 10 U.S. banks' sites and found they still exhibited the flaws unearthed in the study. Prakash notes that the top U.K. banks' sites are just as vulnerable.

He points out, however, that if a bank has other security measures in place, such as procedures to authenticate the user's computer, a few of the flaws may not be sufficient to expose customers to identity theft. But if the bank's site exhibits all five of the identified security flaws (see chart, below), then, Houston, we have a problem. (Just 10 percent of the sites studied exhibited all five flaws, while 68 percent had two or more.)

"Banks are missing the woods for the trees," Prakash says. They may have lots of sophisticated security and yet overlook basics, such as securing the page where the customer logs in. "It's very strange," he comments.

To Jim Van Dyke, president and founder of Javelin Strategy & Research, the existence of these basic flaws is "crazy." But Van Dyke, whose Pleasanton, Calif.-based firm conducts an annual identity fraud survey within financial services, emphasized that as of press time he had not read the University of Michigan study.

His Javelin colleague, senior analyst Tom Wills, has read the study. He says it brings up "genuine issues" for which banks should vet their Web sites. But, he adds, "It's really, really important to look at an online banking system as a system, and the University of Michigan study really focused on just a few aspects."

According to Prakash, he and his team studied a random sample of bank sites presented by a search engine, a method likely to elicit large banks' sites. This might mean that the industry's problems are actually greater than the University of Michigan found since smaller banks are likely to have less sophisticated security than large ones, he suggests. On the other hand, some banks have improved their sites since first studied, especially when they were contacted by the researchers regarding oversights, Prakash adds.

Initially, the academics used their own algorithms to automatically identify security flaws, he explains. Then they manually checked those results, which, Prakash concedes, resulted in some discrepancies. Other aspects, such as password polices, couldn't be fully checked without being a bank customer, he adds.

Asked if he plans to become a security software vendor to the financial industry, Prakash says no. "We want to be constructive," he comments, noting that he is considering publishing the researchers' algorithms on a Web site to enable banks to self-diagnose their security flaws.

Online Security
View a live simulation of attacks on bank sites that exploit the vulnerabilities identified by the University of Michigan at Dr. Prakash's Web page.

ABOUT THE AUTHOR