Web banking security flaws 'widespread'

Three-quarters of banking sites may have at least one design flaw

Research by the University of Michigan has found that 75 per cent of online banking sites have at least one design flaw that leaves customers exposed to cyber-crime.

The study, conducted by Professor Atul Prakash from the Department of Electrical Engineering and Computer Science, and doctoral students Laura Falk and Kevin Borders, examined the websites of 214 financial institutions in 2006.

The report found that the design flaws causing the problems were not bugs that can be fixed with a patch.

"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," said Professor Prakash.

"Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

Design flaws uncovered in the study included:

• Placing secure login boxes on insecure pages
• Putting contact information and security advice on insecure pages
• Having a breach in the chain of trust, with customers redirected to another site
• Allowing inadequate user IDs and passwords
• Emailing security-sensitive information insecurely

Professor Prakash acknowledged that some banks may have taken steps to resolve these problems since the data was gathered, but that overall there is still a lot of need for improvement.

He claimed that the flaws leave cracks in security that hackers could exploit to gain access to private information and accounts.

Geoff Sweeney, chief technology officer at Tier-3, said that the study confirms the case for behavioural analysis as a part of business IT security software.

"E-banking offers companies a high degree of convenience, but the risks for businesses are far greater than for consumers, as business balances held in bank accounts can easily run into four or five figures," he said.

"Some banks are reported to have reworked their sites as a result of the team notifying them of their problems, but I suspect that many will take time to change their portals."