Next time you order the latest bestseller from Amazon.com (AMZN), beware the unseen pitfalls of online purchasing. A recent study conducted by the University of Michigan reveals that design flaws may expose customers' identities to the Web's unseen yet ever-present danger: cyber thieves.
The study, undertaken in 2006 by Professor Atul Prakash in the department of Electrical Engineering and Computer Science, and doctoral students Laura Falk and Kevin Borders, found that 75% of 214 financial institutions' Web sites had at least one design flaw. Prakash embarked on the study without funding after noting flaws on his own banks' Web sites. He and Falk presented their research Friday, July 25 at the Symposium on Usable Privacy and Security at Carnegie Mellon University.
"We plan to go over our findings and to give recommendations to financial institutions," Prakash said Thursday. In their paper, Analyzing Web Sites for User-Visible Security Design Flaws, Prakash, Falk and Borders focus on five specific design flaws discovered during their manual inspections.
Breaking the chain of trust:
Banking sites failed to secure information when redirecting customers to third party sites outside the bank's domain for transactions. Thirty percent of the banks surveyed had an inadequate security context for informed decisions. "I would prefer if the entire site was one domain," says Prakash. "But if the site takes customers to a third party, it has to make sure that it's properly introduced."
Presenting secure login options on insecure pages:
Forty-seven percent of banks embedded sensitive forms on insecure Web pages, which allows hackers to either reroute data or create copies of the page. On a wireless network, hackers can capture that data without the bank URL in the user's browser ever changing. "If banks don't make other changes, they should at minimum use SSL for protecting the entire website," says Prakash. SSL (Secure Sockets Layer) protected pages begin with 'https' rather than 'http'. The majority of banks use SSL for some pages, but Prakash is adamant that they apply it to all content.
Contact information/security advice on insecure pages:
Fifty-five percent of sites did not secure “security-relevant” context. Hackers can alter information and imitate call centers. This issue can also be solved by applying SSL to content.
Inadequate policies for user IDs and passwords:
Twenty-eight percent of the sites surveyed allowed customers to use easily discoverable information like social security numbers and e-mail addresses as user IDs. This figure includes sites with either no policy about passwords or sites that allowed weak ones. The researchers cite the LaSalle Bank website and TIAA CREF, both of which default to a customer's social security number as their user ID. Sites like Fidelity stress the importance of changing a user ID to something confidential.
Insecurely e-mailing security sensitive information:
Thirty-one percent of the sites used e-mail data paths that were not reliably secure when they offered the option of e-mailing passwords and statements to customers.
To identify security flaws, the researchers recursively downloaded financial institutions' Web sites using a computer program called Wget and utilized scripts to find patterns on HTML pages. They discovered that the design flaws originated from the layout and flow of the Web sites.
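A minimal version of such a pattern scan, as an added example that is not the researchers' own scripts: it walks a set of downloaded pages (constructed inline here, with placeholder hostnames) and flags two of the five flaws, a password form served from or submitted to a plain-http URL, and a form that posts to a host outside the bank's own domain.

```python
# Added example, not the study's own scripts: pages is a dict of
# URL -> HTML (what a recursive download leaves behind), constructed here.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormCollector(HTMLParser):
    """Record each <form>: its action and whether it holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_flaws(pages, bank_domain):
    """Return (page_url, description) for each form that shows one of the flaws."""
    findings = []
    for url, html in pages.items():
        parser = FormCollector()
        parser.feed(html)
        for form in parser.forms:
            target = urlparse(urljoin(url, form["action"]))
            # Flaw: login form served from, or submitted to, a plain-http URL.
            if form["password"] and (urlparse(url).scheme != "https" or target.scheme != "https"):
                findings.append((url, "login form on insecure page"))
            # Flaw: form posts to a host outside the bank's own domain.
            host = target.hostname or ""
            if host != bank_domain and not host.endswith("." + bank_domain):
                findings.append((url, "form posts to third-party host " + host))
    return findings

# Constructed sample pages; hostnames are placeholders.
SAMPLE_PAGES = {
    "http://www.examplebank.test/": '<form action="/login"><input type="password" name="pw"></form>',
    "https://www.examplebank.test/contact": '<form action="https://billpay.vendor.test/pay"><input name="acct"></form>',
    "https://www.examplebank.test/secure": '<form action="/auth"><input type="password" name="pw"></form>',
}

if __name__ == "__main__":
    print(find_flaws(SAMPLE_PAGES, "examplebank.test"))
```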
These flaws may expose private information to hackers. A recent FDIC Technology Incident Report, based on suspicious activity reports filed quarterly by banks, mentions 536 cases of computer intrusion. The average amount lost in each incident was $30,000, for a total of $16 million lost in the second quarter of 2007.