Security Errors Plague Online Banking

Author:  Brittany Raffa
Date:  August 2008

A University of Michigan study demonstrates the dangers involved with online banking. The study concluded that more than 75 percent of the 214 bank websites investigated in 2006 had at least one design flaw that increases customers' susceptibility to cyber theft. Carnegie Mellon University will host a presentation of the findings on July 25.

Professor Atul Prakash of the University of Michigan's Department of Electrical Engineering and Computer Science and graduate students Laura Falk and Kevin Borders conducted the study. Prakash began inquiring into the security of online banking websites after spotting flaws on his own banks' websites.

The errors they found were not mere bugs that could be routinely corrected. Rather, the study attributes the flaws to the way the websites were designed. Prakash commented, "To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country. Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

The finding illuminates how hackers gain access to online accounts. The FDIC (Federal Deposit Insurance Corporation) states that computer hacking continues to be a growing problem for banks. An FDIC Technology Incident Report lists 536 cases of computer intrusion in the second quarter of 2007, with an average loss of $30,000 per case and a total loss of $16 million. Computer intrusions rose 150 percent from the first quarter of 2007 to the second, and 80 percent of the intrusions occurred during online banking.

Below is the list of design flaws that Prakash and his students checked for on each bank website:

1) Putting secure login boxes on insecure pages: 47 percent of banks did this. If the page that contains the login box is delivered over plain HTTP, an attacker who can intercept the traffic can alter the page to reroute whatever is typed into the boxes, or serve a fake copy of the page to gather credentials, and the customer has no way to tell the difference. Banks should instead use the standard Secure Sockets Layer (SSL) protocol for the page that carries the login box, not only for the submission, and for every page that requires private information.

2) Placing contact information and security advice on insecure pages: This was the most common flaw, with 55 percent of banks doing it. By simply changing an address or phone number on the unprotected page, an attacker can direct customers who need help to his or her own call center and gather private information from them. The remedy is the same: serve these pages over SSL.

3) Having a break in the chain of trust: Found on 30 percent of bank sites. When customers are redirected to a site outside the bank's domain, the appearance of the site usually changes and the customer cannot be certain whether to trust the new site. Prakash says the solution is either for the bank to notify customers that they are leaving the bank's site for a secure one operated on its behalf, or for the bank to keep all of its pages on one server.

4) Allowing inadequate user IDs and passwords: 28 percent of sites had this flaw. Inadequate IDs include Social Security numbers and e-mail addresses, which are simple for a hacker to guess or discover. Sites that had no password policy at all were also counted as inadequate.

5) E-mailing security-sensitive information insecurely: 31 percent of bank sites had this error. Sending data such as passwords and statements by e-mail is insecure, because ordinary e-mail travels unencrypted and the recipient's mailbox is outside the bank's control.
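Two of the flaws above, the login box on an insecure page (1) and the break in the chain of trust (3), can be checked from a page's URL and HTML alone. The script below is an added example of such a check; it is not the tool the University of Michigan team used, whose method the article does not describe. The bank domain examplebank.test, the third-party host billpay.thirdparty-example.test, and both sample pages are constructed for illustration, and the "same bank" test assumes the bank controls everything under its registered domain.

```python
"""Static checks for flaw 1 (login box on an insecure page) and flaw 3 (a
break in the chain of trust) from a page URL plus its HTML. Added example,
not the study's own checker; host names and pages are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PageCollector(HTMLParser):
    """Collect every form (its action and whether it holds a password field)
    and every <a href> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []        # {"action": str, "has_password": bool}
        self.links = []        # raw href values
        self._form = None      # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def same_domain(host, bank_domain):
    """True if host is bank_domain or a subdomain of it (assumption: the bank
    controls everything under bank_domain)."""
    host = (host or "").lower()
    return host == bank_domain or host.endswith("." + bank_domain)


def audit_page(page_url, html, bank_domain):
    """Return a list of (flaw_number, description) findings for one page."""
    findings = []
    page = urlsplit(page_url)
    p = _PageCollector()
    p.feed(html)

    for form in p.forms:
        if not form["has_password"]:
            continue            # only login forms matter for flaw 1
        action = urlsplit(urljoin(page_url, form["action"]))
        # Flaw 1: the page carrying the login box must itself be https. An
        # https action on an http page is not enough, because whoever can
        # alter the http page can also alter the action.
        if page.scheme != "https":
            findings.append((1, "login box served over %s: %s" % (page.scheme, page_url)))
        if action.scheme != "https":
            findings.append((1, "login box submits over %s: %s" % (action.scheme, action.geturl())))
        if not same_domain(action.hostname, bank_domain):
            findings.append((3, "login box submits outside bank domain: %s" % action.hostname))

    # Flaw 3: links that take the customer off the bank's domain. A static
    # check cannot tell whether the site warns the customer first, so these
    # are flagged for review rather than declared broken.
    for href in p.links:
        target = urlsplit(urljoin(page_url, href))
        if target.scheme in ("http", "https") and not same_domain(target.hostname, bank_domain):
            findings.append((3, "link leaves bank domain: %s" % target.geturl()))
    return findings


# Constructed sample: a home page served over plain http with the login box
# embedded in it (flaw 1), plus a bill-pay link to a third party (flaw 3).
HOME_PAGE_HTTP = """<html><body>
<form action="https://secure.examplebank.test/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<a href="https://www.examplebank.test/about">About us</a>
<a href="https://billpay.thirdparty-example.test/start">Pay bills</a>
</body></html>"""

# Constructed sample: the same bank done right, everything on one https host.
HOME_PAGE_HTTPS = """<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<a href="/contact">Contact us</a>
</body></html>"""


def audit_insecure_sample():
    return audit_page("http://www.examplebank.test/", HOME_PAGE_HTTP, "examplebank.test")


def audit_secure_sample():
    return audit_page("https://www.examplebank.test/", HOME_PAGE_HTTPS, "examplebank.test")


if __name__ == "__main__":
    for flaw, text in audit_insecure_sample():
        print("flaw %d: %s" % (flaw, text))
    print("secure sample findings:", audit_secure_sample())
```

Run against the first sample, the checker reports one flaw-1 finding (the login box sits on an http page even though it submits to https) and one flaw-3 finding (the bill-pay link leaves the bank's domain); the second sample produces no findings. A real survey would also fetch each page and follow the bill-pay link to see whether a warning appears, which this offline check deliberately leaves to a human reviewer.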

Prakash said that some of the banks in the study have since begun to address these problems. Nonetheless, he stated that much remains to be done.

Written by Brittany Raffa

Reviewed by Falishia Sloan

Published by Pooja Ghatalia.