The study looked at 214 financial institution websites and focused on both design flaws and improper security practices. None of these flaws represent catastrophic security issues, but many could allow for easier access to your password and user name should a malicious hacker come calling.
The flaws studied included the following:
Insecure Login System
Nearly half of the banks examined had "secure" login systems on insecure web pages which did not use the SSL protocol. Failure to use SSL, the study says, allows for the possibility of an attack that would allow for the interception of login details if a user was accessing the site wirelessly, called a "man in the middle" attack. The study notes that most banks secure the internal portions of their site, but many leave the login page unsecured.
Putting Contact Info on an Insecure Page
The biggest flaw of the bunch (55 percent failing the test): A similar attack to the above could simply let a hacker change the phone number listed on the contact info page, redirecting customers to a phony call center ready to snap up their user name and password.
Redirecting Outside the Bank Without Warning
When users are directed to third party services (like, say, bill payment sites), the bank doesn't warn them of the change. A user may not know if what he's seeing is trustworthy or not.
Using Social Security Numbers or Email Addresses as User IDs
These are simple things to guess or find out, especially email addresses. Banks should allow users to create a custom user name, as well as have a policy on weak passwords, but 28 percent of banks tested did not.
Emailing Secure Information Insecurely
Things like password resets and financial statements should be sent securely: Passwords, for example, should never be sent as plain text, yet 31 percent of banks failed this test.
The full study (10 pages, PDF link) can be reviewed here. Specific sites failing the various tests were not revealed. Also note that the study was performed back in 2006 (the results are only being published now), so things may have improved since the original analysis.
No comments:
Post a Comment