Thu, 07/24/2008 - 19:47

Design flaws in bank websites making users vulnerable: study

Dharam Shourie, New York, Jul 24 (PTI) A majority of websites floated by banks have design-related flaws that could make customers vulnerable to cyber-theft, endangering their money or even their identities, a study has found.

A study led by an Indian American professor at the University of Michigan surveyed the websites of 214 financial institutions in 2006 and found that more than 75 percent of them had at least one design flaw that made customers vulnerable to cyber thieves.

These design flaws were not bugs that could be fixed with a patch, the authors said, but stemmed from the flow and layout of the websites.

The flaws include placing log-in boxes and contact information on insecure web pages, as well as failing to keep users on the site they initially visited.

Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science, who led the research along with doctoral students Laura Falk and Kevin Borders, said some banks may have taken steps to resolve the problems since the data was gathered, but there is still much room for improvement.

The findings will be presented for the first time at the Symposium on Usable Privacy and Security meeting at Carnegie Mellon University on Friday.

"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," Prakash said.

"Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

The flaws leave cracks in security that hackers could exploit to gain access to private information and accounts.

The Federal Deposit Insurance Corporation (F.D.I.C.) says computer intrusion, while relatively rare compared to financial crimes like mortgage fraud and check fraud, is a growing problem for banks and their customers.

A recent F.D.I.C. Technology Incident Report, compiled from suspicious activity reports filed by banks, listed 536 cases of computer intrusion, with an average loss per incident of USD 30,000. That added up to nearly USD 16 million in losses in the second quarter of 2007.

Computer intrusions increased by 150 percent between the first quarter of 2007 and the second. In 80 percent of the cases the source of the intrusion was unknown, but it occurred during online banking, the report stated.

The design flaws Prakash and his team looked for include placing secure login boxes on insecure pages. Because a page served over plain HTTP is neither encrypted nor authenticated, an attacker on the network path can rewrite the login form so that the data typed into it is sent elsewhere, or can serve a spoofed copy of the page to harvest credentials, even when the form itself is meant to submit over HTTPS. A full 47 percent of banks were guilty of this.

Another flaw was putting contact information and security advice on insecure pages. An attacker who can alter such a page could change an address or phone number and set up his own call center to gather private data from customers who need help, Prakash said.

A break in the chain of trust occurs when a bank redirects customers to a site outside the bank's domain for certain transactions without warning, leaving the customer no way to tell a legitimate third-party site from a phishing site, Prakash added. He found this problem in 30 percent of the banks surveyed.
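As an added illustration (not part of the PTI story and not the Michigan team's own tooling), the following Python script audits a page for the two flaws just described: a login form that sits on a non-HTTPS page or posts over plain HTTP, and forms or links that hand the customer to a domain outside the bank's own without an on-site interstitial. The page URLs, hostnames and HTML below are constructed samples, and the "last two labels" rule used to compare domains is a simplifying assumption that does not handle multi-label public suffixes such as co.uk.

```python
"""Audit an HTML page for two of the design flaws in the study:
   - a login (password) form on a non-HTTPS page or posting over HTTP,
   - a login form or link that sends the user off the bank's own domain.
Everything below is a constructed example; no real bank is involved."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect each <form> (action, whether it has a password field) and every <a href>."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def registrable_domain(host):
    """Assumption: the registrable domain is the last two labels (example.com)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def audit_page(page_url, html):
    """Return a list of (flaw, detail) tuples found on the page, in document order."""
    collector = _FormCollector()
    collector.feed(html)
    page = urlparse(page_url)
    bank_domain = registrable_domain(page.hostname or "")
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        action = urlparse(urljoin(page_url, form["action"]))
        if page.scheme != "https":
            # The page carrying the form is unauthenticated, so its action can be rewritten
            # in transit no matter where it points.
            findings.append(("login_form_on_insecure_page", page_url))
        if action.scheme != "https":
            findings.append(("login_form_posts_over_http", action.geturl()))
        if registrable_domain(action.hostname or "") != bank_domain:
            findings.append(("login_form_posts_offsite", action.geturl()))
    for href in collector.links:
        target = urlparse(urljoin(page_url, href))
        if target.scheme in ("http", "https") and registrable_domain(target.hostname or "") != bank_domain:
            findings.append(("offsite_link_without_warning", target.geturl()))
    return findings


# Constructed sample 1: homepage over plain HTTP; the form posts to HTTPS but the page
# itself can be tampered with, and "Pay bills" leaves the bank's domain with no warning.
WEAK_URL = "http://www.examplebank.com/"
WEAK_PAGE = """<html><body>
<form action="https://secure.examplebank.com/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<a href="http://billpay.thirdparty-processor.com/start">Pay bills</a>
</body></html>"""

# Constructed sample 2: the hardened layout. The whole page is HTTPS, the form posts to
# the bank's own host, and the bill-pay link goes to an on-site "you are leaving" page.
HARDENED_URL = "https://www.examplebank.com/"
HARDENED_PAGE = """<html><body>
<form action="https://www.examplebank.com/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<a href="https://www.examplebank.com/billpay/leaving?to=processor">Pay bills</a>
</body></html>"""

if __name__ == "__main__":
    for url, html in ((WEAK_URL, WEAK_PAGE), (HARDENED_URL, HARDENED_PAGE)):
        print(url, audit_page(url, html) or "no findings")
```

The off-site check is deliberately blunt: it flags every link to another registrable domain, because the study's point is that the customer should never be handed to a foreign domain silently. The hardened sample passes only because the hand-off goes through an interstitial page on the bank's own domain, which is where the warning belongs.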

Allowing weak user IDs and passwords that are easy to guess or to discover also amounts to a security flaw, the study found.
