75% of Surveyed Bank Web Sites Vulnerable to Cyber Thieves

2008-07-30

LiveScience reveals that a startling 75 percent of banking Web sites surveyed by a research team could make customers vulnerable to cyber thieves.

The team of researchers consisted of a University of Michigan computer scientist, Atul Prakash, along with two of his graduate students Laura Falk and Kevin Borders. The article writes, "Prakash, who received no special funding for this research, initiated the study after noticing flaws on his own financial institutions' Web sites."

The group "examined the Web sites of 214 financial institutions in 2006 and found design flaws that, unlike bugs, cannot be fixed with a patch."

Atul Prakash said, "To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country. Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

The study showed that 47 percent of banks were guilty of placing secure login boxes on insecure pages. 55 percent put contact information and security advice on insecure pages, and 30 percent of the banks sites redirected customers to sites outside the bank's domain for certain transactions without notifying the customer of the new site. The study also stated that 28 percent of the sites allowed "inadequate user IDs and passwords", and that 31 percent of the bank Web sites e-mailed security sensitive information insecurely.

While Prakash states that some of the banking institutions may have taken action to make their sites more secure since the study, he still feels that there is room for improvement.

The LiveScience article states computer intrusion is rising and cites a survey conducted by Pew Internet in 2008 showing 40 percent of Americans using the Internet for banking, with a study by Forrester Research stating that in 2011, the number will jump to 76 percent of online households banking online. The article also states that a recent FDIC Technology Incident Report showed banks filing 536 cases of computer intrusion quarterly, with an average loss per incident of 30,000 dollars. "In 80 percent of the cases, the source of the intrusion is unknown but it occurred during online banking, the report states."

You can read the entire study here and the FAQs released after the study, here.

You can read the entire LiveScience article here and you can read more about the professor who initiated the study, Atul Pakash, here.