More and more people are taking their banking online: some 42% of internet users now bank online. Because that number grows every year, banks and credit unions are looking hard at their online banking security to make sure they can offer safe interactions with their customers. Those who do not bank online give lack of online banking security as their main reason, and part of that insecurity comes from misinformation and from not knowing the basics of internet security.
A study from the University of Michigan by Atul Prakash looks at design flaws in many of today's banking sites that leave users who do not know the basics of internet security unprotected. It looks at design flaws rather than implementation vulnerabilities: a design flaw stems from a decision made when the site was designed, not from a bug in the application code. Many of the decisions banking-site designers have made encourage insecure user behaviour, and because so many users are uneducated about basic internet security, these flaws can be taken advantage of.
Some of the online banking security flaws the study notes are: the site being reachable over insecure HTTP, users being redirected to an untrusted site, low password-strength thresholds, and confidential data being emailed to users. Each of these is a design choice that, if the user is unaware of the risk it poses, can lead to confidential data being leaked.

As far as passwords go, many of the sites in the study impose no restrictions on user passwords. Low-quality passwords invite disclosure by brute-force attacks. The study also notes that, given phishing sites and keyloggers, a strong password offers no protection against those threats, and many banks consider forcing strong passwords merely an inconvenience for their users. Banks also claim that a 'three-strikes' lockout policy after incorrectly typed passwords makes brute-force attacks on low-quality passwords unrealistic. The study finds that a lockout policy alone is not enough when low-quality passwords are allowed: if a list of usernames is available, a parallel dictionary attack runs a string of authentication requests across all the usernames using the most common passwords, so each account sees only a guess or two and the per-account lockout never triggers, yet every account with a common password falls.

The study also describes websites that break the chain of trust. Often a bank website redirects to another website without notice. Even when these sites are secured with SSL, the certificates used are frequently not affiliated with the bank at all, and there is no way for the user to tell whether they are still on the bank's website. This makes it hard for even a knowledgeable user to know whether they are on a phishing site.

As mentioned, other sites present secure login options on insecure web pages. While the site may offer secure logins via SSL and HTTPS, that same page may also be available over plain HTTP. Even if a redirect to a secure page eventually occurs, a user who has already entered credentials on the insecure page has put them at risk of compromise.

For more information on this online banking security study, see: Analyzing Websites for User-Visible Security Design Flaws
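The lockout discussion above is easy to reason about with a small simulation. The following is an added example, not code from the original post or from the Michigan study: a toy login service with the three-strikes per-account lockout, attacked first vertically (one account, many passwords), which the lockout stops, and then with the parallel dictionary attack, which it does not. The accounts, passwords and client address are constructed, and the optional per-source failure budget is one hypothetical mitigation, not something the study prescribes.

```python
"""Simulate a three-strikes lockout and run two attacks against it:
a vertical brute force on one account, which the lockout stops, and a
parallel dictionary attack across all accounts, which it does not.

Added example (not code from the original post or from the Michigan study).
All accounts, passwords and the source address are constructed; a real site
would store salted bcrypt/scrypt/argon2 hashes rather than plain SHA-256.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed wordlist: the four most common passwords in our toy population.
WEAK = ["123456", "password1", "letmein", "summer2008"]

def build_users(n=40):
    """Constructed account database: every fourth user picked a common
    password (as the study found many banks allow); the rest are strong."""
    users = {}
    for i in range(n):
        name = f"user{i:02d}"
        pw = WEAK[(i // 4) % len(WEAK)] if i % 4 == 0 else f"S7r0ng!{i:02d}#pw"
        users[name] = hashlib.sha256(pw.encode()).hexdigest()
    return users

class AuthService:
    """Login endpoint with a per-account lockout after max_failures bad
    guesses and an optional per-source failure budget (hypothetical mitigation)."""
    def __init__(self, users, max_failures=3, max_per_source=None):
        self._users = users
        self.max_failures = max_failures
        self.max_per_source = max_per_source
        self.failures = defaultdict(int)         # failed guesses per account
        self.source_failures = defaultdict(int)  # failed guesses per client address
        self.locked = set()

    def login(self, username, password, source="198.51.100.7"):
        if username in self.locked:
            return "locked"
        if (self.max_per_source is not None
                and self.source_failures[source] >= self.max_per_source):
            return "throttled"
        digest = hashlib.sha256(password.encode()).hexdigest()
        stored = self._users.get(username, "")
        if stored and hmac.compare_digest(stored, digest):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        self.source_failures[source] += 1
        if self.failures[username] >= self.max_failures:
            self.locked.add(username)
        return "fail"

def vertical_attack(svc, username, wordlist):
    """Classic brute force: every password against a single account."""
    for pw in wordlist:
        if svc.login(username, pw) == "ok":
            return pw
    return None

def parallel_attack(svc, usernames, wordlist):
    """Parallel dictionary attack: each common password is tried once across
    every username, and the attacker stops one guess short of the lockout
    threshold so no account is ever locked and no lockout alarm fires."""
    found = {}
    for pw in wordlist[: svc.max_failures - 1]:
        for user in usernames:
            if user not in found and svc.login(user, pw) == "ok":
                found[user] = pw
    return found

if __name__ == "__main__":
    users = build_users()
    names = sorted(users)

    svc = AuthService(users)
    print("vertical on user12:", vertical_attack(svc, "user12", WEAK),
          "locked:", sorted(svc.locked))

    svc = AuthService(users)
    got = parallel_attack(svc, names, WEAK)
    print(f"parallel, lockout only: {len(got)} accounts, locked={sorted(svc.locked)}")

    svc = AuthService(users, max_per_source=10)
    got = parallel_attack(svc, names, WEAK)
    print(f"parallel, lockout + per-source budget: {len(got)} accounts")
```

With lockout alone, the vertical attack on user12 is stopped after three guesses, but the parallel attack recovers six of the forty accounts without locking a single one. A per-source failure budget cuts that to one account in the simulation, but an attacker with many addresses spreads the same requests across them, so a real deployment also needs site-wide failure-rate monitoring and, above all, the password-quality requirements the study argues for. Note too that a per-account lockout gives anyone with the username list a way to lock legitimate users out.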
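The chain-of-trust and insecure-HTTP flaws above are exactly the things a user can see in a page, so they can be checked mechanically. The following is an added example, not the study's tooling or the post's own code: a small auditor that parses a login page and reports a password form served over plain HTTP, credentials posted over HTTP, and form targets or unannounced meta-refresh redirects that leave the bank's own domain. The HTML, the .test hostnames and the audit_login_page() function are all constructed for this example.

```python
"""Check a login page for the user-visible design flaws the study lists:
the form reachable over plain HTTP, credentials posted over HTTP, and
form targets or silent redirects that leave the bank's own domain.

Added example, not code from the original post or the study. The HTML,
hostnames (.test TLD) and URLs are constructed; a real page's URL and body
can be passed to audit_login_page() the same way.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _LoginPageParser(HTMLParser):
    """Collects forms containing a password field and meta-refresh targets."""
    def __init__(self):
        super().__init__()
        self.forms = []          # {"action": str, "has_password": bool}
        self.meta_refresh = []   # redirect URLs from <meta http-equiv=refresh>
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            _, sep, url = a.get("content", "").partition("url=")
            if sep:
                self.meta_refresh.append(url.strip().strip("'\""))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def same_org(host, bank_domain):
    """True if host is the bank's registered domain or a subdomain of it."""
    host = (host or "").lower()
    return host == bank_domain or host.endswith("." + bank_domain)

def audit_login_page(page_url, html, bank_domain):
    """Return a list of findings; an empty list means none of the three flaws."""
    parser = _LoginPageParser()
    parser.feed(html)
    findings = []
    page = urlparse(page_url)
    login_forms = [f for f in parser.forms if f["has_password"]]

    if login_forms and page.scheme != "https":
        findings.append(f"login form served over {page.scheme}: the page itself "
                        "can be altered in transit, so an HTTPS action does not help")
    for form in login_forms:
        target = urlparse(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            findings.append(f"credentials posted over {target.scheme} to {target.geturl()}")
        if not same_org(target.hostname, bank_domain):
            findings.append(f"credentials posted to third-party host {target.hostname}: "
                            "the user cannot tell they are still on the bank's site")
    for url in parser.meta_refresh:
        target = urlparse(urljoin(page_url, url))
        if not same_org(target.hostname, bank_domain):
            findings.append(f"unannounced redirect to third-party host {target.hostname}")
    return findings

BANK = "examplebank.test"

# Constructed: the shape of page the study criticises.
BAD_URL = "http://www.examplebank.test/"
BAD_HTML = """
<html><head>
<meta http-equiv="refresh" content="5;url=https://secure.vendor-hosting.test/eb/login">
</head><body>
<form action="https://secure.examplebank-online.test/auth" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

# Constructed: same form, served from and posted to the bank's own HTTPS origin.
GOOD_URL = "https://www.examplebank.test/login"
GOOD_HTML = """
<html><body><form action="/auth" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

if __name__ == "__main__":
    for url, html in ((BAD_URL, BAD_HTML), (GOOD_URL, GOOD_HTML)):
        print(url)
        for finding in audit_login_page(url, html, BANK) or ["no findings"]:
            print("  -", finding)
```

The check is deliberately syntactic: it flags what the user can see in the address bar, which is the study's point, and it will flag a vendor-hosted login domain the bank does own, because the user has no way to know that. A live audit would add certificate inspection (for instance the subject and issuer returned by ssl.getpeercert()) on each target host, which this offline example does not do.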
August 14th, 2008 at 6:04 pm
[...] Aaron Guhl is an IT professional that specializes in security. He frequently writes on his blog regarding security issues to help IT professionals get a better understanding of security in their networks. Visit his website at: Online Banking Security [...]
December 1st, 2008 at 3:39 am
Nice post you have here.
Added to my RSS reader.