The University of Michigan has published the results of a study indicating that the majority of online banking sites have security flaws.

These design flaws aren’t bugs that can be fixed with a patch. They stem from the flow and the layout of these websites.

The data, gathered from examinations of 214 banking websites in 2006, indicates that 75% of banking sites had at least one design flaw that leaves customers vulnerable to cyber thieves for fraud or identity theft.

Flaws included:

  • Insecure login system
    • Nearly 50% of sites placed their “secure” login forms on insecure web pages that did not use SSL
  • Putting contact information on an insecure page
    • 55% had insecure contact pages, allowing hackers to redirect people to call a phony call center
  • Redirection to outside pages without warning
  • Using Social Insurance Numbers as user IDs
    • Also, when users can choose their own usernames, the site should enforce a policy against weak passwords
  • Emailing secure information
    • Emailing passwords as plain text (31% of banks failed this)
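As an added illustration (not part of the original post or the study), the following Python script audits a single page for two of the flaw categories listed above: login forms served on, or submitted to, plain HTTP, and links that leave the bank's domain without warning. The URLs and HTML are constructed sample data, not taken from any real bank.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class FormScanner(HTMLParser):
    """Collect forms (noting whether they hold a password field) and anchor hrefs."""
    def __init__(self):
        super().__init__()
        self.forms, self.links, self._current = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_page(page_url, html):
    """Return findings for one page in two of the study's flaw categories."""
    findings, page = [], urlparse(page_url)
    scanner = FormScanner()
    scanner.feed(html)
    for form in scanner.forms:
        if not form["has_password"]:
            continue  # not a login form
        # Resolve relative actions against the page URL before checking the scheme
        action = urlparse(urljoin(page_url, form["action"]))
        if page.scheme != "https":
            findings.append("login form served on a non-SSL page")
        if action.scheme != "https":
            findings.append(f"login form posts credentials to non-SSL URL {action.geturl()}")
    for href in scanner.links:
        target = urlparse(urljoin(page_url, href))
        if target.scheme in ("http", "https") and target.netloc != page.netloc:
            findings.append(f"link leaves the bank's domain without warning: {target.netloc}")
    return findings

# Constructed sample page (not a real bank): login form on an HTTP page, one off-domain link.
SAMPLE_URL = "http://www.example-bank.test/"
SAMPLE_HTML = """<form action="https://secure.example-bank.test/login" method="post">
<input name="user"><input type="password" name="pass"></form>
<a href="http://partner.example.test/rates">Mortgage rates</a><a href="/contact">Contact us</a>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_URL, SAMPLE_HTML))
```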

One would hope that some of these flaws have been corrected since the data was collected in 2006. That said, the security landscape is ever evolving, and new threats appear as quickly as old ones are fixed.

“To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country. Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking.” - Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science

Check out the full study here [PDF].

Via christopher null
