Warning: Online Banking Is Less Secure Than You Think


Fully 76% of bank websites studied contained one or more design flaws that made them vulnerable to hackers, a new report released last month by University of Michigan researchers concluded.

The study targeted banks since, due to the sensitivity of user account information, web security should be a top priority there. About 43% of all Internet users (63 million Americans) bank online. [1]

Researchers examined the websites of 214 U.S. financial institutions, looking solely at security design flaws that made it easier for users to make unsafe decisions. These design flaws included:

  • Redirecting users to pages outside the bank's domains without notifying users. Users thus had no way of knowing whether the new page was safe and were ultimately forced to decide if they could trust the new site. 30% of surveyed sites contained this flaw.
  • Log-in forms appearing on insecure pages. Such forms open a window of opportunity for identity thieves to modify the insecure page and redirect log-in credentials to another location. 47% of surveyed sites contained this flaw.
  • Posting security FAQs and contact information on insecure pages, again allowing hackers to redirect users elsewhere. Example: An insecure FAQ page contains a phone number users can call to reset passwords. Hackers could modify the page with a bogus customer service number and collect personal information such as Social Security numbers (SSNs) and birthdays from customers when they call. 55% of sites contained this flaw.
  • Inadequate policies for user IDs and passwords, e.g., permitting the use of SSNs or email addresses as user names. 28% of sites contained this flaw.
  • Emailing sensitive information. If the email is simply a notice that a statement is available, it doesn't pose a problem, but if it contains a link to the statement, then sending this notice via insecure email exposes the recipient to a phishing attack. 31% of sites contained this flaw.
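As an added illustration (not part of the report or the original article), the Python sketch below audits a single page for three of the flaws listed above: a log-in form on a non-HTTPS page, contact phone numbers on a non-HTTPS page, and links that leave the bank's domain. The domains `examplebank.test` and `partner.test`, the sample page, and the finding labels are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PHONE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")  # US-style numbers only

class PageAudit(HTMLParser):
    """Flags three of the design flaws listed above on a single page."""
    def __init__(self, page_url, bank_domain):
        super().__init__()
        self.page_url = page_url
        self.bank_domain = bank_domain.lower()
        self.insecure = urlparse(page_url).scheme != "https"
        self.findings = []

    def _in_bank_domain(self, url):
        # Exact host or a true subdomain; "examplebank.test.evil.test" fails.
        host = (urlparse(url).hostname or "").lower()
        return host == self.bank_domain or host.endswith("." + self.bank_domain)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password" and self.insecure:
            # Log-in form on a page served without TLS, even if it posts to HTTPS.
            self.findings.append(("login-form-on-insecure-page", self.page_url))
        elif tag == "a" and a.get("href"):
            target = urljoin(self.page_url, a["href"])
            if urlparse(target).scheme in ("http", "https") and not self._in_bank_domain(target):
                self.findings.append(("link-leaves-bank-domain", target))

    def handle_data(self, data):
        if self.insecure:  # contact details that could be altered in transit
            for number in PHONE.findall(data):
                self.findings.append(("contact-info-on-insecure-page", number))

def audit(page_url, bank_domain, html):
    parser = PageAudit(page_url, bank_domain)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; all hosts and the phone number are placeholders.
SAMPLE_URL = "http://www.examplebank.test/login"
SAMPLE_HTML = """<html><body>
<form action="https://secure.examplebank.test/auth" method="post">
<input type="text" name="user"><input type="password" name="pass"></form>
<p>Forgot your password? Call 800-555-0100.</p>
<a href="/rates">Rates</a> <a href="https://billpay.partner.test/start">Pay bills</a>
</body></html>"""

if __name__ == "__main__":
    print(*audit(SAMPLE_URL, "examplebank.test", SAMPLE_HTML), sep="\n")
```

Serving the same page over HTTPS clears the first two findings; the off-domain link is still reported because the user is handed to another site without notice.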

It was common to see websites with multiple design flaws, researchers said. They noted that the weaknesses on some websites had been addressed since the study was conducted in November/December 2006 but that more improvements were needed.

Footnote

[1] "Online Banking 2006: Surfing to the Bank," Pew Internet & American Life Project, June 14, 2006.