More than 75 percent of bank websites have at least one design flaw that could lead to the theft of customer information, according to a recent University of Michigan study.
A research team led by Atul Prakash, a professor in the department of electrical engineering and computer science, examined the sites of 214 financial institutions. Among the design flaws discovered:
- Sites redirected users from a secure page to pages on a different domain without notifying them.
- There were login options on insecure pages.
- Contact information and security advice were shown on insecure pages.
- Policies for user IDs and passwords were inadequate.
Design flaws such as these mean that customers may struggle to make the best security-related decision when entering confidential data, Laura Falk, a doctoral student and one of the researchers, told SCMagazineUS.com on Monday.
“The flaws are ones that even an expert user would find difficult to [detect],” Falk said. “For example, whether to enter login credentials on a page that is insecure. A careful user might recognize that this is not a good decision. However, if he wants to use the infrastructure, he is forced to do so.”
Gartner analyst Avivah Litan said that although most companies are good at protecting the login page, this study shows that security concerns appear to wane on other pages.
“These websites are good for spreading infection because it appears you aren't protecting customer service,” she told SCMagazineUS.com.
And that, she explained, leaves the site open for trojan attacks and the opportunity for data theft.
Litan added that she was surprised bank websites had so many design flaws.
“I wouldn't have been surprised to hear these results with a small business, but banks usually have more resources dedicated to web security,” she said.
To fix the problem, Falk recommended using SSL throughout the entire website and avoiding links to third-party sites.
“It is our hope that this research will provide helpful information to banks and their security administrators to better secure their sites and provide a less frustrating experience for the user,” she said.
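Added here as an illustration, not code from the article or the Michigan study: a small stdlib-only Python audit that flags, in a saved page, the flaw categories the study lists, namely a page not served over SSL, a login form offered on an insecure page or posting credentials insecurely or to another domain, and links to third-party hosts. The HTML and hostnames are constructed placeholders, and the finding codes are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _Collector(HTMLParser):
    """Record each form (action, has password field) and each link target."""
    def __init__(self):
        super().__init__()
        self.forms, self.links, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form["password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_page(page_url, html):
    """Return (code, detail) findings for the flaw categories named in the study."""
    page, parser, findings = urlsplit(page_url), _Collector(), []
    parser.feed(html)
    if page.scheme != "https":                    # SSL not used on this page at all
        findings.append(("no-ssl", page_url))
    for form in (f for f in parser.forms if f["password"]):   # login forms only
        target = urlsplit(urljoin(page_url, form["action"]))
        if page.scheme != "https":                # login option offered on an insecure page
            findings.append(("login-on-insecure-page", page_url))
        if target.scheme != "https":              # credentials would be posted in the clear
            findings.append(("credentials-posted-insecurely", target.geturl()))
        if target.hostname != page.hostname:      # silent hand-off to another domain
            findings.append(("login-posted-off-domain", target.hostname))
    for href in parser.links:
        target = urlsplit(urljoin(page_url, href))
        if target.scheme in ("http", "https") and target.hostname != page.hostname:
            findings.append(("off-domain-link", target.hostname))   # third-party link
    return findings

# Constructed sample pages; the hostnames are placeholders, not real institutions.
FLAWED_HTML = """<form action="http://login.example-bank.test/auth" method="post">
<input name="user"><input type="password" name="pass"></form>
<a href="https://www.example-bank.test/help">Help</a>
<a href="http://rates.thirdparty.test/offers">Rates</a>"""
CLEAN_HTML = """<form action="/auth" method="post"><input type="password" name="pass"></form>
<a href="/contact">Contact us</a>"""
```

Running `audit_page("http://www.example-bank.test/", FLAWED_HTML)` reports every category at once, while the same clean page served over https yields no findings.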