back to article Security shocker: 75% of US bank websites have flaws

The vast majority of US bank websites jeopardize the security of their online customers by including design flaws that expose passwords and are susceptible to tampering by attackers, researchers say. In a paper titled "Analyzing Web sites for user-visible security design flaws," researchers from the University of Michigan …

COMMENTS

This topic is closed for new posts.
  1. James O'Brien
    Coat

    And?

    This is a shock why? Just one of many reasons I wont use banks.

    /mines the one with the cash in the pocket

  2. Zmodem

    missed the cookie

    anyone with the basics of php can decode the cookie, banks etc should a cypher system like pagan nuke has, data is cypher then base64 and back again

  3. Steven Knox
    Boffin

    Hmmm... Let's see..

    >Placing secure login boxes on insecure pages, i.e. pages that aren't protected by secure sockets layer. That allows passwords to be intercepted through man-in-the-middle attacks.

    Check. Our entire site requires SSL. Connect to us using HTTP and we'll redirect your ass-uming browser. We've been set up that way for years.

    >Putting contact information and security notices on insecure pages. This makes it easy for scammers to change addresses and phone numbers listed on the page.

    Check. See above.

    >Not making it clear when the website is redirecting customers to a page outside the bank's domain. As a result, customers don't know whether to trust the site.

    Check. Leaving Disclaimer. Also set up that way for two years.

    >Allowing inadequate user IDs and passwords. Sites frequently allowed email addresses as user IDs and didn't require strong passwords.

    Check. We don't allow e-mail addresses and we require strong passwords.

    >Emailing sensitive information. This included passwords and statements.

    Check. We don't do either. All statements and customer-related information can only be accessed after logging in to our secure online banking site.

    The bank I work for is a small, local bank in southern Maine. We've had these security requirements for years. There's no excuse for any of these flaws, especially in a national bank.

  4. Nick Charlton

    The trouble is...

    The trouble is is that the bigger the bank, the more willing they are to cut costs in areas which they shouldn't. Like customer satisfaction/security. It happens everywhere. Unfortunately, it's not that easy to get out. Fortunately there are good banks. HSBC, is an example where having to get into mine requires remembering a 21 digit code, plus a 6 digit one. I personally find it annoying, but it saves me loosing my hard earned student riches... >_>

  5. Anonymous Coward
    Unhappy

    It's not just banks, though ...

    Every time I change a password with my ISP (both login and e-mail passwords), they e-mail it straight back to me in plain text. Dickheads.

    And how do they verify users who call tech support (which redirects to a call centre in India)? By asking for username and login password over the plain phone line, of course.

    No matter what I do, I cannot keep my passwords secret.

    Oh, and this same ISP hasn't patched their DNS servers yet, either.

  6. Eideard

    Senior Crank

    I have to agree with Steven. A significant portion of my family is involved in banking IT - also one of my cranky online peers. Everything Steven outlines is SOP and has been for a spell.

    The article y'all spun from is one I looked at a few days back and considered for any of the blogs I'm involved with - and rejected it because it's hopelessly out of date. As the author of the study noted. There really isn't a commercial sector more likely to be on top of their own security - than banking.

    Ancillary performers? Different story. But, for example, send your best hacker to try to break into someone like HSBC. I'll bet you a dollar they don't make it in. And that's 4 times more than I usually bet on anything.

  7. Steve Brooks

    security?

    "And how do they verify users who call tech support (which redirects to a call centre in India)? By asking for username and login password over the plain phone line, of course."

    Lucky you don't live in AU, The countries largest ISP (or their claimed representative) will call you on YOUR phone with what they caim is an important message, then ask for proof of who you are, date of birth, un/pw, full name, address, maiden name etc. But ask them to prove who THEY are and they respond by replying that they can't do that until they know who YOU are and refuse to provide further details.

  8. Dick Emery
    Paris Hilton

    And for the UK?

    Probably 95% ;)

    Paris because she knows all about insecurity.

  9. Pierre
    Joke

    Hey Eideard

    "send your best hacker to try to break into someone like HSBC. I'll bet you a dollar they don't make it in."

    You're -hopefully- right. That's why /they/ won't even try to hack their way in the main system. /They/ will just hack into the website (and I hold your bet, HSBC's one is probably not that hardened) and/or rely on sloppy practices such as email communication for sensitive data. /They/ are everywhere, /they/ are plenty, and /they/ are mean. Now, for the bet, are you talking USD or a real, stable currency? If it USD, I'm not playing anymore. Not worth.

  10. Anonymous Coward
    Anonymous Coward

    ssl

    "Placing secure login boxes on insecure pages, i.e. pages that aren't protected by secure sockets layer. That allows passwords to be intercepted through man-in-the-middle attacks."

    Pages are never "protected" by ssl. The transfer is what ssl "protects".

    If they can do a man in the middle attack, then you could be entering your password onto a secure page in the baddies website. No-one really checks the certificate, as long as the url bar changes colour or a padlock appears.

    If you are using a post to submit the data, post it to https://

    That transaction is encrypted. The page that's already on your computer doesn't have to be, and didn't need to be on the server. You already accepted / trusted it when you filled in the form.

    It makes sense to keep using ssl while inside the "secure" section, because of sensitive data, but to require it for a blank login form is not useful. Think about it, what are you trying to hide ? Public data or private data ? The form is already public anyway, so why hide it.

    Have a look at this for the order of things http://www.securityfocus.com/infocus/1818

    figure 2 explains things nicely.

    You are free to use ssl how you wish however, even if using it unnecessarily achieves nothing but a warm glow in your investors pockets.

    The only other way to go is to use ssl for the whole internet. Otherwise the man could get in the middle anywhere ! He probably has keylogging trojans out there anyway, so ssl could be moot.

  11. Dave

    Not using email address as ID

    I use several sites where the login ID has to be an email address. Even El Reg, although I don't think I'll lose any money if someone manages to hack that one (note that I don't promise to buy a round in a publlc forum).

  12. Mikel Kirk
    Pirate

    My bank requires IE

    And the bank uses Windows at the tellers. And in the ATMs. It would be cute if it wasn't so horrifying. At least they're liable when something goes wrong. They're a cozy local bank with only a few branches. Their logo is a .gif. I wouldn't bank there but a decade ago they would take my money on deposit when nobody else would. And the tellers are cute.

    Much worse is Citibank. With all their billions they can't figure out how to give me access to my multiple accounts through one web account. Have pity on them - please don't hack their site. That would be sad.

  13. Pierre
    Coat

    And they called me paranoid...

    Of the listed flaws, only one is really worrying: the use of email for sensitive communication. All the rest is easily dodged using the very basics of "client-side" security measures. Do not allow automated redirection (no redirection at all would be good, but these wank*rs keep on using sloppy website design.), choose strong passwords (mine are usually painfully long, make extensive use of mixed case and numbers. Plus a couple af punctuation marks for good measure, where allowed.), don't give any sensitive info over the phone unless you know you're speaking to your "personal" advisor -who you probably met a couple of time in real life. Refuse cookies when doing online banking. And of course, never EVER enter any username or password in a redirected/non-ssl/whateva page. Oh, and block scripts and all the fancy bells and whistles, at least when you're doing some online banking.

    It might sound like a hassle, but less so than security-auditing your bank's website before each connection. Final and completely foolproof measure: most banks still have local branches, you know. Instead of leaving early heading for the nearest pub, you can leave early and head to your bank. There is one compelling argument for that: some sales representatives are eager to display their (usually yummy-looking) cleavage (we all know they've been hired for their banking experience and knowledge. Right...). It's the Reg, this should be a perfectly valid reason for most readers ;-)

    For the Mighty Moderatrix and the straight female readers (yes, the whole 3 of you) as well as the gay male readers (buffer overflow while counting), I heard that most banks also keep a couple of manly-man-looking male sales reps in stock, just in case.

    So the only real problem is email communication. But even that you can stop, if you really want (The "OK, I'm off to the competion" technique usually works quite well).

  14. Jerry
    Pirate

    My bank provides free security software

    Westpac actually, a big-4 australian bank.

    They have this nice non-encrypted page where you can download free security software to install on your computer (windows natch)

    Such a helpful bank.

    Trouble is, just thinking about it, what happens if bad guys intercept the request and supply you with a seriously compromised version?

    Does this count as a new threat vector?

    Do I get a prize?

    Jerry

  15. Chris

    @Steven Knox

    "set up that way for two years"

    So, to be fair, you could have been part of that demographic in 2004. At least it's fixed now. HSBC doesn't seem to use SSL for any of it, even once you've logged in. And all the login information is typed into the boxes, making it easy for keyloggers to catch everything they need. And if you already know the account details you can instantly recover the username on page.

    It's not like its hard to setup SSL, or do a redirect if you're in on HTTP. Pretty weak really. You'd have thought the FSA or someone would enforce basic site security.

  16. Anonymous Coward
    Anonymous Coward

    Some problems are solved..

    I have been a security consultant for a long time, and my last project was working on next generation eBanking for the private client section of a large Swiss bank. It is very clear that the expectation of ANY kind of security on the client side was unrealistic, so design focused on delivering secure banking to an insecure platform.

    The challenge is fighting Man-in-the-middle as well as keeping it easy to use, and at the end of the project I came across a solution that was so good that I joined the company later.

    Rather than say much about it I would invite you to have a little read at www.axsionics.ch, or read the article at

    http://www.economist.com/finance/displaystory.cfm?story_id=11708038

    However, there is NO technology that can counter bad ideas. Sending email to customers with ANY kind of confidential detail (and in that I include links to client specific information) is a bad idea IMHO..

    /// P ///

  17. Jon
    Boffin

    @ssl

    > If they can do a man in the middle attack, then you could be entering your password onto a secure page in the baddies website. No-one really checks the certificate, as long as the url bar changes colour or a padlock appears.

    Most browsers will pop up a scary warning. Sure, totally clueless people will click through, but anyone with clue is protected. So in order to be undetectable, a MitM attack needs to leave SSL (HTTPS) traffic alone and just play with the HTTP traffic.

    > The [login] page [...] doesn't have to be [encrypted].

    Wrong. Let me explain...

    > You already accepted / trusted it when you filled in the form.

    Wahay, something you said that I can agree with. When you filled in the form you trusted it. E.g. you trusted that there wasn't a sneaky Javascript on the page that would use AJAX to send your username and password to the hacker just before you logged in.

    (I'm use the standard security-person meaning of "trusted" and "trustworthy". If I ask you to hold my wallet for a moment, you're "trusted". If you then run away with it, you were still "trusted" but you weren't "trustworthy").

    _But,_ how did you know the form was trustworthy? Did you audit the source code of the page and every included script & css file, every single time you login? No, you didn't, because most browsers "view source" doesn't show included files (and if you're requesting them a second time to audit them then you've no way to know if the server gave you the same file). And even if you could theoretically, it's not practical for everyone to do a code audit on their bank every time they log in.

    So the only practical way to know that the logon page is trustworthy is if it's sent from your bank's webserver over SSL.

    > It makes sense to keep using ssl while inside the "secure" section, because of sensitive data, but to require it for a blank login form is not useful. Think about it, what are you trying to hide ? Public data or private data ? The form is already public anyway, so why hide it.

    There are 2 advantages to SSL. You're concentrating on the encryption, which I agree is not needed for a blank login form. But SSL also provides authentication. And you need the authentication that the blank login form really came from your bank.

    > The only other way to go is to use ssl for the whole internet. Otherwise the man could get in the middle anywhere !

    Online banking is a high-value target with a track record of being attacked. It makes sense to provide more protection to it than to (say) The Register.

    > He probably has keylogging trojans out there anyway, so ssl could be moot.

    It's only moot for people who get infected with a trojan. For the rest of us, SSL provides useful security.

  18. Anonymous Coward
    Anonymous Coward

    user / password thing

    Define secure. Is it secure if I have to write my username and password down somewhere because every bloody website has a different set of 'security' requirements? Email address / weak password is fine for me, thanks. What am I going to lose? A couple of days of inconvenience as opposed to a lifetime of faffing.

  19. Anonymous Coward
    Anonymous Coward

    @ Nick Charlton

    Ah ha! so you only use 6 digits? that narrows the 6-10 digit requirement down a bit...

    Also - the first code is easily obtained by D.O.B. and account number anyway...

    not as secure as it sounds, but harder than a P.I.N. number.

  20. RW
    Linux

    Requires IE? Huh?

    Are they insane?

    Seems to me that it's time to turn the tables and set up websites that say "sorry, we do not accomodate IE, but you can download Netscape 8 *here*, Opera *here*, and Firefox *here*"

    And if just a few really big sites did this -- Google, Yahoo, Amazon -- guess what? IE would be rapidly deposited on the trash heap of history.

    Well, penguins can dream, can't they?

    That's not Tux; that's Opus in disguise.

  21. kain preacher

    @Mikel Kirk

    Try bank of america. When I log in the have a banner stating that they made sure the web sitr works in FF3

  22. John Navas
    Thumb Down

    Yawner, not a shocker

    It's hardly a secret that bank have poor security.

  23. Ian Michael Gumby
    Coat

    Just a small nit...

    I don't know if the author is an UK transplant or just ignorant.

    When I read the headline, it said US Bank then the article talks about US Banks.

    As in multiple financial institutions. There is a bank called US Bank, so you can see why there is a little bit of confusion.

    Considering that US Bank is west coast based, it is a wonder why the author didn't catch this.

    With respect to security, this is what you get when you have companies rush to get their presence on the net and higher the cheapest labor they can find. (Ever deal with a bank's procurement process on contracting resources? ;-)

  24. Rich
    Thumb Down

    The anon guy is right

    If you require users to remember a stupid pA55w0rD and user code, they will write it down on the back of their debit card, put it in a file called PASSWORDS on their desktop, or somewhere similar.

    High risk actions (like payments to a new payee) need two factor authentication.

    Realistically, the banks should be liable for all loss where they can't demonstrate fraud by the customer. Then it becomes up to them to judge what an appropriate security/usability compromise is.

  25. Mitchell Dominguez

    Security Shocker, 75% of Online Banking In The USA Is Flawed!

    As an Online Privacy & Security Specialist in the USA, I'm GLAD that a UK publication has the fortitude to say that 75% of USA online banking sites are insecure. See, in America it's who has the stronger lobbyists in Washington DC that convince the Congress & Senate what criteria for online security is to be made by law. Credit Card firms, they lost, in America the customer is only liable to pay a maximum of $50.00 if your card or identity is stolen especially online. Of course you have to go thru hours and hours of rigamarole to get new cards issued but it will happen. After all, keeping customers in a perpetual state of consumer debt fuels the American economy.

    Now banks they've got it real good over here in America, still. Bank acccount hacked-stolen-ID Theft-bank had silly/useless online security. The BURDEN OF PROOF here is all on the customer side. It's kind of like the French legal code, "You ARE Guilty Until YOU Prove You Are Innocent". Game-Set-Match, the banks have WON over here. Why initialize real online banking security when you DO NOT have to?

    6 months ago, doing an online security presentation to a small bank in Raleigh, NC (that's where Al Gore INVENTED the Internet) we were told they would NOT offer their customers our ANTI Keystroke Logger Software solution. They wanted to compete with the bigger banks for a share of the online banking business in their area. It required NO enterprise system or any expenditure on their part to maintain or support. Just offer it to their customer base and they can download a virtually fool proof anti keystroke software solution. We suggested they GIVE IT AWAY to attract a new online customer base. US Government Intelligence Agency Tech Specialists tested it and found it to be virtually fool proof. Even if the users PC was infected with keystroke logger spyware IT STILL BLOCKED EVERY ONE OF THEM.

    We were told, "No Thanks, it's up to the customer to prove that an outside source made the UN-Authorized withdrawals from their accounts." As long as the laws favor the banks in the USA in this regard, secure online banking in the USA is problematic on its best day and a nightmare on the other days.

    A brilliant scientist, Ram Pemmaraju, now an American citizen, invented this fantastic protection for all manner of online protection. It works in "Real Time When You Are Online". Unlike other anti keystroke software that STILL sends out information over the browser using Windows Messaging Systems, his creates a private-encrypted and hidden channel for this purpose. If you will, please check his phenomenal solution out at www.safeatlastonline.com. Any online transactions are now totally safe. In the meantime online banking in the USA, not for me at this time, thank you very much.

  26. Neil Hunt
    Thumb Down

    My bloody bank

    Uses a bloody four NUMBER passcode to get in to the online banking, and the most god awful keypad to enter it. The keypad is in Java, randomises the numbers, and makes you wait up to a second between mouse clicks. Nothing like a good old peak over the shoulder to get your details.

    I've complained to them several times. I've sent them the PCIDSS documents, and still it's the same bloody thing.

    They also email you your statement, and then have the nerve to charge me $2.50 if I want it posted to me.

    Fortunately I only use this account for my savings, so can avoid ever logging in to the website, and if I'm desperate, I'll call them.

    Grover

  27. Justin

    @Mitchell Dominguez

    "It's kind of like the French legal code, "You ARE Guilty Until YOU Prove You Are Innocent"."

    No offense, but that is NOT the French Legal Code. It is from the Napoleonic code, which while the basis of the French civil law system, is not THE system.

    From wikipedia http://en.wikipedia.org/wiki/Presumption_of_innocence#Differences_between_legal_systems (I know I know, wikipedia is not particularly accurate, but it was convienient to use as a source for something I alreay believe to be correct):

    "In France, article 9 of the Declaration of the Rights of Man and of the Citizen, of constitutional value, says "Everyone is supposed innocent until having been declared guilty." and the preliminary article of the code of criminal procedure says "any suspected or prosecuted person is presumed to be innocent until their guilt has been established". The jurors' oath reiterates this assertion."

  28. fajensen
    Coat

    The problem is not ...

    ...so much hacking into somebody's account! The problem is transferring the money to yourself, somewhere convenient, without getting nicked!!

  29. Dave
    Flame

    But what can you do when you have access?

    I think the thing most UK readers are forgetting, or just ignorant of, is how woeful the whole US banking system is.

    For instance the US has no equivalent to the 3 day online payment unless you own both accounts or you're a corporation. And the reason given for this? terrorism. That's right, because only terrorists would want to wire money to their mates.

    The suggestion given to me by a US bank clerk was to "get the other party to give you a cheque". Useful, but kind of misses the point of on-line banking I feel.

    Thus, once you have owned a US on-line account, your options for running with the cash are somewhat impeded...

  30. Anonymous Coward
    Anonymous Coward

    That's... unbelievable

    The headline clearly implies that 25% of bank sites are completely secure. That's ridiculous.

  31. Nathan
    Dead Vulture

    It's not only banks

    That send passwords in plain text. no-ip.org of all places, stored my password and then emailed it to me in plain text. I thought they were meant to be internet experts?

    mine's the vulture after having its passwords stolen

  32. John
    Stop

    @ Some problems are solved..

    Biometrics?! You must be kidding me.

    Let's suppose that you have a perfect biometric system (never going to happen) the best result you can hope for is a change in the threat model.

    Instead of stealing credentials for 'ID theft' they'll steal your finger, or hands, or your entire body for disposal after they've used it.

    It gets worse, becuase this opens up other criminal revenue generating opportunities, maybe your kidney would be worth something on the open market, or corneas, or blood? [ed note - not me I'm a blind alcoholic, with universal recipient blood type]

    So 'HELLO!' biometrics for pretty much anything are hopless, and once compromised unchangeable.

    Stupid is as stupid does.

  33. Harry Stottle

    I'm surprised nobody's mentioned the USAPATRIOT act

    because, with the power the Police State has given itself to crawl all over citizens bank accounts, credit card histories, library loans etc, etc, consumers should be resigned to the fact that no amount of webside security is ever going to protect them from the Organized Criminals who run their country

  34. steogede
    Boffin

    @Pierre

    >> Final and completely foolproof measure: most banks still have local branches, you know.

    >> Instead of leaving early heading for the nearest pub, you can leave early and head to

    >> your bank.

    Banks with local branches - LOL., perhaps if you live within the M25. Leave work early to get to the bank - again LOL, who on earth can leave work early enough to get to a bank before 3.30pm (except for people who work in a bank)?

  35. Chris
    Pirate

    RE: Citibank

    [quote]Much worse is Citibank. With all their billions they can't figure out how to give me access to my multiple accounts through one web account. Have pity on them - please don't hack their site. That would be sad.

    [/quote]

    AT&T is just as bad. At one time I had three accounts with them - for long distance, for wireless service, and for a "Universal Mastercard". I called all three to ask about combining accounts as I was starting to lose track of which bills were paid and which weren't, since they all arrived (sporadically) in nearly identical envelopes with AT&T printed on them. One of them (the cc) didn't even understand what I was asking. They kept saying, "Sure, we can set up another account for you."

    Of course the credit card is actually adminstered by Citibank. It has one useful feature though - virtual credit card numbers. You can generate a new, unique cc number for an online transaction that then immediately expires, making it impossible for a hacker or unscrupulous merchant to commit cc fraud with it.

    Unfortunately they only support the autofill option under IE, despite repeated entreaties on my part. They also refuse to tie it to a specific user on the local machine, so anyone who logs in to my computer, using any account, gets the sotware loaded automatically.

  36. Charlie
    Dead Vulture

    The study was conducted in 2006

    This is NEWS? Thanks a lot for the [un]timely heads-up, Reg.

  37. Michael

    @Ian Michael Gumby

    >>>When I read the headline, it said US Bank then the article talks about US Banks.

    >>>As in multiple financial institutions. There is a bank called US Bank, so you can see why there is a little bit of confusion.

    "US bank" != "US Bank"

    The headline says "75% of US bank websites..." Note the lack of capitalisation on the word "bank", indicating that it is not part of a proper noun.

    Capitalisation matters!!

    "I helped my Uncle Jack off a horse"

    "I helped my uncle jack off a horse"

    QED

  38. sam bo
    Paris Hilton

    long passwords

    The great thing about requiring long, strong and complicated passwords is that the average user does not have a photographic memory and therefore writes their unmemorisable password on a post-it note and sticks it on the monitor.

    Paris because she likes it... long strong and complicated too.

  39. Anonymous Coward
    Anonymous Coward

    John @ Some problems are solved.. - Biometrics

    John, you missed something when you read the information.

    The use of biometrics creates two immediate attack vectors: print simulations (fake fingerprints a la Chaos Computer Club - which is incidentally a repeat of an article they did before) and "borrowed" fingers.

    Both those vectors are countered by NAMING the fingers. When you personalise the token (i.e. make it yours by recording the biometrics) you are asked to name your fingers. Say you choose "FRED". Only you know which finger the device needs when it asks for finger "F", "R", "E" and "D" - and the accpting party can dynamically select how many fingers you need to show correctly before it allows you access.

    The token will lock up if you try too much and, depending on the security levels of the channels, may even null some certificates so you'd have to go back to the issuing Bank to get them re-enabled, even if the token itself is unlocked again.

    This is a Swiss product - they're a little bit more thorough than you may be used to.

    ANother example of that is storing the fingerprints - they're stored inside the EAL 4+ rated crypto chip. They're not leaving the token, which means no hugely dangerous central database to hack either. You, as user, control access to your electronic identities, the way it should be.

This topic is closed for new posts.

Other stories you might like