Security Problems in Banks’ Web Sites

Several University of Michigan security researchers conducted a study in which the on-line Web sites of over 200 banks were analyzed. The researchers reported that 76 percent of these sites have faulty security practices that leave their customers at elevated risk of fraud and information theft. Some of these practices include requiring customers to use email addresses or Social Security numbers as login names, redirecting customers’ connections without informing them, displaying icons that indicate to customers that connections are secure when they are in fact not secure, and so on. The names of the banks were not disclosed.

I’ve generally looked up to the banking industry as the best of the best when it comes to information security. Banks generally spend a larger portion of their IT budgets on IT security than do organizations in other sectors, and from what I have observed, the number of information security staff and consultants is higher than elsewhere. However, no one is perfect, and banks are no exception. A little over four years ago I observed something that really opened my eyes to just how imperfect some banks are in some of their information security practices. At that time phishing schemes were growing at an astounding rate. Huge numbers of bogus messages that appeared to be from banks such as Bank One, Wells Fargo, and Washington Mutual were being sent to Internet users. (Ironically, a colleague of mine at the time succumbed to one such phishing ploy, even though he claimed to be an information security expert!) The Bank of America (B of A) had just bought Fleet Financial, and despite all the warnings issued to users at the time, sent a message to Fleet customers that they were required to visit a B of A Web site and enter the PINs, passwords, and so on that they had used for Fleet banking transactions to obtain continued banking service. I could hardly believe it, and the fact that I was at the time a B of A stockholder caused my level of concern to grow considerably. I called B of A, finally got connected to the correct extension, and talked to an extremely professional and courteous representative. She wrote down what I said and told me that she would get me an answer to my inquiry soon. Within only one day she called me back and told me that the B of A had quit using this method of informing Fleet customers about their need to revalidate their banking credentials. I was genuinely impressed, but also was somewhat disillusioned that this bank could make a mistake of that magnitude in dealing with its customers. (My guess is that the information security staff flagged this inadvisable security practice, but got overruled by senior management.)

Regarding all the security problems that were found in the recent study on bank Web sites, I suspect that the real cause of most of them is being in a hurry to get new sites up and running in an attempt to beat the competition. Unfortunately, hurried efforts such as these almost invariably preclude giving serious consideration to security. Even if security in these sites is improved later, something that is unlikely, security is likely to remain deficient because retrofitting security is not as effective as building in security right from the start. My guess, therefore, is that if another research team were to conduct a study on the security of bank Web sites ten years from now, the findings would lamentably be similar to the ones reported recently. Time will tell, but unless something such as legislation forces banks to tighten their Web security practices, rushed Web development motivated by business needs at the cost of sound security practices is likely to continue as it does now.
