Design flaws make online banking vulnerable: study

News Flash

SMS BOS < SPACE > MF, MUTUAL FUND QUERY AT 56388
COS GETTING FRESH FDI IN SECTORS WHERE FDI CAPS HAVE GONE UP: SOURCES
NEW NORMS TO CONSIDER TOTAL FOREIGN INVESTMENT NOT TOTAL INVESTMENT: SRCS
CCEA NOD NEEDED ONLY FOR INVESTMENTS OF RS.1200 CR AND ABOVE: SOURCES
GOVT TO EASE NORMS FOR FDI REQUIRING CABINET APPROVAL: SOURCES
NO PLANS TO OFFER HOME LOANS AT 8%: NW
OCTOBER UNEMPLOYMENT RATE RISES TO 10.2% VS 9.8% (MOM)
EMPLOYERS CUT PAYROLLS BY 190,000 IN OCTOBER VS ESTIMATE OF 175,000
FOREIGN FUNDS NET BUY RS.587.02 CR IN EQUITIES ON NOVEMBER 6 (PROVISIONAL)
DOMESTIC FUNDS NET BUY RS.236.62 CR IN EQUITIES ON NOVEMBER 6 (PROVISIONAL)
KINGFISHER RAISES FUEL SURCHARGE BY RS.200 ON SECTORS MORE THAN 1000 KM
KINGFISHER RAISES FUEL SURCHARGE BY RS.100 ON SECTORS UPTO 1000 KM
JET AIRWAYS RAISES FUEL SURCHARGE BY RS.100-150 ON SECTORS UPTO 1000 KM
NET PROFIT AT $455 MN VS LOSS OF $24.6 BN (YOY)
TOTAL REVENUES AT $26.05 BN VS $898 MN (YOY)
MUTUAL FUNDS NET BUY RS.34.3 CR IN EQUITIES ON NOVEMBER 5
FOREIGN FUNDS NET BUY RS.267.6 CR ($56.8 MN) IN EQUITIES ON NOVEMBER 5
OVER 7% GROWTH ACHIEVABLE IN FY'11
TO EXPLORE STIMULUS EXIT MODE NOW; WINDING DOWN STIMULUS TO CUT DEFICIT
SENSEX UP 1.65%, NIFTY UP 1.8% FOR THE WEEK
CNX MIDCAP INDEX UP 3.9%, BSE SMALLCAP INDEX UP 1.6%
BSE PSU INDEX UP 4.77%, REALTY UP 4.4%, METAL INDEX UP 4%
INDEX GAINERS: BHARTI UP 9.4%, JP ASSOCIATES UP 8.6%, IDFC UP 7%
GETS U.S. FDA NOD FOR GENERIC ACULAR
TO RAISE UPTO $300 MN VIA FCCBS
EXTENDING 8% HOME LOAN SCHEME TILL 31ST MARCH , 2010
INDIAN RAILWAYS SHOULD RATIONALISE PASSENGER FARES UPWARD
TO RAILWAYS: STOP CROSS SUBSIDISING FARES AND FREIGHTS
IMPOSES 20% SAFEGUARD DUTY ON IMPORT OF SODA ASH
ROAD DEFICIT REMAINS THE GREATEST PROBLEM IN INFRASTRUCTURE IN INDIA

Updated: 24/07/2008 | 12:42 PM IST

Top Stories

Press Trust of India

Thursday, July 24, 2008 (New York)

Blog

Comments:

Read (0)

Post

Rate the story

A majority of websites floated by banks have design-related flaws that could make customers vulnerable to cyber-theft, endangering their money or even their identities, a study has found.

Led by an Indian American professor at University of Michigan, a study that surveyed web sites of 214 financial institutions in 2006 found that more than 75 per cent of them had at least one design flaw that made customers vulnerable to cyber thieves.

These design flaws were not bugs that could be fixed with a patch, the authors said, but they stemmed from the flow and layout of Web sites.

The flaws include placing log-in boxes and contact information on insecure web pages as well as failing to keep users on the site they initially visited.

Atul Prakash, Professor at the Department of Electrical Engineering and Computer Science, who led the research along with doctoral students Laura Falk and Kevin Borders, said some banks may have taken steps to resolve the problems since data was gathered, but there is still much room for improvement.

The findings will be presented for the first time at a Symposium on Usable Privacy and Security meeting at Carnegie Mellon University tomorrow.

"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," Prakash said.

"Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."

The flaws leave cracks in security that hackers could exploit to gain access to private information and accounts.

The Federal Deposit Insurance Corporation (FDIC) says computer intrusion, while relatively rare compared to financial crimes like mortgage fraud and check fraud, is a growing problem for banks and their customers.

A recent FDIC Technology Incident Report, compiled from suspicious activity reports filed by banks, listed 536 cases of computer intrusion, with an average loss per incident of $30,000. That added up to nearly $16-million loss in the second quarter of 2007.

Computer intrusions increased by 150 per cent between the first quarter of 2007 and the second. In 80 per cent of the cases, the source of the intrusion was unknown but it occurred during online banking, the report stated.

The design flaws Prakash and his team looked for include placing secure login boxes on insecure pages, which allow hackers to reroute data entered in boxes or create a spoof copy of the page to harvest information. A full 47 per cent of banks were guilty of this.

Another flaw was putting contact information and security advice on insecure pages, which an attacker could manipulate by changing an address or phone number and setting up his own call center to gather private data from customers who need help, Prakash said.

Besides, breach in the chain of trust occurs when a bank redirects customers to a site outside the bank's domain for certain transactions without warning, Prakash added. He found this problem in 30 per cent of the banks surveyed.

Allowing inadequate user IDs and passwords, which are easy to guess or find out also amounts to a security flaw, the study found.