5 Internet Banking Security Threats

That is the conclusion reached by a group of researchers from the University of Michigan (USA) led by Professor Atul Prakash. He and his graduate students Laura Falk and Kevin Borders examined the websites of 214 financial institutions during 2006.

The results were presented on July 25, 2010 at the symposium on usable privacy and security held at Carnegie Mellon University.

The design flaws listed are not program bugs and cannot be patched with a “hotfix”. The core of the problem lies in the structure and overall planning of the site. The most common mistake is placing registration and login forms on pages that are not secured. Another problem is the absence of anything that would keep a user on the bank’s own pages. According to Professor Prakash, many banks still have the same problems.

“To our surprise, design flaws were so widespread that we could find them even on sites owned by very large banks,” says Prakash. “We focused our attention on those cases where users were trying to be careful, but the structure of the site made it impossible to make the right decision from a security point of view during Internet banking.”

These flaws lead to “holes” in the security system that hackers can use to obtain private customer information and gain access to their accounts.

The University of Michigan website listed five major design flaws that should be fixed according to Professor Prakash on every banking website:

1) Authorization pages are not properly protected with SSL

This problem was observed on 47% of all banking websites. An attacker exploiting this flaw can intercept the submitted data or substitute a fake page to harvest personal data from the bank’s customers. It also gives the attacker an easy man-in-the-middle position: the user sees the same URL while the page has been replaced with the attacker’s fake one. Even very attentive users can be caught.

The solution is to use SSL on every page that handles sensitive information. A user can recognize a secure page by the “s” after “http”, i.e. a URL beginning with https://.

2) Contact pages are not SSL protected

This defect was seen on 55% of the sites. An attacker who can alter the contact details can collect personal information from every customer who uses them. Customers assume that everything on the site’s pages is genuine, which is why the professor recommends that site owners place contact information on pages protected with the SSL protocol.

3) The gap in the chain between a bank and its “trusted” partners

When a bank works with third-party organizations, it often simply sends the customer to another site under a different domain name. About 30% of banking sites do this. A bank must instead inform the customer that they are about to be redirected to a trusted partner’s page.

4) The use of weak login and password

Some US banks allow an email address or Social Security number to be used as the login name. That is easy for a customer to remember, but just as easy for an attacker to guess. Another common mistake is the lack of any password-creation policy, or the acceptance of weak passwords. It is estimated that around 28% of all banking sites allow such logins and passwords.

5) Distribution of sensitive information with the help of unencrypted email messages

Important information (password or account summary) sent via email was not protected on 31% of banking sites.

Regarding account statements, the banks did not tell the client what form the statement would take (i.e. the statement itself, a link to it, or just an alert informing the user that the statement is ready). In the view of US experts, email should not be used for anything other than such an alert.
