Study shows bank websites to be insecure

By on July 24, 2008, 5:41 AM
A study released this week by a group of researchers from the University of Michigan paints an alarming picture: after examining over 200 financial institutions' websites, the researchers found that over 75% of them had at least one design flaw.

It is important to note, however, that the research did not focus on security holes per se, but on design practices that could potentially put customers at risk. For example, about half of the bank websites showed a login box on insecure pages, while about a third redirected customers to external websites without any notification. On the other hand, what makes much of this information somewhat irrelevant is that the research data was pulled from websites dating back to 2006, meaning banks should have resolved many of these issues by now, or so we hope.
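As an added illustration (not the study's own tooling), the following check looks for the two design flaws named above in a page's static HTML: a login form shown on, or posting to, a non-HTTPS URL, and links that take the customer off the bank's own domain. The page URL, domain names and sample markup are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.links, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True  # this form collects a credential
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_page(page_url, html):
    """Return finding strings for the two design flaws the study counted."""
    parser = _LoginFormCollector()
    parser.feed(html)
    page, findings = urlsplit(page_url), []
    for form in (f for f in parser.forms if f["password"]):
        if page.scheme != "https":
            findings.append("login form served over plain HTTP")
        action = urljoin(page_url, form["action"] or page_url)
        if urlsplit(action).scheme != "https":
            findings.append(f"credentials posted to non-HTTPS action {action}")
    for href in parser.links:
        host = urlsplit(urljoin(page_url, href)).hostname
        if host and host != page.hostname:  # leaves the bank's own domain
            findings.append(f"link to external domain {host}; confirm customer is warned")
    return findings


# Constructed sample pages (hypothetical hosts, not taken from any real bank site).
INSECURE_HTML = """<form action="/login" method="post"><input name="u">
<input type="password" name="p"></form>
<a href="http://partner.example/offers">Offers</a>"""
SECURE_HTML = """<form action="https://bank.example/login" method="post">
<input name="u"><input type="password" name="p"></form><a href="/help">Help</a>"""

if __name__ == "__main__":
    print(audit_page("http://bank.example/", INSECURE_HTML))  # three findings
```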

A separate study also released this week looked into corporate PCs and networks and found bleak security practices: of a pool of 100,000 computers analyzed, about 10 percent allowed the use of external storage or USB drives, 12 percent were missing anti-virus programs, and about 9 percent had peer-to-peer applications installed without authorization.

User Comments: 1

phantasm66 said:
I work in the financial world in IT providing these kinds of applications and this comes as no surprise at all. We simply do not work on projects in a manner that is compatible with security. When a project is undertaken, the goal is to deliver that application within budget, within agreed time frames, and to a standard that the company has deemed necessary in order to have the app running live. These are the goals. Security does not really come into it. It might come into it in the design phase, if you have a really good person who is security aware doing the architecture and design, but ultimately it's about budgets, delivering on time, being seen to do a good job, etc. Security hardly gets a look in.

Once completed, the application is handed over, usually to full-time perm support staff. They just want to know how to drive the thing and support it - not secure it. They usually have little idea how it was programmed (or they would be developers themselves) and after that, the only changes are those dictated by business users (who understand computer security even less than they understand IT) who are merely concerned with adding functionality. Again, security does not get a look in; any changes are just about making the application easier for users to use, faster, etc.

Furthermore, banks tend to avoid running the cutting-edge versions of things, and opt instead for versions of application servers, JDKs, frameworks, web servers etc. that are often several years old. I'm talking, in some cases, about WebSphere 4.0, Java JDK 1.4, IIS 4.0, etc. still being in production use. Software that is known to have security issues due to its age. These systems don't get patched (patching them means they are down, which is bad, even though there are backup systems and even if it's just for a moment, it is still not what anyone wants) and so long as they don't fall over and keep doing what they are supposed to, they get left alone.

Often they get major service packs and things but this is frequently months after that pack became available. Making a change to a system - no matter how small - requires a lot of paperwork, change management approval and politics, none of which ever seem to go smoothly. The smart folks in these organisations want to do things about security, but it's on the wish list really, because in the real world of life, it's all we can do just to deliver these things working, and on time. Once they work, it's on to the next project. Security only gets a look in reactively, i.e. after an attack we all get worried it might happen again and then try to do something about it. No one I work with is proactive about security at all.

[Edited by phantasm66 on 2008-07-25 11:05:42]