This is the conclusion reached by a University of Michigan (USA) research group led by Professor Atul Prakash. He and his graduate students Laura Falk and Kevin Borders examined the websites of 214 credit and finance organizations during 2006.
The results were presented on July 25, 2010 at a symposium on usable privacy and security at Carnegie Mellon University.
The design flaws listed here are not programming errors and cannot be repaired with a "hotfix". The problem lies in the structure of the site and its overall planning. A widespread error is placing registration and login forms on insecure pages. Another is the absence of anything that gives the user a reason to stay on the page and complete the action. According to Professor Prakash, many banks still have the same problems.
"To our surprise, design flaws were so common that we found them even on the sites of very large banks," says Prakash. "We concentrated on cases where users tried to be careful, but the site structure made it impossible for them to make the right decision from a security point of view while banking online."
These flaws led to "holes" in the security of the sites that hackers can use to obtain clients' private information and gain access to their accounts.
The University of Michigan website listed five main design errors that, according to Professor Prakash, should be fixed on every banking website:
1) Login pages are not properly secured with SSL
This issue was found on 47% of the banking websites. A hacker exploiting it can redirect the data a user enters or create a fake page to collect bank clients' personal data. It also gives a hacker an opportunity for a man-in-the-middle attack, in which the user sees the same URL while the page has been replaced by the hacker's fake one. Even very watchful users can be trapped.
The solution is to use SSL on every page that handles confidential information, including the page that displays the login form, not only the page it submits to: a form delivered over plain HTTP can already have been altered before the user types anything. A user can recognise a secure page by the "s" after "http", i.e. https://
2) Contact pages are not protected with SSL
This flaw was seen on 55% of the sites. Hackers can alter the contact details in order to collect personal information from every client who contacts them. Clients assume that everything on the site's pages is genuine, which is why Professor Prakash recommends that website owners place contact information on a page secured with SSL.
3) The gap in the chain between a bank and its "trusted" partners
When a bank has an arrangement with a third-party organization, it simply sends the client to another site under a different domain name. About 30% of banking sites do this. Instead, the bank should inform the client that he or she is being redirected to a trusted partner's page.
4) Weak logins and passwords
Some American banks allow an email address or social security number to be used as the login name. It is easy for the client to remember, but it is also easy for a hacker to guess. Another common error is the lack of any policy on password creation, or the acceptance of weak passwords. About 28% of all banking sites were found to allow such logins and passwords.
5) Sending confidential information in unencrypted email
Important information (a password or an account statement) sent by email was not protected on 31% of banking sites.
Regarding account statements, it should be noted that the banks did not tell clients what form the statement would take (the statement itself, a link to it, or just a notification that a statement is ready). Using email for anything other than a notification seems a bad idea to the American experts.
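As an added illustration (not code from the study or the University of Michigan page), the following script checks a bank page for flaw 1 (a login form shown on, or submitting to, a non-SSL page) and flaw 3 (links that hand the client to a domain outside the bank's own). The page URL, the HTML and the domain names are all constructed sample values; a real audit would feed it pages fetched from the site under review.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.links, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # remember each form's action and whether it collects a password
            self._form = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form["password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_page(page_url, html):
    """Return findings for flaw 1 (login form not under SSL) and flaw 3 (links off the bank's domain)."""
    s = _Scanner()
    s.feed(html)
    page = urlsplit(page_url)
    findings = []
    for form in s.forms:
        if not form["password"]:
            continue  # flaw 1 concerns only forms that collect credentials
        target = urlsplit(urljoin(page_url, form["action"]))
        if page.scheme != "https":
            findings.append("login form shown on non-SSL page " + page_url)
        if target.scheme != "https":
            findings.append("login form submits without SSL to " + target.geturl())
    for href in s.links:  # flaw 3: the client is sent to another domain without warning
        host = urlsplit(urljoin(page_url, href)).hostname
        if host and host != page.hostname and not host.endswith("." + page.hostname):
            findings.append("link leaves the bank's domain for " + host)
    return findings

# Constructed sample: an http:// home page carrying the login box (which posts to https) and a partner link.
SAMPLE_URL = "http://examplebank.test/"
SAMPLE_HTML = """<html><body>
<form action="https://secure.examplebank.test/login">
  <input type="text" name="user"><input type="password" name="pw"></form>
<form action="/search"><input type="text" name="q"></form>
<a href="https://www.examplebank.test/about">About us</a> <a href="https://bills.partner-payments.test/start">Pay bills</a>
</body></html>"""
```

Running `audit_page(SAMPLE_URL, SAMPLE_HTML)` reports the login box on the plain-HTTP home page and the link to the partner domain, while the search form and the bank's own subdomain are ignored.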