85 Comments
- inactive, on 08/03/2008, -1/+59: I'm not worried. I don't have money in my bank accounts anyways. Maybe the thieves that get into my account will feel sorry for me and put money into the account.
- gracias, on 08/03/2008, -4/+61: 2-year-old study, does not list secure or insecure banks. Buried.
- JD52, on 08/03/2008, -0/+26: Most I've seen also suffer from low self-image... little girly banks.
- delusionz, on 08/03/2008, -1/+20: I better take my 60 dollars out FAST!!!
- BaoUnit, on 08/03/2008, -1/+18: Sir, may I ask where you live?
- Snokage, on 08/03/2008, -1/+16: Would be nice if they re-conducted the story and released their results to all banks to have them update their security.
- itsradBrad, on 08/03/2008, -2/+14: I swallow all my cash. It keeps me regular and I have money to spend once, sometimes twice a day.
- anachronaut, on 08/03/2008, -0/+9: So my neighbor's cash is in my backyard? I'm off to rent a backhoe!
- rssman, on 08/03/2008, -0/+9: That's correct! Unfortunately, many banking websites in the US do not provide a virtual keyboard, which makes users vulnerable to malicious software such as keyloggers. Some employees do not even know what "virtual keyboard" means. In Turkey, most banking websites provide a virtual keyboard and many websites require an SMS confirmation before making any transaction.
- virtualonliner, on 08/03/2008, -1/+10: That is why I keep my money buried in my backyard.
- funkyloki, on 08/03/2008, -2/+9: Yes, the study is two years old, but they just published it. And it would be the height of irresponsibility to start posting which banks were secure and insecure since the research was done two years ago.
- Donegal, on 08/03/2008, -1/+8: Thanks for the relevance.
- DivisibleByZero, on 08/03/2008, -1/+8: Yeah, I love it when my online bill payment sites employ crazy password complexity rules. Like some jackass is going to figure out my weak password, then login to my account and pay my electricity bill. Oh no!
- ahoyhoy1, on 08/03/2008, -0/+6: But then the banks will steal your money with a stupid fee for going below the minimum balance.
- cubicledrone, on 08/03/2008, -1/+7: The IT employee that offered to fix it was shouted down in a meeting, publicly ridiculed, screamed at, harassed for weeks and fired by some middle manager with a space-age piece of plastic in his ear and a name tag on his door. Bob the middle manager wears blue long-sleeve shirts in July and walks a big malamute around in the park so he can meet a type-A cast-iron bitch to date. He just bought a new set of cooking utensils on his platinum card for $4800 for the Home Depot discount. He couldn't cook if he had a flamethrower and a clear view of six tons of hamburger.
And he wouldn't get fired if Godzilla urinated his name on the table at a board meeting.
- DivisibleByZero, on 08/03/2008, -0/+6: Yeah, a virtual keyboard is totally secure. It's trivial for a hacker to deploy a keylogger, but a mouse-click logger? That's some science fiction stuff right there. (Even if it doesn't know where the keyboard is relative to the screen, all it would have to do is take a screenshot on every mouse click.)
The SMS confirmation is huge though, and I wish US banks would do that, or start issuing RSA fobs like PayPal is doing.
- ahoyhoy1, on 08/03/2008, -0/+6: How do I take out my -72 dollars from overdraft fees?!
- insomniac8400, on 08/03/2008, -0/+6: I believe the login issue was brought up before and some people pointed out that it posts via https. The login is secure, but you just don't get the lock in the bottom corner. Although Chase and others do have https on the main page.
- N0153T4NK, on 08/03/2008, -1/+6: Yeah, God forbid somebody take my minimum balance away from me.
- TenebrousX, on 08/03/2008, -2/+7: Do you even know what sarcasm is?
- DivisibleByZero, on 08/03/2008, -0/+4: But Chase does such helpful things as requiring me to put digits in my username, setting a maximum of 8 characters for my password, and letting me reset my password if I just give them my mother's maiden name and the city I was born in. There's no way any of those things are secure.
Their "security" also identified me as a credit card thief the time I ran out of gas (made two small purchases to buy a can and then fill it with a gallon, then filled my tank). When I tried to make a withdrawal at the strip club ATM that night, it was declined, so I called the number on the back of the card, which told me I had to call back during business hours.
When I called back the next morning, it was a completely automated system. "Press 3 if your mother's maiden name is Smith...." I guess the computer works union hours.
I only had the account because I used to work for them on some of their stock trading apps. Believe me, if you think your personal bank account is insecure, you'll love realizing that the entire stock market is held together by baling twine and duct tape.
- DivisibleByZero, on 08/03/2008, -0/+4: I wish "redirecting outside the bank without warning" wasn't on the list. Sadly, people are dumb enough to not be able to catch that sort of thing themselves.
- S1ngular1ty1, on 08/04/2008, -0/+3: Most modern keyloggers also take screenshots, so you are still hosed unless you have multi-factor authentication.
- Zachariah, on 08/04/2008, -0/+3: I'm sick of banks asking me "security" questions that as far as I can tell are just easier backdoors to my account than my username/password combo.
- ligyron, on 08/03/2008, -1/+4: Be smart and bury it in your neighbor's backyard. No one will look for it there.
- Poseur117, on 08/03/2008, -5/+8: This makes me feel better about my life's savings being accessible online.
- ligyron, on 08/03/2008, -4/+7: Do you even know what insecure means?
- diemunkiesdie, on 08/03/2008, -0/+2: If you are going to post some angry information about a news story that happened, post a link to the story so we can see it for ourselves!
- inactive, on 08/03/2008, -6/+8: Most banks are thieves anyways.
- strictnein, on 08/04/2008, -0/+2: Yes, let's resort to personal insults. A random person calling me a "dick" on the internet. Seriously, can't you do better than that?
Did you read what I said? I do not get hit for $30 overdraft charges, I do not pay $2 to check my balance, I get a relatively low credit card rate, and my bank does not change the monthly payment dates. And this is all from a major US bank, not some little mom and pop country shop. I also have my savings in a savings account where they belong. One that gets a reasonable amount of interest.
- strictnein, on 08/03/2008, -4/+6: How so?
- exile, on 08/03/2008, -1/+3: Thankfully my mattress is fully firewalled.
- Beatmiser, on 08/04/2008, -0/+2: I'm not interested in their personal lives... I just want to know if my money is safe!!
- miaow, on 08/04/2008, -0/+2: I'm glad the poll is there for us.
- DivisibleByZero, on 08/04/2008, -0/+2: Moving the buttons around only works if the onclick event makes its way to the virtual keyboard before the logger. Which is implausible given that the logger is running somewhere within your OS, whereas the virtual keyboard lives in your web browser. That logger's taken the screenshot before your virtual keyboard knows anything about it.
Stuff like that is designed as a workaround for a logger that logs the coordinates of the clicks without taking the screenshot. The fun thing about security through obscurity is that the attacker will always come up with a more convoluted way around your convoluted system, and the user is the one who suffers. A randomized keyboard is a usability nightmare with no real security benefit.
- spyda256, on 08/04/2008, -0/+1: I'm pretty sure you nailed it right on the head... If you're in the industry you know it's true, which is so sad.
- strictnein, on 08/04/2008, -0/+1: Chase does SMS confirmation every once in a while.
- strictnein, on 08/04/2008, -1/+2: All things that you know ahead of time. How are these ways I'm being "ripped off"?
It takes a while for banks to process checks. Everyone knows this. And it's a zero-sum game. If every bank holds onto the funds longer to collect interest for a longer period of time, then how does it benefit anyone?
Your bank charges you $2 to check your accounts at non-bank ATMs? That sucks.
You get $30 overdraft charges? That sucks. Maybe set up your credit card as a backup, which most banks let you do. That way you only get hit for a couple of bucks. Or, maybe, keep better track of your money? And again, this is known ahead of time.
Checking account interest: known before you sign up for the account. A checking account isn't for long-term savings, hence the name "checking account".
Credit card interest: known before you sign up for the card, and assuming you have good credit, you can get pretty good rates.
Your bank changes monthly payment dates? That sucks as well.
Sounds like you're just signed up with a crappy bank and don't like to read the Terms and Conditions.
- inactive, on 08/04/2008, -0/+1: Because he's not running for President. Let's keep private lives private. Unless he was doing it on the taxpayers' dime, I really could care less.
Also buried for irrelevance.
- inactive, on 08/04/2008, -0/+1: Most banks just have a username/password.
My local bank demands you use an alphanumeric username and password (letters and numbers for each). And it requires answers to < 6 secret questions. Then with each login, it asks you the answer to one of the secret questions along with the username/password.
- theandyj, on 08/04/2008, -0/+1: dat chit fort knox?
- spoulson, on 08/04/2008, -0/+1: Damn, it's 2008 and banks are STILL operating insecurely on the web? These examples are prime audit targets by the Treasury Dept, who can shut their doors if they didn't fix these issues. I mean seriously, no SSL on login page? Emailing confidential information?! *sigh* Aside from the money, a bank's most important asset is its customers' data.
- S1ngular1ty1, on 08/04/2008, -0/+1: I'm glad my bank lets me use my cell phone as a 2nd factor of authentication. Makes my login much more secure. You would have to have my cell phone and know my login ID and password to get into my bank account.
- DivisibleByZero, on 08/04/2008, -0/+1: And contrary to what most banks seem to think, "multi-factor authentication" does not mean giving it your mother's maiden name as well as a password.
- Ladadadada, on 08/06/2008, -0/+1: Do I smell a bit of resentment there?
Unfortunately, it's scarily accurate, which is why I appreciate a good line manager when I can find one. Their main job is to shield the guys who do the work from the middle managers while still getting an adequate budget out of them.
- Ladadadada, on 08/06/2008, -0/+1: Bah! I had a bank's WEBSITE tell me that it only worked during business hours.
I mean SERIOUSLY... they had to actually put in extra work to make the website NOT work during the non-business hours.
- gettarat, on 11/24/2008, -0/+1: Chin up, ol' buddy. You'll find love someday.
http://homedepothours.com/
- JNudda, on 08/04/2008, -0/+1: @those who buried poseur: wooooosh
- Ladadadada, on 01/01/2009, -0/+1: If I read that description correctly, this is what is known as two-factor authentication. It requires you to know something (your PIN) and to have something (the PIN-Calculator).
Lots of banks have this sort of thing available, but most of them require that you ask them for it. They won't just offer you the extra security on their own.
Of course, the way I first read it, it sounded as if the "calculator" was on their website, in which case you put in your PIN to their website and get a new PIN back, which you then put back into their website to log in. Clearly, this would NOT be two-factor and would be no more secure than just the plain old PIN. Unfortunately, I wouldn't put it past many banks to implement something like this and call it two-factor. Bah!
- Ladadadada, on 08/06/2008, -0/+1: Having the login page not on SSL still leaves you open to spoofing the login page. If you can do that (which you CAN if you are a man-in-the-middle), then you can add a bit of JavaScript that sends the POST variables to a third-party webserver while still allowing the normal SSL POST request to the bank to go through.
It changes the attack from being purely passive to being active, which is a little more dangerous for the crooks, but it still leaves an avenue open for attack. Having the login page signed with SSL removes this avenue as well.
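The condition argued over in this comment and in insomniac8400's earlier one (a login form delivered over plain HTTP that merely posts to HTTPS) is easy to audit for. The scanner below is an added example, not code from the thread or from any bank: it parses a page's HTML, resolves each form's action against the page URL (`bank.example` and the sample markup are constructed), and flags every password field whose page or action is not HTTPS.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every password field and classify how its form is protected."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._action = None   # resolved action of the form being parsed
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action posts back to the page itself.
            self._action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.findings.append(self._assess(self._action or self.page_url))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

    def _assess(self, action):
        page_https = urlsplit(self.page_url).scheme == "https"
        post_https = urlsplit(action).scheme == "https"
        if page_https and post_https:
            verdict = "ok"
        elif post_https:
            # The form itself arrived over HTTP: an active MITM can rewrite
            # it, so the HTTPS POST alone does not protect the password.
            verdict = "page-not-https"
        else:
            verdict = "action-not-https"
        return {"action": action, "verdict": verdict}


def scan_login_page(page_url, html):
    """Return one finding dict per password field in `html`."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: HTTP home page whose login form posts to HTTPS.
SAMPLE_URL = "http://bank.example/"
SAMPLE_HTML = """<form action="https://bank.example/login" method="post">
<input name="user"><input type="password" name="pass"></form>
<form action="/search"><input name="q"></form>"""
```

Run it over a fetched page body with its final URL; a "page-not-https" verdict is exactly the missing-padlock setup the thread describes, and "ok" requires the whole page, not just the POST, to be served over TLS.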