More than three-quarters of bank Web sites are insecure, leaving their customers vulnerable to having their money stolen online or their identities compromised, according to a report by researchers at the University of Michigan at Ann Arbor. The report, to be released Friday at a computer-security and -privacy conference at Carnegie Mellon University, is based on an examination of 214 bank Web sites in 2006.
Among the problems the researchers identified were the following:
° Secure login boxes on insecure Web pages. A hacker could reroute data entered in the boxes or create a spoof copy of the page to harvest financial information.
° Putting contact data and security advice on insecure pages. An attacker could change an address or phone number and set up his own call center to gather private data from customers.
° Easily guessed user IDs and passwords. Some sites used Social Security numbers or e-mail addresses as user IDs.
“To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country,” Atul Prakash, a professor of electrical engineering and computer science at Michigan, said in a prepared statement.—-Andrea L. Foster
