Banking Web Sites Still Insecure
This should, of course, come as no surprise to anybody in IT security, particularly those specializing in protecting web sites. But a study released by researchers at the University of Michigan says 75% of banking web sites have design flaws that open online customers to cybercriminals, according to Finextra and CNET.
Now, make a note. The study talked about design flaws, not necessarily coding flaws. Of course, these design flaws are coded into the web sites, but they're not really coding flaws in the way OWASP would see them. They're flaws in the flow and layout of the sites that can lead to exploitation.
They include things like putting logins and contact information on insecure -- meaning non-SSL -- pages, allowing weak user IDs and passwords and weak authentication (an OWASP biggie), and redirection of sites to domains outside the bank without warning.
The fully study can be found here.
Now, make a note. The study talked about design flaws, not necessarily coding flaws. Of course, these design flaws are coded into the web sites, but they're not really coding flaws in the way OWASP would see them. They're flaws in the flow and layout of the sites that can lead to exploitation.
They include things like putting logins and contact information on insecure -- meaning non-SSL -- pages, allowing weak user IDs and passwords and weak authentication (an OWASP biggie), and redirection of sites to domains outside the bank without warning.
The fully study can be found here.
posted by The IT Security Guy at 9:06 AM
1 Comments:
You would think that banks and sites dealing with large amounts of money would recognize these design flaws as quickly as possible and do everything they can to fix them, but I guess they just don't take action until someone is exploited and complains about it.
Post a Comment
<< Home