Many banks have design flaws that facilitate phishing
The Street picked up some tips I published for people to protect themselves online. That is what got me reading the article in the first place, but what I want to call your attention to today is the other half of the article, which details some interesting research implying that online banks commit an awful lot of errors that enable phishing against their customer bases. The article states:
The study found that of the 214 U.S. financial institution Web sites that were analyzed, 76% of them had at least one design flaw which could compromise your financial data.
Unlike many studies that focus on the vulnerabilities of the coding of the Web sites, where hackers may be able to gain access to information, this study focused on design flaws of the banks' sites that made it easier for users to be tricked into giving up private information (phishing). The flaws include placing log-in boxes and contact information on insecure Web pages (47% of banks), putting contact information and security advice on insecure pages (55% of banks), redirecting customers to a site outside the bank's domain for certain transactions without warning (30% of banks), emailing security-sensitive information insecurely (31% of banks) and allowing easy-to-guess user IDs and passwords such as Social Security numbers or email addresses.
The first of these topics (placing login forms on pages that are not secured by SSL) is a personal pet peeve of mine and something I've written about in the past. A login box on a plain HTTP page gives the customer nothing to verify before typing a password (no lock icon, no certificate) and lets anyone on the network path rewrite where the form submits, which is exactly the behavior a phishing page relies on. Fortunately it's getting better, and many online banks are correcting this bad behavior, but this research makes clear that many have not. I will dig into the research in more depth and give you a summary of what it says and my commentary on it.
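To make the first two flaws concrete, here is a small checker that inspects a page's HTML for login forms (forms containing a password field) and flags a form that is served from a non-HTTPS page, one that posts credentials over plain HTTP, or one that submits to a host outside the page's own domain. This is an added example written for this post, not code from the study or from any bank; the sample pages and the `examplebank.test` hostnames are constructed, and the domain comparison uses a crude "last two labels" approximation rather than a real public-suffix list.

```python
"""Audit an HTML page for two phishing-enabling design flaws from the study:
a login form on a non-HTTPS page, and a login form that submits off-domain.
Added example with constructed sample pages; not a real bank's code."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginFormFinder(HTMLParser):
    """Collect every <form> that contains a password field, with its resolved action URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A form with no action attribute submits back to the page URL itself.
            action = attrs.get("action") or ""
            self._current = {"action": urljoin(self.page_url, action), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def registrable_domain(host):
    """Crude eTLD+1 approximation: the last two labels (assumption: no public-suffix list)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def audit_login_page(page_url, html):
    """Return a list of flaw descriptions found on the page; an empty list means none detected."""
    finder = LoginFormFinder(page_url)
    finder.feed(html)
    page = urlparse(page_url)
    findings = []
    for form in finder.forms:
        if not form["has_password"]:
            continue                      # search boxes and the like are not login forms
        action = urlparse(form["action"])
        # Flaw 1: the login box sits on a page that is not protected by TLS, so the customer
        # cannot verify who they are talking to and an on-path attacker can rewrite the form.
        if page.scheme != "https":
            findings.append("login form served over %s, not https" % page.scheme)
        # Flaw 1b: even on an HTTPS page, posting to an http:// action sends the password in the clear.
        if action.scheme != "https":
            findings.append("login form posts credentials over %s to %s" % (action.scheme, form["action"]))
        # Flaw 2: the form submits to another registrable domain, training customers to accept
        # off-domain credential prompts, which is precisely what a phishing page looks like.
        if registrable_domain(action.hostname or "") != registrable_domain(page.hostname or ""):
            findings.append("login form posts to %s, outside %s" % (action.hostname, page.hostname))
    return findings


# Constructed sample pages (not real banks).
INSECURE_HOME = """<html><body>
<form action="https://login.examplebank.test/auth" method="post">
  <input name="user"><input type="password" name="pw"><input type="submit">
</form></body></html>"""

OFF_DOMAIN_LOGIN = """<html><body>
<form action="https://secure-banking-vendor.test/login" method="post">
  <input name="user"><input type="password" name="pw">
</form></body></html>"""

CLEAN_LOGIN = """<html><body>
<form action="/auth" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<form action="https://search.examplebank.test/q"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for url, html in [("http://www.examplebank.test/", INSECURE_HOME),
                      ("https://www.examplebank.test/login", OFF_DOMAIN_LOGIN),
                      ("https://www.examplebank.test/login", CLEAN_LOGIN)]:
        print(url, "->", audit_login_page(url, html) or ["no flaws detected"])
```

Run against a page fetched with a normal HTTP client, the first sample (login box on the bank's plain-HTTP home page) and the second (HTTPS page whose form posts to a third-party vendor's domain) each produce one finding, while the third (same-origin HTTPS form, plus a harmless search form) produces none.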