Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Most Bank Websites Are Insecure 269

Anonymous writes "More than three-quarters of bank Web sites have design flaws that could expose bank customers to financial loss or identity theft, according to a University of Michigan study that will be presented this week at the Symposium on Usable Security and Privacy. The study, 'Analyzing Web Sites For User-Visible Security Design Flaws,' examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders."
This discussion has been archived. No new comments can be posted.

Most Bank Websites Are Insecure

Comments Filter:
  • Surprise - really... (Score:5, Informative)

    by Anonymous Coward on Thursday July 24, 2008 @07:50AM (#24317005)

    It is actually a surprise, earlier the banks would just cover the damages caused. But with the current global economy it is actually a bit surprising that the banks are letting this happen.
    But then again they might not - the study is from 06 and those were diffent times for banks.

    • The Big Problem (Score:5, Informative)

      by WED Fan ( 911325 ) <akahige@trashmaCOUGARil.net minus cat> on Thursday July 24, 2008 @08:43AM (#24317593) Homepage Journal

      The big problem here is that while our funds are secured by Federal Insurance, our identities are not. And the potential for damage from ID theft are greater than the potential for loss of the little electronic digits that represent our money.

      It can take years and lots of money to recover from ID theft. I am currently dealing with my sister-in-law's ID theft. She is a world traveler and spends 10 months out of the year in Africa, India, and the UK. We have signature authority on most of her stateside accounts. The problem is, she loves Internet Cafes and does her banking online.

      She opened a new account in NYC before her last trip. She was in Nigeria for less than a week and we started to get alarming indications that something was wrong. Sure enough, some got her on what was her first visit to an cafe, her new account and her old WAMU account had to be shut down before it was raided. We are now getting credit warning letters in her name and we are hoping she doesn't get stopped in some country because someone used her name for a crime. Imagine the passport issues.

      The problem might not be the bank's entirely, but there are measures they can take.

      • Re:The Big Problem (Score:5, Insightful)

        by somersault ( 912633 ) on Thursday July 24, 2008 @08:58AM (#24317755) Homepage Journal

        In that case I don't see how it was the bank's fault in any way.. using an internet café for banking (in Nigeria of all places, famous for 419 scams..) doesn't strike me as the best idea in the world. Even if the keyboards are glued in so that people can't attach keyloggers and whatnot, someone could have setup a mini camera, or perhaps the owner of the café has installed monitoring software that allows him to record everything.. she'd be better off with a WiFi enabled PDA or something at least?

        • Re: (Score:2, Insightful)

          by relguj9 ( 1313593 )
          I have to agree, those both kind of jumped out at me, logging into a bank account at #1 a public workstation and #2 in Nigeria...

          While I am sure there a lot of things that the bank can do to improve the system, I truly don't believe that they could have prevented the loss in her situation.

          While I don't agree with tin-foil paranoia, a healthy fear and common sense are important to protect yourself, especially in unfamiliar environments.

          I feel like I'm posting the obvious here but I'll post it anyway
          • Re:The Big Problem (Score:5, Insightful)

            by dgatwood ( 11270 ) on Thursday July 24, 2008 @12:50PM (#24321953) Homepage Journal

            They could have made it several orders of magnitude harder by adding two-factor authentication with a SecurID or CryptoCard style of physical token. At that point, the only way to commit real identity theft (as opposed to simply being able to see the partial account numbers (your bank does only list part of the account numbers, right?) shown on the screen) would be to inject a man-in-the-middle proxy that was configured for your particular bank with detection and interception of the logout click and returning a bogus "you have logged out" page, then transferring control over the session immediately to a human operator to work with it further. While such sophisticated attacks are possible, they are much less trivial, and thus much less likely.

            I find it utterly hilarious that my webmail at work is orders of magnitude more secure than online banking. Instead of fixing the problem of authentication, the banks would rather come up with more and more absurd "solutions" like making your passwords impossible to remember (and incompatible with passwords from other online banking sites due to different rules) so you have to write them down, then setting up lists of security questions for the inevitable forgotten password. I mean jeez, a CryptoCard token is what, $70 in quantities? They probably spend close to that for each user every year just because of the extra customer support overhead of their draconian password schemes....

          • I've been thinking a lot lately about ID management as a solution to these kinds of problems. Financials are only one thing that's moved onto the web—it seems health is next. As we put more and more of ourselves into The InterPipes, I think there's going to come a point when we need to actively create and manage an online identity.

            The real key to good ID mgmt is not simply collecting all of your information in one place, being able to create different personas and share those based on who you're talk

        • Re: (Score:3, Informative)

          by Lord Ender ( 156273 )

          If banks required two-factor authentication like they should, then even using a totally-pwned internet cafe for your banking would have greatly-reduced risk.

          • Re: (Score:3, Interesting)

            by somersault ( 912633 )

            Why is this just about banks then? Plenty of other websites have access to credit and debit card details (and debit cards don't have the same level of protection as debit cards), and generally have weaker login requirements than most banks, though you'd probably suggest that they should have stricter security as well. If my bank didn't have the moronic irrelevant security questions then I'd probably still be using the system today, but instead I've just decided not to bother with it as it has caused me a fa

            • Re:The Big Problem (Score:5, Interesting)

              by dgatwood ( 11270 ) on Thursday July 24, 2008 @01:00PM (#24322173) Homepage Journal

              What forms of 2 factor authentication would you propose for a public computer btw? Some kind of USB dongle or something? What if the cafe didn't allow those? The risk might be reduced with a 2 factor system, but I still think it's better to avoid banking on a public terminal.

              Factor 1: pin number. This is something you know. Usually 4 digits, but may be arbitrary. Probability of guessing: 1/ 10^k where k is the number of digits. If digit count is variable, this makes it even more fun since 0004 and 4 are then different values.

              Factor 2: CryptoCard token or similar. You push a button and it gives you the next number in a pseudorandom sequence that was pre-seeded. The computer on the other end knows the next few numbers in the sequence (the exact number probably varies depending on configuration) and if the number you enter isn't one of those, it rejects the login attempt. No number can be used twice. Probability of a successful guess: about 1 / 50,000 - 1/200,000, depending on the bank's level of paranoia about skipping numbers without a resync. :-)

              Total probability: 1 / 500,000,000 - 1/2,000,000,000 depending on paranoia level for number skipping and assuming a 4 digit PIN....

              Even better, I think the resync process is also basically protected against identity theft unless you have the pin number, since you can't substitute a different token and get two numbers in a sequence that would be valid for the original token, IIRC, and the resync doesn't buy you anything other than a few more tries to guess the PIN number.

        • Re: (Score:3, Insightful)

          by owlstead ( 636356 )

          No, the bank could have opted for transaction based authentication with a little security device not connected to the computer. I've got one from VASCO from my bank. There is no way that they could raid my account after using an internet cafe.

          The current one uses the chip of my bank card together with a semi-random number generated by a clock(the device has a battery and after a few years the battery - and therefore the device will run out). Other banks use the mobile phone (SMS) for confirmation. Less secu

      • by Skapare ( 16644 )

        She needs to have her own computer with her, with its own security so it can't even be operated by someone who might take it.

    • by Lobster Quadrille ( 965591 ) on Thursday July 24, 2008 @09:45AM (#24318569)

      A while back I emailed my bank about several critical holes on their website. Their response: because the actual banking takes place through a third-party, the access logs that are publicly available on the site, the ability to manipulate the content of the website through javascript, the ability to alter login forms, and the ability to hijack the CMS' admin sessions are non-issues.

      I have a new bank now.

  • by Dystopian Rebel ( 714995 ) * on Thursday July 24, 2008 @07:50AM (#24317007) Journal

    Banks are protected from their mistakes by the US Federal Reserve.

    • by bondsbw ( 888959 ) on Thursday July 24, 2008 @08:00AM (#24317083)

      Banks are protected from their mistakes by the US Federal Reserve.

      Consumers (or lenders, technically) are covered up to the greater of their account balance or $100,000, but identity theft is far from protected.

    • Profit... (Score:5, Interesting)

      by Anonymous Coward on Thursday July 24, 2008 @08:15AM (#24317213)

      Banks are protected from their mistakes by the US Federal Reserve.

      Profits always get privatized, banker's mistakes often get nationalized. The private citizen always gets stuck with bailing the banks out but gets little or no benefit from profits since these shipped of to tax havens like Lichtenstein. Which makes it all the more gratifying when something like this [bbc.co.uk] happens.

      • You're happy that the German mafia is going to recover some protection money that wasn't paid to them because some guy denounced the people who resisted ?

    • Re: (Score:3, Informative)

      by kthejoker ( 931838 )

      This may be somewhat true, but the FDIC is an *insurance* company, and if a lot of banks had to start hitting it up due to identity theft, its premiums (in the form of government deficit) would go up. And that tanks the economy, which tanks banks, etc ...

      So, no, banks do not get off scot-free for this kind of thing because of some magical safety net. TINSTAAFL.

  • Bank logins (Score:5, Insightful)

    by AvitarX ( 172628 ) <me@@@brandywinehundred...org> on Thursday July 24, 2008 @07:55AM (#24317041) Journal

    If this report makes it any harder to login to my account I am going to have to find the publishers, and beat them.

    My current bank forced me to select 6 questions, many of which there were no choices I knew the answer to, but that someone stealing my identity could find.

    When one of these comes up that I can't answer I call the customer service, and am verified by my mothers maiden name. Defeating the purpose of all the questions anyway.

    Also, my user-name is not a password, don't make me change it to one.

    • by bondsbw ( 888959 ) on Thursday July 24, 2008 @08:04AM (#24317105)

      At least your username isn't your Social Security Number. I'm looking at you, Regions Bank.

      • And Sallie Mae.

        • BoA defaults to that, but you have the ability to change it.

          • Re: (Score:3, Interesting)

            by MBGMorden ( 803437 )

            Their credit card accounts don't seem to (or didn't - I've had my account online for about 8 years or so now). Not sure about their checking. They DO have an annoying login though. If you've never logged in on this computer before, you have to answer 2-3 extra questions before logining in, and then after logging in they present you with a "sitekey" which you're supposed to verify is correct (and reenter your password). Thing is, in God only knows how long of accessing that site, the sitekey has NEVER be

      • Re: (Score:3, Informative)

        by Sandbags ( 964742 )

        Hell, BB&T not only doesn't use 2 factor authentication, they also don't enforce strong passwords, nor do they prevent browser caching of passwords. The login field was recently "moved" in order to "prevent some types of known security attacks" but the login fields are still ON the MAIN PAGE...

    • Re:Bank logins (Score:5, Interesting)

      by SatanicPuppy ( 611928 ) * <Satanicpuppy@nosPAm.gmail.com> on Thursday July 24, 2008 @08:17AM (#24317231) Journal

      That makes me absolutely apeshit; do NOT force me to choose one of your crappy questions! Let me write my own question, and my own answer.

      Whenever I get to write my own question, the question is always a mnemonic for a password...Secure, and easy to remember, since the question implies the answer uniquely, and you don't get any "Did I abbreviate my hometown name in the 'What was the name of your high school question?'" problems.

      The thing I do if they force the question, is use a stock response for all questions of that type, which is, itself, password like. E.g my first pet was: Wc@e%rddt^y, whereas my first car was" L!kj%nb^

      • Re: (Score:3, Insightful)

        Comment removed based on user account deletion
        • Re:Bank logins (Score:4, Insightful)

          by Tanktalus ( 794810 ) on Thursday July 24, 2008 @08:57AM (#24317749) Journal

          Minor nit: sure, my bank has my email address. I do NOT want them emailing me. Under ANY circumstances. If it's important, send me normal snail mail.

          If I have to start weeding out "legitimate" email from my bank vs "phishing" that appears to be from the same bank by actually opening the mail to look at it ... well, I'll probably just ignore the legitimate stuff, to be honest.

        • 'What was the name of your high school question?'

          Yes please make them make made make up my own question. High school: I went to several schools in several cities and even countries. Maiden name of my mother: You have no need to know that. You want my data, OK. I am not giving you my parents data as well.

          They already have your mother's maiden name. They just want to see if you are who you claim you are. I usually have to reverify my computer after each upgrade of Firefox :(

      • by notthepainter ( 759494 ) <oblique@alu3.14m.mit.edu minus pi> on Thursday July 24, 2008 @09:03AM (#24317851) Homepage

        whereas my first car was" L!kj%nb^

        Wasn't that a great car? Mine got great mileage. Finicky carb but at least it was easy to rebuild.

      • Re:Bank logins (Score:5, Interesting)

        by CastrTroy ( 595695 ) on Thursday July 24, 2008 @09:10AM (#24317943)
        I use random password like strings for the answers to those questions also. It's too easy for just about anybody who knows me to guess the correct answers to those questions. You don't even have to know me, you can just check out my facebook profile. My first highschool is obvious, because there is only 1 in my hometown.
        • Re: (Score:3, Insightful)

          by SuperQ ( 431 ) *

          I do the same thing, I just generate additional strong passwords and keep them in a GPG encrypted file.

          The problem is these questions are NOT 2 factor authentication, and like you say only make the authentication method weaker.

      • by tlhIngan ( 30335 ) <slashdot@worf.ERDOSnet minus math_god> on Thursday July 24, 2008 @10:23AM (#24319167)

        The problem with the questions is based on a watered-down version of bank security measures.

        There were guidelines issued that said banks and other financial institutions should use two-factor authentication. The banks, however, fought back because such changes (keyfobs, scratch tickets, etc) cost money, and the guidelines were watered down to what they are now - "sorta-wannabe-two-factor".

        In reality, it's another password.

        http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx [thedailywtf.com]

        Heck, some banks are really idiotic, too...

        http://thedailywtf.com/Articles/Banking-So-Advanced.aspx [thedailywtf.com]

      • Re: (Score:3, Funny)

        by severoon ( 536737 )
        I'm used to seeing l33t on /. occasionally, so I tried to read your pet name and car make and my brain exploded.
    • Re:Bank logins (Score:4, Interesting)

      by Z00L00K ( 682162 ) on Thursday July 24, 2008 @09:04AM (#24317861) Homepage Journal
      The bank I use Swedbank [swedbank.se] uses a security token with a challenge/response for several stages:
      • At log in to authenticate.
      • Whenever a new payable account is registered.
      • The total sum to pay of all bills registered at that session.

      This means that it's hard for any intruder to actually do something even if they are able to crack the encrypted channel between me and my bank.

      The use of username/password or a non challenge/response technology are definitely insufficient since they are open for man in the middle attacks and other attacks.

  • Surprise (Score:5, Interesting)

    by MyLongNickName ( 822545 ) on Thursday July 24, 2008 @08:00AM (#24317079) Journal

    Having worked in the banking industry for nearly a decade, I was a bit skeptical. Many times we will have some security firm come in and look at our public facing web site, and come back with a list of 25-30 items that are 'security issues'. Most of them are complete crap, and maybe 1 or 2 are legitimate concerns. Management gets in a tizzy and insists that all items must be addressed, even when many items make no sense or are even counterproductive to implement.

    I skimmed the underlying study (the article itself was worthless except for the link), and some of the concerns are very valid. For example, I have NO idea why a bank wouldn't insist on using SSL for any banking transaction.

    • Re: (Score:3, Insightful)

      I am neither a Web designer or programmer nor am I a cracker. In many respects I'm just a typical computer geek who knows enough to stay out of trouble. I am wondering why these banks don't hire competent employees (or contractors) though. Some of the problems mentioned in the PDF seem very obvious to me:

      Break in the chain of trust: Some websites forward users to new pages that have different domains without notifying the user from a secure page. In this situation, the user has no way of knowing whether the new page is trustworthy.

      Inadequate policies for user ids and passwords

      (i.e. email addresses for IDs and short crackable passwords)

      E-Mailing security sensitive information insecurely

      (I always found it BIZARRE that banks and its employees aren't trained to use PGP and the like for even large moneyed account holders and more s

      • Re:Surprise (Score:4, Informative)

        by Fozzyuw ( 950608 ) on Thursday July 24, 2008 @08:51AM (#24317681)

        (i.e. email addresses for IDs and short crackable passwords)

        There's a line a bank must tread between obvious security and usability. There's one bank I use that forced me to take THEIR login ID but let me set my own password. It's the only bank I have to save my login ID in an accessible location so I can go and look it up, because I can't damn well remember what stupid number they gave to me at the end of some sort of concatenated user name based on my real name.

        There extra security in having hard to guess logins and passwords, but you're also making it difficult to the point of uselessness to make people remember endless amount of logins and passwords where they're just going to start writing them down on stick-it-notes at their work desk. In that sense, allowing them to make easily remembered logins can be MORE security by avoiding having your customers take their own extreme measures to remember their credentials.

        What I'm seeing happening recently is that banks are having you pick a specific picture associated with your account and have you just enter your login ID. They then direct you to a "second" login page that will show your "site key" (the image you selected) along with some text you might have filled in yourself (describing the picture). This, I assume, is to defeat phishing sites. A phishing site shouldn't be able to know your "site key" picture and text, which is to alert the user that they're not on the right website.

        Though, I personally have no pity to people who fall for phishing sites. Knowing how to read and check an address bar is part of being able to use the Internet properly. Otherwise, it would be like allowing people to drive without a license. Sure, some people can do it successfully but they're more likely to make a mistake that is easily avoidable, just because they didn't know better.

        - logons etc on insecure pages

        This is often a misunderstanding. One that I had at a point as well. Your login form has to submit to a SSL page, not reside on an SSL page to be secure. This is why several banks have login's on non-SSL pages, because their main informational site doesn't need the extra overhead of SSL to transmit their advertisement stuff.

        However, should your login fail and they send you back to a non-SSL page with your information filled in, then I would be concerned. Though, I've not seen a bank do that yet. General rule of thumb is that if you're paranoid about it, submit the login form, without/wrong credentials and you'll get a login/SSL page.

        • Re: (Score:3, Insightful)

          by CastrTroy ( 595695 )
          Couldn't the phishing site just take your login ID from you, post it to the banks website, possibly through a proxy botnet machine so it wouldn't look like a whole bunch of requests were coming from a single machine, and download the site key image and show you the proper one? I don't think any phishing scams haven't gotten this sophisticated yet, because it's easy enough to just do it the old fashioned way. But if things get hard enough, and all bank websites start using tricks like this, then I could se
        • Re:Surprise (Score:4, Insightful)

          by CastrTroy ( 595695 ) on Thursday July 24, 2008 @09:25AM (#24318203)
          If the login form isn't on and SSL page, how does the user ensure that the page is being posted to the correct location? Do they have to view the source to figure out where it is being posted to? For all you know, that unsecured login page had some javascript inserted that takes the information you enter, and sends it to a different page. Or even simpler, just has the form action replaced with something else completely different. Without looking at the page source, and verifying every line, you have no idea where the form is going to submit to or what's going to happen once you enter your credentials.
        • You said,

          There extra security in having hard to guess logins and passwords, but you're also making it difficult to the point of uselessness to make people remember endless amount of logins and passwords where they're just going to start writing them down on stick-it-notes at their work desk.

          One can easily enough save a password with a password manager, or save a login straight from a Web browser or using something like Microsoft's newer CardSpace feature (available with XP and Vista). All these options are better than crackable passwords. If these aren't possible for something like work (if you decide to do your banking at work, which I wouldn't do for many reasons) then I would write down my ID and carry it with me. Having to be inconvencienced by one logon account would be worth it

        • Re: (Score:3, Interesting)

          The problem with not having the login page on SSL is that a phishing site that managed to poison DNS could get you to send them your login information.

          With an SSL login page this would be much more difficult. If someone managed to hijack the domain name (either through compromising DNS servers or changing your hosts file because you were foolish enough to install that "free" screensaver), and you were forced to log in through SSL, your browser would yell at you because the site key would not match what t

      • I am wondering why these banks don't hire competent employees (or contractors) though. Some of the problems mentioned in the PDF seem very obvious to me:

        Well, I work for a large bank and I can tell you, most of the people who work in this industry are borderline incompetent.

        Most good IT people avoid us since banks have to deal with SOX, which was about the dumbest idea ever, and many other regulations that mean even the most trivial changes can take weeks to implement. Not a lot of incentive to go bug hunting when it'll mean filling out (and faxing!) a bunch of lame paperwork.

        It once took two weeks for me to add an index to a table.

    • Many times we will have some security firm come in and look at our public facing web site, and come back with a list of 25-30 items that are 'security issues'. Most of them are complete crap, and maybe 1 or 2 are legitimate concerns... even when many items make no sense or are even counterproductive to implement.

      What are the security concerns that you consider to be "complete crap" and "make no sense" and are "counterproductive"?

      • Its been a while since I've dealt with it, but the biggest that came to mind was adding "security questions" to retrieve your password. This not only required a lot of time to implement, but actually decreases the security in my humble opinion.

    • Re:Surprise (Score:5, Interesting)

      by TheMooose ( 1332077 ) on Thursday July 24, 2008 @08:40AM (#24317547)
      I worked as a web developer for scores of Credit Unions all over the US. In the last 4 years the NCUA (like the fed for CUs) became freakishly paranoid, and like most "governing" bodies, took no time to understand buzz-words. They started implementing draconian requirements that forced the CUs, large and small, to spend great deals of money on website security. That money would have gone into members' accounts at year end. While working for the CUs, I found that the most damaging attacks were often nothing the NCUA could have dreamed of. They worried about open ports and front page extensions while the Chinese and Russian hackers focused on SQL injection and Cross-site scripting (XSS). In one case I was involved with, the attackers were able to compromise a content management system via SQL injection and dynamically change the links to home banking for dozens of CUs. My advice is for these banks and credit unions would be to have their websites and underlying systems audited, if not code reviewed, by a well seasoned team of professionals and to not rely on the scanning services unless they just want a warm fuzzy feeling.
      • Re: (Score:3, Insightful)

        by geekoid ( 135745 )

        "They worried about open ports and front page extensions "
        good, they should be.

        "Chinese and Russian hackers focused on SQL injection and Cross-site scripting (XSS)."

        If SQL injection is possible, immediatly fire the developer.
        Sorry, no excuse.

        "to have their websites and underlying systems audited, if not code reviewed, by a well seasoned team of professionals "
        excellent advice.

    • even if... (Score:2, Interesting)

      Several times now my father in law has asked me to help him fix his computer because "it's running slow". You would not believe what a mess of malware he gets hit with by browsing the web and running whatever attachments all his friends send him.

      Even if the banking site is secure, your average user is taking a huge risk doing banking on any PC hooked up to the internet. They just don't understand what is running on their PC. They have no good way to identify that there is malware running, or identify what

    • Not surprised (Score:3, Interesting)

      Given how many banks employ Wish It Was Two-Factor authentication [thedailywtf.com], I'm not surprised at all.

      The concept of two-factor authentication is stupidly simple: Something you have, and something you know.

      Somehow, banks (and credit card companies) seem to be confusing this with "two things you know" -- which actually isn't one bit more secure than "one thing you know".

      The reality is, all the technology to do this right exists. It is trivial to do. But banks don't want to pay for it. (Which, in itself, is a WTF -- I'

  • by SimonGhent ( 57578 ) on Thursday July 24, 2008 @08:05AM (#24317113)

    It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders

    and was filed from a Caribbean island.

  • by Rogerborg ( 306625 ) on Thursday July 24, 2008 @08:09AM (#24317145) Homepage

    Since if I enter my username (composed from my real name) and an incorrect password three times, it locks me out.

    I say "my" username, but if I enter any username - easily deductible by composing any two first and last names - and an incorrect password three times... that account gets locked out.

    I'm sure that nobody with malice aforethought, a dictionary of names, and a frisky Perl script will ever feel the urge to increase every customers' security by having them locked out.

    • Re: (Score:3, Insightful)

      by MobyDisk ( 75490 )

      I don't know of any way to deal with this problem. NOT having an account lockout means someone can brute-force a password. Having an account lockout means someone can DOS the account.

      You could probably minimize the problem by doing the lockout by IP address or something, but ultimately you can't solve this problem in it's entirety. Account lockouts are a trade-off.

      If you know of a solution, please post it.

      • You could probably minimize the problem by doing the lockout by IP address or something

        ... which is what VMS has done since 1977, but apparently everyone else is stuck with security models from 1976.

      • by KWTm ( 808824 ) on Thursday July 24, 2008 @09:17AM (#24318071) Journal

        if I enter my username (composed from my real name) and an incorrect password three times, it locks me out.

        I say "my" username, but if I enter any username - easily deductible by composing any two first and last names - and an incorrect password three times... that account gets locked out.

        I don't know of any way to deal with this problem. NOT having an account lockout means someone can brute-force a password. Having an account lockout means someone can DOS the account.

        You're not thinking outside your (rather small) box. The answer is to make the account harder to guess. Let users choose their own account name, and you won't be able to guess that "SamJones" is a valid account. You could try "SammyTheMan", but at least the range of possible logins has just increased by an order of magnitude. Maybe, for those users who really have no creativity and try to insist on using FirstnameLastname, the bank could require that your login be FirstnameLastnameBirthmonthBirthday. "SamJones0413" is two-and-a-half orders of magnitude harder to guess than "SamJones".

        If you did want to solve the problem of account lockout, you could try this: the first time an incorrect password happens, lock the account for 0.1 seconds. For every subsequent attempt, increase the lockout time by 10. After 3 bad guesses, you'd have to wait almost 2 minutes. After four guesses: 16 minutes. Five guesses: 2+3/4 hours. Six guesses: a day and 3 hours. Seven guesses: a week and a half. Eight guesses: 3+1/2 months. So, on the one hand, if the account does get DOS'd, it's merely "relatively" DOS'd to some extent; on the other hand, if Evil Hacker really wanted to DOS the account to a great extent, then it would be inconvenient for Evil Hacker, who might actually wait 2 minutes for the fourth guess but probably won't wait 16 minutes to enter the fifth guess. The Innocent End User, checking her account at the end of the day, might not even know that it had been semi-DOS'd.

        Lots of creative ways you can solve these problems. I came up with this in the time it took me to type this post. I'm sure others have more ideas.

      • Re: (Score:2, Informative)

        by Daryen ( 1138567 )
        Actually there's a pretty good solution to this, and it is already in place in several places on the internet. If you get the password wrong 3 times than you must wait X seconds before attempting again and enter a captcha. This way you aren't completely locked out, but it would take years to brute force your account. (Unless you use the password 4444 like my boss *headdesk*)
      • The usual band-aide fix for brute-force password attacks is to limit the amount of logins per time period. If you do it right it would theoretically take too long to guess a password for it to be practical.
    • by Jesus_666 ( 702802 ) on Thursday July 24, 2008 @08:34AM (#24317457)
      Which is one reason why smartcard-based systems rock. If homebanking access to the account is only possible via the smartcard nobody can perform such an attack on your account without having access to the card. If the attacker does get hold of your card you're still protected by a password and you can go to the bank and have your homebanking card locked (note: The homebanking card should always be separate from any ther cards your bank issues).

      And it's not like it's that difficult to do; PC/SC and CTAPI are well understood and implemented in all major OSes. Germany has a well-established smartcard standard for homebanking (HBCI aka FinTS) and there are clients for every major OS, even Linux (via a Gnucash plugin). It's certainly doable.
    • Comment removed based on user account deletion
  • Having a form on an insecure page isn't necessarily a security risk. The form itself can still POST to a https connection. That said, having a form on a page served over ssl is by far best practice since it lets the user know prior to sending data that it's secured.
    • by mea37 ( 1201159 )
      Actually, even if you POST using https, if the page displaying the form is not secure then there is a security risk [opera.com].
      • That risk is just a basic man-in-the-middle. My bank allows you to put in your username on page 1, and then directs you to page 2 which contains a specific picture. If it's one of the pictures I've chosen, I put in my password. If not, I know it's phony.

        Both pages are SSL'd, so the unsecured page doesn't apply, but that system would defeat the attack mentioned in your link.

        • Re:A bit exaggerated (Score:4, Informative)

          by Ken D ( 100098 ) on Thursday July 24, 2008 @08:38AM (#24317517)

          I've always thought that little bit (the "sitekey") was a worthless, useless showmanship.

          Since they don't show you the picture until you put in your username, what's to prevent a man in the middle from taking your username, sending it to the REAL site, getting the REAL picture, and then showing it to you?

          • The SSL cert. That was the OPs point; if you don't have a cert, then you can't be warned that the cert is unsigned.

            I've actually read good stuff about the sitekey; I'll see if I can dig it up.

        • by mea37 ( 1201159 )

          I'm aware of what the attack mentioned in "my" link is called. That doesn't make it a non-threat.

          The picture system does not defeat a man-in-the-middle if the page where you log in isn't SSL'd. (Your bank probably knows this, and it's why they SSL the pages.) Unless, of course, you think attackers can't be patient.

          Once your man is in the middle, he can watch one login session, capture your picture, and present it to you the next time. Yes, the attacker can be that smart -- "pick the picture" is becoming

    • It's really not an exaggeration. If there is a man in the middle, all insecure pages can not be trusted. With AJAX, your login information could be submitted to a hackers server before you even hit the submit button. The lock images that the banks put on the forms just makes things worse.

      An even bigger problem is user training, in which they have failed miserably to train you.

      I will admit that even if the bank does not put the login form on insecure pages, having an insecure website with a dumb us

    • by wkk2 ( 808881 )

      Having a secure form on an insecure page is worthless given the current DNS problems. The right solution is to have http: tell you to type https: Don't even allow a redirect. My bank redirects https: back to http: with a secure form on an insecure page. I guess they are too cheap to purchase a crypto accelerator. Smart cards are probably the best solution.

  • For those with signatures off:
    "The password entered is too long." - TCF Online Banking

  • by Rik Sweeney ( 471717 ) on Thursday July 24, 2008 @08:14AM (#24317199) Homepage

    I had to call my ISP the other day (Virgin Media, because they're thieving, lying cheats), and had to go through the usual name, address and phone number. Then they asked me for my security password. I gave the wrong answer and the lady on the other end of the phone said the following:

    "It's usually your mother's maiden name"

    What the fuck?! Are you kidding me?! That's secure isn't it, giving me hints!

    "What's your house number?"
    "Erm, 11"
    "Ooh, 1 out, try again"
    "Er... 10?"
    "Other way, dear"
    "12?"
    "OK, great. What can I do for you today Mr. Smith?"

  • Send me your login information for your bank and I'll test the security for your - let you know if your money is safe.
  • As this study is US specific is it insinuating that the rest of us are safe (unlikely), or is it that they are so parochial that they have forgotten that 96% of humanity is not in the USA (probable).

    Many banks in the UK are now giving you card readers. I suspect that some parts of Europe have been doing it for years. Nothing is foolproof but it shows that they want me to think they are trying anyway...

    • Not just use related. One of the biggest banks in the world, with branches in 60 countries would be on the list: http://www.hsbc.co.uk/1/2/personal/contact [hsbc.co.uk]
    • by blueg3 ( 192743 )

      Is your statement about banks in the UK giving out card readers insinuating that the rest of the world's banks don't give out card readers, or are you so parochial that you have forgotten that 99% of humanity is not in the UK?

  • by courteaudotbiz ( 1191083 ) on Thursday July 24, 2008 @08:35AM (#24317489) Homepage
    I have my personal bank account at Scotiabank in Canada, and I have a MasterCard credit card with another company.

    On my bank's website, all I need to have is my banking card number and a password, and that's about it for the security features. If I were an average user, I could easily be fooled by a forged website reproducing my bank website and asking me for personal information. Fortunately, THERE'S A WARNING ON THE FRONT PAGE, right beside the month's special promotion and the [Contact Us] link, telling me that the bank never sends an EMail with an enclosed link to their online banking website...

    On the other hand, on my credit card company website, they first asked me for a security picture and a security passphrase, and they told me at first that, whatever the page I'm on on their website, once I'm logged in, I should see both the picture and the security passphrase. Also, when I login, I have to use a username and a password, so someone who knows my credit card number could not know what username I have on the website, and they ask me for my home phone number or my city of residence or my mother's maiden name... And the only thing I could do on this website is to view my credit card statement, WITHOUT my credit card number nor any information that could lead to identity theft...

    So I think my bank is WAY behind the market on the security technologies side, since someone could transfer all my money to another bank account and they only ask for two very simple informations in order to be able to do that...
  • From the actual research:

    Our study was conducted during November and December of 2006...

    Well, that's nice, but have things improved in the last 20 months? I know my bank has made some major changes to its online interface that appear to improve security (and are also, sometimes, a royal pain in the butt).

  • by Dekortage ( 697532 ) on Thursday July 24, 2008 @08:57AM (#24317739) Homepage

    From the research paper:

    We used wget to recursively download the financial institution websites during November and December of 2006. We chose to download the sites so that we had uninterrupted access and had a consistent, static view of each website. The websites may have fixed the design flaws mentioned in this paper after our initial download. Once we downloaded each website, we uses scripts to recursively traverse and analyze the HTML pages for certain patterns and identify the security design flaws.
    ...
    4.3 Contact Information/Security Advice on Insecure Pages: We searched each web page for the string "contact", "information", or "FAQ". If those strings where found, we checked whether the page was protected with SSL. If not, then we considered it to contain the design flaw.

    By this logic, even this page [chase.com] would cause Chase's site to fail. Also:

    We searched each web page for the string "login". If the string was found, we searched the same page for the strings "username" or "user id" or "password". If the string "login" and "username" or "user id" or "password" were found on the same page, we then verified whether the page was displayed using the http protocol. If this was the case, we assumed this site contained the design flaw.

    But my bank (which is not Chase) uses the phrase "sign in" instead of "login". Does this mean it is more secure?

  • We tracked down who it was that stole your identity. Guess what, they have the same name you do.

Avoid strange women and temporary variables.

Working...