Saturday, July 26, 2008
Study on Bank Site Security Design Flaws
This blog concerns our recent paper on the prevalence of user-visible design flaws at financial web sites, which will be presented at the Symposium on Usable Security and Privacy on July 25th, 2008 in Pittsburgh. Here are the key links:
- Full paper: link to the full paper at the symposium web site
- SOUPS conference presentation and videos (also includes recommendations for designing secure web sites that address our concerns)
- My home page: Atul Prakash
- Kevin Borders' security blog: http://www.straightsectalk.com
- Other links in one place (news, etc.)
- Our source for the list of financial institutions (mostly U.S. banks)
3 comments:
I realize that liability issues, among others, preclude your associating particular banks with particular security problems. However, most users do not have access to the kind of static analysis tools that you have, and they probably can't build them, either. Asking users to do an in-depth security assessment of their own banking web pages is unrealistic. Bring up these problems with the banks; if they do not take corrective action, publicize the list. It's the banks' responsibility to assure security, and in their own best interests to stem losses from malicious parties.
I have just come across your study today and am surprised by the similar approach we have taken. I had done a very similar study between November last year and January this year, after the deadline set by the FFIEC online banking guidelines. In addition to web site contents, I also examined the digital certificates on the bank sites. I observed very similar patterns as you did, but the banks are now using more and more so-called "two-factor authentication" on the login page. The various "two-factor authentication" methods are just as confusing as the site information they have provided, which creates another layer of problems for usability.
My paper is currently under review at a conference, and I will be happy to send you a copy by email if you are interested.
Lichiou, I would very much like to get a copy of your study.
Some emails I have received have raised concerns about the authentication processes at web sites. Perhaps your study can help shine light on that problem. We did not look at the authentication process in our study, but I do have concerns there in terms of whether they are adequate.
I was just talking to a person from Europe. In his country, everyone is issued a hard token (smartcard). The government (or Fed-equivalent) has created the infrastructure so that any bank can leverage a common infrastructure for authenticating customers. The result is that customers only have to carry one smartcard, irrespective of the number of accounts they have. Both a smartcard and a PIN are required for serious transactions.
But it is not clear if there are privacy implications of this and whether there is an entity in the U.S. that can do something like this.
I think it would be interesting to look at different solutions that are being used in various countries.