Saturday, July 26, 2008

Study on Bank Site Security Design Flaws

This blog concerns our recent paper on prevalence user-visible design flaws at financial web sites that will be presented at the Symposium on Usable Security and Privacy on July 25th, 2008 in Pittsburgh. Here are the key links:







3 comments:

Jonathan K. Cohen said...

I realize that liability issues, among others, preclude your associating particular banks with particular security problems. However, most users do not have access to the kind of static analysis tools that you have, and they probably can't build them, either. Asking users to do an in-depth security assessment of their own banking web pages is unrealistic. Bring up these problems with the banks; if they do not take corrective action, publicize the list. It's the banks' responsibility to assure security, and in their own best interests to stem losses from malicious parties.

Lichiou said...

I have just come across your study today and surprised by the similar approach we have taken. I had done a very similar study between November last year and January this year after the deadline set by the FFIEC online banking guidelines. In addition to web site contents, I also examined the digital certificates on the bank sites. I have observed very similar patterns as you did but the banks are now using more and more so called "two-factor authentication" on the login page. The various "two-factor authentication" methods are just as confusing as the site information they have provided, which create another layer of problem for usability.

My paper is currently under review in a conference and I will be happy to send you a copy by emails if you are interested.

prakash said...

Lichiou, I would very much like to get a copy of your study.

Some emails I have received have raised concerns about the authentication processes at web sites. Perhaps your study can help shine light on that problem. We did not look at authentication process in our study, but I do have concerns there in terms of whether they are adequate.

I was just talking to a person from Europe. In his country, everyone is issued a hard token (smartcard). The government (or Fed-equivalent) has created the infrastructure so that any bank can leverage a common infrastructure for authenticating customers. The result is that customers have to only carry one smartcard, irrespective of the number of accounts they have. Both a smartcard and a PIN is required for serious transactions.

But it is not clear if there are privacy implications of this and whether there is an entity in the U.S. that can do something like this.

I think it would be interesting to look at different solutions that are being used in various countries.