
Thursday, July 31, 2008

Banks teach online customers bad habits

CYBER HABITS: Banks teach online customers bad habits

July 29, 2008

http://www.columbiatribune.com/2008/Jul/20080729Busi012.asp

SAN FRANCISCO (AP) - Many banks are unwittingly training their online customers to take risks with their passwords and other sensitive account information, leaving them more vulnerable to fraud, new research shows.

Web surfers could find themselves the victims of identity theft because they’ve been conditioned to ignore potential clues about whether the banking site they’re visiting is real.

That’s the conclusion by University of Michigan researchers who found design flaws in 76 percent of the 214 U.S. financial institution Web sites they studied.

The study, to be presented Friday at a security conference, examined the sites of top banks and smaller institutions alike. The researchers aren’t detailing which banks had problems, however.

The researchers found that many banks silently redirect users to third-party sites, plop "secure login" boxes on insecure Web pages and improperly use Social Security numbers or e-mail addresses as default user names.

The research didn’t uncover vulnerabilities in the Web sites themselves or problems with the sites’ coding that could allow criminals to break in. Instead, it found design flaws that teach people bad surfing habits.

One of the biggest problems: Even if the login boxes on banks’ pages are properly secured - meaning they send and receive encrypted data through a technology known as Secure Sockets Layer - if the full page itself isn’t protected with the same technology, it’s more difficult to tell whether the site is real or fake.

SSL-equipped sites show a padlock icon in the address bar and signal not only the encryption technology but also that the site’s owner is legitimate.

Also, if users aren’t notified that they’re being taken to another site, then it’s hard to determine if the new site is trustworthy because the online registration certificate carries a different company’s name.

So even if they were inclined to dig that deep, consumers could still fall victim to "phishing" scams because they’re accustomed to entering personal information into a site that isn’t their bank’s - and hasn’t been clearly vouched for by the bank.

Hackers could take advantage by sending them bogus pages dressed up like the bank’s Web site. That site would then redirect to another site under the criminal’s control, and users might not question the redirection. The best policy is to not click on links sent in e-mails.
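Two of the design flaws described above, a login box placed on a page that is not itself served over SSL and credentials being sent to a host other than the bank's, can be checked mechanically. The following Python is an added example, not part of the AP article or the University of Michigan study; the function name, the finding labels and the `.example` hostnames are assumptions made for illustration, and it inspects static HTML only, so it does not follow HTTP redirects.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormCollector(HTMLParser):
    """Record the action attribute of every <form> holding a password input."""

    def __init__(self):
        super().__init__()
        self.actions = []      # raw action values of password-bearing forms
        self._action = None    # action of the form currently open, else None
        self._has_pw = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action, self._has_pw = attrs.get("action") or "", False
        elif tag == "input" and self._action is not None:
            self._has_pw |= (attrs.get("type") or "").lower() == "password"

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_pw:
                self.actions.append(self._action)
            self._action = None


def audit_login_page(page_url, html):
    """Return findings for each password form in html as served from page_url."""
    page = urlsplit(page_url)
    collector = PasswordFormCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for action in collector.actions:
        target = urlsplit(urljoin(page_url, action))  # empty action = same page
        if page.scheme != "https":
            # Encrypted submit, but the page hosting the box is unauthenticated.
            findings.append("login-form-on-insecure-page")
        if target.scheme != "https":
            findings.append("credentials-posted-unencrypted")
        if target.hostname != page.hostname:
            # Exact-host comparison is an assumption; it also flags sibling hosts.
            findings.append(f"posts-to-other-host:{target.hostname}")
    return findings


# Constructed sample: a "secure login" box embedded in a plain-HTTP home page.
SAMPLE = ('<form action="https://login.thirdparty.example/auth" method="post">'
          '<input name="user"><input type="password" name="pw"></form>')
```

Calling `audit_login_page("http://www.bank.example/", SAMPLE)` reports both the insecure hosting page and the third-party submit target, even though the form's own action uses HTTPS.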
