Analyzing Websites for User-Visible Security Design Flaws
July 25, 2008 by Richard Conlan
Paper: http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf
Media buzz about this paper:
* Information Week: Most Bank Sites Are Insecure
* Slashdot: Most Bank Websites Are Insecure
* Network World: Bank Web sites full of security holes, University of Michigan survey finds
* Ars Technica: Study: websites of financial institutions insecure by design
The study was largely motivated by the authors' personal experiences with banks and online banking. Online banking sites tend to place login boxes on pages served over plain HTTP. Customer-service contact information is also commonly on an HTTP page. Setting up a retirement account online required using an SSN as the user ID.
The goal of the study was not to examine bugs or browser flaws, but design flaws that confuse users and can cause problems even for security-savvy users. The study analyzed 214 websites (mostly banks) and searched for such design issues.
One of the most dangerous is the tendency of banks to serve login pages over plain HTTP. Under a DNS spoofing attack, a forged page is indistinguishable from the legitimate one: the URL in the browser's address bar is correct, there is no certificate to check, and nothing on the page can signal that it came from the attacker. This holds even when the login form submits to an HTTPS URL, because the attacker controls the page containing the form and can point it wherever they like. Many banks do this, and it is completely insecure; even a security-aware user would not be able to tell the pages apart unless they somehow detected the DNS spoofing itself. Given the recently reported DNS vulnerability, this is a very realistic and dangerous attack vector. (Had the page itself been served over HTTPS, the attacker would also need a certificate for the bank's domain that the browser trusts, and the browser would warn the user otherwise.)
It is also dangerous to put contact information on an HTTP page. Once again the page could be spoofed to show the attacker's phone number instead of the bank's, allowing a trivial social-engineering attack when the customer calls in.
Another common flaw is the practice of banks delegating certain tasks to third-party sites. Often the third-party site has no clear connection to the bank, so there is a break in the chain of trust: the user has no way to know which domain to expect and therefore cannot distinguish between being sent to a legitimate third party and being sent to a malicious one. This is especially bad because even if the bank's own site is HTTPS, an attacker watching the network can detect the point at which the session moves to a different IP address (implying a change of servers) and present some other site in place of the actual third party. Again, even a careful user would have no real way to detect such an attack.
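The three flaw classes above (a login form on an HTTP page, a login form or contact link that leaves HTTPS, and a login or contact link that hands the user to another domain) are all visible in the page's HTML and can be flagged automatically. The checker below is an added example written for this summary; it is not the paper's analysis tool or any bank's code. The bank and partner URLs in it are constructed for illustration, the link-label keywords ("log in", "login", "sign in", "contact") are an assumed heuristic, and the registrable-domain helper is a crude last-two-labels approximation, not a public-suffix lookup.

```python
"""Flag user-visible security design flaws in a bank's web page.

Checks (mirroring the flaw classes discussed above):
  1. A form containing a password field served from a non-HTTPS page URL.
  2. A password form whose action submits over plain HTTP.
  3. A password form, or a login/contact link, that points at a domain
     other than the page's own (delegation to a third party).
  4. A login/contact link on the bank's own domain that uses plain HTTP.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed heuristic: link text that marks a security-sensitive destination.
SENSITIVE_LABELS = ("log in", "login", "sign in", "contact")


class _FormLinkCollector(HTMLParser):
    """Collect forms (with their input types) and anchor links from HTML."""

    def __init__(self):
        super().__init__()
        self.forms = []   # list of {"action": str, "has_password": bool}
        self.links = []   # list of (href, link text)
        self._form = None
        self._link = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "a":
            self._link = a.get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._link is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None
        elif tag == "a" and self._link is not None:
            self.links.append((self._link, "".join(self._text).strip()))
            self._link = None


def _registrable_domain(host):
    """Crude eTLD+1 (last two labels); an assumption, not a public-suffix lookup."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze_page(page_url, html):
    """Return a list of (flaw_code, detail) tuples for one fetched page."""
    parser = _FormLinkCollector()
    parser.feed(html)
    page = urlsplit(page_url)
    own_domain = _registrable_domain(page.hostname or "")
    flaws = []

    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urlsplit(urljoin(page_url, form["action"] or page_url))
        if page.scheme != "https":                       # flaw 1
            flaws.append(("LOGIN_ON_HTTP_PAGE", page_url))
        if action.scheme != "https":                     # flaw 2
            flaws.append(("LOGIN_POSTS_OVER_HTTP", action.geturl()))
        if _registrable_domain(action.hostname or "") != own_domain:  # flaw 3
            flaws.append(("LOGIN_DELEGATED_TO_THIRD_PARTY", action.geturl()))

    for href, text in parser.links:
        target = urlsplit(urljoin(page_url, href))
        if target.scheme not in ("http", "https"):
            continue  # mailto:, javascript:, etc. are out of scope here
        if not any(k in text.lower() for k in SENSITIVE_LABELS):
            continue
        if _registrable_domain(target.hostname or "") != own_domain:  # flaw 3
            flaws.append(("SENSITIVE_LINK_TO_THIRD_PARTY", target.geturl()))
        elif target.scheme != "https":                   # flaw 4
            flaws.append(("SENSITIVE_LINK_OVER_HTTP", target.geturl()))
    return flaws


# Constructed sample: a bank home page served over plain HTTP, with a login
# form that posts to HTTPS, a contact link on HTTP, and a login link that
# hands the user to an unrelated partner domain.
SAMPLE_URL = "http://www.examplebank.test/"
SAMPLE_HTML = """
<html><body>
<form action="https://www.examplebank.test/auth" method="post">
  User <input name="u"> Password <input type="password" name="p">
</form>
<a href="http://www.examplebank.test/contact">Contact us</a>
<a href="https://secure-partner.test/retire">Log in to your retirement account</a>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in analyze_page(SAMPLE_URL, SAMPLE_HTML):
        print(code, detail)
```

On the constructed sample the checker reports the HTTP login page, the HTTP contact link and the third-party login link, while the HTTPS form action itself passes. Note that a clean result from this kind of check says nothing about the ambiguous-policy flaw discussed next, which only a human reading the bank's wording can judge.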
Many banks have unclear policies that do not let the customer predict how securely the bank will act. For instance, many banks offer to "e-mail statements". Most likely this means they will send an e-mail announcing that the statement is available online, but as worded it could equally mean that the statement itself is sent by e-mail, so the user cannot predict which and must decide amid the ambiguity.
76% of the sites analyzed had at least one of the flaws mentioned above.
October 5th, 2008 at 04:30
Though I’ve always been wary of the security of online banking, I never realized the extensive flaws of the system. As an online banking customer, I will certainly be wary of the details from now on. Thank you for your precaution. You might also find it interesting to check out this post: http://blog.mylaptopgps.com/2008/10/02/laptop-stolen-from-national-bank-of-canada/, as it pertains to the security of banks, not only online, but also on their personal laptops.