A new study from researchers at the University of Michigan reveals that 76% of more than 200 bank websites had at least one security design flaw. This is truly shocking news. I had to go back and read the results a couple of times just to make sure I had it right. I could not believe that 24% of the tested sites didn’t have a flaw. How is this possible? Have that many companies really gotten their acts together on software security?
Well, it turns out that the kind of flaws the Michigan researchers were looking for aren’t the kind that can be identified by a scanner or automated code test. Instead, they were looking for the kind of problems that cause customers to make bad decisions about security when they’re using a particular bank’s site. These include:
- a break in the chain of trust
- presenting secure login options on insecure pages
- contact information/security advice on insecure pages
- inadequate policies for user IDs and passwords
- emailing security-sensitive information insecurely
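As an added illustration of what a design review along these lines could partly automate, the following Python script checks a fetched page for two of the flaw classes above: a password form offered on an http:// page (or one that posts credentials over plain http), and links that send the user off the bank's own domains, which is where the chain of trust breaks. This is example code written for this post, not the Michigan team's tooling; the page URL, HTML and trusted-host list are constructed sample values, and the trusted-host list is an assumption the reviewer has to supply.

```python
"""Added example: a small static checker for two of the design-flaw classes
the Michigan study lists (secure login offered on an insecure page, and a
break in the chain of trust via off-domain links). Illustrative code written
for this post, not the researchers' tooling; the sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PageScan(HTMLParser):
    """Collect forms (action URL plus whether they contain a password field)
    and anchor hrefs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.forms = []        # dicts: {"action": str, "has_password": bool}
        self.links = []
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute values may be None for bare attrs
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_design_flaws(page_url, html, trusted_hosts):
    """Return a list of (flaw_class, detail) tuples for one page.

    page_url      -- URL the HTML was served from (the scheme matters)
    html          -- the page body as text
    trusted_hosts -- hostnames the bank legitimately controls (assumption:
                     the reviewer supplies this set)
    """
    scan = _PageScan()
    scan.feed(html)
    page = urlsplit(page_url)
    findings = []

    for form in scan.forms:
        if not form["has_password"]:
            continue
        target = urlsplit(urljoin(page_url, form["action"]))
        # A login form on an http:// page can be altered in transit before the
        # user ever reaches the https:// endpoint, so the page itself must be
        # secure, not just the form action.
        if page.scheme != "https":
            findings.append(("login_on_insecure_page", page_url))
        # A form that submits credentials over plain http is the worse case.
        if target.scheme != "https":
            findings.append(("credentials_posted_insecurely", target.geturl()))

    for href in scan.links:
        host = urlsplit(urljoin(page_url, href)).hostname
        if host and host not in trusted_hosts:
            # Sending users to a domain they cannot tie to the bank breaks the
            # chain of trust: they have no way to tell it from a look-alike site.
            findings.append(("chain_of_trust_break", href))

    return findings


# Constructed sample page: an http:// homepage that embeds a login form
# posting to https://, and a "security tips" link to an unrelated host.
SAMPLE_URL = "http://www.example-bank.test/"
SAMPLE_HTML = """
<html><body>
  <form action="https://online.example-bank.test/login" method="post">
    <input type="text" name="user"><input type="password" name="pass">
  </form>
  <a href="/about">About us</a>
  <a href="http://security-tips.example-vendor.test/bank">Security tips</a>
</body></html>
"""
TRUSTED = {"www.example-bank.test", "online.example-bank.test"}

if __name__ == "__main__":
    for flaw, detail in find_design_flaws(SAMPLE_URL, SAMPLE_HTML, TRUSTED):
        print(f"{flaw}: {detail}")
```

Run against the sample it reports the login form on the insecure homepage and the off-domain "security tips" link; the same page served over https:// would only trip the chain-of-trust check. The password-policy and e-mail findings from the list cannot be read off a page this way and still need a human reviewer walking through the enrolment and support flows.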
If you think about the ways that most users interact with their bank’s website, you could argue that these problems are just as worrisome, if not more so, than the software bugs that lurk in every Web application. One would assume that the vast majority of banks do some sort of code review of their Web applications before deploying them. Those reviews are vital and can catch a lot of serious issues. But it seems clear from the Michigan team’s work that not many banks are doing any kind of usability/design review to see how users interact with their applications and where they might trip up.
“However, our work shows that most financial websites are not adequately protected against secure usability design flaws. These flaws can prevent even the most knowledgeable user from making proper security decisions. We found that 76% of sites have at least one design flaw. The pervasiveness of these flaws indicates that they are not well-understood by Web security experts,” the researchers wrote in their conclusion. “Our work also shows that the current set of Web security analysis and design techniques still leave significant security gaps.”