29 July 2008 | 9,326 views

Widespread Flaws in Online Banking Systems

Check Your Web Security with Acunetix

After a recent survey it shows online banking may not be as secure as you might think. People tend to think banks are the pinnacle of security and that assumption continues to their websites.

Sadly however, even in my own personal experience, the truth is far from that. Many many banks have flaws that can leak information and allow for fairly easy theft of data and credentials.

Online bankers, beware. More than 75 percent of bank Web sites surveyed by a research team had at least one design flaw that could make customers vulnerable to cyber thieves.

University of Michigan computer scientist Atul Prakash and his graduate students Laura Falk and Kevin Borders examined the Web sites of 214 financial institutions in 2006 and found design flaws that, unlike bugs, cannot be fixed with a patch.

The security holes stem from the flow and the layout of these Web sites, according to their study. The flaws include placing log-in boxes and contact information on insecure Web pages as well as failing to keep users on the site they initially visited. Prakash said some banks may have taken steps to resolve these problems since this data was gathered, but overall he still sees much need for improvement.

A shocking 75% with flaws! This study is 2 years old but still the results are quite scary and I seriously doubt the architecture of these banks technology platforms has changed that much.

And with 40% of Americans using online banking systems…that’s a lot of people at risk! I’d guess the figures are probably similar for countries with similar broadband penetration and perhaps even high in some places like Korea and Singapore.

About 40 percent of Americans use the Internet for banking, according to a February 2008 survey conducted by Pew Internet. In 2011, 76 percent of online households will bank online, according to Forrester Research.

The flaws leave cracks in security that hackers could exploit to gain access to private information and accounts. The FDIC says computer intrusion, while relatively rare compared with financial crimes like mortgage fraud and check fraud, is a growing problem for banks and their customers.

A recent FDIC Technology Incident Report, compiled from suspicious activity reports banks file quarterly, lists 536 cases of computer intrusion, with an average loss per incident of $30,000. That adds up to nearly $16 million in losses in the second quarter of 2007. There were two and a half times more computer intrusions in the second quarter of 2007 compared to the first quarter. In 80 percent of the cases, the source of the intrusion is unknown but it occurred during online banking, the report states.

536 is not too bad for the number of cases, but still that’s only for a certain segment of people.

There are a list of the main flaws, which are mostly what we would expect to see in the full article.

Source: Livescience (Thanks Navin)


Recent in Exploits/Vulnerabilities:
- The Jeep HACK – What You Need To Know
- Dharma – Generation-based Context-free Grammar Fuzzing Tool
- Hacking Team Hacked – What You Need To Know

Related Posts:
- Phishing Fraud Cases Growing in the UK
- Microsoft Opens the Gates to Hack Their Web Services
- Regional Trojan Threat Targeting Online Banks

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 231,039 views
- AJAX: Is your application secure enough? - 119,597 views
- eEye Launches 0-Day Exploit Tracker - 85,254 views

Low-cost VPS Hosting

18 Responses to “Widespread Flaws in Online Banking Systems”

  1. Navin 29 July 2008 at 1:11 pm Permalink

    cheers!! :)

  2. d347hm4n 29 July 2008 at 2:02 pm Permalink

    >.>, time to be that little bit more careful when accessing your bank.

  3. k 29 July 2008 at 4:03 pm Permalink

    So why are we reading about a 2 year old study? Yes we know it still has relevance today, but isn’t this simply rehashing old news?

    (Not trying to take a shot at you, no really I’m not, but it just seems like the same old rhetoric that we try to sell to our customers as “consulting” :P)

  4. Darknet 30 July 2008 at 8:37 am Permalink

    k: I didn’t know about the study actually, blame Livescience for publishing it two days ago :) Perhaps the research wasn’t public before this..anyway sometimes there’s not much to talk about so I have to make do. The contact form is always available if you have a more interesting story to report.

  5. UK Online Banks? 30 July 2008 at 4:13 pm Permalink

    What about UK banks online systems?

    The WWW is worldwide so just doing research into US online banking systems is not applicable to anyone outside the US (me included)

  6. Morgan Storey 31 July 2008 at 3:02 pm Permalink

    I used to be with a bank that was dedicated to the IT industry, when they first started sending us paper statements it had our full credit card numbers on it. We got them to stop sending them.
    Then I found flaws in their online systems, and I let them know (SQL injection in their payment page anyone), needless to say we are not with them anymore.

  7. gul 1 August 2008 at 2:23 pm Permalink

    I’m currently at the Societe Generale, you might have heard from it for the ‘Kerviel’ case. And, every time I need only information, I use a cool technique. I pick up the phone, call for my banker and just ask what I need. Seems strange, but at work, there is a web proxy, I don’t trust network administrators, and at home… with the flaws discovered years ago, I am not really confident in consulting my accounts. So I use that old fashioned way to get my informations, and the only security I got is that my banker know me well…
    But I know of ineffective it could be… last year, in Montreal, I was going to my bank, with no papers in my pockets, not even an ID. i asked for 700CAD, sign a paper telling I was myself and leave with all that money… I was amazed no one knew me and, I got no problem in getting so many cash. Which shall be a lot harder to get in France with the same method. Anyway, if you want money, hacking computers is not the easiest way ;)

  8. Navin 2 August 2008 at 1:37 pm Permalink

    Social Engineer dude!! the simplest way to get some1 to handover ALL his belongings to you!! No matter how many years this keeps going on, social engineers still seem to have that charm…..I know this seems like a Mitnick fanboy, and believe me, I am…..but there’s no method of getting someone bankrupt and still getting them to smile and say,”hope to see you again mate”.

    Atleast in your case U had to sign a paper, there could be a possiblity for a social engineer to get the bank workers sign on it!!

    Read this story tht’d been published in Darknet a year ago

    Soc Engg Rules!!

  9. Morgan Storey 4 August 2008 at 4:44 am Permalink

    @Navin: oh yeah there is no patch for human stupidity. Security is layers, social engineering cannot be 100% defeated, but it can be negated against somewhat.
    There was a current affairs show here in Aus that did a test, using credit cards that wheren’t theres they paid for stuff in stores, and signed names like Donald Duck and Mickey Mouse. Every time they got away with it, and it was plain as day what they had signed.
    There was another one in the register where researchers tempted people with a chocolate bar for their password or personally identifiable info 80% of people handed over their info etc.
    There are ways around it though of course;
    -Two factor authentication: SMS, or tokens, or even certificates. (I don’t like BIO-auth)
    -Distributed systems; no single repository of all your info, no single number that is you, (see social security number, or ID card). This way if one number or system is compromised not enough data falls to cause issue.

  10. gul 4 August 2008 at 7:22 am Permalink

    No patch for human stupidity…
    True and false ;)

    You can teach basis to people to improve their awareness of what they really are doing. After all, it’s like with computer, since they haven’t the proper security software, they roughly do what you want, not really properly. Cause while you think security is just a bunch of crap making you loosing your time and nothing else… you’re half true. ut if you know what security imply, their is not problem. You can even let people know your password, for exemple the proxy one. So they can go to the internet for a day, do what ever they want, and then, you change it. Even if the trusted guy surf on illegal web site, you go to your administrator and explain him, it’s not you, and he can check IP/mac addresses. But, if you don’t even understand what imply a password on a proxy, you can just be doomed to hate security and screw the infosec guys.

    Social engineering is the best way to get money, but I have to admit, it’s funnier hack into some big company database for credit card number and used that data to get rich ;) But being Ocean(Clooney) is sexier than Kevin Mitnick… Never figured why :p

  11. Navin 4 August 2008 at 1:53 pm Permalink

    thats a gr8 comparison (Daniel Ocean/ Kevin Mitnick)…. but I’m eternally a fan of Soc Engg after tht time I read “the art of deception”. In my opinion its one of those books tht you simply MUST read if you’re learing about network security.

    I do understand the point you’re trying to make……and its true tht today, getting past an aware employee is almost (I stress on the word almost) as tough as breaking into a database….but definitely in the future, once security of databases is increased, Soc engg will be the most effective way…….Its all about the moment baby!! :) I don’t think any sys admin will say, “oh great” when you hack into their servers, but when you Soc engg, and believe me, this is experience speaking, the amount of trust tht people place on you is simply amazing….. They totally trust you with stuff so intimate tht you’d prolly think to yourself… “WOW”

    And then ofcourse there’s tht saying, “Servers don’t make mistakes, Only people do” ;)

  12. gul 4 August 2008 at 2:52 pm Permalink

    Haven’t found the time to read it, but it’s on my todo list :)

    In fact, for me, both are important, tech and social engineering skills. So you can use both to have greater and easier access to datas / services / computers / etc. And, after your pentest you can said to the tech guys : Dude, you’ve done well, but not enough. And, no, that’s not just the secretary fault. And to the administrative people : And that was your fault too, not just some techies doing bad job.
    And then, you just have to explain how to avoid further mistake to both of them, and to work with the other side (techies/administratives) to enforce security, and stop complaining about how the others are doing so big mistakes ;)

    Really, security is just both aspects.

    So, we have to become both Kevin and Daniel… Must add it to my todo list :p

  13. Morgan Storey 5 August 2008 at 3:53 am Permalink

    @Gul: I agree security is wholistic, if you have all the firewalls, IDS, and server security in the world, but no lock on your server door with your server room facing the lobby you are not secure (don’t laugh I have sorta seen this).

  14. gul 5 August 2008 at 8:15 am Permalink

    Even poor physical security is not a good idea. And having seen poorly designed lockers, it can be as effective as ‘admin’ as password.

    If your not aware of phisical security, have a look at jerome poggi presentation : http://www.clusif.asso.fr/video/clusif-crochetage-poggi.avi

    Sorry, it’s in french… but you can figure out the important things without it ;)

  15. Navin 5 August 2008 at 2:58 pm Permalink

    thts a nice video…. yeah there was this article I’d read once upon a time about the most commonly used web mail passwords in the UK and names of a certain football club tht starts with an “L” and rhymes with skewerpool was right up there in the top 5….. along with two other popular EPL teams in the top 10……. and the most common password was……guess what?? 1234567 (mostly upto the minimum no. of digits possible).

    And as you’ve mentioned, both are important!!

    And as someone had mentioned…. network security is like a steel chain… its only as strong as its weakest link!!

  16. ZaD MoFo 5 August 2008 at 6:16 pm Permalink


  17. gul 6 August 2008 at 8:44 am Permalink

    Hey, I was thinking it’s an adequate act… but… One day, I call for banking information, my bankier was absent, so I got an other one. Only asking for my bithday… Cool… ? Being such a big secret, I’m confident no one could get my informations… or not…

    At least, I will be able to told them that it can’t be me cause I just talk to my bankier and their identification methods are poor and they can’t prove it was really me…

    And.. yes, you are a number, at least for them :D

  18. Morgan Storey 6 August 2008 at 11:11 am Permalink

    @Navin: That was me, it is one of my favourite sayings: “A chain is only as strong as it’s weakest link”
    I know of one large company (a four letter acronym) that’s CEO had his password be the companies name, so only a 4 character password, and exactly the same as the company name…. YIKES Being the CEO he had full access to HR files, Accounting files, corporate secret documents. These are the people that need a kick up the bum.

    I don’t think we need to have personal banking, and frankly I couldn’t care less, but we do need security, I don’t think personal banking gives 100% nothing does, at least user/pass/one-time key is at least revokeable, not like someone who just looks/sounds like you.