Darknet – Hacking Tools, Hacker News & Cyber Security
Widespread Flaws in Online Banking Systems

July 29, 2008

A recently published survey shows that online banking may not be as secure as you might think. People tend to regard banks as the pinnacle of security, and that assumption carries over to their websites.

Sadly, even in my own experience, the truth is far from that. Many banks have flaws that leak information or make theft of data and credentials fairly easy.

Online bankers, beware. More than 75 percent of bank Web sites surveyed by a research team had at least one design flaw that could make customers vulnerable to cyber thieves.

University of Michigan computer scientist Atul Prakash and his graduate students Laura Falk and Kevin Borders examined the Web sites of 214 financial institutions in 2006 and found design flaws that, unlike bugs, cannot be fixed with a patch.

The security holes stem from the flow and the layout of these Web sites, according to their study. The flaws include placing log-in boxes and contact information on insecure Web pages as well as failing to keep users on the site they initially visited. Prakash said some banks may have taken steps to resolve these problems since this data was gathered, but overall he still sees much need for improvement.

A shocking 75% with flaws! The data is two years old, but the results are still worrying, and I seriously doubt the architecture of these banks' technology platforms has changed much since then.

And with 40% of Americans using online banking systems... that's a lot of people at risk! I'd guess the figures are probably similar for countries with similar broadband penetration, and perhaps even higher in places like Korea and Singapore.
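The two flaw classes quoted above (login boxes on insecure pages, and sites that quietly hand the user off to another host) are easy to check for yourself. Below is a small Python audit I have added for this post; it is not code from the Michigan study or the LiveScience piece. Given the URL a page was fetched from and its HTML, it flags a login form served over plain HTTP, a login form posting credentials to an HTTP or third-party URL, same-site links that drop back to HTTP (the "contact information on insecure pages" case), and links that leave the site. The sample pages and the `.test` hostnames are constructed for the demonstration.

```python
"""Added audit for the design-flaw classes the Michigan study names:
login forms served over, or posted to, plain HTTP, and links that send the
user off the bank's own site. Sample pages below are constructed, not real."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def _site(host):
    """Rough registrable-domain approximation (last two labels), so that
    login.example-bank.test and www.example-bank.test count as one site.
    A real audit should use the Public Suffix List instead."""
    return ".".join((host or "").lower().split(".")[-2:])


class _FormLinkParser(HTMLParser):
    """Collect every form's action plus whether it holds a password field,
    and every href on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []        # (action, has_password_field)
        self.links = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = [a.get("action") or "", False]
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form[1] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(tuple(self._form))
            self._form = None


def audit_page(page_url, html):
    """Return a list of findings for one page, given the URL it was fetched
    from and its HTML body. Forms are checked first, then links, in order."""
    parser = _FormLinkParser()
    parser.feed(html)
    page = urlsplit(page_url)
    findings = []

    for action, has_password in parser.forms:
        if not has_password:
            continue                      # not a login form
        target = urlsplit(urljoin(page_url, action))
        if page.scheme != "https":
            findings.append(f"login form served over plain HTTP: {page_url}")
        if target.scheme != "https":
            findings.append(f"login form posts credentials over HTTP to {target.geturl()}")
        if _site(target.hostname) != _site(page.hostname):
            findings.append(f"login form posts to another site: {target.hostname}")

    for href in parser.links:
        target = urlsplit(urljoin(page_url, href))
        if target.scheme not in ("http", "https"):
            continue                      # mailto:, javascript:, etc.
        if _site(target.hostname) != _site(page.hostname):
            findings.append(f"link leaves the site: {target.geturl()}")
        elif target.scheme == "http":
            findings.append(f"same-site link over plain HTTP: {target.geturl()}")
    return findings


# Constructed sample pages (hostnames under .test are placeholders).
INSECURE_HOME = """<html><body>
<form action="https://login.example-bank.test/auth" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<a href="http://www.example-bank.test/contact">Contact us</a>
<a href="http://rewards.partner-site.test/login">Rewards login</a>
</body></html>"""

SECURE_HOME = """<html><body>
<form action="/auth" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<a href="/contact">Contact us</a>
</body></html>"""

if __name__ == "__main__":
    for url, body in (("http://www.example-bank.test/", INSECURE_HOME),
                      ("https://www.example-bank.test/", SECURE_HOME)):
        for finding in audit_page(url, body) or ["no findings"]:
            print(f"{url}: {finding}")
```

Two caveats when running this against a real bank. Fetch the page yourself and pass in the final URL after redirects, otherwise a site that bounces `http://` to `https://` looks worse than it is. And the off-site findings are a review list, not verdicts: a link to a regulator is fine, while a login handed to a third-party domain with no explanation is exactly what the study criticised, because customers then have no way to tell the real hand-off from a phishing one. The two-label domain heuristic is also only an approximation; use the Public Suffix List for anything beyond a quick check.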

About 40 percent of Americans use the Internet for banking, according to a February 2008 survey conducted by Pew Internet. In 2011, 76 percent of online households will bank online, according to Forrester Research.

The flaws leave cracks in security that hackers could exploit to gain access to private information and accounts. The FDIC says computer intrusion, while relatively rare compared with financial crimes like mortgage fraud and check fraud, is a growing problem for banks and their customers.

A recent FDIC Technology Incident Report, compiled from suspicious activity reports banks file quarterly, lists 536 cases of computer intrusion, with an average loss per incident of $30,000. That adds up to nearly $16 million in losses in the second quarter of 2007. There were two and a half times more computer intrusions in the second quarter of 2007 compared to the first quarter. In 80 percent of the cases, the source of the intrusion is unknown but it occurred during online banking, the report states.

536 cases is not a huge number, but that figure only covers intrusions that banks reported through suspicious activity reports, so it reflects only a segment of those affected.

The full article has a list of the main flaws, which are mostly what we would expect to see.

Source: Livescience (Thanks Navin)

Filed Under: Exploits/Vulnerabilities, Privacy, Web Hacking Tagged With: hacking banks, hacking-web-applications, hacking-websites, Privacy, web-application-security, web-security

Comments

  1. Navin says

    July 29, 2008 at 1:11 pm

    cheers!! :)

  2. d347hm4n says

    July 29, 2008 at 2:02 pm

    >.>, time to be that little bit more careful when accessing your bank.

  3. k says

    July 29, 2008 at 4:03 pm

    So why are we reading about a 2 year old study? Yes we know it still has relevance today, but isn’t this simply rehashing old news?

    (Not trying to take a shot at you, no really I’m not, but it just seems like the same old rhetoric that we try to sell to our customers as “consulting” :P)

  4. Darknet says

    July 30, 2008 at 8:37 am

    k: I didn’t know about the study actually, blame Livescience for publishing it two days ago :) Perhaps the research wasn’t public before this. Anyway, sometimes there’s not much to talk about so I have to make do. The contact form is always available if you have a more interesting story to report.

  5. UK Online Banks? says

    July 30, 2008 at 4:13 pm

    What about UK banks online systems?

    The WWW is worldwide, so just doing research into US online banking systems is not applicable to anyone outside the US (me included).

  6. Morgan Storey says

    July 31, 2008 at 3:02 pm

    I used to be with a bank that was dedicated to the IT industry. When they first started sending us paper statements, they had our full credit card numbers on them. We got them to stop sending them.
    Then I found flaws in their online systems and let them know (SQL injection in their payment page, anyone?). Needless to say, we are not with them anymore.

  7. gul says

    August 1, 2008 at 2:23 pm

    I’m currently with Societe Generale; you might have heard of it because of the ‘Kerviel’ case. And every time I only need information, I use a cool technique: I pick up the phone, call my banker and just ask for what I need. Seems strange, but at work there is a web proxy and I don’t trust the network administrators, and at home… with the flaws discovered years ago, I am not really confident consulting my accounts online. So I use that old-fashioned way to get my information, and the only security I have is that my banker knows me well…
    But I know how ineffective it can be… Last year, in Montreal, I went to my bank with no papers in my pockets, not even an ID. I asked for 700 CAD, signed a paper stating I was myself and left with all that money… I was amazed that no one knew me and I had no problem getting that much cash, which would be a lot harder to get in France with the same method. Anyway, if you want money, hacking computers is not the easiest way ;)

  8. Navin says

    August 2, 2008 at 1:37 pm

    Social engineering, dude!! The simplest way to get someone to hand over ALL his belongings to you!! No matter how many years this keeps going on, social engineers still seem to have that charm….. I know this seems like a Mitnick fanboy, and believe me, I am….. but there’s no other method of making someone bankrupt and still getting them to smile and say, “hope to see you again mate”.

    At least in your case you had to sign a paper; there is a possibility that a social engineer could get the bank workers to sign it!!

    Read this story that was published on Darknet a year ago:
    https://www.darknet.org.uk/2007/04/social-engineering-gets-a-big-diamond-heist/

    Soc Eng rules!!

  9. Morgan Storey says

    August 4, 2008 at 4:44 am

    @Navin: oh yeah, there is no patch for human stupidity. Security is layers; social engineering cannot be 100% defeated, but it can be mitigated somewhat.
    There was a current affairs show here in Aus that did a test: using credit cards that weren’t theirs, they paid for stuff in stores and signed names like Donald Duck and Mickey Mouse. Every time they got away with it, and it was plain as day what they had signed.
    There was another one in The Register where researchers tempted people with a chocolate bar in exchange for their password or personally identifiable info; 80% of people handed over their info, etc.
    There are ways around it though, of course:
    - Two-factor authentication: SMS, tokens, or even certificates. (I don’t like bio-auth.)
    - Distributed systems: no single repository of all your info, no single number that is you (see social security number or ID card). This way, if one number or system is compromised, not enough data falls to cause a problem.

  10. gul says

    August 4, 2008 at 7:22 am

    No patch for human stupidity…
    True and false ;)

    You can teach people the basics to improve their awareness of what they are really doing. After all, it’s like with computers: since they don’t have the proper security software, they roughly do what you want, but not really properly. Because while you think security is just a bunch of crap that wastes your time and nothing else… you’re half right. But if you know what security implies, there is no problem. You can even let people know your password, for example the proxy one, so they can go on the internet for a day, do whatever they want, and then you change it. Even if the trusted guy surfs illegal websites, you go to your administrator and explain to him that it’s not you, and he can check IP/MAC addresses. But if you don’t even understand what a password on a proxy implies, you can just be doomed to hate security and screw the infosec guys.

    Social engineering is the best way to get money, but I have to admit it’s more fun to hack into some big company’s database for credit card numbers and use that data to get rich ;) But being Ocean (Clooney) is sexier than Kevin Mitnick… Never figured out why :p

  11. Navin says

    August 4, 2008 at 1:53 pm

    That’s a great comparison (Daniel Ocean / Kevin Mitnick)…. but I’m eternally a fan of social engineering after the time I read “The Art of Deception”. In my opinion it’s one of those books that you simply MUST read if you’re learning about network security.

    I do understand the point you’re trying to make…… and it’s true that today, getting past an aware employee is almost (I stress the word almost) as tough as breaking into a database…. but definitely in the future, once the security of databases is increased, social engineering will be the most effective way……. It’s all about the moment, baby!! :) I don’t think any sysadmin will say, “oh great” when you hack into their servers, but when you social engineer, and believe me, this is experience speaking, the amount of trust that people place in you is simply amazing….. They totally trust you with stuff so intimate that you’d probably think to yourself… “WOW”

    And then of course there’s that saying, “Servers don’t make mistakes, only people do” ;)

  12. gul says

    August 4, 2008 at 2:52 pm

    Haven’t found the time to read it, but it’s on my to-do list :)

    In fact, for me, both are important, tech and social engineering skills. So you can use both to get greater and easier access to data / services / computers / etc. And after your pentest you can say to the tech guys: “Dude, you’ve done well, but not enough. And no, that’s not just the secretary’s fault.” And to the administrative people: “That was your fault too, not just some techies doing a bad job.”
    And then you just have to explain to both of them how to avoid further mistakes, and to work with the other side (techies/administrators) to enforce security, and stop complaining about how the others are making such big mistakes ;)

    Really, security is just both aspects.

    So, we have to become both Kevin and Daniel… Must add it to my to-do list :p

  13. Morgan Storey says

    August 5, 2008 at 3:53 am

    @Gul: I agree security is holistic. If you have all the firewalls, IDS, and server security in the world, but no lock on your server door and your server room facing the lobby, you are not secure (don’t laugh, I have sort of seen this).

  14. gul says

    August 5, 2008 at 8:15 am

    Poor physical security is not a good idea either. And having seen poorly designed locks, it can be as effective as ‘admin’ as a password.

    If you’re not aware of physical security, have a look at Jerome Poggi’s presentation: http://www.clusif.asso.fr/video/clusif-crochetage-poggi.avi

    Sorry, it’s in French… but you can figure out the important things without it ;)

  15. Navin says

    August 5, 2008 at 2:58 pm

    That’s a nice video…. yeah, there was this article I’d read once upon a time about the most commonly used webmail passwords in the UK, and the name of a certain football club that starts with an “L” and rhymes with skewerpool was right up there in the top 5….. along with two other popular EPL teams in the top 10……. and the most common password was…… guess what?? 1234567 (mostly up to the minimum number of digits possible).

    And as you’ve mentioned, both are important!!

    And as someone had mentioned…. network security is like a steel chain… it’s only as strong as its weakest link!!

  16. ZaD MoFo says

    August 5, 2008 at 6:16 pm

    @gul

  17. gul says

    August 6, 2008 at 8:44 am

    Hey, I was thinking it’s an adequate approach… but… One day I called for banking information, my banker was absent, so I got another one. He only asked for my birthday… Cool…? Being such a big secret, I’m confident no one could get my information… or not…

    At least I will be able to tell them that it can’t be me, because I just talked to my banker and their identification methods are poor, and they can’t prove it was really me…

    And.. yes, you are a number, at least for them :D

  18. Morgan Storey says

    August 6, 2008 at 11:11 am

    @Navin: That was me, it is one of my favourite sayings: “A chain is only as strong as its weakest link”
    I know of one large company (a four-letter acronym) whose CEO had the company’s name as his password, so only a 4-character password, and exactly the same as the company name…. YIKES. Being the CEO, he had full access to HR files, accounting files, and corporate secret documents. These are the people that need a kick up the bum.

    I don’t think we need to have personal banking, and frankly I couldn’t care less, but we do need security. I don’t think personal banking gives 100%; nothing does. At least user/pass/one-time key is revocable, not like someone who just looks/sounds like you.
