
August 13, 2008

Many Banks Don't Follow Safe Web Practices

Robbers of old hit up banks because, obviously, that's where the money was. Today's cyberthieves are no different, so financial institutions' Web sites have high security requirements.

Yet three engineers at the University of Michigan found plenty of flaws in banks' online security. One alarming result of their study concerns how banks present log-in pages to users. The study (available if you have Adobe Acrobat installed) looked at the state of 214 U.S.-based financial institutions in 2006, and found that 47 percent of those banks ask users to log in on non-SSL pages. (SSL pages can be distinguished from others because they have an https address and a picture of a lock in the lower bar of the Web page.) That means a cybercriminal could hijack the page and cause the log-in data to be sent elsewhere.

Another notable problem cited was the offer by 31 percent of the institutions to send statements and other sensitive information via e-mail. The danger: Most users don't have secure e-mail.

The study pointed out other security flaws, including "breaks in the chain of trust," where an initial web page is secure but the user is forwarded without notice to an insecure page; posting contact information and security advice on insecure pages, which gives an attacker a chance to forge the page and provide incorrect contact information; and inadequate requirements for strong passwords.

According to the study, 76 percent of the sites exhibited at least one of those security problems, 68 percent had two or more, and 10 percent had all five.

We're hoping that at least some of the sites studied have by now improved their security practices. Meanwhile, you should follow your own list of safe online practices. Take a look at our September cover story, "7 Online Blunders," to find out how to avoid identity theft. For more information about online and computer safety, see our "Special section: Cyber-Insecurity" on ConsumerReports.org. To find the security software you'll need to protect yourself online, check out our latest Ratings of security suites and antiphishing tools. (Ratings are available to subscribers only.)

—Donna Tapellini


Comments

They believe the thief is from Nigerian background. It appears he used one of statement as proof of name and address in branch.
