Studies: Banking Web sites, corporate computers are insecure

Separate studies find widespread security design flaws in bank Web sites and internal threats to corporate networks, too.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

July 23, 2008 4:07 p.m. PT

2 min read

A new study about security problems with financial Web sites may have you thinking twice about doing online banking.

And a separate study found widespread security problems in corporate computers across numerous industries.

More than 75 percent of the Web sites of more than 200 financial institutions were found to have at least one design flaw that could put customer data at risk, according to a study released this week from the University of Michigan.

Atul Prakash, a professor in the university's Department of Electrical Engineering and Computer Science, and two doctoral students examined the Web sites of 214 financial institutions in 2006. They found that every single one of them, including sites from some of the largest banks, had at least one flaw that can't be fixed with a software patch, like many vulnerabilities and bugs can.

The flaws stemmed from the flow and the layout of the sites. For example, nearly half of the banks were found to have placed secure login boxes on insecure pages, putting customers at risk of hitting spoofed pages.

Fifty-five percent of the sites were found to have contact information and security advice on insecure pages, which could allow an attacker to change an address or phone number that could be used to gather customer information.

Thirty percent of the sites redirected customers to a site outside the bank's domain without warning, and 28 percent allowed customers to use weak or inadequate user IDs and passwords, the study found. And more than 30 percent offered to e-mail passwords or statements to customers.

Corporate networks also aren't so clean either, with internal threats rising from the use of unauthorized removable storage and instant messaging and lack of up-to-date antivirus software, according to a separate study released on Wednesday.

In security audits of more than 100,000 corporate PCs and servers during the first half of this year, 12 percent of infected computers had a missing or disabled antivirus program, according to the study, conducted by Promisec, an audit and management software firm.

More than 10 percent had unauthorized personal storage like USB sticks or external hard drives; 9 percent had unauthorized peer-to-peer applications installed and 8.5 percent had a missing third-party desktop agent, the study found.