funsec mailing list archives

Study Finds Security Flaws on Web Sites of Major Banks


From: "'Richard M. Smith'" <rms () computerbytesman com>
Date: Mon, 5 Feb 2007 08:19:26 -0500

http://www.nytimes.com/2007/02/05/technology/05secure.html?_r=1&oref=slogin&ref=technology&pagewanted=print
 
February 5, 2007

Study Finds Security Flaws on Web Sites of Major Banks 

By BRAD STONE

Internet security experts have long known that simple passwords do not fully
defend online bank accounts from determined fraud artists. Now a study
suggests that a popular secondary security measure provides little
additional protection.

The study, produced jointly by researchers at Harvard and the Massachusetts
Institute of Technology, looked at a technology called site-authentication
images. In the system, currently used by financial institutions like Bank of
America, ING Direct and Vanguard, online banking customers are asked to
select an image, like a dog or chess piece, that they will see every time
they log in to their account.

The idea is that if customers do not see their image, they could be at a
fraudulent Web site, dummied up to look like their bank's, and should not
enter their passwords.

The Harvard and M.I.T. researchers tested that hypothesis. In October, they
brought 67 Bank of America customers in the Boston area into a controlled
environment and asked them to conduct routine online banking activities,
like looking up account balances. But the researchers had secretly withdrawn
the images.

Of 60 participants who got that far into the study and whose results could
be verified, 58 entered passwords anyway. Only two chose not to log on,
citing security concerns.

"The premise is that site-authentication images increase security because
customers will not enter their passwords if they do not see the correct
image," said Stuart Schechter, a computer scientist at the M.I.T. Lincoln
Laboratory. "From the study we learned that the premise is right less than
10 percent of the time." 

...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
