Does your website have designed-in security flaws? (December 2008)
Pogo said it: We have met the enemy and he is us.
In a carefully crafted study, researchers at the University of Michigan report that 76% of the online banking websites they examined contained at least one design flaw that could lead users to make “bad security decisions.”
The flaws are not the typical software bug that can be fixed with a patch and a mea culpa. They show up in websites that are designed by security experts and fortified with the latest security protocols, such as SSL, and can unintentionally make it easy for users to expose sensitive data to cybercriminals.
The Michigan analysis of online banking programs in 214 U.S. financial institutions focused on the recurrence of five common design flaws that the research team identified in preliminary research. Results: 76% of the sites had at least one design flaw; 68% had two or more flaws; 10% had all five. The five design flaws and the frequency (percent) of their occurrence are:
1. Contact information/security advice on insecure pages (55%). To compromise such a system, an attacker “only needs to spoof or modify the page, replacing the customer service phone numbers with bogus numbers.”
A fraudster might set up a bogus customer service number in order to harvest account details when a customer calls in response to, say, a bogus message telling her she must reset her password. Many users will act on such a message, carefully worded to allay suspicion. This example from the study’s files: “We regret to inform you that we have received numerous fraudulent e-mails which ask for personal account information... Please remember that we will never ask for personal account information via e-mail or web pages. . . To activate your [new Identity Theft Protection Program] please call.... .”
The user, assuming that the information is protected, then gives up her Social Security number, birth date, and other private information. The design flaw here is ignoring a well-known security principle: protect not only the data channel but also the context in which that channel is set up and used. The report draws the analogy with SSL 2.0, which was vulnerable to cipher rollback attacks because it encrypted the data but did not adequately protect the negotiation that chose the cipher. A bank that protects the login over SSL but leaves the phone numbers and advice around it on an unprotected page has made the same mistake.
2. Presenting secure login options on insecure pages (47%). A login form that posts to an SSL-protected server but is itself delivered over plain HTTP leaves users vulnerable. A man-in-the-middle or a domain name hijacker who controls the insecure page can replace the form, point it at a server of his own choosing, or add script that copies the credentials before they are sent. He never has to break the SSL connection, because he captures the credentials before it is used, and the browser raises no warning about the page the user actually typed into.
A trusting user might not be looking for positive evidence that sensitive login information is secure, and likely won’t notice its absence. Even more likely, she won’t be aware of the hazard created by mixing protected and unprotected regions on the same page. The remedy is to serve the entire login page over SSL, for instance a dedicated secure login page or window that opens in place of the insecure one. That forestalls the problem and gives the user a single indicator to check, which also raises her mindfulness of the need for constant security vigilance.
3. E-mailing security-sensitive information insecurely (41%). Example: one bank offered to send statements via e-mail but did not tell users whether the e-mail message would simply be a notification about availability of a statement (not to worry), a link to the statement (vulnerable to phishing attack), or the actual statement (subject to eavesdropping).
4. Break in the chain of trust (30%). If a website declares that it is SSL-protected, a user will likely trust its security. But the trust issue can have more subtle aspects. Several sites studied by the Michigan team started a user’s web navigation off correctly, but for some transactions redirected the user to a site whose URL and signed security certificate carried a different company’s name.
In those cases, it’s up to users to decide whether or not to trust the new website. The study advises:
“Browsers should be seamless for the user without [the need for] such decisions. When presented with a difficult or confusing decision, users are likely to avoid the decision and go with the default action or let the site guide them, which leads to a bad security decision.”
5. Inadequate policies for user IDs and passwords (28%). The most common choices of user ID are the user’s e-mail address and the user’s Social Security number, and neither gives adequate security. E-mail addresses are easily collected from the internet; spammers do it all the time. A Social Security number is easy to guess or enumerate: it is only nine decimal digits, at most a billion possibilities, and historically the leading digits were tied to the state and date of issue, which narrows the search further. The hazard is diminished if users are encouraged or required to change the ID after first use. How much better an alternative is depends on whether it is less predictable and harder to enumerate than an e-mail address or a Social Security number.
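The study’s detection approach is pattern matching over fetched pages. As an added illustration of how a bank might check its own site for flaws 1, 2, 4 and 5 above, here is a small, stdlib-only scanner. It is example code written for this column, not the Michigan team’s tool; the sample pages, hostnames (examplebank.test, thirdpartyvendor.test) and phone number are constructed, and the “owning organisation” test simply compares the last two labels of each hostname, a simplification that a real checker would replace with a proper public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample pages keyed by the URL each was served from (hypothetical hosts).
SAMPLE_PAGES = {
    "http://www.examplebank.test/": """<html><body><h1>Welcome</h1>
<form action="https://secure.examplebank.test/login" method="post">
<input name="user"><input type="password" name="pass"></form>
<p>Questions? Call customer service at 1-800-555-0100.</p>
<p>Security tip: we will never ask for your password by e-mail.</p></body></html>""",
    "https://secure.examplebank.test/login": """<html><body>
<form action="/auth" method="post"><input name="user">
<input type="password" name="pass"></form></body></html>""",
    "https://www.examplebank.test/billpay": """<html><body>
<form action="https://billpay.thirdpartyvendor.test/start" method="post">
<input name="acct"><input type="password" name="pin"></form></body></html>""",
    "http://www.examplebank.test/oldlogin": """<html><body>
<form action="http://www.examplebank.test/auth" method="post">
<input type="password" name="pass"></form></body></html>""",
}

PHONE_RE = re.compile(r"\b1?-?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")
ADVICE_RE = re.compile(r"\b(security|phish\w*|fraud\w*|never ask)\b", re.I)


class _PageScanner(HTMLParser):
    """Collects visible text and, per form, its action and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms, self.text, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._form = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

    def handle_data(self, data):
        self.text.append(data)


def _site(host):
    # Simplification (assumption): the last two labels identify the owning organisation.
    return ".".join(host.lower().split(".")[-2:])


def analyze_page(url, html):
    """Return the sorted list of design-flaw codes found on one page."""
    scanner = _PageScanner()
    scanner.feed(html)
    page = urlparse(url)
    insecure = page.scheme != "https"
    text = " ".join(scanner.text)
    findings = set()
    # Flaw 1: contact numbers or security advice on a page an attacker could rewrite.
    if insecure and (PHONE_RE.search(text) or ADVICE_RE.search(text)):
        findings.add("security-info-on-insecure-page")
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        target = urlparse(urljoin(url, form["action"]))
        # Flaw 2: the login form sits on an insecure page, whatever it posts to.
        if insecure:
            findings.add("login-on-insecure-page")
        # Worse still: the credentials themselves travel in the clear.
        if target.scheme != "https":
            findings.add("login-posts-over-http")
        # Flaw 4: credentials leave the bank's own domain (break in the chain of trust).
        if _site(target.hostname or "") != _site(page.hostname or ""):
            findings.add("login-posts-to-third-party")
    return sorted(findings)


def scan_all(pages=SAMPLE_PAGES):
    return {url: analyze_page(url, html) for url, html in pages.items()}


SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def weak_user_id(user_id):
    """Flaw 5: say why a user ID is a poor choice, or return None if it passes."""
    if SSN_RE.match(user_id):
        return "looks like a Social Security number"
    if EMAIL_RE.match(user_id):
        return "is an e-mail address"
    return None


if __name__ == "__main__":
    for url, found in scan_all().items():
        print(url, found or "OK")
    for uid in ("123-45-6789", "alice@examplebank.test", "jq_saver_2008"):
        print(uid, weak_user_id(uid) or "acceptable")
```

Run against the constructed pages, the bank’s home page is flagged for both an insecure login form and unprotected contact details, the bill-pay page for handing a PIN to another company’s domain, and the old login page for posting a password over plain HTTP; only the dedicated SSL login page comes back clean. Flaw 3 (e-mailed statements) is a policy matter and cannot be detected from the pages alone.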
Design expertise included
The full study, “Analyzing websites for user-visible security design flaws” (Laura Falk, Atul Prakash and Kevin Borders, Symposium On Usable Privacy and Security 2008), is available at http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf.
To help banks analyze the adequacy of their website designs, the study includes the pattern-matching methods and algorithms the researchers used to detect design flaws. The group is also developing an updatable model of the study.
The electronic version of this article is available at: http://lb.ec2.nxtbook.com/nxtbooks/sb/ababj1208/index.php?startid=36
TechTopics Plus