Many U.S. banks are unwittingly training their online customers to take risks with their passwords and other sensitive account information, leaving them more vulnerable to fraud, new research shows.
The result is that even the most security-conscious Web surfers could find themselves the victims of identity theft because they have been conditioned to ignore potential clues about whether the banking site they're visiting is real — or a bogus site served up by hackers.
That's the conclusion by University of Michigan researchers who found design flaws in 76 percent of the 214 U.S. financial institution Web sites they studied.
The study, to be presented Friday at a security conference, examined the sites of top banks and smaller institutions alike. The researchers aren't detailing which banks had problems, however.
"We want banks to make the right decisions so people who are trying to be careful can do online banking securely," said the paper's lead researcher, Atul Prakash, a professor of computer science and engineering.
The researchers found that many banks silently redirect users to third-party sites, plop "secure login" boxes on insecure Web pages, and improperly use Social Security numbers or e-mail addresses — which an outsider can figure out — as default user names.
All of those banking tactics put users at risk.
"Conventional wisdom is that the clients — or PCs — are inherently insecure devices," said Avivah Litan, a banking security analyst with Gartner Inc. "What this study shows is that the servers — or the bank and other consumer-facing Web sites — are also inherently insecure."
The research didn't uncover vulnerabilities in the Web sites themselves, or problems with the sites' coding that could allow criminals to break in. Instead, it found design flaws that teach people bad surfing habits.
One of the biggest problems: Even if the login boxes on banks' pages are properly secured — meaning they send and receive encrypted data through a technology known as Secure Sockets Layer — if the full page itself isn't protected with the same technology, it is more difficult to tell whether the site is real or fake.
SSL-equipped sites show a padlock icon in the address bar and signal not only the encryption technology but also that the site's owner is legitimate.
Also: If users aren't notified that they are being taken to another site — say a bank uses a partner site for online bill-paying — then it is hard to determine if the new site is trustworthy, because the online registration certificate carries a different company's name.
So even if they were inclined to dig that deep, consumers could still fall victim to "phishing" scams because they are accustomed to entering personal information into a site that isn't their bank's — and hasn not been clearly vouched for by the bank.
Hackers could take advantage by sending them bogus pages dressed up like the bank's Web site. That site would then redirect to another site under the criminal's control, and users might not question the redirection.
To fight that, the best protection remains: Don't click on links sent in e-mails.