Banks Unwittingly Leave Customers' Information Insecure

submitted: Aug 27th 2008 | by: gsmyth

Data security came under the microscope at the University of Michigan recently with regard to banking practices, and the findings were quite disturbing. Researchers noted that over three quarters of banks actually train their customers to use insecure practices while banking, by doing things like redirecting them to third party websites without any warning, putting secure login boxes on insecure pages, and using email addresses or social security numbers as default user IDs, many of which remain unchanged for months or years after an internet banking account is set up.

The study examined 214 US banking institutions and found that just over three quarters of them (76%) had design flaws that would either allow access by hackers, or trained customers, through those design flaws, to tolerate insecure practices. However, in the interests of protecting customers at these banks, the researchers will not publicize which institutions leave your computer network security vulnerable.

Atul Prakash is a professor of computer science and engineering who helped prepare the report. He says "We want banks to make the right decisions, so that people who are trying to be careful can do online banking securely." A banking security analyst with Gartner Inc, Avivah Litan, agrees, and goes one step further, saying "Conventional wisdom is that clients - or PCs - are inherently insecure devices. What this study shows is that the servers, or the bank and other consumer-facing websites, are also inherently insecure".

Some of the faults noted with the data security practices of the banks included putting secure login boxes on insecure web pages. This was one of the biggest problems: even if the login box itself sends and receives information through SSL (Secure Sockets Layer), if the full page is not protected by SSL it is difficult for the customer to tell whether the site is real or fake. SSL encrypted web pages show a padlock icon in the address bar, which indicates not only that the page is secure, but that the site's owner is legitimate and their security certificate is current. If only the login box is secured, the padlock icon will not appear in the address bar, and customers have no visible indication that the information they are entering is protected.

One of the other large problems found with the data security of online banking institutions was that they often redirect customers to third party sites, for example partner sites for bill paying, without notifying the customer. These third party sites could be copied by hackers, and since customers have become used to entering information into a site that isn't their bank's, their banking details are at risk.
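The two design flaws above (a login box on a non-HTTPS page, and credentials sent to a third-party site) are both visible in the page's own HTML, so a bank can check its pages for them. The following is an added audit example, not part of the article or the study; the hostnames are constructed placeholders, and the registrable-domain check is a deliberate simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _LoginFormCollector(HTMLParser):
    """Record every <form> on a page and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _site(host):
    # Crude registrable-domain guess (last two labels); a real audit would consult the public suffix list.
    return ".".join((host or "").lower().split(".")[-2:])


def audit_login_page(page_url, html):
    """Return findings for each password form: non-HTTPS page, non-HTTPS action, or off-site action."""
    page = urlparse(page_url)
    collector = _LoginFormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        target = urlparse(urljoin(page_url, form["action"]))  # resolve relative actions against the page
        if page.scheme != "https":
            findings.append("login form on %s page: no padlock for the user to verify the site" % page.scheme)
        if target.scheme != "https":
            findings.append("credentials submitted over %s to %s" % (target.scheme, target.netloc))
        if _site(target.hostname) != _site(page.hostname):
            findings.append("credentials submitted to third-party site %s" % target.hostname)
    return findings


# Constructed sample pages (placeholder hostnames, not real banks).
HTTP_PAGE_HTTPS_BOX = '<form action="https://login.example-bank.test/auth" method="post"><input name="user"><input type="password" name="pw"></form>'
PARTNER_REDIRECT = '<form action="https://pay.partner-billing.test/login" method="post"><input type="password" name="pw"></form>'
CLEAN_PAGE = '<form action="/auth" method="post"><input type="password" name="pw"></form>'
```

Running `audit_login_page` over the three samples flags the first (secure box on an http page) and the second (credentials posted to the bill-pay partner) and reports nothing for the third.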

The insecurity of information which we often assume to be sacrosanct was recently exposed when hackers broke into Citibank's network of ATMs housed in Seven-Eleven stores. They were able to steal customers' PIN codes, netting the alleged thieves millions of dollars, as revealed in court recently. This demonstrates that even if your private computer network security is good, your information is, disturbingly, still at risk.

This scam was possible because the ATM system's infrastructure is built on Microsoft's Windows, which allows machines to be remotely repaired after diagnosis. Industry standards call for the strongest possible encryption of PIN codes; however, they appear to be vulnerable while in transit between the computers that process the transactions and the automatic teller machines.

Businesses are advised to engage registered IT consultants and network security services to help protect their banking information, or risk lengthy proceedings to reclaim money.

About the Author

Datacraft is the leading independent IT services and solutions company in Asia Pacific. Datacraft combines an expertise in networking, security, Microsoft solutions, storage and contact centre technologies, with advanced skills in consulting, integration and managed services, to craft IT solutions for businesses.

