Last week, news hit several sites and publications, including IT Business Edge, that essentially said online banking is a disaster. More specifically, the study, written by Atul Prakash at the University of Michigan, said that 75 percent of 214 bank sites surveyed had design flaws and were insecure.
SC Magazine provided details about the flaws. Among them were forwarding users from secure to insecure pages without alerting the visitor, locating login options on insecure pages, and inadequate user IDs and passwords.
There are bits of good news amid the rubble, however. One is that the survey was done in 2006, so it is possible that some of the problems have been alleviated. The fact that the survey results are being released now, however, suggests the sponsors have good reason to believe the problems persist.
The other bit of good news is that vendors appear to be addressing online banking security.
One company with a new product is RSA Security, which now is part of EMC Corp. The company's SecurID Display Card is being tested by one bank in the United States and several overseas. The card, this Bank Systems & Technology story says, is a tool for meeting multi-factor authentication requirements created by the Federal Financial Institutions Examination Council (FFIEC). The story says that the companion software, RSA Authentication Manager 7.1, can be operated via a token embedded on a cell phone.
Another online-banking security-related product that made the news earlier this month was Kaspersky's Internet Security 2009. TechWorld reports that it features a virtual keyboard, which the site calls "a novel but simple" safeguard against keylogging. The story says details are not set, but it is believed that the virtual keyboard will cache passwords and other vital information entered by users. The caching will keep the data safe from software that logs keystrokes entered on a physical keyboard. TechWorld says that the idea is not new, but that Kaspersky is the first to offer it in a standard security program.
Also this month, Aladdin Knowledge Systems and IdenTrust partnered to provide identity authentication for online banking and other financial transactions. The companies will offer certificate-based two-factor security.
In one sense, it is possible to overlook a study that is a couple of years old. It is important not to, however. Securing online banking is a tremendously important issue from the real and psychological points of view. The most obvious danger, of course, is that banking sites will be hacked and customer information stolen. In the bigger picture, the inability to protect banking and financial sites clearly is a poor reflection on the overall state of Internet security.