Tuesday, July 29, 2008

Is your online bank account safe?

A recent report by researchers at the University of Michigan demonstrates that bank & brokerage websites are plagued by security flaws. These widespread design flaws make it easier for accounts to be compromised. According to Finextra, an examination of 214 bank websites revealed that more than 75% have cracks in security that hackers could exploit to access customer information and accounts.

‘Says Atul Prakash, professor in the department of electrical engineering and computer science: "To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country. Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."’

This should be a cause for concern for all banking customers; the prospect of going online and finding your account cleared out is a nightmare. Security remains the top concern for banking institutions, and regular steps have been taken to improve the situation. The state of affairs is not as dire as the researchers outline, because many of the security flaws are difficult to exploit.

The real issue with the banking industry is the lack of a systematic defined approach to security testing their websites. There needs to be a single standard that all online financial institutions are tested against.

Cisco has some excellent initiatives such as SAFE that improve the security of customer deployments by defining configurations and testing steps that reduce vulnerabilities. The company also has service-focused teams of specialists that aid customers in securing their networks.

During my time at Cisco, I drove an initiative called SITE (Security Integration, Test and Evaluation) which defined a structured process for evaluating potential vulnerabilities, performing boundary & penetration testing, and evaluating the results in a logical manner. This approach was incorporated as part of the quality system and utilized across the company in testing multiple product lines. The process could be scaled from “light” to “heavy” based on the needs of the team performing the evaluation. The use of automation tools for “fuzzing” (sending in deliberately malformed packets) and other security testing was crucial for meeting tight deliverable schedules within the framework of SITE. Over the years, the original SITE initiative has evolved and now is included within the scope of other security enhancement programs (run by some real sharp engineers) that raise the standards to an even higher level.

What does the banking industry lack? Basically, the online financial industry needs to define a SITE-type initiative and a set of common standards for securing their websites. The problem is not the inclusion of vulnerabilities (which will always pop up), but the lack of screening for vulnerabilities in a structured manner. Banks do not have a methodical approach to find the vulnerabilities, nor a structured system for ranking and resolving the issues. Most banks are flying blind to what potential vulnerabilities currently exist on their websites because testing has only been performed piecemeal over time.

Banks and brokerages have a lot at stake; losses from compromised accounts continue to mount. It is time to raise the bar in the financial industry and reduce the exposure faced by customers. This requires a change in direction for security practices, and includes a need for information services cooperation between competing institutions. The best approach would be to create a focused team with IT representatives from multiple banks to define a central testing standard utilizing a structured approach for evaluating the security of online banking websites. After adoption, the methodology would need to be driven as a requirement across the industry.