
65 Percent of Major US Banks Have Failed Web Security Testing, Says Report (ibsintelligence.com)

According to IBS Intelligence, websites run by some of the largest banks in the U.S. have scored the poorest in a new security and privacy analysis audit. "The non-profit Online Trust Alliance (OTA) anonymously audited more than 1,000 websites, ranking their security and privacy practices," reports IBS Intelligence. "None of the sites investigated knew about the test." From the report: In the firm's Online Trust Audit & Honor Roll for 2017 many U.S. banks were among the worst for security and privacy. The industry had both the most failing grades and the least "Honor Roll" recipients. For firms to receive the Honor Roll award, they must achieve an overall score of 80% or higher across three categories: consumer protection, security and privacy. A failure in any of the three squashes its chance entirely. Look away now if you're a U.S. banking customer, as only 27% of the 100 largest banks in the country made the grade. The figure represents a 28% drop from 2016. According to the OTA, the sector had been showing signs of improvement. Yet, due to "increased breaches, low privacy scores and low levels of email authentication," things have slipped. Large banks were found to have moderately good website security (17% of failures) but dropped the ball when it came to their email security (45%) and privacy (34%).
  • only 65%? (Score:3, Interesting)

    by turkeydance ( 1266624 ) on Monday July 03, 2017 @10:12PM (#54739359)
    IBS Intelligence has some explaining to do.
  • by Anonymous Coward on Monday July 03, 2017 @10:51PM (#54739527)

    I've worked on several websites that handle PII, including sites for major banks and government agencies. Implementing proper security for your average consumer is expensive. Not to implement but to support. Users will constantly forget their passwords, lose access to 2FA, lock themselves out and generally "better idiot" your idiot proof system. You have to have a call center to support this and that costs money. If you don't, people will b*tch about your terrible customer support, when the company/agency is really trying their best to protect them. So a lot of companies just say f**k it and dumb it down.
     
    And for some reason this seems to be unique to the US. My wife is from Asia and most banks there (as well as in Europe it seems?) require 2FA systems like challenge response and customers have zero problems with it. My wife's bank provides her with a card that has challenge-response codes that she has to use when she logs in. She's not technically inclined at all, has zero problems using it and understands that if she loses it she can't log in until she gets a new one and that it's her fault and not the bank's. I know that if I even suggested that on most of the projects I've worked on in the US, they'd think I was joking or crazy.

    • Re: (Score:2, Insightful)

      by Bert64 ( 520050 )

      The difference is that the US was generally the first to implement a lot of things like online banking etc, and those initial systems used fairly simplistic security with just usernames and passwords so people have gotten used to them and don't want to change anything.
      In other countries, the online banking implementations have often had 2fa from the start so that's all the users have ever known.

      • The difference is that the US was generally the greediest.

        FIFY

      • It is widely accepted that the first cash machine was put into use by Barclays Bank in its Enfield Town branch in North London, United Kingdom, on 27 June 1967. The first US ATM came a year later, in 1968, followed by Canada in 1969. If you want to talk about "bank from home" on-line, then the UK and US were pretty much the same time, give or take a few months either way.

        In any case, your contention that US on-line bank security sucks because it was a first adopter doesn't bear scrutiny.

        By the way, it's fu

    • Physical security is relatively inexpensive because people are always watching. If somebody starts sneaking around my neighborhood kicking in doors, it won't be long before neighbors call the police.

      Now, imagine that these hoodlums had an invisibility cloak. The story would be much different. Our "safe" neighborhoods would be under much greater threat, because the bad guys would know they have little chance of being caught.

      The Internet is a lot like this scenario. Thieves and black-hat hackers can sneak aro

    • by DrYak ( 748999 )

      My wife is from Asia and most banks there (as well as in Europe it seems?) require 2FA systems like challenge response and customers have zero problems with it. My wife's bank provides her with a card that has challenge-response codes that she has to use when she logs in.

      European here.

      Most banks have moved beyond pre-printed cards for more security.
      Now users are issued a PKI card (a physical one with a dedicated pocket-calculator-like terminal, or one with electronics directly on the card, or a virtual one in a smartphone app).

      To log in, and to confirm security points, the user is asked to sign some pieces of data.
      (Either typing it on the terminal or on the built-in electronics,
      or even using some optical exchange with the screen (barcodes, QR codes) and confirming it on the devic
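Added example, not from DrYak's post or from any bank's product: the challenge-response flow described above, with the bank binding a one-time nonce to the payee and amount the customer sees on the terminal, then rejecting replays, stale challenges, and a response signed over different details (the case where malware in the browser alters the transfer behind the customer's back). The shared-secret HMAC stands in for the card's asymmetric signature so it runs with the standard library; the secret, account strings and amounts are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed card secret shared by the bank and the customer's signing
# terminal. A real PKI card holds a private key and the bank a public key;
# HMAC stands in for that signature so the example runs with the stdlib.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def canonical_message(nonce: str, payee: str, amount_cents: int) -> bytes:
    """The bytes the card signs: nonce plus the details the customer sees."""
    return f"{nonce}|{payee}|{amount_cents}".encode()


def card_response(secret: bytes, message: bytes) -> str:
    """What the pocket-calculator terminal displays: an 8-digit code."""
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Bank:
    """Bank side: issues one-time challenges and checks the responses."""

    def __init__(self, secret: bytes, ttl_s: int = 120):
        self.secret = secret
        self.ttl_s = ttl_s
        self.pending = {}  # nonce -> (payee, amount_cents, issued_at)

    def issue_challenge(self, payee: str, amount_cents: int, now=None) -> str:
        nonce = secrets.token_hex(4)
        self.pending[nonce] = (payee, amount_cents, time.time() if now is None else now)
        return nonce

    def verify(self, nonce: str, response: str, now=None) -> bool:
        entry = self.pending.pop(nonce, None)  # a nonce is consumed on first use
        if entry is None:
            return False  # unknown or replayed challenge
        payee, amount_cents, issued_at = entry
        if (time.time() if now is None else now) - issued_at > self.ttl_s:
            return False  # stale challenge
        expected = card_response(self.secret, canonical_message(nonce, payee, amount_cents))
        return hmac.compare_digest(expected, response)
```

The point of signing the payee and amount rather than a bare login nonce is that a response computed over the details the customer actually typed into the terminal will not verify against a transfer whose details were swapped in transit.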

  • by Anonymous Coward

    "Failed web security testing." In what sense? Does it mean someone hacked in and stole all my money? Does it mean they implement a slightly weaker version of some cryptographic protocol that nobody can break?

    I'm sorry but "failed web security" is an arbitrary meaningless statement. It doesn't convey anything about what the risk to customers is.

  • by ytene ( 4376651 ) on Tuesday July 04, 2017 @01:20AM (#54740121)
    First and most obvious point... there is no legal distinction between "an anonymous scan" and a "hack". If the Online Trust Alliance scanned the cyber defenses of any other institution without knowledge or permission, then they broke the law.

    Secondly, as I'm regularly told by a friend of mine who works for a Wall Street bank, there has recently been a pattern of "shake down" attempts on major institutions for which on-line security is a matter of reputational importance. What happens is that a company or organisation produces a "report" which shows the company in a poor light, then provides the company or organisation with a high level summary of said report, showing some pretty critical/damning language. The company or organisation is invited to purchase a full copy of the report, ahead of publication, so that they have time to "fix the vulnerabilities" identified.

    The thing is, there is every chance that the OTA actually means well and/or has done useful work.

    But the bottom line is that if the OTA acted without the knowledge *and* permission of those they "scanned", then they broke the Computer Fraud and Abuse Act.
    • there is no legal distinction between "an anonymous scan" and a "hack"

      Can you provide a source for this? Or an example of someone being prosecuted (and convicted of a crime) solely for port scanning with no malicious intent?

      From what I can see, it's something of a grey area and intent matters.

      This page [nmap.org] says "no United States federal laws explicitly criminalize port scanning".

      • by ytene ( 4376651 )
        Can I provide a source? Well, sort of. I am not a lawyer. If you are contemplating accessing a computer system [for example performing a port scan] without prior permission, then I would encourage you to discuss your plans with a lawyer if it is reasonable to assume the owner of the computer might take issue with your actions.

        If you read the provisions of the [UK] Computer Misuse Act (1990), see here:

        http://www.legislation.gov.uk/... [legislation.gov.uk]

        or the [US] Computer Fraud and Abuse Act, here:-

        https://en.wik [wikipedia.org]
  • And businesses all have no perception of, or value in, security.

    News at 11.

    Everyone who has ever contracted IT is completely unsurprised.

  • by Hognoxious ( 631665 ) on Tuesday July 04, 2017 @03:32AM (#54740485)

    Which were worst? Ummm, I'd just like to make sure my money's safe, that's all.

  • ... infected the testing algorithms and caused Photobucket to cut linking services unless members pay a $400 ransom.

  • Don't get me started on passwords and security questions... I'm a senior software developer (not for a bank) and I can tell you there is absolutely no reason why a user must be limited to 12 characters! Also, I don't need to tell you why "What high school did you go to?" or "When did you graduate high school?" are horrible security questions. When I see shit like this at a BANK I'm just appalled.
