Author: Tiia Mathur
Team Lead
Beware of traps while banking on the Net
Wednesday 23rd, July 2008

More than 75% of bank websites were flawed and could expose customers to cyber thieves eyeing their money or their identity, according to a survey by the University of Michigan. Atul Prakash, an electrical engineering professor, and doctoral students Laura Falk and Kevin Borders based their findings on an in-depth study of the websites of 214 financial institutions in 2006.

These design flaws stem from the flow and the layout of these websites. They include placing login boxes and contact information on insecure web pages as well as failing to keep users on the site they initially visited. “To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country,” Mr Prakash said.

“Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking.” Mr Prakash said some banks may have taken steps to resolve these problems since this data was gathered, but overall he still sees much need for improvement.

The flaws leave cracks in security that hackers could exploit to gain access to private information and accounts. The Federal Deposit Insurance Corporation (FDIC) said computer intrusion, while relatively rare compared with financial crimes like mortgage fraud and cheque fraud, is a growing problem for banks and their customers.

A recent FDIC Technology Incident Report, compiled from suspicious activity reports banks file quarterly, lists 536 cases of computer intrusion, with an average loss per incident of $30,000. That adds up to a nearly $16-million loss in the second quarter of 2007. Computer intrusions increased by 150% between the first quarter of 2007 and the second. In 80% of the cases, the source of the intrusion is unknown but it occurred during online banking, the report states.

The design flaws that Prakash and his team looked for include placing secure login boxes on insecure pages, which 47% of banks were doing. A hacker could reroute data entered in the boxes or create a spoof copy of the page to harvest information. In a wireless situation, it’s possible to conduct this man-in-the-middle attack without changing the bank URL for the user, so even a vigilant customer could fall victim.

To solve this problem, banks should use the standard ‘Secure Sockets Layer’ (SSL) protocol on pages that ask for sensitive information, Mr Prakash said. (SSL-protected pages begin with https rather than http.) Most banks use SSL technology for some of their pages, but only a minority secure all their pages this way.

Putting contact information and security advice on insecure pages: At 55%, this was the flaw with the most offenders. An attacker could change an address or phone number and set up his own call centre to gather private data from customers who need help.

When the bank redirects customers to a site outside the bank’s domain for certain transactions without warning, it has failed to maintain a context for good security decisions, Mr Prakash said. He found this problem in 30% of the banks surveyed. Often the look of the site changes, as well as the URL, and it’s hard for the user to know whether to trust this new site.

The e-mail data path is generally not secure, Mr Prakash said, adding that 31% of bank websites had this flaw. These banks offered to e-mail passwords or statements. The researchers will present these findings at the Symposium on Usable Privacy and Security meeting at Carnegie Mellon University on Friday.
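A site owner can check a page for the first three flaws described above with a short audit script. This is an added example, not code from the study or from this post; the flaw labels, the domains `bank.example` and `partner.example`, and the sample page are assumptions made for illustration. The e-mail flaw is not visible in page markup, so it is not covered.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Collects login forms (with their action) and link targets from one page.
class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.links, self._form = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._form is not None:
                self._form["password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def _outside(url, bank_domain):
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and not (host == bank_domain or host.endswith("." + bank_domain))

def audit_page(page_url, html, bank_domain):
    """Return sorted flaw labels (the labels are this example's own naming)."""
    c = _Collector()
    c.feed(html)
    insecure = urlparse(page_url).scheme != "https"
    flaws = set()
    for form in (f for f in c.forms if f["password"]):
        # An https action does not help: the http page itself can be altered in transit.
        if insecure:
            flaws.add("login-box-on-insecure-page")
        if _outside(urljoin(page_url, form["action"]), bank_domain):
            flaws.add("leaves-bank-domain")
    for href in c.links:
        if href.lower().startswith(("tel:", "mailto:")):
            if insecure:
                flaws.add("contact-info-on-insecure-page")
        elif _outside(urljoin(page_url, href), bank_domain):
            flaws.add("leaves-bank-domain")
    return sorted(flaws)

# Constructed sample page for a hypothetical bank (not from the study).
SAMPLE = """<form action="https://login.bank.example/auth">
<input name="user"><input type="password" name="pw"></form>
<a href="tel:+15550100">Call us</a> <a href="https://billpay.partner.example/">Pay bills</a>"""
```

Served over http, the sample page is flagged for all three flaws even though its form posts to an https address; served over https, only the link to the outside domain remains.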

 
Comments
Comment 1: By Change The World on 24th Jul 2008
Thank you madam for your advice
Have a nice day
