Saturday, August 29, 2009

Online Banking Insecure...Only 1 Bank Rated Excellent



Online Banking's Innate Security Flaws

Consumer rights organization Which? has criticized the online banking systems of some of Britain's biggest lenders, labelling them insecure in a new report released today.



Abbey and Halifax were singled out as particularly poor. Halifax has one of the least secure log-in procedures of the ten online banks we looked at. It asks for three pieces of information to confirm a customer’s identity.

"As each entry is typed in full, this makes the information vulnerable" to a simple keylogger, a virus that sits on a computer and tracks every keystroke with the aim of collecting passwords.






The same two banks, along with HSBC and First Direct, were also found to have no visible security controls for money transfers. Which? Computing also found significant differences in how well money transfers appear to be protected. Abbey, First Direct, Halifax and HSBC have no visible security controls for money transfers, so if a banking session is hijacked, a criminal can enter the amount they want to.



Which? also found that users of Abbey, Alliance & Leicester, HSBC and Halifax are not immediately logged out after a session, leaving them vulnerable if they use online banking on a shared computer. Alliance & Leicester and HSBC were rated as 'average', while First Direct, Lloyds TSB, Nationwide, NatWest and RBS were given a 'good' rating.




Barclays was the only one of the 10 banks surveyed to get a rating of 'excellent'. The company requires all its online customers to use a "two-factor authentication" (2FA) system involving a PINsentry device which generates a one-time password for each session.

Tony Dyhouse, director of the government-backed Cyber Security Knowledge Transfer Network, said that banks face a difficult challenge in trying to balance security with convenience.


Editor's Note: PINsentry is a great device for 2FA log-in, but keep in mind its ONLY function is as an authenticator. By contrast, HomeATM utilizes 2FA for log-in, but it also enables consumers to conduct financial transactions (including money transfers) in real-time with 100% 2FA 3DES DUKPT End-to-End (Zone 1-5) Encryption.




Which? would you rather have at your bank?


