Security Design Flaws that Affect Usability in Online Banking.

Abstract

As the popularity of online banking websites has increased, the security of these sites has become increasingly critical, as attacks against them are on the rise. However, the design decisions made during construction of the sites could impair usability, so that the user has difficulty making good security decisions. This study analyzed 6 design flaws of this nature: (a) a break in the chain of trust, (b) providing a secure login method on an unsecure page, (c) providing bank contact information or security advice on an unsecure page, (d) having policies that are insufficient for userids and passwords, (e) generating e-mails containing sensitive information that are sent in an unsecure manner, and (f) a multi-factor authentication solution consisting of the presentation of an image in combination with the userid and password. Each of these flaws can lead to security and usability issues. Analysis of 80 banking sites was performed to determine the frequency of the flaws. The sample of banking institutions was drawn from banking institution lists available from the Federal Deposit Insurance Corporation (FDIC). Banking institutions were selected from 5 bank charter classes. The banking sites were downloaded for static analysis. The analysis was performed through a combination of automated programs and manual review. The results found instances of all 6 design flaws. The most prevalent issue found was insufficient policies for userids and passwords. The second most prevalent design flaw was the break in the chain of trust. The design flaw with the smallest number of occurrences was e-mailing sensitive information in an unsecure manner. The banking charter class of the banking institution did not appear to have a relationship to the frequency of the flaws. However, it appears that banking institutions with a smaller asset size have a higher frequency of the flaws than those with a larger asset size. It is recommended that banking institutions address these design flaws to improve usability for their customers while improving security.

Bibliographic record

  • Author: Gurlen, Stephanie
  • Author affiliation: Nova Southeastern University
  • Degree-granting institution: Nova Southeastern University
  • Subject: Engineering Computer; Information Technology
  • Degree: Ph.D.
  • Year: 2013
  • Pages: 106 p.
  • Total pages: 106
  • Original format: PDF
  • Language of text: eng
