76% of bank websites have design flaws that can put your information at risk

[jeffrey]

Many U.S. banks are unwittingly training their online customers to take risks with their passwords and other sensitive account information, leaving them more vulnerable to fraud, new research shows.

The result is that even the most security-conscious Web surfers could find themselves the victims of identity theft because they have been conditioned to ignore potential clues about whether the banking site they're visiting is real — or a bogus site served up by hackers.

That's the conclusion by University of Michigan researchers who found design flaws in 76 percent of the 214 U.S. financial institution Web sites they studied...

Web site design flaws make banking riskier - Security - MSNBC.com

[Broken Arrow]

Quote:

To fight that, the best protection remains: Don't click on links sent in e-mails.

Words to live by.

[Joan.of.the.Arch]

"The researchers found that many banks silently redirect users to third-party sites, plop "secure login" boxes on insecure Web pages."


Well, at least I do look to see if it is a secure page. Can that be faked?

I joined a credit union last month. This article made me look up "whois" on the two slightly different homepage URLs that are used first to go to the credit union site, and from there to the online account access. Guess what? Sure enough, when I click on the first homepage to go to log in for account access, it does redirect me to another server (different DNS) owned by a different company in a different country than the first site. (USA versus Canada)

So my credit union is redirecting me to another server. And yes, I am being trained to accept re-direction to another server. With the DNS bug that became public knowledge (last month?) I am at risk to be surreptitiously redirected to a spoof site that looks just like where I want to be and, I think, which shows the same URL up top, even though it really is at yet a third URL. If I cannot see the real URL, I won't know the difference and I will submit my private info, thus giving the spoofers all that they need to get into my account and immediately drain it.

It could all be avoided if all banking [credit union] online functions were on the same server, not contracted out to a business that provides the online banking customized for each bank, right? Is that the gist of it? I found the article a little disjoint and may be missing something.