Javelin Strategy & Research has released a report evaluating the security of online customer interaction at 24 major US financial institutions, focusing on how private data is protected when a customer sends an inquiry or enrolls. According to the report, nearly 46% of these top banks could further harden their ‘contact us’, ‘help’, and other interaction pages against criminal hijacking.
The report, titled ‘US Online Channel Security: an Assessment of the 24 Top Financial Institutions’, analyzes the security of the home and log-in pages at the 24 largest US financial institutions, checking whether each page is served over SSL/TLS and whether the site presents an Extended Validation (EV) certificate. Transport encryption is the attribute that guards against in-transit tampering such as the insertion of bogus links or content; an EV certificate is not extra encryption but a stronger assurance to the customer of which organization operates the site. In the same report Javelin also examined the online banking enrollment procedures for existing customers and the protections around recovery of lost or forgotten usernames and passwords.
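The transport check described above can be partly automated once a page has been fetched. The following is an added example, not code from the Javelin report, that audits a page for the two failures TLS is meant to prevent: a log-in form that posts a password over plain HTTP, and a script loaded over plain HTTP into an otherwise encrypted page (which lets an on-path attacker insert content alongside the bank's own). The bank hostnames and the HTML are constructed for the example; certificate inspection is out of scope here.

```python
"""Audit a fetched HTML page for weaknesses that undermine its TLS protection.

Added example (not from the Javelin report). It assumes the page body has
already been retrieved; the sample page and hostnames below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormAuditor(HTMLParser):
    """Collect every <form> (with whether it holds a password field)
    and every external <script src> on the page, resolved against page_url."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []             # dicts: {"action": absolute URL, "has_password": bool}
        self.insecure_scripts = []  # absolute URLs of scripts fetched over http://
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves to the page's own origin.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True
        elif tag == "script" and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            if urlsplit(src).scheme == "http":
                self.insecure_scripts.append(src)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return a list of human-readable findings; an empty list means the
    page, its password forms and its scripts all stay on https."""
    findings = []
    scheme = urlsplit(page_url).scheme
    if scheme != "https":
        findings.append(f"page itself served over {scheme}: {page_url}")
    parser = _FormAuditor(page_url)
    parser.feed(html)
    for form in parser.forms:
        if form["has_password"] and urlsplit(form["action"]).scheme != "https":
            findings.append(f"password form posts over plain HTTP: {form['action']}")
    for src in parser.insecure_scripts:
        findings.append(f"script loaded over plain HTTP (can inject content into a TLS page): {src}")
    return findings


# Constructed sample: a bank home page served over https that still posts the
# log-in form to http and pulls an analytics script over http. The .test TLD
# is reserved and never resolves.
SAMPLE_LOGIN_PAGE = """
<html><body>
<script src="http://static.example-bank.test/analytics.js"></script>
<form action="http://www.example-bank.test/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="/search"><input name="q"></form>
<form action="/help/contact" method="post">
  <input name="email"><textarea name="msg"></textarea>
</form>
</body></html>
"""

if __name__ == "__main__":
    for line in audit_page("https://www.example-bank.test/", SAMPLE_LOGIN_PAGE):
        print("FINDING:", line)
```

The search and contact forms are reported only if they carry a password field; a real assessment would also flag any form that collects personal data on a page not served over https, which the first check already catches at the page level.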
Javelin also published a companion report titled ‘Improving Web Application Security Using New 2010 OWASP Top 10 Risk Model: Best Practices for Mitigating Online Vulnerabilities and Threats’. In it Javelin presents a model, built on the risk-rating approach of the 2010 OWASP Top 10, that identifies the risks organizations face today, shows how to weigh vulnerabilities under the new system, and sets mitigation priorities accordingly.
James Van Dyke, president and founder, said: “We were surprised to find so many banks overlooking this potential area of exploit. A cross-site scripting flaw on a customer-facing Web site could allow criminals to access the internal network or at the very least, insert counterfeit content alongside legitimate content on a site and redirect customers to a fraudulent third-party site. For financial institutions, it’s all about shoring up even the most seemingly innocuous areas of risk.”
Mary Monahan, research director and managing partner, said: “These reports are a how-to guide for improving Web site vulnerabilities, with focus on customer interaction and effective use of finite security resources. Instead of being reactive and responding to the volumes of attacks, the security community can risk-weight and strengthen vulnerable areas specific to each institution, while integrating best-practice models such as the proposed 2010 OWASP Top 10.”