It is all over the news today: many banking web sites have been found to be insecure due to basic security flaws in web site design. According to the reports, the biggest security issues were:
1. Forwarding users to insecure domains.
2. Presenting secure log on options on insecure pages.
3. Displaying contact and security information on insecure pages.
4. Inadequate policies for user ids and passwords.
5. E-Mailing sensitive information.
Forwarding users to insecure domains occurs quite often with the use of advertisements for products and services that are not secure on the same pages as security content. IE 7 tip: when you are prompted that a website you are visiting has secure and insecure data and the message asks whether you want to view the insecure data, click the "No" button. Often this insecure data comes from un-trusted domains, outside links, advertisements, or just poor design. No matter what it is, if you choose "Yes" you have broken the secure channel.
Log on options on insecure pages are very common on the web. You often see a log on/password box somewhere on the front page of a web site. Unless you see a valid certificate notification (the yellow padlock), your credentials may not be securely transmitted.
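The first two issues (insecure sub-resources on a secure page, and log on forms on or posting to insecure pages) can be checked mechanically from a page's HTML. The following is an added example, not code from the original post or from any of the banks mentioned; the page URL, the `bank.example` / `ads.example` hosts and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _PageScanner(HTMLParser):
    """Collect each form (action + whether it holds a password field)
    and the URLs of sub-resources that a browser would fetch."""
    def __init__(self):
        super().__init__()
        self.forms, self.resources, self._form = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self._form:
            self._form["password"] = True
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.resources.append(a["href"])
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_page(page_url, html):
    """Return findings for: login forms on insecure pages, login forms that
    post over an insecure URL, and insecure sub-resources on a secure page."""
    scanner = _PageScanner()
    scanner.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue  # not a log on form
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        if not page_https:
            findings.append(f"login form served on insecure page {page_url}")
        if urlparse(target).scheme != "https":
            findings.append(f"login form posts credentials over insecure URL {target}")
    if page_https:  # mixed content: the 'secure and insecure data' prompt
        for res in scanner.resources:
            if urlparse(urljoin(page_url, res)).scheme == "http":
                findings.append(f"secure page loads insecure sub-resource {res}")
    return findings

# Constructed sample: a secure front page with a log on box and a third-party ad script.
SAMPLE_URL = "https://bank.example/"
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/site.css"></head><body>
<script src="http://ads.example/tracker.js"></script>
<form action="/login"><input type="text" name="user"><input type="password" name="pw"></form>
</body></html>"""
```

Running `audit_page(SAMPLE_URL, SAMPLE_HTML)` flags only the ad script; the same HTML served over plain http would instead flag the log on form itself.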
Displaying contact and security information on insecure pages makes it easier for a thief to spoof the legitimate website and create fraudulent websites designed to fool a user.
Password policies are very important. A long password (or pass phrase) is best, as it is hard, if not impossible, to guess or break. American Express is a bad example: their password policy requires your password to be between 6 and 8 characters only, and it cannot contain any special characters! Bank of America, on the other hand, is a good example. On one page you are prompted for a user name and account type. Then you move to another page where you see an image called a 'site key' that you have registered, and a quote. Only once you confirm all of this data do you enter your password, which is 8-20 characters. Not only that, but the computer system you are using must be registered.
Regular email is not secure. Sending log on credentials via email is a very bad practice and it should never happen, whether it is a bank, your work log on information, or your kids' soccer users' forum.
ars technica link
Full report link
John "Mike" Wright