Security Flaws in Design

I came across a study entitled Analyzing Websites for User-Visible Security Design Flaws (PDF) by three University of Michigan researchers. They analyzed the websites of 214 U.S. banks for design flaws that affected security. This is different from typical security flaws that are in software and are fixed with bug patches — this kind of flaw affects how users perceive the security of the site and how they might be fooled into giving their confidential information to the wrong people.

Note that these flaws don’t apply only to bank sites — the authors only researched bank sites because they have high security requirements.

1. Break in the chain of trust: Some websites forward users from a secure page to new pages that have different domains without notifying the user. In this situation, the user has no way of knowing whether the new page is trustworthy.
2. Presenting secure login options on insecure pages: Some sites present login forms that forward to a secure page but do not come from a secure page. This is problematic because an attacker could modify the insecure page to submit login credentials to an insecure destination.
3. Contact information/security advice on insecure pages: Some sites host their security recommendations, contact information, and various other sensitive information about their site and company on insecure pages. This is dangerous because an attacker could forge the insecure page and present different recommendations and contact information.
4. Inadequate policies for user IDs and passwords: It is important to maintain consistent and strong policies on passwords and user IDs. The researchers found that some sites allow customers to use short passwords or require email addresses for user names.
5. Emailing security sensitive information insecurely: Emailing any sensitive information is dangerous. Some sites offered to send statements and passwords through email, but not very many people have secure email.

They found that only 24% of the sites were completely free from any of these flaws. I certainly hadn’t considered all of these aspects, and obviously most companies/developers don’t either.