Many banks could do more to boost security for customer-facing Web applications, according to research released Tuesday by Javelin Strategy & Research.
Researchers at the Pleasanton, Calif.-based firm evaluated home and login page security at the top 24 U.S. financial institutions, including Bank of America, Capital One, Citibank, US Bank, and Wells Fargo. They found that 46% don't use SSL or Extended Validation (EV) SSL encryption on their home page, said Robert Vamosi, research analyst at Javelin.
"It protects against redirection to a spoofed page and assures visitors they're not going to a phishing site," he said. "We thought it was a best practice that banks move in that direction and start putting SSL and EV SSL on their home page and not just starting on their login page."
The study had more encouraging results when it looked at the banks' "help" and "contact us" pages, where 58% of the institutions use SSL encryption. While those pages can seem trivial, the customer contact information they request is important to secure, Vamosi said.
Javelin also found that many banks no longer require entire Social Security numbers when enrolling existing customers into online banking. Instead, they ask customers to input only the last four digits of their Social Security numbers or some type of alternative authentication.
"The downside is that 20% of the alternatives featured easy-to-guess authentication questions like zip code or date of birth," Vamosi said.
In the case of a forgotten password or user name, only one in four of the banks studied require users to choose a password longer than six digits. And while 90% of banks return generic error messages when a customer's login fails, the remaining 10% provide specific information that can be used by attackers, the study showed.
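The difference between a specific and a generic login failure message is easiest to see in code. The example below is added here and is not from the Javelin study or any bank's software; the user store, salt and passwords are constructed, and the function names are my own. `login_verbose` is the "before" pattern that tells the caller whether the user name or the password was wrong; `login_generic` returns one message for every failure and does the same hashing work whether or not the account exists, so neither the message nor the response time distinguishes a valid user name from an invalid one. `leaks_user_existence` is the kind of check a security team can keep in a regression suite.

```python
import hashlib
import hmac

# Constructed sample user store: username -> (salt, PBKDF2 hash). Not real accounts.
_SALT = b"constructed-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256 (iteration count is illustrative)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {
    "alice": (_SALT, _hash_password("correct horse battery", _SALT)),
}

# A dummy hash computed once, so the unknown-user path still performs one PBKDF2
# derivation and a comparison; the response time then resembles the known-user path.
_DUMMY_HASH = _hash_password("dummy-password", _SALT)

GENERIC_ERROR = "invalid user name or password"


def login_verbose(username: str, password: str) -> dict:
    """Before: the failure message reveals whether the user name exists."""
    record = USERS.get(username)
    if record is None:
        return {"ok": False, "error": "unknown user name"}
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return {"ok": False, "error": "incorrect password"}
    return {"ok": True, "error": None}


def login_generic(username: str, password: str) -> dict:
    """After: one message and the same amount of work for every failure."""
    record = USERS.get(username)
    # Fall back to a dummy record so hashing and comparison always happen.
    salt, stored = record if record is not None else (_SALT, _DUMMY_HASH)
    candidate = _hash_password(password, salt)
    match = hmac.compare_digest(candidate, stored)  # constant-time comparison
    if record is None or not match:
        return {"ok": False, "error": GENERIC_ERROR}
    return {"ok": True, "error": None}


def leaks_user_existence(login_fn) -> bool:
    """Return True if a known and an unknown user name produce different failure messages."""
    known = login_fn("alice", "wrong-password")
    unknown = login_fn("nobody", "wrong-password")
    return known["error"] != unknown["error"]


if __name__ == "__main__":
    print("verbose handler leaks user existence:", leaks_user_existence(login_verbose))
    print("generic handler leaks user existence:", leaks_user_existence(login_generic))
```

Returning the same message is necessary but not sufficient: the hardened handler also hashes a dummy record on the unknown-user path and uses `hmac.compare_digest`, because a noticeably faster "no such user" response leaks the same information as a different message. In a real deployment the lockout and rate-limiting behaviour must also be identical for both cases.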
In addition to the study, Javelin also released a report on how financial institutions can prioritize their Web application security risks based on the Open Web Application Security Project's proposed top 10 list.