UK public dissatisfied with banking security
In an unpublished study for Unisys, the Ponemon Institute surveyed the attitudes of 697 UK citizens to banking security and safety. Apparently over 70 per cent of customers find their bank untrustworthy, and internet banking is the least trusted. Banks with no high street presence fared worst, with the two at the bottom of the trust scale being internet-only banks. Although the sample was small at 679 respondents, this fits well into a developing picture of general discontent with banking security for the ordinary member of the public. For example, although many customers are now prepared to use hardware two-factor authentication devices that generate one-time access tokens, most banks still reserve these for business or high transaction volume customers only.
Unfortunately these feelings are not just irrational fears but do to some extent reflect reality. In autumn 2006 heise Security conducted a test of the security of online banking sites and found that major online banking sites including those of NatWest, Link, Cahoot and the Banks of Scotland and Ireland were vulnerable to frame spoofing -- a very basic security issue known for almost a decade. The Bank of England and UBS were shown to be vulnerable to cross-site scripting attacks. Both vulnerabilities provided easy means for counterfeiters to manipulate online banking sites into almost perfect phishing traps.
However, in addition to insecure IT, poor privacy and non-technical leaks of customer information featured among the issues that reduce trust. There is an apparent groundswell of public concern in the aftermath of several high profile breaches, not all of which were high tech. Not only has phishing reached significant proportions (not infrequently assisted by similar-looking genuine promotional emails from the banks themselves), but there have been several instances of banks committing basic information management errors such as dumping unshredded customer paperwork into publicly accessible waste bins.
Interestingly, another recent data breach study by Ponemon (this time in the USA) showed that the greatest concern there seems to be not banking security but leakage of medical and welfare information. Chacun à son goût.
See also:
- You can't Bank on Security, Testing of UK bank pages reveals possible vulnerabilities, heise Security
- Banking, phishing and the suspension of disbelief, comment by Edward Henning, heise Security
- 2007 Consumer Survey on Data Security, US-based research by Ponemon Institute, Vontu (PDF)
(mba)