Bank security and policies

Written by Dan Blacharski on July 31, 2008

I just received an email that appeared to be from my bank, telling me to log into a web site and verify my account number. Fortunately, my spam filter caught it and filed it away with all the other emails telling me that I won a foreign lottery, or that the wife of some dead dictator wants me to help her distribute a hundred million dollars for “Christian charity.”

We like to assume that our banks are safe, and the banks themselves create the impression of safety with grand physical structures with imposing Roman columns, armed rent-a-cops at the door, and a huge safe with a steel door. Online, banks create the impression of safety with password-enabled logins and verification questions. Generally, online banking is safe, and very convenient—it’s great for me, since I spend two or three months a year traveling around the world, and I can pay my bills from a hotel room in China if I need to.

But have financial institutions gone far enough to create online security? Or is it even possible? Everyone in the IT game knows that when they get an email that appears to be from their bank asking them to click on a link and give their password, it’s a phishing scam. Yet the phishing scams continue, and people continue to fall victim. And because the scam doesn’t originate from the bank, there’s not a lot the bank can do from a technological viewpoint; it’s purely an educational solution.

It is certainly possible for a bank to create a highly secure web site for its online banking customers, and online banking can be just as safe as when you hand your deposit over to the teller in person. But although it’s possible, is it always happening? A study by University of Michigan researchers (http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf) took a look at the web sites of major banks, to see just how secure they really are.

The policies themselves were shown to be weak in a lot of cases. The two-factor approach my bank uses (enter the password, and then enter additional qualifying information) is a good one, and some banks, especially in Europe, make that second factor the use of a portable hardware token that generates a one-time-only passcode, making the online bank ultra-secure. But not all banks use that extra step, and some even have lax password policies that let customers use easily guessed passwords, such as email addresses or social security numbers. The study found five common design flaws in banking web sites, which could easily be remedied. These flaws are:

  1. Break in the chain of trust
  2. Presenting secure login options on insecure pages
  3. Contact information/security advice on insecure pages
  4. Inadequate policies for user IDs and passwords
  5. Emailing security-sensitive information insecurely
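To make flaw 4 concrete, here is an added example (my own code, not from the post or the study) of the kind of password-policy check the study says some banks lack: it rejects passwords built from easily guessed personal data such as an email address or a social security number, passwords derived from the user ID, and passwords that are short or drawn from too few character classes. The thresholds (10 characters, three character classes) are assumptions.

```python
import re

# Added example (not from the post or the study): a password-policy check of the kind
# the study says some banks lack. It rejects passwords built from easily guessed
# personal data (email address, social security number), passwords derived from the
# user ID, and passwords that are short or drawn from too few character classes.
# The thresholds (10 characters, three character classes) are assumptions.

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")          # 123-45-6789 or 123456789
CLASS_RES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")]


def check_password(user_id, password, min_length=10, min_classes=3):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if EMAIL_RE.match(password):
        problems.append("looks like an email address")
    if SSN_RE.match(password):
        problems.append("looks like a social security number")
    if password.lower() == user_id.lower():
        problems.append("identical to the user ID")
    elif len(user_id) >= 4 and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    classes = sum(1 for r in CLASS_RES if r.search(password))
    if classes < min_classes:
        problems.append("uses fewer than %d character classes" % min_classes)
    return problems


if __name__ == "__main__":
    # Constructed sample credentials, not real data.
    for uid, pw in [("jsmith", "jsmith@example.com"), ("jsmith", "123-45-6789"),
                    ("jsmith", "Correct-Horse7Battery")]:
        print(uid, repr(pw), check_password(uid, pw) or "OK")
```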