InformationWeek: ” “More than three-quarters of bank Web sites have design flaws that could expose bank customers to financial loss or identity theft, according to a University of Michigan study that will be presented this week at the Symposium on Usable Security and Privacy. The study, Analyzing Web Sites For User-Visible Security Design Flaws, examined 214 bank Web sites in 2006. It was conducted by University of Michigan computer science professor Atul Prakash and doctoral students Laura Falk and Kevin Borders.”

• “In this paper, we examine the prevalence of user-visible security design flaws by looking at sites from 214 U.S. financial institutions. We specifically chose financial websites because of their high security requirements. We found a number of flaws that may lead users to make bad security decisions, even if they are knowledgeable about security and exhibit proper browser use consistent with the site’s security policies. To our surprise, these design flaws were widespread. We found that 76% of the sites in our survey suffered from at least one design flaw. This indicates that these flaws are not widely understood, even by experts who are responsible for web security. Finally, we present our methodology for testing websites and discuss how it can help systematically discover user-visible security design flaws.”
• Related news, Washington Post. Banks: Losses From Computer Intrusions Up in 2007 – “U.S. financial institutions reported a sizable increase last year in the number of computer intrusions that led to online bank account takeovers and stolen funds, according to data obtained by Security Fix. The data also suggest such incidents are becoming far more costly for banks, businesses and consumers alike. The unusually detailed information comes from a non-public report assembled by the Federal Deposit Insurance Corporation, the federal entity that oversees and insures more than 9,000 U.S. financial institutions. The statistics were gathered as part of a routine quarterly survey called the Technology Incident Report, which examines so-called suspicious activity reports (SARs).”