- From: <michael.mccormick@wellsfargo.com>
- Date: Fri, 25 Jul 2008 13:41:36 -0500
- To: <yngve@opera.com>
- Cc: <public-wsc-wg@w3.org>
The author of the study, Dr. Prakash at U of Mich, has cited Wells Fargo as the one secure bank he's aware of. -----Original Message----- From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Yngve N. Pettersen (Developer Opera Software ASA) Sent: Wednesday, July 23, 2008 4:53 PM To: public-wsc-wg@w3.org Subject: Arstechnica: Study: websites of financial institutions insecure by design <URL: http://arstechnica.com/news.ars/post/20080723-study-websites-of-financial-institutions-insecure-by-design.html > Hmmmm? ------------------ For example, nearly 30 percent of the sites the researchers examined performed what they termed a "break in the chain of trust." In this case, specific financial activities required that the user be sent to a site run by a different company, meaning they were no longer interacting with the original domain; in many cases, a different security certificate was required. In 17 percent of these cases, there was no warning that this would occur. Roughly half the sites requested login information on an insecure page. The information was typically sent using JavaScript that invoked a secure SSL connection, but the user had no indication of this, a practice that promotes a casual approach to security. Over a quarter of the sites had poor policies on the username/password combination. Some accepted short, insecure passwords. Others either accepted or defaulted to easily obtained usernames, such as e-mail addresses or Social Security numbers. ------------------- -- Sincerely, Yngve N. Pettersen ******************************************************************** Senior Developer Email: yngve@opera.com Opera Software ASA http://www.opera.com/ Phone: +47 24 16 42 60 Fax: +47 24 16 40 01 ********************************************************************
Received on Friday, 25 July 2008 18:42:50 UTC