Sycorr survey: Financial institutions ignoring easy security fixes, audit by Fargo software company shows
Fargo - Nearly every bank and credit union in the country isn’t taking a simple step that could make it more difficult for fraudsters to glean personal information from customers, according to a local software development and online marketing company.
Sycorr Inc., a Fargo technology service company that specializes in financial institutions, has published a Web post and online video to show how bank and credit union marketing websites could be susceptible to “clickjacking.”
The video and blog also provide the fix that they say 97 percent of U.S. banks and credit unions haven’t done: changing one line in the server configuration to prevent a website from opening within another site’s frame.
The information comes from Insights by Sycorr, software the company built that analyzed and benchmarked data about security, search authority, social media and mobile use for more than 11,700 U.S. bank and credit union public branding websites.
While the software didn’t audit the institutions’ actual online banking sites, the marketing sites often serve as the portal for customers to access their accounts.
“Everyone will say we take security very seriously, but what this test showed us is their actions are not following through,” said Max Pool, co-founder of Sycorr.
When a server doesn’t prevent its website from being opened within a frame, fraudsters can set up fake websites with a slight misspelling of the bank or credit union’s address.
They then could layer a login page over the bank’s actual website. That faux screen can skim a customer’s information and store it for later use, then direct the user to the real site, so he or she never realizes it was a fraudulent site, said Jeremy Neuharth, co-founder of Sycorr.
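As an added example (not Sycorr’s Insights software or any code from this article), here is how the framing check behind such a benchmark could be implemented in Python: each site’s HTTP response headers are classified by whether they stop the page from being opened in another site’s frame. The institution names and header values are constructed; X-Frame-Options and the Content-Security-Policy frame-ancestors directive are the real mechanisms the “one line” server fix sets.

```python
"""Classify anti-clickjacking posture from HTTP response headers (added example)."""
from typing import Dict, List, Optional

# The "one line" server fix the article refers to sets a header such as:
#   nginx:  add_header X-Frame-Options "SAMEORIGIN" always;
#   Apache: Header always set X-Frame-Options "SAMEORIGIN"
# Current browsers honour CSP frame-ancestors over X-Frame-Options when both exist.

def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_protection(headers: Dict[str, str]) -> str:
    """Return 'csp', 'xfo', 'weak' or 'none' for one site's response headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            # A wildcard or bare http: source lets any page frame the site
            if "*" in ancestors or "http:" in ancestors:
                return "weak"
            return "csp"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    if xfo.startswith("ALLOW-FROM"):
        return "weak"  # deprecated; browsers that ignore it leave the page frameable
    return "none"

# Constructed sample responses for hypothetical institutions, not real sites.
SAMPLE_SITES = {
    "bank-a.example": {"Content-Type": "text/html"},
    "cu-b.example": {"X-Frame-Options": "SAMEORIGIN"},
    "bank-c.example": {"Content-Security-Policy": "frame-ancestors 'self' https://online.bank-c.example"},
    "cu-d.example": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

def audit(sites: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Tally posture per site and report the share still frameable, as a benchmark would."""
    counts = {"csp": 0, "xfo": 0, "weak": 0, "none": 0}
    for headers in sites.values():
        counts[framing_protection(headers)] += 1
    unprotected = counts["weak"] + counts["none"]
    return {"counts": counts, "unprotected_pct": round(100 * unprotected / len(sites), 1)}
```

Running `audit(SAMPLE_SITES)` on the constructed set reports two of four sites as still frameable; on live data the header dictionaries would come from an HTTP client’s response object.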
Another statistic Sycorr is highlighting: 44 percent of bank and credit union websites don’t use SSL – Secure Sockets Layer – technology that creates an encrypted link between a Web server and browser.
While security experts may say these changes won’t stop all cyber-attacks, this is low-hanging fruit for fraudsters, Neuharth said.
“These are such easy fixes, why don’t we fix it anyway and make it more difficult for them,” said Neuharth, who talked about the company at a recent 1 Million Cups event in Fargo.
Sycorr started more than four years ago, and Neuharth and Pool partnered in the business a year ago. It has five employees plus an additional eight to 12 contractors at any given time, Neuharth said.
They write custom software for banks and financial institutions, for example to integrate back office systems, or data migration when there’s a merger and acquisition.
The company is passionate about the world of financial institutions, Neuharth said, noting that even its graphic artist attended the Dakota School of Banking.
“It allows us to come to a solution a lot faster because we have that base of understanding,” Neuharth said.
Pool and Neuharth said they wanted to release the findings from the Insights software to the masses in the hopes of raising the bar for banks and credit unions, and to “nudge” the industry to improve.
Pool said they plan to release more findings from their metrics, but the security gaps were “too important” not to put out right away.
Pool and Neuharth said they didn’t want to blow the clickjacking out of proportion.
“This is a security hole,” Neuharth said. “It’s not the worst attack that has happened in the industry.”
Consumers can take steps to protect themselves, such as avoiding clicking on links in emails and typing in the address themselves, and looking for the SSL certification – a green bar or padlock on the left side of the address bar to show the site’s identity has been verified.