...from:
http://www.winnipegfreepress.com/canada/story/4157473p-4745347c.html

Safe financial sites? Don't bank on it

Study finds banks misleading customers

Guarantees giving users a false sense of security

By: Sarah Schmidt
Updated: April 10 at 02:00 AM CDT

OTTAWA -- Canadian banks mislead their customers about the safety of online banking in their marketing materials and give users a false sense of security with a refund guarantee if hackers raid their accounts, a leading software-security expert concludes in a new study.
Paul Van Oorschot, Canada Research Chair in Network and Software Security at Carleton University, and PhD student Mohammad Mannan, a specialist in Internet security, tested the standard banking claim of a "100 per cent online security guarantee" against the fine print that makes it conditional on fulfilling complicated security requirements.
The researchers opened up bank accounts at Canada's five major banks and one online bank, and surveyed 123 technically advanced users, mainly computer-science students, professors and security researchers.
Most of those surveyed are more security-aware than the average customer, yet they still failed to satisfy common security requirements. Expecting average people to meet them is "extremely naive," they write.
"We conclude that most average users are ineligible for the 100 per cent reimbursement guarantee banks assert, and doing online banking with 'confidence' and 'peace of mind' is no more than a marketing slogan which misleads users."
They found that despite strong recommendations about password uniqueness, most banks allow weak passwords, such as "123456" and "111111."
In one case, RBC listed "iwthyh," an acronym for the Beatles' song I want to hold your hand, as an example of a "rock-solid" password, even though it doesn't meet RBC's password length requirement of eight characters.
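The password findings above can be put to a concrete test. The following is an added example, not code from the study or from any bank: it encodes the one concrete rule the article quotes (an eight-character minimum) together with generic checks for the two weak patterns the article names, a single repeated character and a sequential run, plus an assumed, constructed deny-list of common passwords. The deny-list and the two pattern rules are this example's assumptions, not any bank's published policy.

```python
"""Password-policy checker (added example; not from the study or any bank).

Applies the eight-character minimum quoted in the article plus generic
checks for the weak patterns it cites ("123456", "111111"), so the
examples the article names can be tested against the stated policy.
"""

MIN_LENGTH = 8  # the only concrete requirement quoted in the article

# Assumed deny-list of well-known weak passwords (constructed for this example).
COMMON_PASSWORDS = {"123456", "111111", "password", "qwerty", "12345678"}


def is_single_repeated_char(pw: str) -> bool:
    """True for strings such as '111111' or 'aaaaaaaa'."""
    return len(pw) > 0 and len(set(pw)) == 1


def is_sequential_run(pw: str) -> bool:
    """True when every character is exactly one code point above (or below)
    the previous one, e.g. '123456', 'abcdefgh', '987654'."""
    if len(pw) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def check_password(pw: str) -> list[str]:
    """Return the policy rules the password violates (empty list = accepted)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        failures.append("on the deny-list of common passwords")
    if is_single_repeated_char(pw):
        failures.append("single repeated character")
    if is_sequential_run(pw):
        failures.append("sequential character run")
    return failures


if __name__ == "__main__":
    # The three passwords named in the article, plus one long passphrase.
    for candidate in ["123456", "111111", "iwthyh", "correct horse battery staple"]:
        problems = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not problems else '; '.join(problems)}")
```

Run as-is, the two weak examples fail three rules each and the "rock-solid" example fails only on length, which is exactly the inconsistency the article describes: a bank's own illustration does not pass the bank's own requirement.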
The researchers also found weaknesses in the banks' use of Secure Sockets Layer (SSL), the protocol, together with the server certificates it relies on, that encrypts traffic between a customer's browser and the bank's site. SSL protects data only while it is in transit: software designed to infiltrate or damage a computer system without the owner's knowledge, known as malware, runs on the customer's own machine and can therefore read everything the user types or sees, including on SSL-protected sites, the study says.
The researchers also point out that malware can silently replace a bookmarked login URL with the address of a phishing site that masquerades as the bank. And increasingly, phishing sites are served over SSL with their own certificates, so the browser's padlock no longer sets them apart from the real bank and they gain the confidence of users.
Meanwhile, most banks' customer agreements require users to install and maintain up-to-date copies of anti-virus, firewall and anti-spyware programs. The survey of 123 tech-savvy users found fewer than half reported using anti-spyware on computers used for banking, and more than a quarter do not use anti-virus software. Ten per cent do not use any firewall.
Further, 65 per cent of users didn't read the banking agreements when they signed on to online banking and 85 per cent couldn't name any conditions for being eligible for the 100 per cent reimbursement in the case of hacking.
"Banks advertise that users can start online banking 'in minutes.' However, to comply with the security requirements and recommendations, we expect most users would be delayed hours or days, if indeed technically capable of doing so at all."
Maura Drew-Lytle, spokeswoman for Canadian Bankers Association, says the expectations of banks are fair and are no more stringent than what people should have on their home computers to do simple things like sending e-mails.
It's also fair to expect customers to read agreements before they agree to the terms, she added.
The study points out that agreements can be changed at any time, and that customers will be notified only by a notice on the bank's website.

-- Canwest News Service