Nearly half of large US banks are leaving themselves unprotected against hijacking of online customer interaction, according to Javelin Strategy & Research.
Javelin analysed the home and log-in pages of the top 24 US financial institutions for their use of SSL/TLS or EV-SSL encryption, which it says is critical for guarding against compromise by the insertion of incorrect links or information.
The research shows that 46% of the firms have an opportunity to more fully protect "contact us", "help", or other interaction pages against criminal hijacking.
Furthermore, one in five sites uses easy-to-guess authentication information such as date-of-birth, e-mail addresses, and ZIP codes while just one in four requires users to choose a new password longer than six digits.
Only a quarter of banks minimise data exposure by truncating social security numbers during enrolment, with as many providing alternatives to SSN for enrolment or username and password retrieval.
Finally, over nine in ten use generic error messages when a customer's login fails, but one in ten still gives specific information that can be used in a brute force attack, says Javelin.
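The last finding above is the user-enumeration problem: a login failure message that says *which* part was wrong tells an attacker which usernames exist, so a brute-force or credential-stuffing run can concentrate on real accounts. The following is an added example (not code from Javelin or from any bank's site) showing a leaky handler beside a hardened one that returns a single generic message and does the same amount of work whether or not the username exists, plus a small check a reviewer can run against either handler to see whether its failure messages differ. The user store, salt and credentials are constructed for the demo, and `hash_password` uses PBKDF2 purely as a stand-in for whatever password hash the real system uses.

```python
"""Added example: generic versus account-revealing login failure messages.

All names, the salt and the user record are constructed for this demo;
PBKDF2-HMAC-SHA256 stands in for the site's real password hash.
"""
import hashlib
import hmac
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from a password and salt (stand-in KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, stored hash)
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {
    "alice": (_SALT, hash_password("correct horse battery staple", _SALT)),
}

# Dummy record so an unknown username costs exactly one hash computation,
# the same as a known one; its random password can never match.
_DUMMY = (_SALT, hash_password(secrets.token_hex(16), _SALT))

GENERIC_FAILURE = "Invalid username or password"


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Vulnerable form: the message reveals whether the account exists."""
    if username not in USERS:
        return (False, "Unknown username")          # leaks: no such account
    salt, stored = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return (False, "Incorrect password")        # leaks: account exists
    return (True, "Welcome")


def login_generic(username: str, password: str) -> tuple[bool, str]:
    """Hardened form: one message and one code path for every failure."""
    salt, stored = USERS.get(username, _DUMMY)
    # Always compute and compare the hash, even for unknown users, so the
    # response time does not depend on whether the account exists.
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    ok = matched and username in USERS
    return (ok, "Welcome" if ok else GENERIC_FAILURE)


def distinguishes_accounts(handler, known="alice", unknown="nobody") -> bool:
    """Defensive check: True if the handler's failure message differs between
    a real account with a wrong password and a non-existent account."""
    bad = "definitely-not-the-password"
    _, msg_known = handler(known, bad)
    _, msg_unknown = handler(unknown, bad)
    return msg_known != msg_unknown


if __name__ == "__main__":
    for name, handler in (("leaky", login_leaky), ("generic", login_generic)):
        print(name, "reveals account existence:", distinguishes_accounts(handler))
```

`distinguishes_accounts` is the kind of check worth wiring into a regression suite for every authentication endpoint: it fails as soon as someone reintroduces a "no such user" message. The dummy record matters as much as the wording, because a handler that skips the hash for unknown users answers measurably faster and leaks the same fact through timing.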
James Van Dyke, president, Javelin, says: "We were surprised to find so many banks overlooking this potential area of exploit. A cross-site scripting flaw on a customer-facing Web site could allow criminals to access the internal network or at the very least, insert counterfeit content alongside legitimate content on a site and redirect customers to a fraudulent third-party site."