More than 75 percent of bank Web sites have at least one design flaw that could make customers vulnerable to cybercriminals after their money or even their identity, a University of Michigan study says.
Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science, said some banks may have taken steps to resolve these problems since the data was gathered, but overall he still sees a need for improvement.
"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," Prakash said. "Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."
Pinpointing the Flaws
These design flaws aren't bugs that could be fixed with a patch. They stem from the flow and layout of these Web sites, according to the study. The flaws include placing log-in boxes and contact information on insecure Web pages and failing to keep users on the site they initially visited.
The flaws leave cracks in security that hackers could exploit to gain access to private information and accounts. The Federal Deposit Insurance Corporation says computer intrusion, while relatively rare compared with financial crimes like mortgage fraud and check fraud, is a growing problem for banks and their customers.
A recent FDIC Technology Incident Report, compiled from suspicious activity reports banks file quarterly, lists 536 cases of computer intrusion, with an average loss per incident of $30,000. That adds up to a nearly $16 million loss in the second quarter of 2007. Computer intrusions increased 150 percent between the first quarter of 2007 and the second. In 80 percent of the cases, the source of the intrusion is unknown but it occurred during online banking, the report says.
Protection from Financial Phishing
It's no surprise to security researchers that many corporate computers are vulnerable to attacks. In June, Sophos released research that revealed 81 percent of corporate computers tested did not have the latest Microsoft security patches installed, had their firewall disabled, or were missing security software updates.
"It's important to remember that there are risks with any kind of banking. Online banking isn't inherently unsafe, but the way in which you bank online (and the care which you take when you do so) will be instrumental in determining if you are likely to fall victim to a cybercriminal," said Graham Cluley, a senior technology consultant at Sophos.
Banks would be wise to look at Prakash's study and determine if there is more they can do to make their Web sites more secure, Cluley said. More banks could also look at providing authentication tokens to users, which can help fight some of the phishing problem.
These authentication tokens are small hardware devices that produce a one-time six-digit number, entered at log-in alongside the user's regular username and password. Even if keyboard-logging spyware has infected the PC and captures the username and password, the captured number is of little use to the attacker because it expires within a couple of minutes.
"It's not a complete solution -- and there are ways for cybercriminals to still steal from your bank account -- but it can help combat some of the more common attacks and make life for the hackers more tricky," Cluley said.