3 out of 4 Bank Websites Insecure

The Register comments on the state of things, based on a 2006 study that was just released:

In a paper titled “Analyzing Web sites for user-visible security design flaws,” researchers from the University of Michigan found 75 percent of bank sites surveyed had at least one such design flaw. The report was presented Friday at the Symposium on Usable Privacy and Security meeting at Carnegie Mellon University.

“To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country,” said Atul Prakash, a professor in the university’s Department of Electrical Engineering and Computer Science, who initiated the study. Doctoral students Laura Falk and Kevin Borders also participated.

The flaws aren’t bugs, but rather features built into the design of the sites.

Why so long to announce? Many of the flaws are user-interface related, such as not letting users know when they are being redirected and not telling them when SSL is disabled. Those are tough issues to baseline, since there is hardly a consensus on the best way to educate users about page and site safety. One thing is clear, however: US regulators could be doing far more to protect consumers. It should not require a university study to find weak passwords and non-unique IDs.

Google has been kind enough to extend SSL to an entire mail session, not just the authentication page. This helps a little, as the sensitive information your bank foolishly sends in email now could be encrypted in transit, but banks should know better and their examiners/auditors should get on the ball.
