60% of banks and US government sites analyzed for security and privacy received failing grades in one or more categories during the Online Trust Alliance's 2017 audit. Credit: TheDigitalArtist

We frequently hear that we can’t have privacy and security; sadly, that often still seems to be the case: an audit of over 1,000 top websites, analyzed for their security and privacy practices, showed an alarming trend for the third year in a row. The Online Trust Alliance said, “Sites either qualify for the Honor Roll or fail the Audit. In other words, sites increasingly either take privacy and security seriously and do well in the Audit, or lag the industry significantly in one or more critical areas.”

There is good news and bad news coming out of the audit (pdf). The good news is that 52 percent of websites, the highest percentage in nine years of the annual analysis, qualified for the OTA’s Honor Roll. The flipside is that 46 percent of the websites failed the audit; of those, banks did the worst.

Of the top 100 banks analyzed for both good cybersecurity and privacy practices, 65 percent failed. Not even one bank made it to the “Top of Class.” Granted, the OTA upped its failure threshold this year, but an increased number of data breaches, website security vulnerabilities and inadequate privacy disclosures also played into the high number of bank websites that flunked OTA’s tests.

Banks scored the lowest in SSL security due to using outdated and insecure ciphers. There was a “huge increase” in bank websites receiving failing privacy scores, but 85 percent of the banks analyzed did have the best basic anti-bot protection. This year’s audit also scored sites on disclosure of cross-device tracking; banks came in at 34 percent, with the top 100 US federal government sites faring much worse by scoring a miserable 4 percent for disclosing such tracking.

OTA explained that sites can earn 100 baseline points in three core assessment categories: consumer protection, site security and privacy.
Sites can score bonus points for best practices or receive penalty points for vulnerabilities, breaches and legal settlements. To make it onto OTA’s Honor Roll, a site must not fail any of the three core categories and must achieve an overall score of 80 percent or higher.

More than 60 percent of Fed sites and large banks received failing grades in one or more categories. The OTA report explained, “The security oversights and inadequate privacy policies observed reflect the need to add resources in these areas. These missteps often reflect a lack of ongoing security discipline, failure to take a user-centric view on privacy, and/or organizations not embracing data stewardship and responsible privacy principles.”

It’s not all gloom and doom. In fact, while banks and US government sites were the least trustworthy, more sites than ever are trustworthy. 76 percent of consumer services sites made the Honor Roll. News sites were the most improved, with 48 percent making the Honor Roll; last year, only 23 percent made it onto the list.

The best of the best from the audit made it to OTA’s Top of Class. Although OTA doesn’t list the sites which failed the audit, the 2017 full report (pdf) does include a list of the top sites which made it to the Honor Roll, as well as the percentage of those analyzed which failed.