Many banks are unwittingly training their online customers to take risks with their passwords and other sensitive account information, leaving them more vulnerable to fraud, new research shows.

The result is that even the most security-conscious Web surfers could find themselves the victims of identity theft because they've been conditioned to ignore potential clues about whether the banking site they're visiting is real _ or a bogus site served up by hackers.

That's the conclusion by University of Michigan researchers who found design flaws in 76 percent of the 214 U.S. financial institution Web sites they studied.

The study, to be presented Friday at a security conference, examined the sites of top banks and smaller institutions alike. The researchers aren't detailing which banks had problems, however.

"We want banks to make the right decisions so people who are trying to be careful can do online banking securely," said the paper's lead researcher, Atul Prakash, a professor of computer science and engineering.

The researchers found that many banks silently redirect users to third-party sites, plop "secure login" boxes on insecure Web pages, and improperly use Social Security numbers or e-mail addresses _ which an outsider can figure out _ as default user names.

All of those banking tactics put users at risk.

"Conventional wisdom is that the clients _ or PCs _ are inherently insecure devices," said Avivah Litan, a banking security analyst with Gartner Inc. "What this study shows is that the servers _ or the bank and other consumer-facing Web sites _ are also inherently insecure."

The research didn't uncover vulnerabilities in the Web sites themselves, or problems with the sites' coding that could allow criminals to break in. Instead, it found design flaws that teach people bad surfing habits. Continued...