SAN FRANCISCO -- Many banks are unwittingly training their online customers to take risks with their passwords and other sensitive account information, leaving them more vulnerable to fraud, new research shows.

The result is that even the most security-conscious Web surfers could find themselves the victims of identity theft because they've been conditioned to ignore potential clues about whether the banking site they're visiting is real -- or a bogus site served up by hackers.

That's the conclusion by University of Michigan researchers who found design flaws in 76 percent of the 214 U.S. financial institution Web sites they studied.

The study, to be presented Friday at a security conference, examined the sites of top banks and smaller institutions alike. The researchers aren't detailing which banks had problems, however.

"We want banks to make the right decisions so people who are trying to be careful can do online banking securely," said the lead researcher, Atul Prakash, a computer science and engineering professor.

The researchers found that many banks silently redirect users to third-party sites, plop "secure login" boxes on insecure Web pages, and improperly use Social Security numbers or e-mail addresses -- which an outsider can figure out -- as default user names.

"Conventional wisdom is that the clients -- or PCs -- are inherently insecure devices," said Avivah Litan, a banking security analyst. "What this study shows is that the servers -- or the bank and other consumer-facing Web sites -- are also inherently insecure."

The research didn't uncover vulnerabilities in the Web sites, or problems with coding that could allow criminals to break in. Instead, it found design flaws that teach people bad surfing habits.

One of the biggest problems: Even if the login boxes on banks' pages are properly secured -- meaning they send and receive encrypted data through a technology known as Secure Sockets Layer -- if the full page itself isn't protected with the same technology, it's more difficult to tell whether the site is real or fake.