Security
Study Finds Bank of America SiteKey is Flawed

An anonymous reader writes "The NYT reports on a Harvard and MIT study, which finds that the SiteKey authentication system employed by Bank of America is ineffective at preventing phishing attacks. SiteKey requires users to preselect an image and to recognize this image before they log in, but users don't comply. 'The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank's, and should not enter their passwords. The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images. Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.' The study, aptly entitled 'The Emperor's New Security Indicators', is available online."

  • As a BOA customer... (Score:2, Informative)

    by porkThreeWays ( 895269 ) on Monday February 05, 2007 @12:02PM (#17890270)
    I can say SiteKey is the most useless piece of junk meant to make my life harder. It's one of those pieces of security that sound good to PHBs but is retarded in practice. Other banking notables? Linking your IP address to your bank account and ActiveX controls that won't let you in until it's verified you have antivirus software installed. Get with the program guys. Half-baked schemes to make online banking "safer" rarely do so and in many cases make it less safe.

    Give me an online banking system with a good old fashioned username and password and I'm set.
  • by Expertus ( 1001346 ) on Monday February 05, 2007 @12:04PM (#17890302)
    When will these 'researchers' be arrested for pointing out flaws in a security system?
  • by IceFox ( 18179 ) on Monday February 05, 2007 @12:10PM (#17890390) Homepage
    This coming from a bank whose website frequently goes down and, when clicking links within my accounts page, will suddenly (and randomly) tell its users how they have "successfully logged out" without a link to the main page to re-login and continue. And let's not forget the determination to automagically remove bank statements after six months and yet at the same time keep pestering its users to cancel their paper copies. I would have to say that Bank of America is the perfect example of how not to run a banking website. Every time I call their tech support I am costing THEM money.
  • by jyoull ( 512280 ) <jim@@@media...mit...edu> on Monday February 05, 2007 @12:16PM (#17890468)
    Discussion and links to papers here:

    http://bbaadd.com/blog/2006/08/security-why-sitekey-cant-save-you.html [bbaadd.com]

    This overview of "Fraud Vulnerabilities in SiteKey Security at Bank of America" is written for a non-technical audience. Some details have been greatly simplified, and some new material is presented. Readers seeking more depth of coverage should consult the original paper, available at the above URL.

    Although this report discusses SiteKey at Bank of America Corporation, the general risks discussed here apply to all SiteKey sites including ING Direct and Vanguard.com, and they apply even more generally to any security method that relies solely on server-side interventions to detect and stop online fraud.

  • by monkeydo ( 173558 ) on Monday February 05, 2007 @12:40PM (#17890798) Homepage
    If people are not seeing their site-key and continuing with the 'experiment', perhaps the experiment was flawed. (The people may have felt they should continue even though the sitekey was not present, as they wanted the experiment to succeed.)

    Did you read the paper? The study attempted to control for this by telling one of the three groups that the purpose of the study was to test security awareness. This group did just as badly as the others.
  • by thebigbluecheez ( 1010821 ) on Monday February 05, 2007 @01:17PM (#17891416)
    As a Bank of America customer, I have to tell you that you're not entirely correct here.

    If I log in from a new computer (or clear cookies on my own), I have to add that computer to the safe list. That is, I have to get a new cookie.

    In order to authorize a new computer, I have to answer one of three preselected security questions. These questions include:
    What is your maternal grandmother's first name?
    What is your maternal grandfather's first name?
    In what city were you born?
    What was the name of your first pet?
    and 5 more that I don't care to take the time to count.

    After this authorization takes place, my sitekey is displayed, allowing me to verify the authenticity of the site.

    That's not to say it's foolproof, but it isn't quite as simple as you make it out to be.

    What really makes it fun is when my mom's cookies get cleared, and she can't recall the answers to her questions. /missed the aforementioned security classes //not an expert, just a user.
  • by diamondsw ( 685967 ) on Monday February 05, 2007 @01:20PM (#17891468)

    This scheme is worthless. Once the user enters his username the bank discloses the picture. There's nothing stopping a phishing site or trojan from immediately using the username to obtain the correct picture and displaying it to the user. I.e., the explaining text should say 'if you recognize your SiteKey you still have no idea whether or not it's safe to enter your passcode'.
    Wrong. If you have not saved your userid (and thus have to enter it, as you would at a phishing site) then BofA will ask your security questions before allowing you to log in with the SiteKey. If you go to a phishing site, you would not only miss your security questions, but it would then have to get the sitekey picture.

    So a phishing site, even with your userid, will have to try to retrieve your security questions and present them, long before it would ever get to the SiteKey.

    If you can come up with something better, I'm all ears. I thought this was a rather ingenious way of using Challenge-Response on the web.
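The flow that thebigbluecheez and diamondsw describe (registered device cookie, otherwise a security question, then the image, then the password) is easy to get wrong in the retelling, so here it is as a small runnable model. This is an added example written for this thread, not Bank of America's code or anything from the linked paper; the server class, the `attempt_login` driver, the account record, the question and answer, and the image filename are all constructed for illustration. The `suppress_images` switch models what the study did: the server withholds the image and the only thing left between a user and a submitted password is whether that user checks for it.

```python
"""Toy model of the SiteKey-style login flow described in this thread:
device cookie -> security question -> image -> password. Added example,
not Bank of America's code; all accounts, answers and image names are
constructed sample data."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    password: str
    image: str                                   # preselected SiteKey image
    questions: dict                              # question -> answer
    devices: set = field(default_factory=set)    # registered device cookies


class SiteKeyServer:
    def __init__(self, accounts, suppress_images=False):
        self.accounts = accounts
        # suppress_images models the study: the server withdraws the image
        self.suppress_images = suppress_images
        self.pending = {}            # challenge token -> (username, question)

    def _image_step(self, acct, cookie=None):
        step = {"step": "image",
                "image": None if self.suppress_images else acct.image}
        if cookie:
            step["device_cookie"] = cookie
        return step

    def start_login(self, username, device_cookie=None):
        """Step 1: a registered device gets the image at once; any other
        device is challenged with a security question and the image is
        withheld. Unknown usernames are challenged too, so the reply does
        not reveal whether the account exists."""
        acct = self.accounts.get(username)
        if acct is not None and device_cookie in acct.devices:
            return self._image_step(acct)
        question = (next(iter(acct.questions)) if acct
                    else "What is your maternal grandmother's first name?")
        token = secrets.token_hex(8)
        self.pending[token] = (username, question)
        return {"step": "question", "token": token, "question": question}

    def answer_question(self, token, answer):
        """Step 2: a correct answer registers the device and releases the image."""
        username, question = self.pending.pop(token, (None, None))
        acct = self.accounts.get(username)
        if acct is None:
            return {"step": "denied"}
        expected = acct.questions[question].strip().lower().encode()
        if not hmac.compare_digest(expected, answer.strip().lower().encode()):
            return {"step": "denied"}
        cookie = secrets.token_hex(16)
        acct.devices.add(cookie)
        return self._image_step(acct, cookie)

    def submit_password(self, username, password):
        """Step 3: the password is checked only here; nothing in steps 1-2
        stops a user from reaching this step with no image shown."""
        acct = self.accounts.get(username)
        ok = acct is not None and hmac.compare_digest(
            acct.password.encode(), password.encode())
        return {"step": "logged_in" if ok else "denied"}


def attempt_login(server, username, password, expected_image,
                  answer=None, device_cookie=None, checks_image=True):
    """Drive the flow as a user would. checks_image=True models a user who
    refuses to type the password unless the expected image is displayed;
    False models the study's participants, who typed it regardless.
    Returns (final step, whether the password was submitted, cookie)."""
    step = server.start_login(username, device_cookie)
    if step["step"] == "question":
        if answer is None:
            return ("stopped", False, device_cookie)
        step = server.answer_question(step["token"], answer)
    if step["step"] == "denied":
        return ("denied", False, device_cookie)
    cookie = step.get("device_cookie", device_cookie)
    if checks_image and step["image"] != expected_image:
        return ("stopped", False, cookie)        # the indicator did its job
    return (server.submit_password(username, password)["step"], True, cookie)


def demo_accounts():
    """Constructed sample account used by the demo below."""
    return {"alice": Account(password="correct horse", image="sailboat.png",
                             questions={"What was the name of your first pet?": "Rex"})}


if __name__ == "__main__":
    srv = SiteKeyServer(demo_accounts())
    print(attempt_login(srv, "alice", "correct horse", "sailboat.png", answer="rex"))
    study = SiteKeyServer(demo_accounts(), suppress_images=True)
    print(attempt_login(study, "alice", "correct horse", "sailboat.png",
                        answer="rex", checks_image=False))
```

Two things the model makes concrete. First, diamondsw's point holds: a device that has no registered cookie never sees the image without a correct security-question answer, so the image is gated by that answer and by nothing stronger. Second, the study's finding is visible in the last branch of `attempt_login`: the server cannot tell a user who verified the image from one who ignored a blank where it should have been, so the whole protective value of the indicator lives in `checks_image`, which is the client's behaviour and not anything the bank controls.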
  • by Anthracks ( 532185 ) on Monday February 05, 2007 @02:30PM (#17892774) Homepage
    FYI, the study you're referring to was the Milgram Experiment [wikipedia.org] and it raises all sorts of interesting ethical questions for researchers.
  • by Yottabyte84 ( 217942 ) <yottabyte@@@softhome...net> on Monday February 05, 2007 @07:06PM (#17897134)
    They could intentionally suppress the image about 5% of the time, and berate users who enter their password anyway. "If this were a real phishing site, your balance of $AMOUNT would have just been sent to $TERRORIST_ORGANIZATION. You're not a terrorist, are you?"
