Study Finds Bank of America SiteKey is Flawed
An anonymous reader writes "The NYT reports on a Harvard and MIT study, which finds that the SiteKey authentication system employed by Bank of America is ineffective at preventing phishing attacks. SiteKey requires users to preselect an image and to recognize this image before they log in, but users don't comply. 'The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank's, and should not enter their passwords.
The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images.
Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.' The study, aptly entitled "The Emperor's New Security Indicators", is available online."
As a BOA customer... (Score:2, Informative)
Give me an online banking system with a good old fashioned username and password and I'm set.
The Real Question is... (Score:4, Informative)
you have successfully logged out! (Score:3, Informative)
The system is actually technically flawed (Score:5, Informative)
http://bbaadd.com/blog/2006/08/security-why-sitek
This overview of "Fraud Vulnerabilities in SiteKey Security at Bank of America" is written for a non-technical audience. Some details have been greatly simplified, and some new material is presented. Readers seeking more depth of coverage should consult the original paper, available at the above URL.
Although this report discusses SiteKey at Bank of America Corporation, the general risks discussed here apply to all SiteKey sites including ING Direct and Vanguard.com, and they apply even more generally to any security method that relies solely on server-side interventions to detect and stop online fraud.
Re:Flawed system or flawed usage? (Score:5, Informative)
Did you read the paper? The study attempted to control for this by telling one of the three groups that the purpose of the study was to test security awareness. This group did just as badly as the others.
Re:Flawed system or flawed usage? (Score:5, Informative)
If I log in from a new computer (or clear cookies on my own), I have to add that computer to the safe list. That is, I have to get a new cookie.
In order to authorize a new computer, I have to answer one of three preselected security questions. These questions include:
What is your maternal grandmother's first name?
What is your maternal grandfather's first name?
In what city were you born?
What was the name of your first pet?
and 5 more that I don't care to take the time to count.
After this authorization takes place, my SiteKey is displayed, allowing me to verify the authenticity of the site.
That's not to say it's foolproof, but it isn't quite as simple as you make it out to be.
What really makes it fun is when my mom's cookies get cleared, and she can't recall the answers to her questions.
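The login sequence the commenter above describes (device cookie, fallback security question, SiteKey image, and only then the password) can be modelled as a small server-side state machine. The following is an added example written for this thread, not Bank of America's code; the user record, the questions, the image name and the session layout are all constructed for the demo.

```python
"""Model of a SiteKey-style login sequence (constructed example).

Stages a login session passes through:
  1. username + optional device cookie  -> image if the device is recognized
  2. otherwise a security question      -> image (and a new cookie) if answered
  3. password is accepted only once the image stage has been reached
"""
import hashlib
import hmac
import secrets

# Constructed user record; a real deployment would keep this in a database
# and would not store security answers in clear text.
USERS = {
    "alice": {
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "sitekey_image": "sailboat.png",
        "questions": {
            "What was the name of your first pet?": "rex",
            "In what city were you born?": "boston",
        },
    }
}


class SiteKeyServer:
    """Tracks authorized devices per user and the stage of each login session."""

    def __init__(self):
        self.authorized_devices = {}  # cookie value -> username
        self.sessions = {}            # session id -> {"user", "stage", ...}

    def begin(self, username, device_cookie=None):
        """Step 1: the browser sends the username and any stored device cookie."""
        sid = secrets.token_hex(8)
        if device_cookie is not None and self.authorized_devices.get(device_cookie) == username:
            self.sessions[sid] = {"user": username, "stage": "image"}
            return sid, {"step": "image", "image": USERS[username]["sitekey_image"]}
        user = USERS.get(username)
        if user is None:
            return sid, {"step": "rejected"}
        # Unrecognized device: fall back to a security question. The first
        # question is used here for determinism; rotate them in practice.
        question = next(iter(user["questions"]))
        self.sessions[sid] = {"user": username, "stage": "question", "question": question}
        return sid, {"step": "question", "question": question}

    def answer_question(self, sid, answer):
        """Step 2: a correct answer reveals the image and authorizes the device."""
        s = self.sessions.get(sid)
        if s is None or s["stage"] != "question":
            return {"step": "rejected"}
        expected = USERS[s["user"]]["questions"][s["question"]]
        # Constant-time comparison so timing does not leak how much matched.
        if hmac.compare_digest(answer.strip().lower(), expected):
            s["stage"] = "image"
            cookie = secrets.token_urlsafe(16)
            self.authorized_devices[cookie] = s["user"]
            return {"step": "image", "image": USERS[s["user"]]["sitekey_image"], "cookie": cookie}
        del self.sessions[sid]
        return {"step": "rejected"}

    def submit_password(self, sid, password):
        """Step 3: the server never accepts a password before the image stage."""
        s = self.sessions.pop(sid, None)
        if s is None or s["stage"] != "image":
            return False
        digest = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(digest, USERS[s["user"]]["password_hash"])


def demo():
    """Walk through a first login from a new device, then a return visit."""
    srv = SiteKeyServer()
    sid, first = srv.begin("alice")                     # no cookie yet -> question
    shown = srv.answer_question(sid, "Rex")             # correct -> image + cookie
    logged_in = srv.submit_password(sid, "correct horse")
    _, second = srv.begin("alice", shown["cookie"])     # cookie recognized -> image
    return first["step"], shown["step"], logged_in, second["step"]


if __name__ == "__main__":
    print(demo())
```

Note what the model can and cannot enforce: the server can refuse a password until its own image stage is reached, but the check that actually protects against a look-alike site (the user declining to type a password when the expected image is absent) runs in the user's head, which is exactly the step the Harvard/MIT study found that 58 of 60 participants skipped.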
Re:Flawed system or flawed usage? (Score:3, Informative)
So a phishing site, even with your userid, will have to try to retrieve your security questions and present them, long before it would ever get to the SiteKey.
If you can come up with something better, I'm all ears. I thought this was a rather ingenious way of using Challenge-Response on the web.
Re:Flawed system or flawed usage? (Score:3, Informative)
Re:Flawed system or flawed usage? (Score:2, Informative)