Boarding Pass Hacker Targets Bank of America
Concerned Customer writes "The fake boarding pass guy is at it again. His blog shows a demonstration phishing website that is able to bypass the SiteKey authentication system used by Bank of America, Fidelity, and Yahoo. Users will be shown their security image, even though they're not visiting the authentic websites." This hack compounds the study showing that users don't pay attention to the SiteKey pictures anyway.
Crux (Score:5, Insightful)
This is the loophole that we use in our demonstration. Through deceit, we convince the user to enter her security question, and thus get the SiteKey image.
No matter what kind of security system you devise, you cannot take out the human element. The Internet seems like magic to people - it knows them, it knows things about them, people can find them from all over the planet. The average user is not curious enough to learn how this is accomplished, paranoid enough to distrust anything at first glance, or savvy enough to protect themselves. Bank of America is kidding itself if it thinks the SiteKey is any kind of deterrent to a hacker.
"Two-factor" authentication lame implementations (Score:3, Insightful)
All of my financial websites (bank, credit cards, etc.) have all gone to "two-factor" authentication.
Most often, the second factor is "security questions", like "what city were you born in?" and "what's your favorite restaurant?" I always answer these with random passwords, which I put in my password safe along with the real password. Unless you do that, these are actually less secure than just having a secondary password, because others can find out that stuff.
I know every business wants to do this cheaply and half-assed; it's the American Business Way. To do it "right" would probably take SecurIDs or somesuch other token, which would get ugly for the customer after accumulating a couple of dozen different ones.
I've heard in comments here about banks that send you a list of code numbers, one-time-use, in the postal mail, and you use them up as you log in. That would be a good, cheap way to do two-factor that actually increases security.
The real problem of online banking (Score:4, Insightful)
You can implement a billion "security features", it won't mean jack as long as the only channel between bank and user is the computer. If that channel has been corrupted, the corrupter will be able to alter, delete or forge any kind of information either side should (in his opinion) get about the other end. There is no way to remove this problem unless you open a second, secure channel which is independent of the machine used for bank transfers.
Better, but still false security (Score:3, Insightful)
Re:Crux (Score:4, Insightful)
Dear me! (Score:1, Insightful)
We'd better be careful. This kid is dangerous. He could dismantle our entire society! Wait to see what happens when he points out that money is fictitious.
A bit less than it appears (Score:5, Insightful)
The obvious problem with SiteKey is the chicken-and-egg problem of getting the image to the server in the first place. There's some step where you're communicating in a fashion where you trust the server enough to give them your SiteKey, which they later show back to you. It's tied to a single computer, via a cookie, so if you log in from a different computer you need to send a new SiteKey or get them to send yours back to you, on the new computer.
So this attack only works if you can get the user to give up not only the password but also the "security question" (one of the dumbest bits of security I've ever seen; it's like a password only you can look it up.) Easy enough, if the user isn't alert (and they usually aren't.)
SiteKey depends on users to expect the key image, but the absence of the image doesn't usually trigger warning bells because they're not very common. You need some sort of phishing detector which says, "Hey, this site is known to require a SiteKey and isn't sending it to you."
Re:"Two-factor" authentication lame implementation (Score:3, Insightful)
Re:Crux (Score:5, Insightful)
Exactly. The deceit here is the same as before, there are just more hoops (for the customer, not the phisher). The problem with authentication here is that the banks want their customers to be able to log in from anywhere in the world. You simply can't properly authenticate a computer out in the wild without some additional device, like SecurID.
Why not use referrer? (Score:5, Insightful)
Essentially this means that banks would be requiring everyone to physically type (or bookmark) their bank's login page and that would be the ONLY way to get there. I suppose it could be modified to accept a referrer of the bank's own domain so you could click a "Login Here" button.
I know power users can spoof their referrer using a browser setting and malware could do the same, but at least that would be another layer. What am I missing here?
Re:Crux (Score:5, Insightful)
The deceit is simply a man in the middle attack, and we all know this is not a new thing.
I'm a BOA customer, and I've been upset with their security for years, but it keeps getting better, which is kind of a problem in itself.
Some history here. BOA's main website: http://www.bankofamerica.com/ [bankofamerica.com] was only recently redirected to a https server. In fact, until recently if you even typed https://www.bankofamerica.com/ [bankofamerica.com] you got an error message. Before doing the basic thing like moving the http server to a https server, they introduced this site key junk.
OK, here are the problems. How am I supposed to trust a website to be the site I am intending to go to when a) it's not on a https site, and it's asking for my username/password, and I cannot verify via the certificate or anything that I did not type http://bankfoamerica.com/ [bankfoamerica.com] by accident? b) how am I supposed to trust a website that is different almost every time I interface with it.
When I go to a supposedly real BOA branch on say Main Street in YourTown, USA, there are a number of things that make me believe it's real. There are other people in there, many of which are wearing BOA nametags, and the BOA logos and stuff are all over the outside and inside of the place. Also, it's expensive and difficult to put up a fake BOA storefront, and the likelihood that a fake one will generate any profit w/o getting caught is about zero (otherwise they would exist!)
Now, how much would it cost me to put up a bankfoamerica.com site? How about 15-20 of them with different typos? How much easier is it being that they can exist anywhere in the world or even outside of the world on a satellite in space even? How hard is it to generate all of these things that look exactly like the real site w/o a secure certificate behind them to boot? Now, being that BOA changes the website all the time, AND it's not on a secure server, how am I supposed to know that I'm even dealing with the same people each time?
My problem is not with BOA identifying me, it's with me identifying them. So, they add site-key and all of this crap, which puts the burden of identifying them on me, which is backwards, especially when they keep changing the rules.
When I worked in a hospital, they talked repeatedly about "universal precautions" with respect to things like AIDS and whatnot. There needs to be a set of universal precautions for doing secure transactions on the internet, and there are none.
Re:Crux (Score:2, Insightful)
>OK, here are the problems. How am I supposed to trust a website to be the site I am intending to go to when a) it's not on a https site, and it's
>asking for my username/password, and I cannot verify via the certificate or anything that I did not type http://bankfoamerica.com/ [bankfoamerica.com]
>by accident? b) how am I supposed to trust a website that is different almost every time I interface with it.
You are not supposed to! You should change banks. I would, (and have). Now I use a credit union whose IT is managed by a Math/CS professor who is well known in cryptography circles. I also use USAA, which I highly recommend to people who are eligible. (It bothers me that people leave the military and don't bother to get grandfathered into USAA; it's one of the best perks they offer.)
Stupid online banking security problems (Score:5, Insightful)
Looking at what banks can do to improve security:
- Stop putting the "lock" icon on your login form. Users should look for the lock on the toolbar or part of browser frame. (chase.com, others)
- Stop using non secure login pages (not where the login form is being submitted to) (chase.com, usbank.com, wachovia.com)
- Stop using marketing emails from strange marketing addresses. This just gets people used to bank emails from weird places.
- Make a secure bookmarkable banking page. (my bank does not do this, I get an error screen if going to bookmark)
- Simplify navigation and operation and unify systems. (my bank does not do this, if I log out on one part of the site, I'm not logged out from the "very secure" part)
Bank sites driven by marketers [washingtonpost.com]
BoA = smarter than this blogger (Score:4, Insightful)
I agree. In fact, I would go further and say that the author of this blog should actually be quite embarrassed and ashamed of this post. His "amazing discovery" is actually the whole point of sitekey. Yes, you can be a man in the middle and get the sitekey images yourself. Congratulations. You and everyone else already thought of that.
And guess what, your man-in-the-middle now has to make a sitekey request to Bank of America for *every potential victim* and as a result, BoA will easily identify your IP block as running a MITM scheme.
So in other words, this blogger is an idiot. He hasn't defeated sitekey at all. Set up a MITM site, make ten requests, and now you're out of business and the ten accounts that you phished are locked.
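The server-side signal that the last comment relies on (one address block requesting SiteKey images for many different accounts) can be sketched as follows. This is an added example, not part of the thread and not Bank of America's actual logic; the log format, the /24 grouping, the threshold, the time window and the `shared_egress` allowlist are all assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, one SiteKey image request per line:
# "<ISO timestamp> <source IP> <account id>" (format is an assumption).
SAMPLE_LOG = """\
2007-04-10T09:00:01 203.0.113.10 alice
2007-04-10T09:00:20 198.51.100.7 bob
2007-04-10T09:00:45 198.51.100.9 carol
2007-04-10T09:01:10 198.51.100.7 dave
2007-04-10T09:02:30 198.51.100.8 erin
2007-04-10T09:03:05 203.0.113.10 alice
2007-04-10T14:00:00 192.0.2.44 frank
2007-04-10T14:30:00 192.0.2.44 grace
2007-04-10T18:00:00 192.0.2.44 heidi
2007-04-10T21:00:00 192.0.2.44 ivan
"""

def flag_relays(log_text, max_accounts=3, window_s=600, prefix=24,
                shared_egress=()):
    """Return {network: accounts} for IPv4 blocks that requested images for
    more than max_accounts distinct accounts within window_s seconds."""
    recent = defaultdict(deque)   # network -> (timestamp, account) in window
    flagged = {}
    # ISO timestamps in one format sort chronologically as plain strings.
    for line in sorted(l for l in log_text.splitlines() if l.strip()):
        ts_text, ip, account = line.split()
        ts = datetime.fromisoformat(ts_text)
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        if net in shared_egress:
            # Known NAT or proxy blocks legitimately serve many customers.
            continue
        window = recent[net]
        window.append((ts, account))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        accounts = {a for _, a in window}
        if len(accounts) > max_accounts:
            flagged.setdefault(net, set()).update(accounts)
    return {net: sorted(accts) for net, accts in flagged.items()}

if __name__ == "__main__":
    for net, accts in flag_relays(SAMPLE_LOG).items():
        print(net, "requested images for", accts)
```

The 192.0.2.0/24 block in the sample also touches four accounts, but spread over hours, so it is only flagged if the window is widened; the threshold and window decide how much shared-address traffic ends up in review.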