Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

SiteKey to Prevent Phishing 377

Perekrestok writes "An article at CNN talks about a new system called SiteKey which will be rolled out at Bank of America across the U.S. by this fall. The system would require an online user to not only enter a password but also answer three personal questions. More interestingly, the system will have a button which will allow the user to verify that they are indeed at the bank's website and not at some scammer's fake site."
This discussion has been archived. No new comments can be posted.

SiteKey to Prevent Phishing

Comments Filter:
  • by A Dafa Disciple ( 876967 ) * on Wednesday July 20, 2005 @05:54AM (#13111946) Homepage
    When I'm on the web, even when looking at my bank account, I'm not trying to be held up by extraneous questions.

    Keep the password.
    Keep the button (which seems like a great idea by the way).
    Ditch the three questions.
    • by LiquidCoooled ( 634315 ) on Wednesday July 20, 2005 @06:07AM (#13111994) Homepage Journal
      (dunno why your marked as troll, but anyway)

      Phishing sites will include a big button as well
      clicking it will say:
      Of course your on the real bank website

      it does no good - i prefer the way my bank currently does it - I told them (in person when setting this up) a pass code, when logging in, they ask me for random sections of it (ie 1st, third and last digits).

      The scammers must manage to fool me multiple times to gain complete access to my account details.
      • by iamdrscience ( 541136 ) on Wednesday July 20, 2005 @06:10AM (#13112005) Homepage
        Phishing sites will include a big button as well clicking it will say: Of course your on the real bank website
        RTFA. Clicking the button shows a picture to the user that they have picked. A phisher would not be able to easily defeat this.
        • by DingerX ( 847589 ) on Wednesday July 20, 2005 @06:14AM (#13112032) Journal
          Nonsense. "We're sorry. Our personal image and passphrase server is offline for routine maintenance. Please continue about your transaction."
          • Nonsense. "We're sorry. Our personal image and passphrase server is offline for routine maintenance. Please continue about your transaction."

            The thing about that is it's just one more thing to tip a user off that something's not right. You might catch some people with that, maybe even the vast majority, but suppose it only stops 5% of users from continuing. That's a 5% reduction in phished account passwords, and that's not too bad. Sure this scheme isn't going to solve the whole problem, but any little bi

            • This will work even better for emails - include this button in any emails from the company, or better yet include the actual image. (Including the image itself in the email is a security risk, though smaller and of a different type, but it could be an <img src="http://my.bank.com/verify?user=foo"> image in the (ugh) HTML email.)

              Combined with some improvements in browsers that are being worked on, this is not bad. Though the answer 3 questions part has problems and isn't in theory any better than a
        • But at this point, it is TOO LATE!!

          You have typed in your password, and the phisher already has it . . .

          Anyway, how difficult is it for the phisher to fetch the picture from the eral site, and show it to you . . .

          I still reckon the NetCraft toolbar (or similar) is one of the best solutions available. Show the history of the site, for the user to check.

          Now, I've heard that it is trivial to fake by framing the untrusted site, but that is an implementation detail, which can be fixed. The concept is still g
          • But at this point, it is TOO LATE!!

            You have typed in your password, and the phisher already has it . . .

            Not necessarily. The system probably works as such:

            1. You enter your username and password
            2. You verify your bank
            3. You enter the answers to your personal questions
            4. You gain access to your account

            If someone tried to phish you they'd get your username and password, yes, but you'd then see that the image your bank sent you was not authentic, so you would then not enter your personal answers. You'd have to

            • Nice in theory.

              But the phisher probably works as such:

              1. You enter your username and password
              2. The phisher uses a botnet[1] to fetch the picture from the real bank site
              3. You verify the picture
              4. You enter the answers to your personal questions
              5 The phisher gains access to your account.

              Game over. Thanks for playing.

              [1] Use of a botnet prevents the bank from spotting lots of requests from a single location.
              • The phisher can't get the image from the bank's site without logging in as you first. The image could even be generated using hash visualisation [cmu.edu] so there wouldn't be a library of standard images for the phisher to try.
                • by CaymanIslandCarpedie ( 868408 ) on Wednesday July 20, 2005 @07:34AM (#13112377) Journal
                  I think the point the parent is making is if the bank gives you the image based on username/password, then it is quite possible to get around this.

                  1) You enter your username/password on the phishing site.
                  2) The phishing site then uses this username/password to retrieve the image from the bank site
                  3) You verify image ......

                  So when he is talking about botnet, he is talking about logging on to the bank site as you using the username/password you just gave them and then showing you the image returned from the bank site.

                  One more little hurdle for them to overcome which is good, but certainly not fullproof.
                  • No, the bank uses your username to get you the image and your own personal sitekey text. You only enter the password once you're happy with the sitekey. If your machine is recognized (cookie) you only need to enter your username to get the sitekey. If not, you are asked to answer the 3 personal questions.

                    For a phisher to break this he would either need to know the 3 questions or he would have to read your BofA-site-only cookies (don't know if such an exploit is possible) and use your username and cookie to

        • Clicking the button shows a picture to the user that they have picked. A phisher would not be able to easily defeat this.

          So do they show it before you log in? If so, what's to stop me going to the site and asking for your picture?

          After? Then it's too late.

          And yes, I did RTFA - my favourite quote was Although SiteKey wouldn't have prevented recent high-profile security breaches, it shows how seriously the bank considers security.

          So basically it's another hoop to jump through, that won't help. Great work
      • by Anonymous Coward
        But then it's be easy to spot the scammer:
        Of course your on the real bank website
        The real website however would say:
        Of course you're on the real bank website

    • When I'm on the web, even when looking at my bank account, I'm not trying to be held up by extraneous questions.

      Keep the password. Keep the button (which seems like a great idea by the way). Ditch the three questions.

      You need a second level of authentication. The password verifies you initially to make sure that you're very very likely you, so that they can show you your secret image (if people that aren't you can see your bank verification picture, then the picture ceases to verify the bank), then the

  • Useless. (Score:5, Insightful)

    by Seumas ( 6865 ) * on Wednesday July 20, 2005 @05:55AM (#13111948)
    And those three personal questions will be:

    What is your credit card number?

    What is your credit card's expiration date?

    What is your credit card's three-digit CCV number?

    Seriously though, I don't care if you require users to use ten pieces of personal information. They'll still choose to use the same information at 90% of the sites they deal with. And there will still be people with access to that information - whether they're administrators and customer service persons or crackers who steal their database full of customer data. The only difference is that instead of having your password and maybe credit card stolen, you'll also have thieves who have three or more pieces of personal information about you.

    Thanks, but I'll keep using the ambiguous password. It's easy to find out where a person was born or when or what their maiden name is. It's a lot more difficult to guess that their password is aPh1l@m8.

    Besides, I never give those "personal question" fields real information. Then I end up not only having to remember a password for each site, but a fake maiden name, birthplace, favorite team, first pet and so on. Screw that noise.

    And if you're dumb enough to think that PayPal really is sending you two dozen queries about the validity of your account per day, you should just give your money away and shoot yourself in the head anyway.
    • Re:Useless. (Score:5, Funny)

      by IDontAgreeWithYou ( 829067 ) on Wednesday July 20, 2005 @05:57AM (#13111956)
      What is your name?
      What is your quest?
      What is your favorite color?
    • I'm sorry, but a button? Here, take this for an example:

      JavaScript:alert("Congratulations, you are a fish!")
    • Re:Useless. (Score:4, Informative)

      by blatantdog ( 829922 ) on Wednesday July 20, 2005 @06:30AM (#13112100)
      I have a BoA account with SiteKey and here is how it works:

      - Three questions are one time only and are NOT credit card or account related
      - You also choose a tacky photo
      - Once the questions are set then it will ask you only one time from the machine you are at to answer one of the three questions
      - Once you have answered you are presented with the tacky photo and a request for your password
      - You have to reauthenitcate at each machine you are at and let BoA know if you want that machine added to the list of "safe" machines, meaning you don't have to answer the question again and are presented with only the photo and request for password.

      whew!
      • - Three questions are one time only and are NOT credit card or account related
        - You also choose a tacky photo
        - Once the questions are set then it will ask you only one time from the machine you are at to answer one of the three questions
        - Once you have answered you are presented with the tacky photo and a request for your password
        - You have to reauthenitcate at each machine you are at and let BoA know if you want that machine added to the list of "safe" machines, meaning you don't have to answer the quest

  • by MikeDX ( 560598 ) * on Wednesday July 20, 2005 @06:00AM (#13111964) Journal
    "My" online bank http://www.cahoot.com/ [cahoot.com] (which is the online arm of the abbey national) has had this type of authentication for ages. everytime I login, I am asked different questions, each login is different and has worked exteremly well. Of course if you are phished you can still be tricked into giving away to the answers to the questions you gave and used during the signup process. Instead of providing your complete password, you give certain characters from the password, for example the 2nd and 6th characters, selected from a drop down box, so keyloggers are effectively rendered useless.

    There are always going to be people who are too careless with their information, and there will always be other people who are very willing to take all of your personal information to clean out your bank accounts..
    • I've always thought UK bank security useless. How hard is it to find someones mothers maiden name, etc?

      A friend of mine when he accessed his bank in sweden had a one time password generated on part from the web page and from part generated via a little calculator device they gave out free.

      This combination seemed to me much more secure and also since the passkey was a one time only useless to anyone monitoring his computer.
    • everytime I login, I am asked different questions, each login is different and has worked exteremly well

      Halifax do the same, but cahoots system is flawed in a different way than all multi-question systems are flawed.

      Firstly, cahoots flaw, because it's funny.
      I've had a cahoot account for a long time, long before they changed to asking for 2 letters from an answer, entered from drop down boxes. The first time I tried to login with this new system, I could not, because the answer to the question they kept a
    • by RMH101 ( 636144 ) on Wednesday July 20, 2005 @06:38AM (#13112126)
      speaking as someone who's SO has just lost 4,000 UKP through a compromised work PC via a keylogger and natwest online banking, you're not as safe as you think you are.
      the latest PW_Glieder trojans will keylog and report back over a period of time: if you access your online banking a few times and are asked for characters X and Y from your password, chances are quite high that after a few logged sessions, the hacker will have enough info to build your complete password.
      this is very common indeed: current SOP is for them to move your money to another account at the same bank to which they've already stolen a matching debit card. move cash, then confederate will go into a branch and withdraw the money in cash and vanish...
      • I won't use the Natwest online banking because it requires the use of Java and Javascript (at least it did less than a year ago)

        Any bank reasonably worried about security should not require either of these (and would recommend that they be switched off)

        Barclays don't require Java or Javascript and their online banking isn't that hard to use so there really isn't any excuse.

        Tim.
      • MikeDX said: "for example the 2nd and 6th characters, selected from a drop down box".

        The important bit being the dropdown box. Sure, some browser plugin might still be able to get in the middle, but a keylogger is useless.

        You say you lost money, did NatWest pony up the cash, or were you personaly responisble?
  • Monkey in the middle (Score:2, Interesting)

    by DaveCar ( 189300 )
    Difficult to tell seeing as TFA is is almost completely content free, but if I was a scammer couldn't I just act as MITM with the SiteKey button to get the 'secret' image containing their magic phrase?
    • You do realize that when you look at your bank account, the data is encrypted between you and them, right? Apparently, they use this brand new thing called HTTPS. Looks like a winning piece of technology!
  • From TFA:
    "Customers can also verify they are indeed at Bank of America's Web site by clicking on a SiteKey button. If they fail to see a secret image and phrase they had chosen earlier, they could be at a fake Web site and the target of a "phishing" scam."

    So... once the person has given his account id, password, and answers to 3 personal questions, only then can he verify BofA's site identity?

    What kind of idiot came up with that idea?
    • by iamdrscience ( 541136 ) on Wednesday July 20, 2005 @06:28AM (#13112093) Homepage
      From TFA: "Customers can also verify they are indeed at Bank of America's Web site by clicking on a SiteKey button. If they fail to see a secret image and phrase they had chosen earlier, they could be at a fake Web site and the target of a "phishing" scam."

      So... once the person has given his account id, password, and answers to 3 personal questions, only then can he verify BofA's site identity?

      What kind of idiot came up with that idea?
      The idea works with two levels of verification. For instance, you might have to enter a username and password and then be allowed to see your secret image, then after that, you enter another username and password. This way, nobody can see your picture unless they already have your username and password, and if you get phished for those, you know it because the picture isn't right, but they don't have your second username and password required to actually access your account. I suspect that this system will work similar to that, but instead of a second username and password, you enter the answers to your personal questions.

      Still though, it seems like a potential flaw would be that you have to click on something to verify you're on the banks site. Why not just show you your picture by default? It seems like a lot of people just wouldn't bother verifying the site and they would get phished the same as they would be now.
      • "This way, nobody can see your picture unless they already have your username and password, and if you get phished for those, you know it because the picture isn't right, but they don't have your second username and password required to actually access your account."

        So, if I were a phisher, I'd work it like this:
        User: *enter u/p on phishing site*
        Phishing site: *slurp*
        Phishing site: *log in to bank site with new u/p and retrieve image*
        Phishing site: Look! We're really the bank, see??
        User: *phew!* *enters ot
    • I have BoA with SiteKey, and I think it's a great idea, first you give you login id (which is not your bank account id), then it asks you a random question (assuming your not on a trusted machine), THEN it shows you your picture, and only after that do you enter your password. So the worst a phishing scam can get from you is your login id. I guess it can also get you to answer a question, but I remember which questions i originally set, so that's another level of protection.

      Of course I think a smart phis
  • There's nothing more secure in asking three "passwords" instead of one. It's just text, people will use the same everyplace, not many will be willing to keep in mind 3 times more sh*t. And anyways, asking more text won't make phishings' job any less hard. And that button thing ? Oh come on, how many browser exploits [on many different browsers] do you wish us to list here which could be used to trick whatever button you place ?

    Just use a password over https and hope for the best, until something more usefu
  • by Uukrul ( 835197 ) on Wednesday July 20, 2005 @06:05AM (#13111978)
    Patriot Act Enhanced Questions

    1. Religion?
    2. Who you voted last election?
    3. Are you a terrorist?
    • That reminds me of the questions I had to answer when I wanted to travel to America in 1995 - Are you a communist? - Do you have connections to the mafia? - Do you know how to build your own handgun? And many more like that...
  • by Max Romantschuk ( 132276 ) <max@romantschuk.fi> on Wednesday July 20, 2005 @06:06AM (#13111985) Homepage
    I have a username and password which logs into my bank account. If it were compromised whoever has the password can see my transactions, that's it.

    In order to actually do stuff the bank (and all Finnish bank sites I know of) use a challenge/response system: I have a card which has a bunch of randon number passwords on it, around a 100, in number: password -pairs. The site asks for "password number X" (one number per session) and I give it. These passwords are unique to my own account, and the card has no identification, so if my wallet gets stolen it's useless without knowing which bank and account it's for, as well as the username and password for logging in.

    If I were fooled by a phishing site they'd get one of the hundred passwords required for a transaction, and the bank would notice pretty quick if they tried logging in and out for hours trying to get the correct challenge assigned to the session.

    Simple, yet very effective.
  • by smchris ( 464899 ) on Wednesday July 20, 2005 @06:07AM (#13111992)

    With the HTML they'll have to keep churning out, pretty soon phishing is going to seem like a real job.
  • by ack154 ( 591432 ) * on Wednesday July 20, 2005 @06:08AM (#13111999)
    If they fail to see a secret image and phrase they had chosen earlier, they could be at a fake Web site and the target of a "phishing" scam.
    I don't understand how this is going to stop stupid people from entering their info on some other website that the phishers have setup. It's not like the fake website is going to say "hey, there's no sitekey button here, we're not real."

    I just don't think changing the login procedure for the actual site has anything to do with stupid people clicking fake links and entering their info into a phishing site... If I'm missing a piece of this, please, do tell.
  • by toshidan ( 788700 )
    Nationwide Building Society in England implement a system that still uses a PIN but each time you login you are asked for three random digits from your PIN.

    When it comes to cash, I'm more concerned with security than spending less time logging in. I think asking for randomized data sets at each login is a good move.

    While its not the perfect solution (if the machine is compromised it would only take a matter of time before the phisher got the info) having a rotating login is slightly more comforting.
  • Bad rip-off (Score:3, Interesting)

    by Eivind ( 15695 ) <eivindorama@gmail.com> on Wednesday July 20, 2005 @06:10AM (#13112007) Homepage
    This seems like a combination of the typical insecure, stupid "personal question" with an actually good idea: the personal image.

    The first, using a "personal question" as a means of making easily guessable passwords more secure is dumb. It is true that people often choose easily guessable passwords. But people *even* more often choose easily guessable "personal questions". "Mothers maiden name" for example. That's how Paris Hiltons adress-book got cracked: She'd used the hugely difficult "personal question" about the name of her dog. It takes only 10 seconds of googling to find the answer to that...

    The personally selected secret image on the other hand is a good idea: phishers rely on the fact that they can easily create a fake website that looks like the real one.

    If the real one has some element that is unique to you, they won't be able to copy that, simply because they don't know what it is.

    This *ain't* the system common in Scandinavia (and other countries) by the way. What we have is generally a one-time "tan" to authorise transactions, provided either as a paper-list where you cancel out those you used, or from a small cryptographic device that generates them using the current time, your account-number and a secret embedded key.

    It is, however, just a weaker version of the proposed "security skins", which is an excellent idea to prevent or reduce phishing.

    My bank, Skandiabanken does this, sort of, already. (though they underpublizise it). There each user has a private security-certificate used to authenticate the user, in addition to the pin.

    This helps in two ways:

    First, even if you knew my customer-id and my pin, you still could not log in on my account, you wouldn't have the certificate.

    Secondly, it enables the bank to identify me even before I log in, thus giving me a personal greeting not easily copied by phishers: on the login page, before I've entered anything the bank says: "Hello Eivind Kjørstad."

    Phishers have no easy way of doing that, they generally don't have a clue which user is sitting behind which ip.

  • Other people have tackled the obvious problems with these measures. All of these problems are a result of the fact they're attempting to secure against pishing by using the SAME medium as the pishers.

    The way to secure against pishing is to use media the pishers don't have access to. The best way to do this is with a physical token. The best example is something like RSA's SecureID. There is no way for the pisher to know what that value is so it makes pishing harder. They may be able to get the value once,
  • Geezz ... (Score:2, Interesting)

    by Elgreco1 ( 714955 )
    This is not about "phishing" other than the button. Press the button and you verify it is your bank. The questions are to verify users, because users seem to use the same password for hotmail and blogg sites as with banks. I would suspect soon we will all cary a USB key coupled with a password to identify us. As for the button, all they should have is a picture of our selfs when we log in. If it is not there ... hey !!! Bingo, I am in Crusty Bank of Nigeria. Giorgis
  • by thogard ( 43403 ) on Wednesday July 20, 2005 @06:11AM (#13112016) Homepage
    The button might help. But the button on the phishing site might go off to a bot network that pulls a real picture off the main site and there is no way to tell if thats happening from the bank side of things.

    There are a few questions I'm not going answer online and I'm guessing most of them will suggested questions.

    The last issue is why the high security when its not needed? My credit card balance is public knowledge at least to anyone that can do a credit check which limits it to about 10 million people.
    A better system is typical lame password security access for read access to balances and transaction lists but an extra layer when I want to do something like move money to a different account and maybe an extra layer if I want to do something like move money to a foreign country.
  • by canavan ( 14778 )
    How will this work? When will the personal questions be shown? Even if they will be shown only after login and password have been entered, the phishers will just relay those to the real bank's site, and grab the questions or images from there - and then the phishers will already have the login information. I've seen this with ebay login phishing attempts, where they would acutally use ebay's servers to verify the credentials you have entered on the phisher's server.
  • Obligatory (Score:5, Funny)

    by value_added ( 719364 ) on Wednesday July 20, 2005 @06:13AM (#13112027)
    BofA: What is your name?
    Sir Lancelot: My name is Sir Lancelot of Camelot.
    BofA: What is your quest?
    Sir Lancelot: To seek the Holy Grail.
    BofA: What is your favorite color?
    Sir Lancelot: Blue.
    BofA: Right, off you go.
  • Not very effective.. (Score:4, Interesting)

    by riflemann ( 190895 ) <riflemann&bb,cactii,net> on Wednesday July 20, 2005 @06:14AM (#13112031)
    It's about time more banks started implementing true security online. In Europe, the majority of banks give a device which gives at least the same level of security as a normal cash machine/ POS transaction.

    You put your bank card in the device, enter your PIN, and then enter a number given on the site. Hit OK and put into the site a number returned by the device. The algorithm requires the pin number and specific card to calculate the number, so dictionary attacks are thwarted.

    Having these 3 personal questions is of limited effectiveness - until the scammers simply make a phishing site which asks the same questions.

    Why can't US (and Australian) banks just issue these card reader/token devices? It satisfies the requirements of user authentication.

    - Something you know (your PIN)
    - Something you have (card + device)

    I guess they're too cheap to do it and rely on fraud insurance to compensate for lost money.
    • These [bendigobank.com.au] guys do. I'm told Westpac do as well. I asked St George and they thanked me for my email, said they do not currently have plans for hardware tokens, but would look into it. Mmkay.

      But... these tokens don't stop a man in the middle attack if the user isn't paying attention to the SSL certificate.
    • The worst solution is the most widely used one. You get a digital certificate from the bank, which is read by some Java applet on the website after you enter a password. So it is not imported into the browser keystore. The security is thus both a file on the harddrive, and a password. Works only with IE.

      The 2nd best is a keycard, with 80 one-time 4-character passwords on. To logon you need your SSN, card identity and a 4-digit password from the card. To verify transactrions you need to enter another 4-digi
    • Why can't US (and Australian) banks just issue these card reader/token devices? It satisfies the requirements of user authentication. - Something you know (your PIN) - Something you have (card + device)

      Australian banks have started sending one-time passwords via SMS to your mobile phone. You must type the 8 digit code from the SMS into a text field before the transaction is completed.

  • It seems that those who don't understand security are destined to mess it up.

    Their "solution":

    Three challenge questions
    The year and model of my first car is public information. It is very hard to think of a question which only I could answer, which I could answer reliably. The best solution I have found to this "challenge question" problem is to choose a totally random "answer", and then it doesn't matter what the question is, I merely supply the random word which I supplied in the first instance.
    Sec
  • Once you've entered your screenname or account # the bank then displays their password to you before you enter your password. Verifying to you that it is the actual bank web site.
  • by bigattichouse ( 527527 ) on Wednesday July 20, 2005 @06:21AM (#13112061) Homepage
    The bank site needs to tell *YOU* something secret first.

    Me (arriving at site): zooble my gooble?
    Bank Site: flooble
    Me (ok I trust you)

    Instead of the site asking me for a password, I give the bank a challenge word or phrase, and I expect a certain response.
  • keyloggers will still be able to log what the user types in. After logging for some time they will have enough information to get into the banks web pages still.
  • by Anonymous Coward on Wednesday July 20, 2005 @06:23AM (#13112072)
    I'm a BOA user and use Site Key. For those that have no clue - CNN's interpretation of this "feature" is off. That should not surprise you.

    At any rate - when you sign-up for site key, you have 3 questions you can pick and give the answer to. You also select YOUR "siteKey" image.

    From that point forward, when you go to the BOA site, you enter your Login ID, click "Login with siteKey" and it will display your sitekey image. This verifies that it is a BOA website because it displayed you the correct image.

    That's all the image is for- verify this is a real BOA website. That is the purpose anyway.

    You are then asked to enter your normal password and are directed to your account information.

    Now, for the secret questions. Those come into play when you are accessing your account via a PC that was not the original PC you setup siteKey on. If the PC is not recognized (via a cookie I am sure), you are displayed 1 of your 3 questions rather than the sitekey image.

    When you answer the question, you are displayed the sitekey for verification and login as normal.

    Anyway, that is how it actually works. It isnt asking you 3 questions AND your password every time you login.
    • So -- how does this prevent a man in the middle type attack?
    • by argent ( 18001 )
      You pick your "sitekey" image from their website?

      Presumably they only have a limited number of images. The phisher can display one of the possible sitekey images at random. They will only catch at most 1/N victims, but they will have a better chance of catching the 1/N that they do match because that person will have seen the right sitekey.
  • Swedish banks use amongst others a system with both pin code and onetime codes. The onetime codes are delivered by either a kind of scratch card or an electronic code generator. Theese kinds of security mesures atleast makes it impossible to sniff your codes since one of the login credentials is always changing. Without your scratch card or code generator a hacker cant gain access to your account even if they have your pin code.

    The bank identifying its really them is something we dont have in Sweden. It re
  • An identifier, used by several Dutch banks, as one time authentication. Even if you are on a phish site, you can use this and still not get scammed: Insert your bankcard, type your pincode, type the code provided by the site, press OK, type the return code into the website.

    For a scam site to be able to crack this they need to live interface with the real bank, so they login at the bank site once you enter your code on their site. Grab the codes of the banksite, show them to you etc etc..
  • But what is wrong with SSL ? If people are fooled into ignoring ssl warnings and certificates, there's absolutelty no point in adding extra gizmos. They will still be tricked. They'd rather educate people on SSL, signed certificates etc... Imagine the conversation at the bank: - Hi, I am willing to connect to my online account - Sure sir, here's a leaflet designed for retarded lusers that will guide you to do that. - Ur no actually, I don't trust the authority that signed the SSL certificate and would like
  • please click here to activate your
    new Bank of America SiteKey.
  • by clef ( 139775 ) on Wednesday July 20, 2005 @06:32AM (#13112109)
    The National Australia Bank launched SMS authentication earlier this year.

    Whenever you transfer money or pay a bill (ie. anything risky), it sends a unique code via SMS to your phone. You then type that number into the system before it does the transaction.

    It's free too.

    It's highly unlikely someon has both stolen your mobile phone AND phished your details.
  • by Vo0k ( 760020 ) on Wednesday July 20, 2005 @06:38AM (#13112125) Journal
    - Hello, this is the Visa card center calling. A I talking with mr. John Doe?
    - Yes, that's me. What's the matter?
    - We'd like to confirm. Are you trying to make a big purchase in a shop in New York?
    - No! I'm in Washington, DC! Oh my god! My wallet is missing! My card has been stolen!
    - Would you like to cancel the transaction and block your credit card?
    - Yes, please! Right now!
    - In order to do so, we need to confirm that you are indeed John Doe, the owner of the card and not that mr Doe's phone has been stolen.
    - Please! How do we do it?
    - Please give me the number of the credit card in question.
    - I don't remember!
    - Expiration date?
    - Next year, july or june, or maybe august...
    - sorry, I can't take that for an answer. Any other info? Maybe the account number associated with the card? Or maybe the PIN number?
    - The PIN is 8352
    - Thanks, sucker!
  • Due to a recent technical glitch with our SiteKey systems, your account information is at risk. Please click here [1.2.3.4] to login and confirm your information, and re-enable SiteKey.

    Sincerely,
    Bank of America Security Department
  • Why make it so that users have to click on something to see their secret image verifying the bank? It seems like a lot of people wouldn't bother. Shouldn't the page just show the user their image by default so that they can see the site's authenticity whether they want to or not?
  • by maxwell demon ( 590494 ) on Wednesday July 20, 2005 @06:43AM (#13112146) Journal
    ... to digitally sign the web page, and give a key fingerprint on paper to the customers (so they can check they are really installing the correct public key and not a fake). Signing the page would not only ensure that the page comes truly from the bank, but also that there's no malicious change in it (as might be done through a man-in-the-middle attack, e.g. to send the data to another than the bank's server).

    Does HTTP support signed web pages (as opposed to just encrypted transmission)?

    Note that the authenticity verification would not depend on some third-party certificate (where you have to trust some certification agency possibly unknown to you), but on a paper sent to you on paper by the bank itself. Thus you have only to trust your bank (if you don't trust that, you'd better change it anyway), and fraud would need to intercept both the bank web site and the postal delivery. Which I think will be beyond the ability of the typical phisher.
  • Professionals in the field of authentication already know that it's a much stronger method of authentication to require two out of three of something you know, something you are, and something you have.

    http://www.unix.org.ua/orelly/networking/firewall / ch10_02.htm [unix.org.ua]

    But BoA's new system is just something you know, something else you know, another something you know, and yet another something you know. Unfortunately, teh Intarweb combined with the hardware that home users normally have isn't really suited
  • Site key uses 3 questions if you need to verify your identity, however it simply shows a picture of your choosing when you sign in allowing you to verify that the site is actually the BoA site that already has your information.

    Personally I hate SiteKey, it causes me to go to an extra screen when I sign in to my online banking site. I wish that there was a way to deactivate it, or at least a way to eliminate the need to type my password in twice. Eh, I guess that it might get better.

  • I think it would be fairly simple to duplicate said buttons functionality.
  • Maybe banks should start issuing their customers with USB tokens [matrixlock.de]? Tokens are like smart cards - they can perform public key operations to verify the user's identity without leaking any private information to phishers.
  • I guess I must be in a test-area (Atlanta, GA) because I got the option to set this up a couple of weeks ago.

    It works like this

    • When you activate it you select a personal image (from hundreds offered) and a text (that you enter) to be your personal sitekey.
    • When entering the BofA site you enter your username as usual, then click the "Log in via sitekey".
    • Based on your username they check if they recognize the computer you're on. If they do, they display your personal sitekey (image and test), if not th
  • How will this help? So a phishing site makes a button that resembles the bank of america one... then asks some questions.. yeah this will work.
  • Phishers (or whatever you want to call them) don't want your credit card number so that they can long into your card issuer's site as you. They want it so that they can buy stuff using the card. Your site can ask for your fingerprints, a sample of your DNA, and a photograph of your bathroom, and it won't help a bit with the phishing problem as long as vendors, the people who accept credit cards in exchange for merchandise, are willing to make do with the kind of information phishers can get most easily.
  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Wednesday July 20, 2005 @07:45AM (#13112457)
    Comment removed based on user account deletion
  • by gelfling ( 6534 ) on Wednesday July 20, 2005 @07:54AM (#13112507) Homepage Journal
    This is absolute nonsense. I can't tell you how many websites I've stopped doing business with because of their insane registration and logon requirements. This will just make that worse.
  • Banks are Dumb. (Score:3, Interesting)

    by pyite ( 140350 ) on Wednesday July 20, 2005 @08:17AM (#13112679)
    So while Wachovia spent the last year or so moving AWAY from using a SSN to login to their site, Bank of America recently switched TO using SSNs. You'd think banks would have some sort of consensus on what sort of system to adopt, but obviously not. Oh, then there's ING Direct who, for some reason unbeknownst to me decides to not use usernames, not use SSN numbers, but use arbitrarily assigned "customer numbers" to login. When I sent them a long letter on why they should use something easy to remember to login, they never gave me a reply. So, people end up writing down their customer number or, in my case, calling up ING almost everytime I want to login to my account. Just give me a SecureID or Safeword password token and the problem is simply solved. I'll even pay for it!
  • by rnelsonee ( 98732 ) on Wednesday July 20, 2005 @08:49AM (#13112946)
    I use Bank of America in Maryland, one of the test areas for SiteKey. As of now, the three challenge questions aren't used, although they did ask me to give them 3 challenge/response pairs. What Sitekey does do is after you sign in traditionally (Firefox stores this for me already, so I just click on 'Log in using Sitekey'), and then it shows you an image and phrase of your choosing. The important thing is that the image is stored (and encrypted) on BoA's server. So a phisher wouldn't have access to it, and would have to guess what your image is. It's the same tech discussed previously on Slashdot [slashdot.org].
  • by Moosifer ( 168884 ) on Wednesday July 20, 2005 @11:10AM (#13114125)
    Why do we keep trying to invent new (and fairly interruptive) methods of proving the identity of web-site when we have a perfect, yet sadly under-leveraged, method for this already available: SSL.

    The certificate system underlying SSL is already largely in-place, particularly for trusted/confidential sites, and it provides relatively assured proof of identity. The problem is that there's no way we can expect users to click on the little lock icon, and examine or understand certification paths, issuers, subjectAltNames, etc.

    Why don't browsers simply make this more plain and prominent? Why not just interpret this information and present it clearly to the user? Just an integrated toolbar that says in plain english/french/german/japanese/etc. "You and your browser know and trust the certifying authority of Verisign, and according to Verisign, this site [your bank name here] is who they claim to be. Chances are you're safe."

    And if something is off, instead of a pop-up box with three relatively cryptic security alerts to which everyone has been trained to say "yes" regardless of understanding, try simply "The identity of this site cannot be confirmed. Click for details, proceed with caution." Different discrepancies can provide commensurate levels of warning to try to avoid cry-wolf syndrome.

    This, combined with existing (and also underutilized) techniques to mitigate URL obfuscation won't be perfect, but they will go a long way, and it only requires a little effort from the browser folk.

Parts that positively cannot be assembled in improper order will be.

Working...