Study Finds Bank of America SiteKey is Flawed

An anonymous reader writes "The NYT reports on a Harvard and MIT study, which finds that the SiteKey authentication system employed by Bank of America is ineffective at prevent phishing attacks. SiteKey requires users to preselect an image and to recognize this image before they login, but users don't comply. 'The idea is that if customers do not see their image, they could be at a fraudulent Web site, dummied up to look like their bank's, and should not enter their passwords. The Harvard and M.I.T. researchers tested that hypothesis. In October, they brought 67 Bank of America customers in the Boston area into a controlled environment and asked them to conduct routine online banking activities, like looking up account balances. But the researchers had secretly withdrawn the images. Of 60 participants who got that far into the study and whose results could be verified, 58 entered passwords anyway. Only two chose not to log on, citing security concerns.' The study, aptly entitled "The Emperor's New Security Indicators", is available online."

Flawed system or flawed usage?

[stillachild]

Seems to me like the system itself is not flawed, but the way the users choose to operate on it. This could be due to a lack of clear explanation by the BOA website.

Re:

[jsnipy]

Agree. This could be said about anything where users do not pay attention or bother understanding.

Re:

[pyite]

In my experience with the technology, websites do not adequately explain what it is you're doing and why. I have what is probably an above average information security background and I found myself confused at points. It's a stupid idea only further hampered by the fact that it's not explained well, all because the banks are too cheap to give people one time password tokens. While OTP tokens don't eliminate problems, they are a lot more useful than random images displaying. In addition, in the case of Secur

Re:Flawed system or flawed usage?

[russ1337]

>>>"In my experience with the technology, websites do not adequately explain what it is you're doing and why"

I'm a B of A customer, and I thought it was made pretty clear about how the sitekey worked - so did my wife (as non-technical as she is). If people are not seeing their site-key and continuing with the 'experiment', perhaps the experiment was flawed. (The people may have felt they should continue even though the sitekey was not present, as they wanted the experiment to succeed.)

Also, I don't think I'd be logging into my BofA account on someones strange computer that was 'set-up' for me... fear of keyloggers and all that.

Re:Flawed system or flawed usage?

[monkeydo]

If people are not seeing their site-key and continuing with the 'experiment', perhaps the experiment was flawed. (The people may have felt they should continue even though the sitekey was not present, as they wanted the experiment to succeed.)

Did you read the paper? The study attempted to control for this by telling one of the three groups that the purpose of the study was to test security awareness. This group did just as badly as the others.

Re:Flawed system or flawed usage?

[russ1337]

"Did you read the paper?" -- Yes.

"The study attempted to control for this by telling one of the three groups that the purpose of the study was to test security awareness."

Exactly. That is my point, the people knew_they_were_part_of_a_study, and may have reacted differently to how they would normally.

I recall reading about a study (here on /. I think) where people were required to inflict pain on another person whom they could hear in the other room, when that person did not achieve what was required. It was determined that because the person knew they were part of a study/experiment, they would inflict far more pain than they would normally - especially when told 'continue' by the program supervisor. Even after the 'actor' in the other room was in extreme pain, and exhibiting the audible characteristics of dying.

Re:

[Anthracks]

FYI, the study you're referring to was the Milgram Experiment [wikipedia.org] and it raises all sorts of interesting ethical questions for researchers.

I agree

[metamatic]

It seems likely to me that most people thought "Hmm, this page is suspicious", but that the obedience to authority (OTA) principles Milgram demonstrated made them go ahead and log in anyway.

It's not clear to me how you could fix the experiment to avoid OTA behavior overriding and destroying your actual data.

Re:

[Ungrounded Lightning]

They conducted a study in which people were asked to access their own bank accounts on computers and networks controlled by the experimenters (where they could then hack the site presentation and record the subjects' actions).

Nobody with a CLUE about online security would participate in such a study.

As for the two groups who were not using accounts set up for the purpose: They would be unfamiliar with the account settings, have no personal stake in the results, and could be expected to try to bull through

Re:

[delinear]

In my experience with the technology, websites do not adequately explain what it is you're doing and why.

The fault here doesn't lie just with the websites. As someone involved in implementing e-commerce websites, numerous user focus groups and usability analysis sessions indicate that people just wouldn't read the information even if you did bother to provide it, and moreoever they'd see it as off-putting and a detriment to using the site (I'm talking about the majority of users here, by the way, but it

Re:

[tha_mink]

As someone involved in implementing e-commerce websites, numerous user focus groups and usability analysis sessions indicate that people just wouldn't read the information even if you did bother to provide it, and moreoever they'd see it as off-putting and a detriment to using the site

I couldn't agree more. People don't read. After our focus groups preceeding a recent launch, it was explained to me by a marketing fellow that we needed to explain a process and provide instructions for something that was

Re:

[ColdWetDog]

In other words - life.

Re:

[SNR monkey]

The website seemed pretty clear to me. Right under the login section is a line that says "Where do I enter my passcode?" Clicking on it reveals the text:

We are changing the way you sign in to Online Banking to better safeguard the privacy and security of your personal information. Previously, you signed in to Online Banking using your Online ID and Passcode. From now on, you'll also use your SiteKey. Here's how this new service will work:
You'll enter your Online ID and click the Sign In button.
On the nex

Re:Flawed system or flawed usage?

[Znork]

"If you don't read this..."

Actually, I'd suggest 'if you read this and believe this in any way makes you safe from phising you should take your banking offline'.

This scheme is worthless. Once the user enters his username the bank discloses the picture. There's nothing stopping a phishing site or trojan from immediately using the username to obtain the correct picture and displaying it to the user. IE, the explaining text should say 'if you recognize your SiteKey you still have no idea wether or not it's safe to enter your passcode'.

Whoever thought this up obviously missed a few computer security classes.

Re:Flawed system or flawed usage?

[thebigbluecheez]

As a Bank of America customer, I have to tell you that you're not entirely correct here.

If I log in from a new computer (or clear cookies on my own), I have to add that computer to the safe list. That is, I have to get a new cookie.

In order to authorize a new computer, I have to answer one of three preselected security questions. These questions include:
What is your maternal grandmother's first name?
What is your maternal grandfather's first name?
In what city where you born?
What was the name of your first pet?
  and 5 more that I don't care to take the time to count.

After this authorization takes place, my sitekey is displayed, allowing me to verify the authenticity of the site.

That's not to say it's foolproof, but it isn't quite as simple as you make it out to be.

What really makes it fun is when my mom's cookies get cleared, and she can't recall the answers to her questions. /missed the aforementioned security classes //not an expert, just a user.

Re:

[diamondsw]

This scheme is worthless. Once the user enters his username the bank discloses the picture. There's nothing stopping a phishing site or trojan from immediately using the username to obtain the correct picture and displaying it to the user. IE, the explaining text should say 'if you recognize your SiteKey you still have no idea wether or not it's safe to enter your passcode'.

Wrong. If you have not saved your userid (and thus have to enter it, as you would at a phishing site) then BofA will ask your security questions before allowing you to log in with the SiteKey. If you go to a phishing site, you would not only miss your security questions, but it would then have to get the sitekey picture.

So a phishing site, even with your userid, will have to try to retrieve your security questions and present them, long before it would ever get to the SiteKey.

If you can come up with someth

Re:

[Anonymous Coward]

I hope you realize that all those security questions don't make anything more secure either. In fact, I am of the opinion that they make things LESS secure, and they certainly make things less convenient for me.
Think about it. If I answer the questions truthfully, then a determined attacker would most likely be able to find out the answer to them through some means or another. If i answer the questions untruthfully then I now have to essentially remember 5 different passwords. Doable for one site, but th

Re:

[Znork]

"If you have not saved your userid (and thus have to enter it, as you would at a phishing site)"

Unfortunately, that still doesnt help much; a trojan would have access to the cookie, and the phishing site could forward the security questions, faking lost or expired cookies (if it didnt just use cross-site scripting exploits to get it).

"If you can come up with something better, I'm all ears."

Well, it isnt easy to make the system foolproof, that's for sure. In a worst-case scenario (which is altogether far too

Re:

[smclean]

It needs to be a flash animation with 3d rendered anime dragons and magic small furry creatures, superimposed over videos of skateboarders bashing their nuts on rails.

The sad thing is it would probably improve security..

Re:Flawed system or flawed usage?

[UnknowingFool]

Nope, it's clear, but I fear users are oblivious. That's why Vista's annoying security notifications will not be as effective MS would like them to be.

Allow TakeControlComputer.exe to run?

"Yes, quit bothering me. How do I turn that off? Let me google it."

Re:

[dfn5]

Seems to me like the system itself is not flawed, but the way the users choose to operate on it. This could be due to a lack of clear explanation by the BOA website.

You give users too much credit. The fact of the matter is that people are idiots. It's one thing for people not to recognize <a href="http://200.200.200.200/accountbalance">http: //www.bankofamerica.com/accountbalance</a> in their email. But for someone to go through the trouble of picking out a picture and then summarily dismiss

Re:

[TechnoLust]

"67 BoA customers...of the 60 that got that far" So 7 people couldn't even get to the sitekey? (I'm a BoA customer, the site key is the second step of the login process, after entering your username or SSN on the main page.

Re:Flawed system or flawed usage?

[bjourne]

It was not to hard to guess that that would be the very first response to this article. It is very typical for techies to expect users to use the system as the system was designed. That is not what happens in the real world. The usage of the system is equivalent to the system itself. If the usage of it is flawed, then the system, too, is flawed.

Many systems require you to change your password once a month or more often. Of course, the password must not be based on an English word and must contain both uppercase and lowercase letters and digits. Is it then a user failure when every other user forgets their password? No! It is the system that is faulty.

Therefore Bank of Americas system is faulty, most password based systems are infact faulty. It is not an acceptable excuse to put the burden on the user. It is a cop out. We are techies, we should make stuff work. It is our job.

Re:

[the phantom]

It was not to hard to guess that that would be the very first response to this article. It is very typical for doctors to expect patients to use medicines as medicines were designed. That is not what happens in the real world. The usage of the system is equivalent to the medicine itself. If the usage of it is flawed, then the medicine, too, is flawed.

Many medicines require you to refill your prescription once a month or more often. Of course, the prescription must be refilled by a trained and licensed ph

Re:

[diamondsw]

At some point you MUST assume some basic level of competence from the user. Or do you expect that their system should work and magically do their work and taxes when they bang their fists on the keyboard?

There are certainly many security systems that fail to take into account human behavior - mostly draconian corporate ones. The BofA one is one of the friendliest I've seen; I know if I didn't see my SiteKey it would set off warning bells. What would be even better is if it allowed you to upload your own ima

Lack of explanation, and technically poor.

[raehl]

My bank started doing this. They way I was introduced to it is when I logged in they asked me to select a picture and then pick a label for it. There was no explanation whatsoever.

Now, like most Slashdot readers, I'm a tech guy, but I didn't know what they were trying to do. My GUESS was that they were going to have me enter in the caption each time I logged in as a sort of separate password. It wasn't until I read some news article about it much later that I understood what the point of it was. I can'

Re:

[jafiwam]

There's a hidden improvement in the ability to detect phishing when you force the phisher to make a live connection. A few of them in fact;

The phisher now has to have a live connection and has one step closer to them tracked in the log file. Sure, it's probably a compromised machine, but now the phisher NEEDS a compromised machine. Not all of them go to that trouble yet.

This raises the bar a bit on the phishers. (Ruling out the inept 14 year old ones with free web site hosts in Lichtenstein.)

Every bit

Re:Flawed system or flawed usage?

[Tom]

Rule #1 of user interface design: The user is always right. If he does something wrong, thank him for pointing out a flaw in your interface.

Re:

[FuzzyDaddy]

I use BOA to do my online banking. The problem is, users expect to see instructions when they call up the website. So it's great when the page loads up, shows the sitekey, and then says "always make sure the site key is there". However, a phishing site could say "use of the site key has been discontinued", or simply omit the sitekey, and the user would then proceed anyway. It's part of the "don't read the manual" mentality, whereby we all expect to figure things out from the context. Hence, we have no

Re:

[Khuffie]

Wait...that's why my bank (INGDirect) made me select an image and shows it to me whenever I login? I had no idea, and their explanation of their 'new security features' was virtually non-existant.

Re:

[CastrTroy]

I immediately thought of the Milgram experiment [wikipedia.org] when I was reading the summary. People just typed in their password, because they were aware they were participating in a scientific study, and hence thought that they wouldn't be going to any phishing sites.

This could be solved...

[Gnissem]

If BofA periodically did not show the image and then warned the user they had made a mistake by entering their password, users would soon be trained to look for the image. Setting up a security system once and then not reinforcing it periodically so that users take it seriously is the probelm.

Re:

[aadvancedGIR]

In theory, I could agree, but I don't think it will actually work.
People want to access your site now and one in a while, you tell them "don't login now because we are doing an exercise, but if you login anyway, we will simply tell you it is bad before providing you the service", many people will simply chose to knowingly login because they trust their bookmark to link to the valid URL.

Re:

[Deathlizard]

you could train this until the cows come home and people will still do it.

At this point, Computer exploitation has been in the news for almost a generation now, and people to this day still don't protect themselves against malware or inform themselves about scams. Hell, Windows screams at you if you don't have protection and still people run unprotected, Although it doesn't help much when MS scares people away from updating their OS with their Genuine Advantage program.

I'm a staunch believer of the 1% rule,

Newflash!

[SNR monkey]

Enhanced security measures thwarted by stupid users. More at 11!

It seems like most security systems based on users not being idiots are doomed to fail. Phishing attacks work because people don't follow normal security procedures, making the authentication process longer/more involved for the user seems to be an inherently flawed idea because it trusts the user to know what is best for him/her.

Re:

[UbuntuDupe]

Right, but they didn't simulate a phishing attack in the experiment. Rather, the customer initiated the visit. To simulate a phishing attack, they should have had the users check their email, rather than initiate a visit to their bank's website.

Re:

[morgan_greywolf]

E-mails are not necessarily the sole source of phishing attacks. I seem to remember an attack that involved a piece of malware that changed the user's proxy settings to a proxy that could serve up phishing pages for certain sites. And if I'm not remembering it and it's just an idea I had, then it isn't long before someone does it for real.

Re:Newflash!

[gsslay]

The point is that people turn off their brain once told what to do by someone or something that appears to be a source of authority. Here it was the people who led them into the room and stood about with clipboards. People are used to being told what to do by other officious looking people.

On a website all it needs is an official looking statement at the top of the phishing page that says "We are sorry, but our image security is broken just now, please log in as normal while we fix it, thank you." People are used to being told that computer systems are down and they should manage as best they can while they're repaired.

You simply can't regulate for people not willing to think for themselves.

Re:Newflash!

[Tom]

The point is that people turn off their brain once told what to do by someone or something that appears to be a source of authority.

Nonsense. We ask people to do things we can't expect them to - understand networking security. What we instead should do - and have been failing to for years - is build systems that are actually useable by human beings with little or no special computer knowledge. Or, if that is impossible (and the proof for that is still out!), insist on basic training as a prerequisite for letting people go online, much like a driving license.

Why is SSL accepted and widespread and PGP isn't? Because PGP requires people to deal with things they don't understand like fingerprints, keylengths and all that other technical stuff. SSL doesn't. If there's a yellow lock icon in the status bar, everything is good, otherwise something is wrong. That's the level that normal people deal with and it's not a fault of them.

You and I are the same, in areas we didn't study. What would you think if your doctor required you to understand every medical detail of that operation you need before he does it? You trust him to know his shit, that's what you pay him for, right?

It's time we earn our pay.

And I speak as a professional security guy. "User education" has failed because we tried to bring users to a high level of technical knowledge, instead of bringing the technical knowledge required down to their level.

Re:

[Bozdune]

You missed his point completely. Check out the "Milgram Experiments" (http://en.wikipedia.org/wiki/Milgram_experiment).

Re:

[Tom]

I know that experiment. I also know how well-known it is and I expect a study done by two respectable universities to take its effects into account.

Re:

[Tom]

Phishing attacks work because "security procedures" aren't.

You have formal and informal security. Formal security is long, complicated and tedious. I've yet to see it being used anywhere outside the military. Informal security works for normal people, but it is inherently flawed.

The problem isn't the user. The user is entirely himself. The problem is that we have no way to verify remotely that indeed he is he. All the additional bells and whistles are simply to cover up that simple fact. It's just another l

Sensationalist headline...

[spicyjeff]

The SiteKey isn't flawed, the people are.

Re:Sensationalist headline...

[jalefkowit]

The SiteKey isn't flawed, the people are.

People are, by definition, flawed. Any security system that is predicated on this changing sometime soon is broken.

Re:

[hey]

"People are, by definition, flawed...".
Er, where can I lookup the definition of people?

(Yes, I know people are flawed -- but isn't by "definition".)

Re:

[gsslay]

People are an integral part of the SiteKey system, it's pointless without them. If their flaws are not removed by the total functionality of the system, then the system is flawed.

Not that I think anything will ever be able to claim 100% success in this. But arguing it's not a problem with SiteKey, but with people, is kind of like making a powertool for three hands then arguing it's a people problem that no-one can use it correctly. You knew before you started people's limitations.

Re:

[Tom]

The system expects people to do things that people do not usually do. How is that not a flaw in design?

The main failure of these "image recognition" systems is that they require the user to react to the absence of information. The lack of something, and especially something familiar, is very rarely even consciously registered, unless you are specifically trained to expect it and react to any change of presence.

Here's an experiment to try at home: Tell your spouse, kids, whoever, to choose one of the decorat

meh - controlled environment?

[hashmap]

1. go to an unusual place,

2. sign an agreement form,

3. follow instructions that say: "Log into your account"

4. you're aware that people are watching you and will analyze what you did

whatever results they get do not prove anything other than:

People placed in a unfamiliar, controlled environment with Harvard scientists ogling at them will not check the security image.

h

Re:

[seanadams.com]

Indeed, but what is surprising is not that they didn't notice the missing image, but that they agreed to participate at all.

Biased sample?

[ArsenneLupin]

Indeed, but what is surprising is not that they didn't notice the missing image, but that they agreed to participate at all.

You may be on to something here. Maybe most people who they did ask refused to participate... phearing that the entire experiment might be a setup trying to get at their banking passwords.

The few that did participate where either excessively trusting or clueless, making them more likely to not worry about the missing image either.

In a word, they used a biased sample.

Re:

[inviolet]

In a word, they used a biased sample.

:golf clap:

Damnit, where are my mod points when I need them?

Re:

[aadvancedGIR]

He! I din't realized it until I saw your post, but this is a great physing technique, using less target but with a exceptionaly big hit ratio: just preted to be a scientist making reserches on security and ask all the participants to enter their passwords.
It may not work in the long run, but it could definitely work.

Re:

[UbuntuDupe]

You know, that made me think about another way the results are biased:

Scientist: Hi, I'm a stranger, will you participate in an experiment where you enter your account information on my computer?
Person 1: What? Are you insane? No way!
Scientist: Hi, I'm a stranger, will you participate in an experiment where you enter your account information on my computer?
Person 2: Um ... no?
Scientist: Hi, I'm a stranger, will you participate in an experiment where you enter your account information on my computer?
Person

Re:

[dcavanaugh]

Ah yes, the good old "Help us with a security study" scam. Perhaps you even get a free iPod for participating. All it takes is a fancy domain name, like nationalcenterforbankingsecurity.org It would probably work much better than the unimaginative phishing tactics that are commonly used today.

For as long as I can remember, the concept of spelling and grammar remains a central weak point of spammers. I sometimes wonder how much of the spam and phishing problem could be defeated by automated spelling/gram

It works for me...

[John.P.Jones]

You can lead a horse to water but you can't make them pay attention to security concerns...

The BofA login is helpful to me, I fully expect to see my login token when I login to my account and would not login if I didn't see it. Some people won't pay attention and there isn't ANYTHING that BofA could do to prevent that (that isn't outrageously inconvinient for me.)

Re:

[NtroP]

I fully expect to see my login token when I login to my account and would not login if I didn't see it.

I agree. I also like the images being there when I log in. That being said, I have a dozen other accounts that do NOT have this - instead just have either the normal username/password pair or sometimes just username, with password being prompted for on another page, but no pictures (I have no Idea why).

Although I take security very seriously and almost never go to my banking sites when I'm not on my

SiteKey is not to protect customers

[sexyrexy]

It's to protect Bank of America from liability. If someone's account integrity is compromised due to phishing, the bank's ass is covered - they implemented a two-way authentication, the user just chose to ignore it (after indicating they read and understood the terms and function of the SiteKey)

Re:

[edunbar93]

You underestimate the power of stupidity. This study only proves two things that those in the security biz already knew: 1) users don't give two shits about security, and 2) users are the weakest link in the security chain.

Re:

[sholden]

Except there's a bunch of places on the bankofamerica.com web site that ask or your passcode without showing you the site key - just normal username/password boxes on a form. So I doubt their ass is covered.

Re:

[diamondsw]

That may be true, but isn't it better than banks that have NOT implemented such additional security? To rephrase that a bit, several years back you could have said the following:

"It's to protect Bank of America from liability. If someone's account integrity is compromised due to packet sniffing, the bank's ass is covered - they implemented 128-bit SSL encryption, the user just chose to ignore the lack of the little key icon (after indicating they read and understood the terms and function of encryption)"

People are not "Flawed"

[jmagar.com]

Those of you stating that the problem is with the users are somewhat mistaken. At some point we as an industry are going to have to get more professional and stop blaming the users for all of the system problems. Let's take a new approach: include this requirement in your designs: A user may not understand the whole system, much in the way that you don't understand all the inner working of your automobile. A user of the system is not required nor expected to understand how it works.

Now, go forth and design systems that work, instead of blaming your design failure on the user.

Re:

[Aladrin]

I can see both sides of this. Providing the pics enables customers to guarantee their security. But the very kind of attach this is meant to prevent can very easily get around it by simply not displaying the 'if you don't see the picture' text and picture at all.

So the challenge is to come up with a solution that requires the user to react properly and cannot be faked by a man-in-the-middle attack.

This solution obviously doesn't work. A captcha obviously doesn't work, as criminals can simply decode those

Re:

[jmagar.com]

If you care to ensure that the system is secure then you should really use best practices: Key Fob [wired.com]

RSA login fobs have been around for many, many years, and I am not aware of a better system.

Policy is "Flawed"

[Orne]

Here's another wrinkle for you... one of my banks (ING Direct) has become so adamant about these security features that it seems like every 3 months they're implementing another personal identification system.... It's hard to keep up with what the current system is.

I'm a more tech savvy user, but even I get very annoyed by the layers I have to go through:

1. Account Number / Password: Ok, I get this, pretty standard.
2. Can't type the password anymore, you have to use a little graphical PIN Pad to click your code

pick a hole in my method please....

[way2trivial]

If I go to log on, I see a grid of 12 boxes. This grid changes every time (minor pain)

in each box is 2-3 letters & 1-2 #'s that are randomly distributed on each page load.
I have to hunt for my password each time.

I click the individual box that represents the password characters 1 by 1, and something in that box gets added to the password box on screen.

look at a us keypad phone- if that PRECISE result popped up in the randomizer and my password is stick5tome
it would transmit 7842558663 to the website..

Re:

[chinton]

Yes they are. Right below my SiteKey is the following instruction:

If you don't recognize your personalized SiteKey, don't enter your Passcode.

What they heck else is BofA supposed to do if their users cannot follow the most basic instruction. This has nothing to do with knowing the inner workings of your automobile or BofA's system. They don't have to. They need to be able to read and follow a simple instruction (which was explained fully when they set up their SiteKey to begin with).

Re:

[Daemonstar]

The problem isn't that that users "don't understand all the inner workings" of the site (because they probably shouldn't), it's that they can't follow security (or operational) procedures.

People are expected (and required) to pass a test given by the State to see if they can safely operate a vehicle. They're not required to change oil, swap out spark plugs, or install a sound system. They're supposed to already know how to get in, start the vechicle, put on safety belts, and operate the vehicle accordi

Re:

[Jennifer York]

If you think you know all the inner workings of your car, you must not be an experienced engineer. Do you understand your EFI? The timings, failure modes, economy vs performance... What about your airbag system? At what G does it deploy? Your ABS... what sample rate does it have?, latency for actions?... Dual zone Climate controls? Even something as simple as lights and turn indicators: what controls the rate of the turn signal blink?

My point is that I doubt very much that you understand the inner

BoA ppor implementation

[redelm]

BoA relies upon persistant cookies to determine whether to send the sitekey image. If you don't have that cookie (clear or other machine), you have to enter your passwd to get the sitekey. Rather rediculous, but they don't want to be trolled for keys.

Fishy?

[gEvil (beta)]

The error message also had a conspicuous spelling mistake, further suggesting something fishy,.

I'm beginning to wonder if this article actually appears on the NYTimes website...

As a BOA customer...

[porkThreeWays]

I can say sitekey is the most useless piece of junk meant to make my life harder. It's one of those pieces of security that sound good to PHB's but is retarded in practice. Other banking notables? Linking your ip address to your bank account and activex controls that won't let you in until it's verified you have antivirus software installed. Get with the program guys. Half baked schemes to make online banking "safer" rarely do so and in many cases make it less safe.

Give me an online banking system with a

Re:

[WhiteKnight07]

"Give me an online banking system with a good old fashioned username and password and I'm set."

In that case give Washington Mutual a try. I'm been using their online banking for several years now. All it asks for is a user name and password. Although if you get your password wrong 3 times it locks your account and you have to physically go to the bank to unlock it. Rather annoying but at least I know my account won't be brute forced. Their site even plays nice in Seamonkey/Firefox on Linux.

Re:

[Rodness]

I wholeheartedly agree. I am also a BofA customer, and while I have enjoyed a great banking experience with them, the SiteKey thing managed to piss me off. A year ago when they rolled out this crap and I was forced to sign up for it, I ranted on my blog about it. Here's an excerpt:

Bank of America has unrolled this stupid SiteKey thing, which just doesn't benefit the consumer much. It seems to be a way for them to have more plausible deniability without actually taking on any responsibility.

The idea is th

And don't get me started about those pictures.

[NotQuiteReal]

I get so sick of looking at cute fuzzy animals and bright cheery flowers.

I can't tell one image from another after a while.

I have accounts at several of those "pick-a-picture" type places and not a single one of them offers memorable porn images with which to motivate your security instincts!

Just once, I'd like to make phishers look at goatse man for a long time, before they even get a chance to rip some one off. Might make them think about prison too!

The Real Question is...

[Expertus]

when will these 'researches' be arrested for pointing out flaws in a security system.

you have succeffully logged out!

[IceFox]

This coming from a bank who's website frequently goes down and when clicking links within my accounts page will suddenly (and randomly) tell its users how they have "successfully logged out" without a link to the main page to re-login and continue. And lets not forget the determination to automagically remove bank statements after six months and yet at the same time keeps pestering its users to cancel their paper copies. I would have to say that Bank Of America is the perfect example of how not to run a banking website. Every time I call their tech support I am costing THEM money.

Poorly designed populace

[analog_line]

Basically, this method of security fails when people don't care about their security. This is a problem?

Security requires active checking to make sure a security measure is in effect. If you don't check to see if your padlock was secured, it's not the lock maker's fault if someone unhooked the unlocked padlocked and stole your stuff.

Actually this is worse. The lock maker damn well isn't at fault IF YOU DIDN'T CHECK THAT IT WAS YOUR PADLOCK.

The system is actually technically flawed

[jyoull]

Discussion and links to papers here:

http://bbaadd.com/blog/2006/08/security-why-siteke y-cant-save-you.html [bbaadd.com]

This overview of "Fraud Vulnerabilities in SiteKey Security at Bank of America" is written for a non-technical audience. Some details have been greatly simplified, and some new material is presented. Readers seeking more depth of coverage should consult the original paper, available at the above URL.

Although this report discusses SiteKey at Bank of America Corporation, the general risks discussed here apply to all SiteKey sites including ING Direct and Vanguard.com, and they apply even more generally to any security method that relies solely on server-side interventions to detect and stop online fraud.

Re:

[richg74]

Just for clarification, the last two paragraphs in the parent (from "This overview ..." through "... stop online fraud.") are quoted from the abstract at 'bbaad.com'. The "original paper" referred to is available here, as a PDF. [cr-labs.com]

One point bears repeating. The articles refer to Bank of America, but this applies to all sites that use similar mechanisms, such as Vanguard (mentioned above) and Yahoo!.

It's also worth noting that the large majority of users in the experiment ignored the absence of the SSL "p

Re:The system is actually technically (correction)

[richg74]

Aargh. I copied the wrong URL. The link in my post above is to a PDF version of the Web page for a non-technical audience. The original paper [PDF] is here. [cr-labs.com]

Sorry about that.

SiteKey Explanation insufficient.

[Marc_Hawke]

The problem is that it wasn't introduced well.

If someone is already familiar with the concept, then it makes sense. However, for most people, the explanation was an annoyance and a confusion one time when they logged in, and the rest of the time it's just an extra click before they can enter their password.

I have two banks that use that scheme for authentication. On both of them, one day they just popped up a picture and said, "what is this picture?" So you make a guess as to what is shown in the picture, and hope you guessed right.

On subsequent logins, they fill in your guess for you, so it seems ridiculous that they are asking what that picture every time.

Since the explanation was lost on most users, it's not surprising that they don't care that it's different.

Infact...if you just make a site that popped up a random picture and asked them to name it, I'd expect everyone would fall for it.

This isn't about customers being lazy or stupid, (well not always.) It's about the SiteKey deployment being inadequate and there being insufficient explanation for something that customers have never heard of before.

"It's the users, not the system!" syndrome

[Brown]

There're a number of comments saying things along the lines of:

..the system itself is not flawed, but the way the users choose to operate on it

Enhanced security measures thwarted by stupid users. More at 11!

The SiteKey isn't flawed, the people are.

It's a common error to ascribe problems with usability to 'idiot users'. The real problem is software that's designed for the wrong target group (experts, where it should be everyman) or just badly designed, confusing or poorly explained interfaces. The fact is, this system *has* to be designed to cope with clueless users. If it's only safe for use by people with an IQ over 100, then half the population will be at risk!

Can lead a horse to water...

[shoptroll]

If users don't know how to properly use the security features provided to them, is that a system failure or a user failure? That's like blaming Linksys for someone hijacking your router because you didn't change the default router password nor did you setup any form of encryption on your 802.11.

This reminds me of a training day for my workstudy job where one of the higher ups in the IT department talked about a survey done where they offered people a cookie for their password. At least 50% of the people i

Browser data

[kebes]

Totally tangential to the actual topic of the study, but I noticed that in the details of the study [usablesecurity.org] they interviewed the people about their normal computer habits. They state:

28 participants (42%) reported using Microsoft Internet Explorer as their primary browser, 30 participants (45%) use Mozilla Firefox, 7 participants (10%) use Apple Safari, 1 participant (2%) uses Opera, and 1 participant (2%) uses an unspecified browser. Of the 39 participants who did not use Internet Explorer as their primary browse

The site key is not in itself flawed...

[angelwalkwithme]

The site key is not a bad idea for those users who actually use it, but yes most people aren't paying attention. But I think it really ignores the more obvious solution. This is to frequently remind users to NEVER CLICK A LINK THROUGH E-MAIL. Type the website into your browser every time and you will never have this problem. I would put this scam in the same category as phone fraud phishing; most people know that you're not supposed to give your SSN or Bank Numbers when somebody calls you. This should

isn't this more network monitoring protection?

[blanks]

I remember when this idea was brought up as another step in the login and authenication protection when users login. It was mainly an attempt to keep automated data harvesters from collecting infromation from thousands of users at one time (collecting data from a large list of stolen user infromation) as well as protecting users from having their username and password sniffed over a network. If the user had their user/pass stolen the theif would still need to know what image they had pre-selected.

Hold on...

[John Whorfin]

If you're brought into a "study" (in a "controlled environment") and asked to "conduct routine online banking activities" wouldn't you have a resonable expectation of security?

I mean where do you think they got these 67 BofA customers? They probably asked at a branch. They the folks know that this whole thing is at least done with the blessing of BofA.

Plus, I can't imagine the study administrators said things like, "and be sure to mind all the normal security practices" for fear that might bias the group.

Re:

[Todd Knarr]

If you received an e-mail you believed was from BofA and followed the link to their Web site, you'd similarly believe you were secure. That's one of the main goals of a phishing attempt, to lull you into that false sense of security. Hence the whole point of the study: to determine how well SiteKey does at cluing users in to the fact that there's a problem when they aren't expecting problems.

This is timely for me at work

[your_mother_sews_soc]

I am currently doing contract work at a financial institution where we are evaluating several security measures from different vendors in order to comply with the FFEIC guidelines. One feature we are considering is a passmark.

At first the passmark seemed like a great idea until I tried to remember which of the borkerage accounts I had recently required me to set one up. At that poit I realized how virtually useless it really was, because if I couldn't remember if it was Fidelity or Vanguard (it was Vangu

Phishers Fool the Fools

[BoRegardless]

So when are we going to get an independent "call back" from the secure site where an RSA key is validated, to tell you that both parties are validated, possibly using an iris scan for the end user/customer?

News flash...

[fahrbot-bot]

This just in, "People are stupid." Film at 11.

The screw is up anyway

[sholden]

I you go to http://www.bankofamerica.com/creditcards/ [bankofamerica.com] pages and click "View all cards", click one of the cards, click "Apply now", click "Sign in".

It then gives you a page asking for your passcode without bothering with the site key junk.

So not only do the customers not pay any attention to it, the bank itself doesn't bother with it either.

I would have to agree with the study

[kalislashdot]

In my experiences. I hate the SiteKey. I called and tried to opt out. I told them I was smart enough not to get duped by a phishing site. they refused, said it was part of it now.

My other experience was with my 70 year old father. He had no idea why he had blueberries, of how the picture got there even. He would not have cared what picture is there. He does not read the fine print, he just clicks and clicks to get in. I told him. You don't see blueberries, don't put in your password.

Overall I think it is a

Re:

[OldeTimeGeek]

Um, no they don't. Maybe one of the banks that NationsBank acquired before BofA had used one and they've chosen to retain it, but my long-standing BofA account's login isn't a SSN and never has been.

Re:

[chrismcdirty]

When I signed up for my BofA credit card online banking maybe 4 years ago, using SSN was the only option for a username. And the password at that time was 4-6 digits, numeric-only.

Re:

[Liselle]

How can bank of america know the phishing site from the user?

I hate to defend SiteKey, because it's a piece of shit, but BoA knows the user from the phishing site because any time a new IP address tries to access the image, the authentication does not include the SiteKey picture and instead asks the usual security questions.

Of course, BoA may have screwed the pooch on this one as well, so you never know.

Re:

[tomstdenis]

... yeah replying to flamebait ...

Anyone who thinks social welfare is a complete waste of effort has obviously never had been given a pink slip, or still lives with mommy and daddy. When you got bills to pay and your employer decides to give you the boot it's nice to know that you're not facing the street at the end of the week.

Granted it gets abused, but that's why you enforce policy not cut people who need it off.

Though yea, generally if you don't take reasonable steps to ensure your safety, you're kinda

Re:

[99BottlesOfBeerInMyF]

If I setup a "lemonade-stand" labeled "B of A Deposits" in my neighborhood and tell people they can make deposits with me instead of going to the bank, should the bank be held responsible if some people actually do it? At some point, people have to take responsibility.

It's not just that people aren't taking it seriously, it is that the system was designed without taking the human element into account. You say "what if I set up a lemonade stand" but that is exactly the same issue. That scam wouldn't work

Mod parent up!

[Skadet]

Well done, sir. I was about to reply since I, like you, have seen the unemployment line in my day through no fault of my own. But it looks like you beat me to it. I tip my hat.

Re:

[kebes]

If you read the original study paper [usablesecurity.org] (warning: PDF), in the ethical guidelines section they state:

Ethical guidelines are of particular concern in this study, because we ask participants to perform tasks using their own account information.

Despite the fact that they were asking the participants to "role-play", they were told to use their own login credentials. Apparently, many of them were easily induced into handing out this information.