Will BofA's SiteKey thwart phishing attempts?

If they haven't noticed already, customers of Bank of America's online banking services will start getting prompted to enter what the financial institution is referring to as "sitekey" information.  The last time I wrote about BofA (see BofA TV ad explains why IT matters), it took over a week for me to get answers from the company's PR department.  So, take what you're about to read with a grain of salt.  I'm pretty sure it's true, but I'm not going to hold the story for a week to verify.

As best as I can tell, BofA's sitekey implementation is designed to thwart phishing attempts.  Phishing, for those of you who don't recognize the term, is what happens when crooks distribute emails en masse that pose as official email from a financial institution like BofA or, more commonly, PayPal.  The emails look very real, often retrieving their graphics from the real Web site of the financial institution they pretend to be from.  Usually, the email includes a terse warning that you'd better log into your account before it gets cancelled, or to rectify a potential security risk to your funds.  It includes links to log in with your ID and password, and if you click them, you're taken to a page that looks like the real deal.  If you enter your ID and password there, you're doing so on the crooks' systems, and they can take those stolen credentials and use them to wipe out your real accounts.  Most of these emails show up in the inboxes of people who don't even do business with the financial institution in question.  The crooks simply blast them to millions of people, hoping that some small percentage of the recipients actually do business with that institution and fall for the ruse.  Thus, the crooks are fishing for information.

Although phishing is part computer hack (in the way the emails look so real and sometimes hide the true identity of the phisher), it is mostly a form of social engineering.  It tricks people into doing something they've probably been told dozens of times not to do.  As all social engineers do, phishers prey on trust.  Phishing has taken its toll on financial institutions.  Not only have millions of dollars been lost (or spent) because of the problem, it undermines the potential for email to serve as a way for financial institutions to stay in touch with their customers.  Today, in the interest of being safe rather than sorry, I routinely delete all email that comes from any financial institution.  As long as I do that, I know I won't be successfully phished.  This causes a serious problem for banks: what if they really had to warn customers about a security breach or a sudden change in policy?  If untrusting customers like me are routinely tuning out all email from all banks, there's a 100 percent chance of me not getting the message (at least via email).  If banks could issue me a personal, secure RSS feed, that would probably do the trick.  But so few people, as a percentage of all Internet users, use RSS today that it's a solution ahead of its time for most banks and their customers.

[Image: maplesyrup.jpg]

What's the next best thing to a personal RSS feed?  How about a personal Web page on the bank's Web site, one that has elements on it that only you know are there, so that when you visit your financial institution's Web site, you know you're in the right place.  This is essentially what BofA has done with its sitekeys.  The last time I logged into my BofA account, it forced me to do two things.  First, I had to pick an image from a large library of images.  For example, you can pick the image of a dog or the image of a can of pure maple syrup (see the example image, above left).  Second, I had to name the image.  Even though it wasn't clear to me why I was going through this, I went along with the Web site's insistence that I do it (after ignoring the request a couple of times, BofA's site forces you to go through the process).  Then, the next time I logged in, my login page had not only a copy of the image I selected, but the name I assigned to it as well.

Since only BofA and I know which image I selected and what I named it, only BofA can put that combination on my login page.  There was no mistaking that I was on BofA's Web site.  In other words, when email arrives claiming to be from BofA, I can click its links and visually confirm the email's authenticity.  If they take me to a login page showing the image I selected (and the name I gave it), the email is authentic.  If the page is missing that information, then I could very well be on an imposter site that's hoping to trick me into giving it my credentials.  The check is only as strong as the secrecy of that image-and-name pairing, though: anyone who can get the bank to show them my sitekey (for instance, from a computer the bank already recognizes as mine) can copy it onto a fake page, so a missing image is a reason to stop, while a present one is not by itself proof that the page is genuine.
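To make the mechanism concrete, here is an added example that is not Bank of America's code: a toy Python model of sitekey enrollment and the two-step login it produces. The account names, the image library, the password handling and the device-cookie scheme (an opaque random token that the bank maps back to the account) are assumptions made for the illustration; they show what the customer's visual check proves, and what it does not.

```python
"""Toy model of a SiteKey-style login. Added example, not Bank of America's
code: the user names, image library and device-cookie handling are assumed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for the bank's image library.
IMAGE_LIBRARY = ("dog.jpg", "maplesyrup.jpg", "sailboat.jpg")

SiteKey = Tuple[str, str]  # (image file, phrase the customer typed)


@dataclass
class Account:
    user_id: str
    password: str  # toy only; a real system stores a salted password hash
    sitekey: Optional[SiteKey] = None
    device_tokens: Set[str] = field(default_factory=set)


class Bank:
    """Server side: enrollment, device recognition and the two-step login."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, user_id: str, password: str) -> None:
        self.accounts[user_id] = Account(user_id, password)

    def enroll_sitekey(self, user_id: str, image: str, phrase: str) -> None:
        """The step the article describes: pick a library image and name it."""
        if image not in IMAGE_LIBRARY:
            raise ValueError("image must come from the library")
        self.accounts[user_id].sitekey = (image, phrase)

    def remember_device(self, user_id: str) -> str:
        """Issue the device cookie. It holds only a random opaque token that the
        bank maps back to the account, never the image name or the phrase."""
        token = secrets.token_urlsafe(32)
        self.accounts[user_id].device_tokens.add(token)
        return token

    def login_step1(self, user_id: str, device_cookie: str) -> Optional[SiteKey]:
        """Show the SiteKey before asking for the password, but only when the
        request carries a device token the bank issued for this account."""
        acct = self.accounts.get(user_id)
        if acct is None or acct.sitekey is None:
            return None
        for token in acct.device_tokens:
            if hmac.compare_digest(token.encode(), device_cookie.encode()):
                return acct.sitekey
        return None  # unknown device: a real system would fall back to challenge questions

    def login_step2(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        return acct is not None and hmac.compare_digest(
            acct.password.encode(), password.encode())


def customer_accepts(shown: Optional[SiteKey], expected: SiteKey) -> bool:
    """The decision the article asks the customer to make: type the password
    only if BOTH the image and the phrase match what was chosen at enrollment."""
    return shown is not None and shown == expected


def demo() -> Dict[str, bool]:
    bank = Bank()
    bank.register("alice", "correct horse")  # constructed account
    bank.enroll_sitekey("alice", "maplesyrup.jpg", "breakfast")
    cookie = bank.remember_device("alice")
    chosen = ("maplesyrup.jpg", "breakfast")

    # 1. Genuine site, enrolled browser: image and phrase come back, password goes in.
    honest = customer_accepts(bank.login_step1("alice", cookie), chosen)
    honest = honest and bank.login_step2("alice", "correct horse")

    # 2. Imposter page with no access to the bank's records: nothing (or a
    #    guessed image) is shown, so the customer should stop here.
    imposter_shows = customer_accepts(None, chosen)

    # 3. The cookie is a bearer token: copied to another machine (as one
    #    commenter below reports doing) it makes the bank reveal the SiteKey.
    stolen = customer_accepts(bank.login_step1("alice", cookie), chosen)

    return {"honest": honest, "imposter_shows_sitekey": imposter_shows,
            "copied_cookie_reveals_sitekey": stolen}


if __name__ == "__main__":
    print(demo())
```

The point of the third case is the one the article's check cannot cover: the image is revealed to whoever presents a recognized device token, so the visual check guards against a fake page that knows nothing about you, not against one (or a piece of malware) that can obtain the token or a screenshot.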

But now comes the big question: could solutions like these put an end to phishing and restore trust in the email system as a way for financial institutions to stay in touch with their customers?  Personally, I like the idea.  It appeals to me as a power user, and it's sure to foil some phishing attempts, which is ultimately in everybody's best interest (OK, not the phishers').  But I also think it's very high-tech, perhaps so much so that it won't be effective with the same people, the not-so-tech-savvy, who are such easy prey for social engineers.  That's because social engineering works independently of technology.  No matter how good a security technology is, most technological countermeasures are no match for a decent social engineer.

  • I love this idea!

    Now, the next worm/virus/whatever that attacks someone's system and goes rooting through their email can also "click" the links in your emails, and report to a central server part of your authentication process with the bank. Brilliant.

    I'm just waiting for the day when someone starts a free website that lets you make a username and password, and then tries those emails/usernames/passwords on Amazon, eBay, PayPal, etc. knowing full well that almost everyone uses the same passwords for everything...

    Justin James
    • easier to do than it sounds

      Thanks to how many sites like Amazon, PayPal, etc. are all about convenience, many of them would have a method for someone to set up a little login form on any webpage, which would log you into your account at their site... this means that any web program would be able to just use those provided forms to run the tests... it would just need to prevent new windows, and verify whether the sign-ins were successful.
  • So easy to Hack

    I just tried this for a lark. I copied over my cookie.txt file from C:\Documents and Settings\jroberts\Application Data\Mozilla\Firefox\Profiles\a5hznw3c.default\cookies.txt to my friend's computer at his house and tried to log in, and SiteKey seemed to recognize his computer as an authenticated device. This means that all a hacker has to do is steal my user ID and password and this file, and that's it. Seems like if a hacker downloaded a trojan onto my computer this should be easy to do. I am a little peeved that all the advertising makes me feel secure, but it is not so.
    • Also need to ID site

      While the BofA site will recognize the computer with the imported cookie, the website will still require the user to ID that the site has the correct picture and title.

      Unfortunately for BofA, that is the weak link. If people are falling for the phishing scheme, are they going to remember the picture and title they selected?
      • It's like any security precaution

        Two points:
        1. Good point, some people will always be careless...until they get burned, but since it is their money, they should be careful. In addition, if people check their accounts regularly (which everyone should do) they will get used to seeing the picture and title. There will always be a small percentage of people who are careless enough to get phished. If you know any...remind them of the consequences.
    • Designed against phishing, not hacking

      Your point is well taken, but SiteKey is designed to protect against getting phished, not getting hacked. Protection against hackers comes from using firewalls, anti-virus, anti-spyware, intrusion prevention/detection systems, and a bit of good old horse sense and surfing caution.
    • Might be easy to replicate

      In theory, isn't the picture description stored in a cookie, and the image URL (or ID) also stored in a cookie? If this is the case, it shouldn't be difficult for a phisher to access the same cookie, and build the picture into their own site.

      I also feel the same as others, in so far as, "if a person is non-computer-savvy, they are still as likely to get caught by a phishing website."

      Solutions like this one, and a recent one launched by www.westpac.com.au seem to be very short-sighted. Personally I like the 2-factor authentication (such as random token generation), or NatWest.com idea of using only partial pins.
      • exactly

        I can safely say that it is as easy as knowing the specific cookie's name if you want to get that information out.

        BofA's mistake is not encrypting the information in the cookie. Most SSO solutions do exactly that, for example Passport.

        That said, all BofA has to do is encrypt the data on store, decrypt it on request, and bang... they're done.

        Of course, if the IT manager who slipped this one through the cracks had listened to his engineers instead of speedily getting a solution on the net, this discussion would probably not be taking place.
  • David Berlind about phishing-prevention

    David, I suggest using your applications from ASPs (application service providers) and logging in with fault-proof biometrics (like heartbeat-id), even for your email application. Then you can forget about phishing, or any other security-related issue!
  • Might be easy to replicate

    I am not sure, but the picture is probably stored on their secure computers, rather than in the cookie. The cookie probably tells the bank's computer where to look to display it.
  • Keyloggers = 1 SiteKey = 0

    The advanced keylogger programs are capable of taking a screen snapshot of your online banking login page. If a phisher needs to know your secret SiteKey picture, he will simply take a snapshot of it.

    With today's organized crime involved in hacking for bucks, only a hardware type of solution will offer you the proper security to access your online bank account. They are about as simple to use as your front door key.
    • not feasible

      Unfortunately, hardware solutions are not very feasible.

      Ever tried to figure out your Intel processor's processor ID? That's one that has a nice lid on it.
      • hardware solutions

        Why do you think that, "hardware solutions are not very feasible"?

        What is really unfortunate are systems sold to end users that ask prearranged questions, provide bingo cards, and/or use pictures, stating that your online bank account is secure when it is NOT! End users need to demand proper security from their FI or find one that provides it.