SiteKey phish demonstrated against BofA

SiteKey phish demonstrated against BofA

Summary: The use of images to assure a user that they are not being phished has started to become common. Yahoo!

TOPICS: Security

The use of images to assure a user that they are not being phished has started to become common. Yahoo! uses them. And BankofAmerica has been using Passmark's (RSA) technology in their SiteKey scheme to protect their online banking customers from being phished.  The idea is that a cookie in your browser alerts the BofA server that it is you returning and you see an image that you selected when you first signed up for online banking. If you were at a fake site you would be suspicious because you would not see the familiar image. 

The scheme falls down because there has to be a way to accommodate someone logging in from a different computer when they are on the road, at a conference kiosk, etc.  So Bank of America asks a "secret question" and then installs the cookie on the new machine. This is where an attacker can interject a Man in the Middle attack.  The phishing site gets the secret question from the BofA server, passes it to the user, and passes the answer back to the bank.

Christopher Soghoian, a grad student at Indiana University  school of informatics, has posted some movies of his clever attack on his site as well as the php script for attacking BofA's servers. He points out that RSA also sells activity monitoring solutions (from Cyota) that BofA probably uses so an actual exploitation of a compromised account will probably not work. Until they figure out a way around it, that is. 

Its a war of escalation and banks have to stay ahead.   



Security blog 

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Thoughts from a long-term RSA consultant:

    1. RSA only sells the Passmark image-based two-way authentication module as part of its Adaptive Authentication package, which -- as Richard noted -- includes a risk-analysis engine which would likely identify this type of transaction as worthy of further scrutiny, perhaps including an out-of-band contact with the customer. See:

    2. RSA's Adaptive Authentication package can be upgraded to include token-based RSA SecurID authentication, or even USB or smartcard-based authentication and crypto services, and may include specialized anti-trojan defense services. Current implementations at prominent US and international banks likely include new IETF-issued security protocols, CT-KIP and EAP-POTP, developed by RSA to provide additional security against MitM attacks for token-based two-factor authentication. See:

    3. The classical layered IT security paradigm acknowledges that there is no perfectly secure InfoSec mechanism, something many young security mavens often overlook in their eagerness to document one or another flaw in any single security layer. (The Indiana researchers handle this far more responsibly than most.) The concept of a layered defense adapts the security architecture to acknowledge imperfect security at any one security layer, but seeks to protect against exploitation of those specific weaknesses with additional, and complementary, security mechanisms.

    4. In neo-classical economics, a Pareto Optimization refers to a movement from one allocation to another -- given a set of alternative allocations and a set of individual beneficiaries -- that can make at least one individual better off, without making any other individual worse off.

    BofA, and many other financial institutions, seem to follow this rule-of-thumb guideline when they adopted image-based host authentication, a defense mechanism which (although not perfect) does give their customers an opportunity to block many conventional phishing attacks. Image-based host authentication is also something that can be quickly implemented for all customers at the bank's server -- which means a bank can avoid the long campaign for user buy-in, typically required for consumer security apps (where an irritated customer can just bounce to another bank if he doesn't think he needs an additional hassle.)

    When you come down to it, there are very few alternative security mechanisms that a financial institution can quickly implement, at the bank's servers, to provide some significant measure of security for all customers, everywhere -- while customer education campaigns build awareness of the threat and a willingness, among customers, to accept the ease-of-user burden of additional security mechanisms.
  • No -- way!!!

    Uh -- geez... I always follow security practices...

    No matter how hard you try phishers, you won't get me to open e-mails and click in the links...
    Grayson Peddie