SiteKey to Prevent Phishing
Perekrestok writes "An article at CNN talks about a new system called SiteKey which will be rolled out at Bank of America across the U.S. by this fall. The system would require an online user to not only enter a password but also answer three personal questions. More interestingly, the system will have a button which will allow the user to verify that they are indeed at the bank's website and not at some scammer's fake site."
When I'm on the web, even when looking at my bank account, I'm not trying to be held up by extraneous questions.
Keep the password.
Keep the button (which seems like a great idea by the way).
Ditch the three questions.
Falun Dafa is good!
And those three personal questions will be:
What is your credit card number?
What is your credit card's expiration date?
What is your credit card's three-digit CCV number?
Seriously though, I don't care if you require users to use ten pieces of personal information. They'll still choose to use the same information at 90% of the sites they deal with. And there will still be people with access to that information - whether they're administrators and customer service persons or crackers who steal their database full of customer data. The only difference is that instead of having your password and maybe credit card stolen, you'll also have thieves who have three or more pieces of personal information about you.
Thanks, but I'll keep using the ambiguous password. It's easy to find out where a person was born or when or what their maiden name is. It's a lot more difficult to guess that their password is aPh1l@m8.
Besides, I never give those "personal question" fields real information. Then I end up not only having to remember a password for each site, but a fake maiden name, birthplace, favorite team, first pet and so on. Screw that noise.
And if you're dumb enough to think that PayPal really is sending you two dozen queries about the validity of your account per day, you should just give your money away and shoot yourself in the head anyway.
People can't even remember their passwords let alone the answer to three questions and their password.
Perfect, now it will take ONLY 5 minutes of question answering to log-in to my bank's website and check my balance for 5 seconds.
"My" online bank http://www.cahoot.com/ (which is the online arm of the Abbey National) has had this type of authentication for ages. Every time I log in, I am asked different questions; each login is different and it has worked extremely well. Of course if you are phished you can still be tricked into giving away the answers to the questions you gave and used during the signup process. Instead of providing your complete password, you give certain characters from the password, for example the 2nd and 6th characters, selected from a drop-down box, so keyloggers are effectively rendered useless.
There are always going to be people who are too careless with their information, and there will always be other people who are very willing to take all of your personal information to clean out your bank accounts.
Difficult to tell seeing as TFA is almost completely content free, but if I was a scammer couldn't I just act as MITM with the SiteKey button to get the 'secret' image containing their magic phrase?
Maybe they already know some of that personal info, and it would be easy to make a button on a scammer site that looks like it's confirming the site.
This is a typical corporate CEO decision on security, get a clue you corporate types. Is it really that hard to think a little more or maybe listen to your security people?
From TFA:
"Customers can also verify they are indeed at Bank of America's Web site by clicking on a SiteKey button. If they fail to see a secret image and phrase they had chosen earlier, they could be at a fake Web site and the target of a "phishing" scam."
So... once the person has given his account id, password, and answers to 3 personal questions, only then can he verify BofA's site identity?
What kind of idiot came up with that idea?
... man-in-the-middle attack?
If there's a phishing site between you and your bank, you could exchange anything (passwords, answers, pictures, what have you), and the phisher will still succeed.
Yes, I read the article. So far, nothing they list will stop a MITM-attack. I hope they handle this as well.
Great, but why so complicated? And, is this even safe with many other services requiring you to give them pseudo-personal answer/question combos? (mother's maiden name comes to mind)
Why not simply use the safest process I know of to date, that being a small calculator-style device that you use to login, where it generates a password for you that can only be used for 60 seconds?
(and to all the people that think this is a hassle or would be too expensive, I'm using one myself, and it's neither a hassle nor did the bank charge me anything)
There's nothing more secure in asking three "passwords" instead of one. It's just text, people will use the same everyplace, not many will be willing to keep in mind 3 times more sh*t. And anyways, asking more text won't make phishings' job any less hard. And that button thing ? Oh come on, how many browser exploits [on many different browsers] do you wish us to list here which could be used to trick whatever button you place ?
Just use a password over https and hope for the best, until something more useful and usable comes around. This above ain't smelling like any of those.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Patriot Act Enhanced Questions
1. Religion?
2. Who you voted last election?
3. Are you a terrorist?
My city: Barcelona.
Incorrect colour
I have a username and password which logs into my bank account. If it were compromised whoever has the password can see my transactions, that's it.
In order to actually do stuff the bank (and all Finnish bank sites I know of) uses a challenge/response system: I have a card which has a bunch of random number passwords on it, around 100 in number:password pairs. The site asks for "password number X" (one number per session) and I give it. These passwords are unique to my own account, and the card has no identification, so if my wallet gets stolen it's useless without knowing which bank and account it's for, as well as the username and password for logging in.
If I were fooled by a phishing site they'd get one of the hundred passwords required for a transaction, and the bank would notice pretty quick if they tried logging in and out for hours trying to get the correct challenge assigned to the session.
Simple, yet very effective.
.: Max Romantschuk
ohhhh...a button (a la little green guys from toy story)...
how exactly does a button make this not a phishing site? are u telling me bank of america has coders which can create buttons that have a greater level of power than the boys over in the ukraine or russia? cmon now...
PUSH MY BUTTON BABY!!
Mad, adj : Affected with a high degree of intellectual independence. Ambrose Bierce - The Devil's Dictionary
With the HTML they'll have to keep churning out, pretty soon phishing is going to seem like a real job.
"the system will have a button which will allow the user to verify that they are indeed at the bank's website and not at some scammer's fake site."
Brilliant idea, not. If the phishers don't make a similar feature, they are rather incompetent I'd say. Something like: Click here -> Oh yes, it's us, don't worry. Just give us your banking data, we are not some scammers.
yet my inbox is still rather UPS1ZED and 3NLARGED for my tastes, especially with all that Cial:is ...
I just don't think changing the login procedure for the actual site has anything to do with stupid people clicking fake links and entering their info into a phishing site... If I'm missing a piece of this, please, do tell.
Ridiculous... Why should IT have to cover the shortcomings of idiots that can't tell the difference between a scam and the real thing???
Which one of you has ever got a 'Security Details Update' request from YOUR bank by phone or letter let alone by email...
Nationwide Building Society in England implements a system that still uses a PIN, but each time you log in you are asked for three random digits from your PIN.
When it comes to cash, I'm more concerned with security than spending less time logging in. I think asking for randomized data sets at each login is a good move.
While it's not the perfect solution (if the machine is compromised it would only take a matter of time before the phisher got the info), having a rotating login is slightly more comforting.
What banks should really implement for online access is the use of a key fob, such as RSA's SecurID. ETRADE recently started offering a limited number of them free to customers and I was lucky to get one. It's basically an LCD screen with a six digit number that changes every 60 seconds. You need to enter your username and password + that six digit number every time you log in. It then takes your password and that six digit number and authenticates it against a RADIUS server.
I used to support SecurIDs for Deutsche Bank, and they work really well. Adding extra personal information requirements to the login screen (as INGDirect currently does) isn't helpful when the person logging into your account probably already has all that information anyway!
The first, using a "personal question" as a means of making easily guessable passwords more secure is dumb. It is true that people often choose easily guessable passwords. But people *even* more often choose easily guessable "personal questions". "Mother's maiden name" for example. That's how Paris Hilton's address book got cracked: she'd used the hugely difficult "personal question" about the name of her dog. It takes only 10 seconds of googling to find the answer to that...
The personally selected secret image on the other hand is a good idea: phishers rely on the fact that they can easily create a fake website that looks like the real one.
If the real one has some element that is unique to you, they won't be able to copy that, simply because they don't know what it is.
This *ain't* the system common in Scandinavia (and other countries) by the way. What we have is generally a one-time "tan" to authorise transactions, provided either as a paper-list where you cancel out those you used, or from a small cryptographic device that generates them using the current time, your account-number and a secret embedded key.
It is, however, just a weaker version of the proposed "security skins", which is an excellent idea to prevent or reduce phishing.
My bank, Skandiabanken, does this, sort of, already (though they underpublicise it). There each user has a private security certificate used to authenticate the user, in addition to the PIN.
This helps in two ways:
First, even if you knew my customer-id and my pin, you still could not log in on my account, you wouldn't have the certificate.
Secondly, it enables the bank to identify me even before I log in, thus giving me a personal greeting not easily copied by phishers: on the login page, before I've entered anything the bank says: "Hello Eivind Kjørstad."
Phishers have no easy way of doing that, they generally don't have a clue which user is sitting behind which ip.
Other people have tackled the obvious problems with these measures. All of these problems are a result of the fact they're attempting to secure against phishing by using the SAME medium as the phishers.
The way to secure against phishing is to use media the phishers don't have access to. The best way to do this is with a physical token. The best example is something like RSA's SecurID. There is no way for the phisher to know what that value is so it makes phishing harder. They may be able to get the value once, but that won't help them next time.
Once these schemes become more widespread, we'll see phishers performing a man in the middle attack; that is, they'll make their site into a proxy that connects to the real bank and passes your details to the actual bank. They'll then insert their own commands to steal your money.
Phishing isn't all that easy to stop and the attacks are only going to get more ingenious.
Simon.
This is not about "phishing" other than the button. Press the button and you verify it is your bank. The questions are to verify users, because users seem to use the same password for Hotmail and blog sites as with banks. I would suspect soon we will all carry a USB key coupled with a password to identify us. As for the button, all they should have is a picture of ourselves when we log in. If it is not there ... hey !!! Bingo, I am in Crusty Bank of Nigeria.
Giorgis
The button might help. But the button on the phishing site might go off to a bot network that pulls a real picture off the main site and there is no way to tell if that's happening from the bank side of things.
There are a few questions I'm not going to answer online and I'm guessing most of them will be suggested questions.
The last issue is why the high security when it's not needed? My credit card balance is public knowledge, at least to anyone that can do a credit check, which limits it to about 10 million people.
A better system is typical lame password security access for read access to balances and transaction lists but an extra layer when I want to do something like move money to a different account and maybe an extra layer if I want to do something like move money to a foreign country.
SuperUser: Three questions. He who answers the five questions-- User: Three questions. S. User: Three questions may access the system. User: What if you get a question wrong? SuperUser: Then you are cast into the Gorge of Eternal Peril. ...
Computer: What is your favourite colour?
User: Blue. No- AHHHHHH!!!
What we have here is something that will give customers confidence that they are on the right web site and not some phishing hole.
If a phisher can put up a fake web site and actually attract customers there, the phisher can find a way to make it seem legitimate.
Call me a luddite but I do my banking at a real bank with a real cashier and with real pieces of paper. We still don't have an electronic system that's as good as a paper trail for settling disputes.
How will this work? When will the personal questions be shown? Even if they will be shown only after login and password have been entered, the phishers will just relay those to the real bank's site, and grab the questions or images from there - and then the phishers will already have the login information. I've seen this with eBay login phishing attempts, where they would actually use eBay's servers to verify the credentials you have entered on the phisher's server.
BofA: What is your name?
Sir Lancelot: My name is Sir Lancelot of Camelot.
BofA: What is your quest?
Sir Lancelot: To seek the Holy Grail.
BofA: What is your favorite color?
Sir Lancelot: Blue.
BofA: Right, off you go.
An almost Longhorn-like level of innovation.
It's about time more banks started implementing true security online. In Europe, the majority of banks give a device which gives at least the same level of security as a normal cash machine/ POS transaction.
You put your bank card in the device, enter your PIN, and then enter a number given on the site. Hit OK and put into the site a number returned by the device. The algorithm requires the pin number and specific card to calculate the number, so dictionary attacks are thwarted.
Having these 3 personal questions is of limited effectiveness - until the scammers simply make a phishing site which asks the same questions.
Why can't US (and Australian) banks just issue these card reader/token devices? It satisfies the requirements of user authentication.
- Something you know (your PIN)
- Something you have (card + device)
I guess they're too cheap to do it and rely on fraud insurance to compensate for lost money.
Sparks:Gadget:Beer Maker
"More interestingly, the system will have a button which will allow the user to verify that they are indeed at the bank's website and not at some scammer's fake site."
Brilliant idea. I'm sure that said scammer's fake sites will look exactly the same, except they will lack that button.
Karma: Positive (probably because of superiour intellect)
Their "solution":
Three challenge questions
The year and model of my first car is public information. It is very hard to think of a question which only I could answer, which I could answer reliably. The best solution I have found to this "challenge question" problem is to choose a totally random "answer", and then it doesn't matter what the question is, I merely supply the random word which I supplied in the first instance.
Secret image and phrase
I need to provide the website with all my secret details and only after I have authenticated I can find out if their site is legitimate? It's really difficult to protect against keyloggers and man-in-the-middle attacks. The bank should be using client-side certificates as a minimum. What they announced sounds like "feelgood security" - it's absent all the technical mumbo-jumbo like certificates and SSL and keys (which will just alienate grandma) and it has a feelgood button which you can press to prove to yourself that the site is real - even grandma can grasp that concept.
I was about to say that the only way to stop phishing is to use RSA style hardware tokens.
;-)
(I mean a button that verifies the site?!... I can see all the phishing sites now... click this button and we will REALLY REALLY promise that we REALLY are your bank.. now please answer these questions so we can rape your account... oops I mean check your identity...)
But then I thought, why does it have to be hardware? Why can't a user just download a piece of software from their bank that syncs to their PC clock and generates token ID numbers the same as the physical RSA token? I mean most people leave their tokens next to their PC so if someone can get to your PC they can get to your token, right?
I mean the phishers may get one or maybe even 2 token IDs, but with a good hash algorithm it won't be any use.
Even better idea... make it a browser plugin that handles it for the user automatically?!!
Man... I should patent this
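As an added illustration of the time-based token scheme described in this post and in the SecurID post above (this is not code from the original page, from RSA or from any bank): a TOTP-style code generator over a shared secret and a 60-second clock slot, plus the bank-side check that also refuses to accept the same code twice. SecurID's real algorithm is proprietary; the HMAC construction, the demo user name, password and secret are assumptions made for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the tokens discussed above change their code every 60 seconds
DIGITS = 6

# Constructed demo record: username -> (static password, token secret).
# A real token secret is provisioned by the bank and never typed by the user.
DEMO_USERS = {
    "alice": ("correct horse", bytes.fromhex("3132333435363738393031323334353637383930")),
}


def token_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code a token (hardware or software) displays at `unix_time`.

    HOTP/TOTP-style construction: HMAC-SHA1 over the time slot, then RFC 4226
    dynamic truncation to `digits` decimal digits. Anyone holding the secret and
    a clock (a PC program, per the post above) computes exactly the same code.
    """
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class TokenServer:
    """Bank side: static password + current token code, and no code accepted twice."""

    def __init__(self, users=DEMO_USERS, skew_slots: int = 1):
        self.users = users            # username -> (static password, token secret)
        self.skew_slots = skew_slots  # tolerate clock drift of +/- this many slots
        self.last_slot = {}           # username -> last time slot whose code was accepted

    def authenticate(self, username: str, password: str, code: str, now: int) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        static_pw, secret = record
        if not hmac.compare_digest(static_pw.encode(), password.encode()):
            return False
        current = now // STEP_SECONDS
        for slot in range(current - self.skew_slots, current + self.skew_slots + 1):
            if hmac.compare_digest(token_code(secret, slot * STEP_SECONDS), code):
                # A phished code works at most once and only inside its window:
                # any slot at or before the last accepted one is treated as a replay.
                if slot <= self.last_slot.get(username, -1):
                    return False
                self.last_slot[username] = slot
                return True
        return False
```

A software token built this way is functionally identical to the fob, which is also why a keylogger on the PC that stores the secret has everything it needs, whereas a fob never exposes its secret to the PC.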
Here in Sweden the SEB http://www.seb.se/ issues each Internet Bank customer a little keypad (digipass) which gives a time limited code in response to two 6 digit numbers requested by the website at login time.
To use the digipass you need a PIN.
So you can phish all you want, the only way to break in is to steal the digipass, and know the PIN. I've had my digipass for years now, I can't remember when this system started!
Other banks here have used other methods, but many are moving over to similar systems.
Furthermore the SEB Internet banking is miles ahead of the HSBC which I also have in England. They ask for certain digits out of a ten digit number that you have to have given them in setting up the system.
Sorry, nothing profound to put here! (http://www.abacus4.com/
Once you've entered your screenname or account # the bank then displays their password to you before you enter your password, verifying to you that it is the actual bank web site.
You can legislate morally you can't legislate morality
The bank site needs to tell *YOU* something secret first.
Me (arriving at site): zooble my gooble?
Bank Site: flooble
Me (ok I trust you)
Instead of the site asking me for a password, I give the bank a challenge word or phrase, and I expect a certain response.
meh
Bad bank! When I go online to view my information or make changes, I want the quickest way in and out. A simple username, password, and possibly PIN is all you need. Just like shopping - Get in, get your stuff, get the hell out. If you aren't comfortable with the security of online banking, do it the old fashioned way and only get information every 30 days.
http://www.rit.edu/~smo4215/monty.htm#Scene%2023
Keyloggers will still be able to log what the user types in. After logging for some time they will have enough information to get into the bank's web pages still.
I'm a BOA user and use Site Key. For those that have no clue - CNN's interpretation of this "feature" is off. That should not surprise you.
At any rate - when you sign-up for site key, you have 3 questions you can pick and give the answer to. You also select YOUR "siteKey" image.
From that point forward, when you go to the BOA site, you enter your Login ID, click "Login with siteKey" and it will display your sitekey image. This verifies that it is a BOA website because it displayed you the correct image.
That's all the image is for- verify this is a real BOA website. That is the purpose anyway.
You are then asked to enter your normal password and are directed to your account information.
Now, for the secret questions. Those come into play when you are accessing your account via a PC that was not the original PC you setup siteKey on. If the PC is not recognized (via a cookie I am sure), you are displayed 1 of your 3 questions rather than the sitekey image.
When you answer the question, you are displayed the sitekey for verification and login as normal.
Anyway, that is how it actually works. It isn't asking you 3 questions AND your password every time you login.
Swedish banks use, amongst others, a system with both a PIN code and one-time codes. The one-time codes are delivered by either a kind of scratch card or an electronic code generator. These kinds of security measures at least make it impossible to sniff your codes since one of the login credentials is always changing. Without your scratch card or code generator a hacker can't gain access to your account even if they have your PIN code.
The bank identifying that it's really them is something we don't have in Sweden. It really sounds like a good idea to implement for all traders on the internet. A common framework should be built around this in my opinion.
HTTP/1.1 400
An identifier, used by several Dutch banks, as one time authentication. Even if you are on a phish site, you can use this and still not get scammed: Insert your bankcard, type your pincode, type the code provided by the site, press OK, type the return code into the website.
For a scam site to be able to crack this they need to live interface with the real bank, so they login at the bank site once you enter your code on their site. Grab the codes of the banksite, show them to you etc etc..
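An added example, not the page's code and not ABN AMRO's, Rabobank's or SEB's, of the card-reader exchange this post and the European-bank post above describe. It adds the one thing that makes the exchange relay-resistant: the customer keys the amount and destination into the reader as well as the bank's code, so the response is bound to the transfer the customer intends, and a relay that forwards the login but alters the transfer gets a response the bank rejects. The card key, PIN, account ids and 8-digit HMAC truncation are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo values: the key stored on one customer's bank card and the PIN that unlocks it.
DEMO_CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_PIN = "4821"


def session_key(card_key: bytes, pin: str) -> bytes:
    """The reader combines card and PIN. A wrong PIN yields a wrong response rather
    than an error, so the reader gives no offline oracle for guessing the PIN."""
    return hmac.new(card_key, pin.encode(), hashlib.sha256).digest()


def _response(key: bytes, nonce: str, amount_cents: int, dest_account: str) -> str:
    """8-digit code over (bank nonce, amount, destination). Both sides compute it."""
    msg = f"{nonce}|{amount_cents}|{dest_account}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** 8).zfill(8)


def device_response(card_key: bytes, pin: str, nonce: str, amount_cents: int, dest_account: str) -> str:
    """What the customer types back into the site. The amount and destination are the
    ones the customer keys into the reader, i.e. the transfer they actually intend."""
    return _response(session_key(card_key, pin), nonce, amount_cents, dest_account)


class Bank:
    def __init__(self, accounts: dict):
        self.accounts = accounts   # account id -> session key derived when the card was issued
        self.pending = {}          # account id -> (nonce, amount_cents, dest_account)

    def begin_transfer(self, account: str, amount_cents: int, dest_account: str) -> str:
        """Store the transfer as submitted to the bank and return the nonce the site shows."""
        nonce = str(secrets.randbelow(10 ** 8)).zfill(8)
        self.pending[account] = (nonce, amount_cents, dest_account)
        return nonce

    def complete_transfer(self, account: str, response: str) -> bool:
        """Accept only a response computed over the transfer the bank has pending.

        A response covering only the nonce could be forwarded unchanged by a relay
        site; one covering amount and destination fails as soon as the relay has
        submitted a different transfer than the one the customer keyed in."""
        entry = self.pending.pop(account, None)   # each nonce is usable once
        if entry is None:
            return False
        nonce, amount_cents, dest_account = entry
        expected = _response(self.accounts[account], nonce, amount_cents, dest_account)
        return hmac.compare_digest(expected, response)


def demo_bank() -> Bank:
    """Bank holding the session key for the constructed demo card/PIN pair."""
    return Bank({"NL01-CUSTOMER": session_key(DEMO_CARD_KEY, DEMO_PIN)})
```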
My wife's sketchblog Blob[p]: Gastrono-me
I would like a credit card where I pay for the transaction at any site using my web credit card. When the transaction is received it is then approved in the normal way with one extra step.
I, the customer, am involved in the authorisation process, so the credit card company authorises it as per normal and then I the customer have to authorise it.
This could be done by replying to an SMS message sent to my mobile phone or via numerous other methods, even a phone call.
The extra costs involved would be more than offset in that crime would be reduced pretty much to just those who defraud their own cards, or attempt to.
Nothing is perfect but a system like this would be more useful from a consumer level than just burying the issue with another layer of the same type of paper they already cover it in.
They are anti-phishing, but... pro junk mail? I get at least 3 credit card offers from them EVERY week.
But, I'm not complaining. Don't get me wrong. I find their junk mail extremely useful. Those fake credit cards have so many uses: coasters, ceiling light string "grips", scrapers for dirty pots and pans, and who doesn't step in dog poo and need something handy to pick it out with? I think that's what they mean when they say, "Higher Standards". I mean, it's second best to wiping your butt with $20 bills.
The letters/envelopes themselves make great campfire starting fuel.
I8-D
Site-verification button good; extra password crap bad.
I have a debit card that gets me into my bank account when used with a PIN; the bank likes this arrangement. On-line equivalent is a smart-card or USB key or similar containing an X.509 ID certificate and private key with the key protected by a password. Why don't banks issue those to their account holders?
Do the browser-makers need to make it simpler to use a key-pair on an external medium?
But what is wrong with SSL? If people are fooled into ignoring SSL warnings and certificates, there's absolutely no point in adding extra gizmos. They will still be tricked. They'd rather educate people on SSL, signed certificates etc... Imagine the conversation at the bank:
- Hi, I am willing to connect to my online account
- Sure sir, here's a leaflet designed for retarded lusers that will guide you to do that.
- Ur no actually, I don't trust the authority that signed the SSL certificate and would like you to confirm directly the public key of the bank
- ?? I beg your pardon ??
It's a shame! Well it's true that SSL is too cryptic (laugh) for average users. But if they'd replace the key's hexadecimal representation by an associated sequence of words that could do it. Hey look, this site has certificate weasel-weasel-badger-kangaroo-cow-marten-... but at the bank they said it was cow-sheep-weasel...
AAAAAAAARrrrrrrggghhh!!!!
When I log into my ABN AMRO account the first thing the site asks me to do is type a key into a key generator that they gave me when I opened the account.
Before I can enter the key from the webpage into the key generator I must enter my ATM PIN code into the key generator. The key generator then gives me a number and I type that number into the ABN website and then presto, I'm logged in.
Not the easiest method but I imagine it is secure, esp. when I compare it to my American bank accounts.
-best
-greg
please click here to activate your
new Bank of America SiteKey.
The National Australia Bank launched SMS authentication earlier this year.
Whenever you transfer money or pay a bill (i.e. anything risky), it sends a unique code via SMS to your phone. You then type that number into the system before it does the transaction.
It's free too.
It's highly unlikely someone has both stolen your mobile phone AND phished your details.
Give them all a USB bootable drive or CD with a basic OS and functionality for doing just what is needed, i.e. visit the site, display the page and not leak any of that data. Less OS means fewer holes, fewer services means fewer holes, less of the rest means fewer holes and also an easier experience for customers.
I.e. pop in CD, boot PC, ew look, a bank web login page, nothing more nothing less. Any user data will be lost once the system is closed and we are running off a bootable CD here, so it's not like anything's gonna be phished off that, let alone be able to sneak in.
Anyhow that's a basic, simple solution and I'm sure a few Linux distros with the right mentality will see that there is a market for them and a positive one that will get them into the doors of many homes.
Or even have a CPU that runs encrypted code only and have keyed discs; dedicated hardware, when you factor in the mass production costs and loss due to fraud, also starts to become viable. SMS-based mobile phone and WAP, anybody, running on leased mobile networks? Certainly raises the ante.
Anyhow I like cash, thieves can photocopy it all they like but it's still mine and I ain't lost any yet.
If I was a phisher I would have an identical button do the same (looking) thing. No one would know. The three questions are even more worthless because all you'd have to do is code pages to look the same and ACCEPT ANY RESPONSE. That way not only do you have bank information of the person but you also have the answer to 3 PERSONAL QUESTIONS OF YOUR CHOICE. Like what is your SSN, Drivers License #, and Credit Card #.
This won't stop scammers, it may even help them with identity theft.
- Hello, this is the Visa card center calling. Am I talking with Mr. John Doe?
- Yes, that's me. What's the matter?
- We'd like to confirm. Are you trying to make a big purchase in a shop in New York?
- No! I'm in Washington, DC! Oh my god! My wallet is missing! My card has been stolen!
- Would you like to cancel the transaction and block your credit card?
- Yes, please! Right now!
- In order to do so, we need to confirm that you are indeed John Doe, the owner of the card, and not that Mr. Doe's phone has been stolen.
- Please! How do we do it?
- Please give me the number of the credit card in question.
- I don't remember!
- Expiration date?
- Next year, july or june, or maybe august...
- Sorry, I can't take that for an answer. Any other info? Maybe the account number associated with the card? Or maybe the PIN number?
- The PIN is 8352
- Thanks, sucker!
Anagram("United States of America") == "Dine out, taste a Mac, fries"
Speaking as someone whose SO has just lost 4,000 UKP through a compromised work PC via a keylogger and NatWest online banking, you're not as safe as you think you are.
The latest PW_Glieder trojans will keylog and report back over a period of time: if you access your online banking a few times and are asked for characters X and Y from your password, chances are quite high that after a few logged sessions the hacker will have enough info to build your complete password.
This is very common indeed: current SOP is for them to move your money to another account at the same bank for which they've already stolen a matching debit card. Move cash, then a confederate will go into a branch and withdraw the money in cash and vanish...
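As an added risk calculation (not from the original post) for the "characters X and Y" partial-password schemes mentioned in this thread: how many logged logins a keylogger on a compromised PC would need, on average, before every position of the password has been asked, and the probability that this has already happened after a given number of logins. It assumes the bank draws the asked positions uniformly at random on each login, which is the constructed model here, not any named bank's actual policy.

```python
from math import comb


def expected_logins_to_expose(length: int, asked_per_login: int) -> float:
    """Expected number of logged logins until every one of `length` password
    positions has been asked at least once, when each login asks for
    `asked_per_login` distinct positions chosen uniformly at random.

    Exact coupon-collector computation over states k = positions already seen:
        E[k] = 1 + sum_j P(k -> k+j) * E[k+j]
    solved for E[k], since staying at k (all asked positions already seen) has
    non-zero probability.
    """
    n, m = length, asked_per_login
    if not 1 <= m <= n:
        raise ValueError("must ask for between 1 and `length` positions per login")
    total = comb(n, m)
    expect = [0.0] * (n + 1)          # expect[n] = 0: nothing left to learn
    for k in range(n - 1, -1, -1):
        p_stay = comb(k, m) / total   # every asked position was already seen
        acc = 1.0
        for j in range(1, m + 1):     # j positions seen for the first time
            if j > n - k or m - j > k:
                continue
            acc += comb(n - k, j) * comb(k, m - j) / total * expect[k + j]
        expect[k] = acc / (1.0 - p_stay)
    return expect[0]


def probability_exposed_after(length: int, asked_per_login: int, logins: int) -> float:
    """Probability that all `length` positions have been asked after `logins` logged logins."""
    n, m = length, asked_per_login
    total = comb(n, m)
    dist = [0.0] * (n + 1)            # dist[k] = P(exactly k positions seen so far)
    dist[0] = 1.0
    for _ in range(logins):
        nxt = [0.0] * (n + 1)
        for k, pk in enumerate(dist):
            if pk == 0.0:
                continue
            for j in range(0, m + 1):
                if j > n - k or m - j > k:
                    continue
                nxt[k + j] += pk * comb(n - k, j) * comb(k, m - j) / total
        dist = nxt
    return dist[n]
```

For an 8-character password with 2 positions asked per login the expectation is a little over ten logins, which is why the posts above that pair partial passwords with a second, changing factor are on firmer ground than partial passwords alone.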
Due to customer dissatisfaction, Bank of America is discontinuing the personal questions required to log in to our website. To go back to the old way of logging in, you must reconfirm your login information with this easy form below. Please enter your old password, your new password, your account number, and your Social Security number. Thank you.
Due to a recent technical glitch with our SiteKey systems, your account information is at risk. Please click here to login and confirm your information, and re-enable SiteKey.
Sincerely,
Bank of America Security Department
..There's a-dooin's a-transpirin'
Why make it so that users have to click on something to see their secret image verifying the bank? It seems like a lot of people wouldn't bother. Shouldn't the page just show the user their image by default so that they can see the site's authenticity whether they want to or not?
It does help with phishing, but if you have a compromised machine with a keylogger and screenshotting, you're hosed. SSL won't help in this case.
... to digitally sign the web page, and give a key fingerprint on paper to the customers (so they can check they are really installing the correct public key and not a fake). Signing the page would not only ensure that the page comes truly from the bank, but also that there's no malicious change in it (as might be done through a man-in-the-middle attack, e.g. to send the data to another than the bank's server).
Does HTTP support signed web pages (as opposed to just encrypted transmission)?
Note that the authenticity verification would not depend on some third-party certificate (where you have to trust some certification agency possibly unknown to you), but on a paper sent to you on paper by the bank itself. Thus you have only to trust your bank (if you don't trust that, you'd better change it anyway), and fraud would need to intercept both the bank web site and the postal delivery. Which I think will be beyond the ability of the typical phisher.
The Tao of math: The numbers you can count are not the real numbers.
Professionals in the field of authentication already know that it's a much stronger method of authentication to require two out of three of something you know, something you are, and something you have.
http://www.unix.org.ua/orelly/networking/firewall/ch10_02.htm
But BoA's new system is just something you know, something else you know, another something you know, and yet another something you know. Unfortunately, teh Intarweb combined with the hardware that home users normally have isn't really suited for doing anything more than this, and even if you did have (say) a smart card reader to use with a bank-issued smart card, there's nothing saying that phishers couldn't haxor your smart card reader and make a copy of it.
I shudder at the thought, but this might actually be a benefit of Trusted Computing - preventing phishers from gaining access to a smart card reader included in a computer.
Maybe
See, I thought so.
To log in to my Dutch bank (Rabobank as seen in the Tour de France) I must put my bank card in a number generator and exchange log in codes between the generator and the site.
You can't even steal them as the generator itself must first be unlocked by a four number PIN to generate legit codes.
Try Maylr.com,
http://maylr.com/
When you signup it gives you a keycard to print out, it's a fairly large grid of codes.
When you login to the site, you have to enter a random cell from the keycard, so even if a phisher site convinces you to give up your login and password, the keycard cell to enter will be different on the next login.
Also if you fail to login 3 times, it will block your login for a day, and finally on the next successful login it will warn you of people who have tried to login to your account so you can change your password or keycard or both.
It has the same advantages as additional questions without the privacy problem.
Personally I hate SiteKey, it causes me to go to an extra screen when I sign in to my online banking site. I wish that there was a way to deactivate it, or at least a way to eliminate the need to type my password in twice. Eh, I guess that it might get better.
Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
Good that someone mentioned SSL. To me it seems that the bank is working around accessibility problems, but as a result creates an inferior solution.
The bank could easily tell a geek never to type in their password unless the page is secured by the bank's SSL key. How do we make that work for the rest of the population?
As for customers' tendency to use bad passwords, why doesn't the bank install a password checker on the server? That would make all the difference, since they close access after a few tries (at least my bank), thus making it impossible to brute-force the account, anyway.
The worst solution is the most widely used one. You get a digital certificate from the bank, which is read by some Java applet on the website after you enter a password. So it is not imported into the browser keystore. The security is thus both a file on the harddrive, and a password. Works only with IE.
The 2nd best is a keycard, with 80 one-time 4-character passwords on. To logon you need your SSN, card identity and a 4-digit password from the card. To verify transactions you need to enter another 4-digit password from the card. Works with any browser, any platform.
The best solution is the one I use. It is based on a tokencard. To log on I need a username + a 6 digit numeric one-time password I get from my tokencard (after entering my pin). To confirm any transaction, I will be presented with a challenge I have to enter on the keypad of my token card, and get a response back that I enter on the website. Works on all platforms.
It is totally unacceptable that US banks don't care about security, and will use a username/password only.
Isn't an RSA key just a much better way of doing this - can be on your keyring, and each user has a different (random) preamble - a much better way of doing it?
When a fool gets phished, the bank will disclaim liability if the fool did not click the button and verify the sitekey. Of course the fools out there will never click the button and hence the bank gets to disclaim its liability in phishing attacks. Sensible people will of course click the button, but they would be extremely unlikely to get phished anyway.
Art is the mathematics of emotion
I would have to say BoA's biggest flaw right now is that when my bank (Fleet) became BoA, they MADE you choose a new username to get into the site --- which, of course, couldn't be chosen, and had to be your SSN.
Once you have the credentials, the phishing webserver can make a call to the real site and return what the site presented.
You can't rely on a webpage for security. Period. Other authentication methods are needed.
This will work even better for emails - include this button in any emails from the company, or better yet include the actual image. (Including the image itself in the email is a security risk, though smaller and of a different type, but it could be an image in the (ugh) HTML email.)
Combined with some improvements in browsers that are being worked on, this is not bad. Though the answer 3 questions part has problems and isn't in theory any better than a password, it does get around the "I use the same password everywhere" problem.
I think it would be fairly simple to duplicate said button's functionality.
I can't believe such a silly solution is being suggested. 3 questions? What's this? Jeopardy? It's already hard to believe that someone had the lack of intelligence to have a login/password access to a banking website. But why come up with such silliness? Haven't these people ever heard of scratch-lists? ID thieves will just adapt their social engineering to get the answer to those questions and are free to continue their way. It's basically just like asking 4 passwords that never change to login: 1 is the normal password and the 3 others in the form of question/answer.
"You superiour intellect is no match for our puny weapons" - The Simpsons
http://www.entrust.com/identityguard/index.htm
But I do like the button feature
Who says your maiden name or mother's maiden name is the same? I often give different answers to that question depending on who I'm dealing with.
As for favourite colour, use your imagination.
Maybe banks should start issuing their customers with USB tokens? Tokens are like smart cards - they can perform public key operations to verify the user's identity without leaking any private information to phishers.
It works like this
Really works great and I don't see any way a phisher can get around it. Of course they could try a "sorry, our site key authentication system is down at the moment, do you want to log in without sitekey" and some may fall for this, but you can only protect people so much.
Here in Finland the bank I use (Nordea) uses one time pads to authenticate sessions. The one-time pad is snailmailed to you and contains two sets of keys. The first set is a true one time pad, and these keys are used with your PIN when you start your session. There are also keys (A-Z) which are used midsession when you confirm certain actions (money transfers etc).
When you have used most of the keys on the pad, they simply snailmail you a new one. This system seems relatively secure and easy to use and implement: Even if the attacker gets the next OTP key, he won't actually be able to steal your money unless he has sniffed your previous sessions.
How will this help? So a phishing site makes a button that resembles the bank of america one... then asks some questions.. yeah this will work.
A lot of people seem to be confused about how this is going to work, which isn't surprising because the article didn't do a very good job of explaining it. I signed up with SiteKey at BoA a few weeks ago, and the concept is actually decent. It's got some problems, but it's a fairly simple solution that will make the simplest phishing scams a lot harder and/or more traceable.
Here's how it works:
The three personal questions are chosen by the bank. There's actually three sets of possible questions, and each set has different questions. You choose one question from each set, and none of them are dumb things like "what's your password?" or "what's your CCV code?". Some of them are pretty easy to find out, but most phishers don't have time to figure it out.
This does make phishing a lot more difficult. Now, to phish, you have to be set up to ask the user for his account ID, send it to the bank to get the correct challenge question, ask the victim the question, supply the answer to the bank, get the image and message and then finally get the password. That's a lot tougher than a screen that asks for user names and passwords and then displays a login error and redirects to the bank website. It's also more traceable, because you have to interact with the bank website, meaning that they have a bit more to go on to track you down. Finally, the user will be tipped off that something's going wrong, because they know they shouldn't be asked those questions from their home computer. That's why the "personal questions" are so important. It stops the phisher from completely automating things and just taking the account number and grabbing the image and message from the bank's website, because they won't have the cookie needed to get the proper image. Obviously there are holes in the scheme and phishing will still be possible, but this is a simple solution that raises the bar a lot.
This is what site certificates are intended to be. The problem is that (some of) the root certificate authorities will issue a certificate to anyone with sufficient cash in hand. To make the certificate system useful again requires two changes to the way things are done.
First, the user must have the secure site's public certificate installed in his/her browser. This can be achieved by providing it to the user on physical media (e.g. a CD or USB key). Furthermore, each user can be issued his/her own certificate for use as part of the authentication process. This is both cheaper and easier than the RSA SecurID that some banks are providing to some (their biggest and best) customers. That's the easy part.
The second and much harder part is providing a user interface such that whenever the user opens an URL from a mail client (or IM client, or any other non-browser I suppose) the user is either told "This is your bank" or "This is an insecure site" or "This is a secure site but not one you know." This message should be prominently visible in the browser window, not merely a dialog that can be trivially dismissed.
Both parts require changes to all browsers (including and especially IE6/7), particularly if there is any hope of making it cross-platform. Right now, installing a certificate in a browser is a task that requires more user sophistication, if only to discern when one should or should not install a certificate, than can be expected of your average user.
A user should be able to double-click on a file with the right extension (.pks or .pk7 or something, I can't remember) and have the browser ask for a friendly name for it (e.g. "My bank"). While it's fine to keep using the root CAs installed in the browsers out there; sites signed by the root CAs, however, should not be presented as authentic; the user should have the option of identifying a site's certificate with a friendly name, perhaps, but until the user has identified it it must remain at least partly suspect.
Oh, and incidentally, the "thus and such is wrong with the site's certificate. Proceed?" dialogs are completely useless.
What's the advantage of using this over an SSL certificate? Besides, of course, the laxity with which some CAs are becoming prone? What we need is better CA policies, and public trust in better performing CAs.
I've thought that SSL Certs should be issued by the various authorities of corporate registration, i.e. State of Delaware, and for individuals, the passport office. CA info would include the legal identifiers of the entity involved, including corporate registration number, so there can be little question of who is being dealt with. Some part of the browser can then link that corporate registration number to the various corporate registration authorities' online information systems and provide ownership, address, etc. for the corporation, and these databases should also have a field for the official corporate web site (which may or may not be the same as the site being authenticated).
No problem, I'll just modify my scripts! I bank with Smile and their login screen asks for a different piece of information each time. Annoyed with having to recall this information (I'm usually tense anyway if I have to deal with banking), I designed a script that pulls password stuff out of my Mac Keychain and does a quick screen scrape of the login page to put the right piece of information in the right field. And then it presses the login button for me. The best bit is that with my quicksilver trigger key (a kind of hotkey) I now have one handed banking which is a godsend when you have a phone in one hand. Ok for safety I do have to type my keychain password but I can do that one handed. I use this approach to log on to everything, even slashdot. Did anybody say Automator action? ;)
You pick your "sitekey" image from their website?
Presumably they only have a limited number of images. The phisher can display one of the possible sitekey images at random. They will only catch at most 1/N victims, but they will have a better chance of catching the 1/N that they do match because that person will have seen the right sitekey.
People who fall for phishing almost deserve to be robbed. This will only increase the overhead of my bank, which is bad for me.
Phishing is all about collecting valid data, for use or sale to other felons. So establish a place where individuals can forward any phishing e-mails they receive. They in turn, would answer the e-mail. Millions of times. With bogus data. Who is going to try to use millions of credit card numbers to find out if one of them is valid? Who is going to buy a haystack just to get one needle?
European banks use them almost exclusively, first pad must be personally fetched from the bank; new ones are mailed when 2/3 of the old keys are used.
To make an online transaction one needs to have: user number, PIN and a key from the one-time pad.
I can't believe how these scams work so well outside Europe.
Imagine how stupid an average person is. By definition, 50% of people must be even dumber than him/her.
Capitalization is the difference between "Helping your uncle jack off a horse" and "Helping your uncle Jack off a horse"
You know, ever since I switched to the Mac (Mail) I turned on the Spam filter. After it learned what was spam and what wasn't, I made the spam go to its own folder.
Voila, no more spam (or phishing for that matter) to worry about. I haven't seen a phishing email or a spam email in months (Now granted I have over 2000 unread emails in my spam folder) But who cares?
These things are cool. They have random numbers on them that change once a minute. These are sync'd with software that runs on the bank's servers. I've worked with them before for access to VPNs and such. Great tools.
My blog
...not only enter a password but also answer three personal questions...
This escalation of YOUR exchanged personal information as a way to authenticate YOUR access does nothing to authenticate the site you are connecting to. What's worse, even if the site is legit, the news is full of companies, even banks, who are too sloppy with this data. Thus while I may, at first, be reducing the chance that my ID could be stolen, I am also giving out more and more information which a person bent on fraud could eventually gather and use to imitate me.
In cooperation with a few merchants [Tiger Direct e.g.] my bank has recently begun to ask for 2 or 3 extra pieces of identifying data [some of the ssn digits for example]...it got to the point they were asking more about me than I could remember and the transaction was rejected. No Sale. No money to merchant, no goods to me. And if BOA can't keep customer data under wraps, why should I trust a discount electronics mart?
I think all this extra info is not really the answer.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
My bank uses a one-time pad combined with a secret number. Each time (or actually before) I run out of one-time passwords they send me another by mail. I can continue to use my old pad as long as I haven't started the next one or run out of passwords. The information is SSL encrypted and I can use SSH to log in if I wish to do so in case I don't have a HTTPS capable browser on my hands.
When I transfer money outside my own personal accounts I'm also asked a randomly chosen certification password from the list. Therefore peeking my secret number and my next in sequence number isn't enough to steal my money.
Works great, never had a single problem. I use SSH mostly since that feels most safe and I get an alert if I mistype the address or the keyfile has been changed. I trust SSH more than I trust HTTPS since the majority will be using HTTPS anyway.
?SYNTAX ERROR
Why not just make phishing and stealing money illegal?
Phishers (or whatever you want to call them) don't want your credit card number so that they can log into your card issuer's site as you. They want it so that they can buy stuff using the card. Your site can ask for your fingerprints, a sample of your DNA, and a photograph of your bathroom, and it won't help a bit with the phishing problem as long as vendors, the people who accept credit cards in exchange for merchandise, are willing to make do with the kind of information phishers can get most easily.
Received: from ebay.com (84-22-184-100.iomart.com [84.22.184.100]
It already tells me it's not from Ebay but let's pretend we just have the IP address to work with. A quick reverse DNS check:
aragorn ~ # hostx 84.22.184.100
Name: niciis1.iomart.com
Address: 84.22.184.100
The above was done on a Linux box but a Windows user with Outlook can just bring up the email, select View/Options and look at the last "Received:" line in the email. Pull the IP address out of that line and use "nslookup" in place of "hostx" above in the CMD prompt.
Yes, this one's definitely not from Ebay but from someone on the iomart.com domain. Email is fake, phishing scam failed. Just do the same test with any suspect email and see if the domain name is what you expect it should be. It's that simple!
It's nothing flash and helluva lot of people on Slashdot already know how to do this, be they Linux, Windows, Other OS users.
In fact, an automated script on my mail server already did this for me and SpamAssassin had already captured this as a Spam email.
So to the less experienced people out there, this is just a quick demonstration to show you how easy it is to detect a phished email. All it needs is a little investigation and a little knowledge...
So let's hear no more about phishing because we are now all responsible enough to do it ourselves.
Move along, nothing more to see here.
Gentoo Linux - another day, another USE flag.
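The header check walked through above, as an added example in Python (not the poster's script and not SpamAssassin's logic): it takes the last Received: line, pulls out the bracketed IP, resolves it in reverse and compares the resulting domain with the domain the sender claimed. The header block and the PTR table are constructed so it runs offline; pass ptr_table=None to use real socket.gethostbyaddr lookups.

```python
import re
import socket
from typing import Optional

# Constructed header block (not a real message), modelled on the one quoted
# in the post; the suspect line deliberately lacks its closing parenthesis,
# as in the original, and the parser tolerates that.
SAMPLE_HEADERS = """\
Received: from mailhub.example.net (mailhub.example.net [192.0.2.10])
\tby mx.example.net with ESMTP; Tue, 12 Jul 2005 09:01:02 +0000
Received: from ebay.com (84-22-184-100.iomart.com [84.22.184.100]
\tby mailhub.example.net with SMTP; Tue, 12 Jul 2005 09:00:58 +0000
From: "eBay" <service@ebay.com>
Subject: Account verification required
"""

# Constructed PTR table standing in for real reverse DNS so the example
# runs offline; the first entry mirrors the hostx result shown in the post.
FAKE_PTR = {"84.22.184.100": "niciis1.iomart.com",
            "192.0.2.10": "mailhub.example.net"}

_RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s*\(\s*(?P<rdns>[^\s\[\]()]*)\s*"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]",
    re.IGNORECASE,
)


def last_received(raw_headers: str) -> Optional[str]:
    """Received: headers are prepended by each hop, so the last one is the
    hop closest to the real origin; folded continuation lines are ignored."""
    lines = [l for l in raw_headers.splitlines() if l.lower().startswith("received:")]
    return lines[-1] if lines else None


def parse_received(line: str) -> Optional[dict]:
    """Extract the HELO name, the receiving MTA's rDNS note and the IP."""
    m = _RECEIVED_RE.match(line.strip())
    return m.groupdict() if m else None


def reverse_lookup(ip: str, ptr_table: Optional[dict] = None) -> Optional[str]:
    """PTR lookup; uses the supplied table when given, else real DNS."""
    if ptr_table is not None:
        return ptr_table.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def registered_domain(host: str) -> str:
    """Last two labels (enough for .com-style names; a public-suffix list
    would be needed for names such as example.co.uk)."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def assess(raw_headers: str, expected_domain: str,
           ptr_table: Optional[dict] = None) -> dict:
    """Compare the domain the sender claimed with the domain its IP resolves to."""
    line = last_received(raw_headers)
    if line is None:
        return {"verdict": "no-received-header"}
    parsed = parse_received(line)
    if parsed is None:
        return {"verdict": "unparsable", "line": line}
    ptr = reverse_lookup(parsed["ip"], ptr_table)
    claimed = registered_domain(parsed["helo"])
    actual = registered_domain(ptr) if ptr else None
    if actual is None:
        verdict = "no-ptr"            # cannot confirm either way
    elif claimed == actual == expected_domain.lower():
        verdict = "consistent"
    else:
        verdict = "mismatch"          # HELO name and PTR disagree: suspect
    return {"verdict": verdict, "ip": parsed["ip"], "claimed_domain": claimed,
            "mta_noted_rdns": parsed["rdns"], "ptr_host": ptr,
            "ptr_domain": actual}
```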
How is SiteKey preventing me from having my Ben & Jerry's ?
This is absolute nonsense. I can't tell you how many websites I've stopped doing business with because of their insane registration and logon requirements. This will just make that worse.
Because if it's in software, the phishing site simply needs to retrieve the software from your machine. The hardware system works because it's out of band data, which cannot be easily intercepted by the phishers.
Another out-of-band system someone here suggested is SMS messages from the bank... when you attempt a login, the bank sends you an SMS (text message) with a number in it and you type that number into the website.
To be secure, it needs to have information which is not communicated in easily extracted form in the same medium as the original attack.
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
It will work because I doubt phishers are up for a challenge. They will just target websites that don't have extra security precautions.
If all banks do this, it's a different story. They will find a way to exploit the system. It should work for a while though.
Yeah, yeah, yeah. The story is a dupe, the topic is boring, the facts weren't checked. WE GET IT!!
The problem is that most computer users are STUPID STUPID STUPID!!! My firm is currently doing research on phishing and prevention and we have successfully acquired usernames, passwords, and other vital info from 94% of the test users... Like taking candy from a baby... so as long as people are stupid enough to give out their passwords and socials and such phishing will be a problem.
This just in! 3 out of 4 people make up 75% of the population.
Bank of America are using SSL so the little key icon will appear to show users the page is *really* from Bank of America.
The trouble with doing the sort of thing that SiteKey does is that it detracts from the homogeneity of the web experience, thus making it even more difficult to explain to users how it all works.
All these strange security systems are so much marketing fluff, to try to convince users that their money is totally safe. Which it isn't. Even with SSL there are still risks (someone can spoof the entire certificate architecture for example).
My own bank uses a totally lame "enter the third fourth and seventh characters from your password" system which drives me mad.
So I wrote some Greasemonkey to hack it: Read about it here.
So while Wachovia spent the last year or so moving AWAY from using a SSN to login to their site, Bank of America recently switched TO using SSNs. You'd think banks would have some sort of consensus on what sort of system to adopt, but obviously not. Oh, then there's ING Direct who, for some reason unbeknownst to me decides to not use usernames, not use SSN numbers, but use arbitrarily assigned "customer numbers" to login. When I sent them a long letter on why they should use something easy to remember to login, they never gave me a reply. So, people end up writing down their customer number or, in my case, calling up ING almost every time I want to login to my account. Just give me a SecurID or Safeword password token and the problem is simply solved. I'll even pay for it!
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
1. You go to the bank website.
2. The login form has a username and password field plus a randomly generated number and a field for a hash.
3. You input the randomly generated number into a little calculator containing a unique-to-you number which uses a hash algorithm and spits out another number.
If the calculator and bank details are stolen or lost, you can get a new calculator with a different unique-to-you number. (well the number might not be unique-to-you but it would be random enough to not be something one could figure out)
Assume that the number inside the secret calculator is N and the number you key into it is K, the output is o = f(n,k). The hash algorithm should be designed so that the value of k that would produce o = n is different for each value of n.
4. You then input your username and password plus the output from the calculator. The bank generates the same hash as the calculator does using the same number as stored in the calculator.
5. Then if they match, it lets you into the bank site.
6. When you want to do a funds transfer to someone, you have to plug another number into the calculator and get another hash.
This system would stop phishers since the first number returned (i.e. when you first see the login screen) is only valid for a very short time (e.g. 5 minutes or even less) and is linked to the IP address of the machine that sent the http request.
This means that even if the phishers are able to get you to input the number into the little calculator and then the result into their login form, the number is useless because the number they capture is linked to the IP address of the machine making the http request to get the number and also only valid for a limited time.
Also, the second hash that is generated would be specifically linked to the specific set of transaction numbers (destination account and amount). Lets say they steal the first set of numbers and manage to log in from the correct machine at the correct time, they would still then need to prompt you for a second password in order to actually do funds transfer.
To prevent phishers doing a trick like "Your password is invalid, please enter it again" to get the second login, the hash algorithm used for the calculator should take as input for the second hash, the unique number AND the amount. If you enter an amount that's different to what the bank thinks you want to transfer, the hashes won't match up.
What this would mean is that people would need to type the actual amount the phishers are going to transfer from their account into the little calculator and anyone who is stupid enough to blindly press "Funds Transfer" "1000.00" "OK" "" "OK" into the little calculator (assuming of course that they aren't actually legitimately transferring $1000.00) probably shouldn't be using a computer, let alone online banking.
So that this would be easier on the customer (especially if you transfer money to the same account all the time), there would be an "approved payee" list. To add an account to the white list you would visit the page and get another random hash. You then press "Add Approved Payee" "" "OK" "" "OK".
It might take a little bit more effort but it would be resistant to all attacks (even a man-in-the-middle attack wouldn't work since no-one except the user has the right little calculator to input "Funds Transfer" "1000.00" "OK" "" "OK" into).
This has an advantage over the "one time use password" type systems since with those systems the phishing scam can just ask you to input enough of the codes so that they get one they can then use.
It's certainly more secure than the simple "username + password" login my bank uses (you do need to enter the password again in order to do a funds transfer though)
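The calculator scheme described in the post above, written out as an added example (hypothetical code, not any bank's): f(N, K) is realised as truncated HMAC-SHA256, challenges are single-use, expire after a TTL and are bound to the requesting IP, and the transfer response mixes in the amount and payee, so a response captured for one transaction is useless for any other.

```python
import hashlib
import hmac
import secrets
import time


class Calculator:
    """The 'little calculator': holds the customer's secret N and computes
    o = f(N, K). f is truncated HMAC-SHA256 here (an assumption; the post
    leaves the function unspecified). Transaction details typed into the
    device are mixed into the message, so the response is only valid for
    that exact amount and payee."""

    def __init__(self, secret_n: bytes) -> None:
        self._n = secret_n

    def respond(self, challenge_k: str, *details: str) -> str:
        msg = "|".join((challenge_k,) + details).encode()
        return hmac.new(self._n, msg, hashlib.sha256).hexdigest()[:8]


class BankServer:
    """Issues short-lived, single-use challenges bound to the requesting IP
    and checks the calculator's responses. Hypothetical server-side model."""

    def __init__(self, clock=time.time, ttl_seconds: int = 300) -> None:
        self._clock = clock
        self._ttl = ttl_seconds
        self._accounts = {}    # username -> (password, secret N)
        self._challenges = {}  # K -> (client_ip, expires_at)
        self._payees = {}      # username -> set of approved destinations

    def register(self, user: str, password: str, secret_n: bytes) -> None:
        self._accounts[user] = (password, secret_n)
        self._payees[user] = set()

    def issue_challenge(self, client_ip: str) -> str:
        k = secrets.token_hex(4)
        self._challenges[k] = (client_ip, self._clock() + self._ttl)
        return k

    def _consume_challenge(self, k: str, client_ip: str) -> bool:
        entry = self._challenges.pop(k, None)  # single use: gone after this
        if entry is None:
            return False
        bound_ip, expires_at = entry
        return bound_ip == client_ip and self._clock() <= expires_at

    def _verify(self, user, k, response, client_ip, *details) -> bool:
        if user not in self._accounts or not self._consume_challenge(k, client_ip):
            return False
        expected = Calculator(self._accounts[user][1]).respond(k, *details)
        return hmac.compare_digest(expected, response)

    def login(self, user, password, k, response, client_ip) -> bool:
        pw_ok = user in self._accounts and hmac.compare_digest(
            self._accounts[user][0], password)
        return self._verify(user, k, response, client_ip) and pw_ok

    def add_payee(self, user, k, dest, response, client_ip) -> bool:
        # Whitelisting needs its own response, tagged so it cannot be
        # confused with a transfer response for the same challenge.
        if self._verify(user, k, response, client_ip, "ADD_PAYEE", dest):
            self._payees[user].add(dest)
            return True
        return False

    def transfer(self, user, k, amount, dest, response, client_ip) -> bool:
        if dest not in self._payees.get(user, ()):
            return False          # rejected before the challenge is consumed
        return self._verify(user, k, response, client_ip, "TRANSFER", amount, dest)


def scenario() -> dict:
    """Walk through the cases from the post with a controllable clock."""
    now = [1_000_000.0]
    ip, other_ip = "198.51.100.7", "203.0.113.9"   # constructed addresses
    bank = BankServer(clock=lambda: now[0], ttl_seconds=300)
    secret_n = secrets.token_bytes(16)
    calc = Calculator(secret_n)
    bank.register("alice", "pw", secret_n)
    out = {}

    k = bank.issue_challenge(ip)
    out["login_ok"] = bank.login("alice", "pw", k, calc.respond(k), ip)
    out["challenge_reuse"] = bank.login("alice", "pw", k, calc.respond(k), ip)

    k = bank.issue_challenge(ip)          # captured response, replayed elsewhere
    out["other_ip"] = bank.login("alice", "pw", k, calc.respond(k), other_ip)

    k = bank.issue_challenge(ip)
    now[0] += 600                         # past the 5-minute TTL
    out["expired"] = bank.login("alice", "pw", k, calc.respond(k), ip)

    k = bank.issue_challenge(ip)
    resp = calc.respond(k, "TRANSFER", "1000.00", "ACCT-42")
    out["transfer_unapproved"] = bank.transfer("alice", k, "1000.00", "ACCT-42", resp, ip)
    resp = calc.respond(k, "ADD_PAYEE", "ACCT-42")
    out["payee_added"] = bank.add_payee("alice", k, "ACCT-42", resp, ip)

    k = bank.issue_challenge(ip)          # user keyed 10.00; request says 1000.00
    resp = calc.respond(k, "TRANSFER", "10.00", "ACCT-42")
    out["amount_tampered"] = bank.transfer("alice", k, "1000.00", "ACCT-42", resp, ip)

    k = bank.issue_challenge(ip)
    resp = calc.respond(k, "TRANSFER", "10.00", "ACCT-42")
    out["transfer_ok"] = bank.transfer("alice", k, "10.00", "ACCT-42", resp, ip)
    return out
```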
The Site Key system has already been rolled out to Bank of America employees. It works as follows:
1. Type in your user name only (no password).
2. If this is the 1st time visiting the site with your current computer or you have emptied your cookies, you'll be asked to answer three questions. The questions will be chosen at random from a list of questions and answers that you have set up in advance. If your cookies indicate that you've been to the site before, no questions will be asked.
3. A picture that you've chosen from a list and a welcome greeting that you've created will be shown to you and you will be prompted for your password.
4. If the picture and greeting are the ones you've chosen then enter your password; you're at the correct site.
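A server-side model of the flow described in the post above (and in the earlier walkthrough of why a phisher needs the cookie), added here as illustrative code rather than Bank of America's implementation: the image and phrase are released only to a device presenting a valid cookie or after a correct challenge answer, and the cookie is an HMAC keyed to the username, so one customer's cookie is not accepted for another (an assumed design detail).

```python
import hashlib
import hmac
import secrets


class SiteKeyServer:
    """Hypothetical server side of a SiteKey-style login. Step numbers in the
    docstrings refer to the four steps listed in the post."""

    def __init__(self) -> None:
        self._cookie_key = secrets.token_bytes(32)  # signs device cookies
        self._customers = {}   # username -> enrolment record
        self._pending = {}     # session id -> (username, question asked)

    def enroll(self, user, password, image, phrase, questions: dict) -> None:
        # questions maps question text -> answer; answers are normalised.
        self._customers[user] = {
            "password": password, "image": image, "phrase": phrase,
            "questions": {q: a.strip().lower() for q, a in questions.items()},
            "devices": set(),
        }

    def _tag(self, user: str, device_id: str) -> str:
        return hmac.new(self._cookie_key, f"{user}:{device_id}".encode(),
                        hashlib.sha256).hexdigest()

    def _mint_cookie(self, user: str) -> str:
        device_id = secrets.token_hex(8)
        self._customers[user]["devices"].add(device_id)
        return f"{device_id}:{self._tag(user, device_id)}"

    def _cookie_valid(self, user: str, cookie) -> bool:
        if not cookie or ":" not in cookie:
            return False
        device_id, tag = cookie.split(":", 1)
        return (hmac.compare_digest(self._tag(user, device_id), tag)
                and device_id in self._customers[user]["devices"])

    def _reveal(self, user: str) -> dict:
        rec = self._customers[user]
        return {"next": "password", "image": rec["image"], "phrase": rec["phrase"]}

    def begin_login(self, user: str, device_cookie=None) -> dict:
        """Steps 1-2: username only. A recognised device gets the image and
        phrase straight away; any other device gets a challenge question."""
        if user not in self._customers:
            return {"next": "denied"}
        if self._cookie_valid(user, device_cookie):
            return self._reveal(user)
        question = secrets.choice(list(self._customers[user]["questions"]))
        sid = secrets.token_hex(8)
        self._pending[sid] = (user, question)
        return {"next": "challenge", "session": sid, "question": question}

    def answer_challenge(self, sid: str, answer: str) -> dict:
        """Step 2 continued: a correct answer releases image/phrase (step 3)
        and a cookie so this device skips the question next time."""
        entry = self._pending.pop(sid, None)   # one attempt per session
        if entry is None:
            return {"next": "denied"}
        user, question = entry
        expected = self._customers[user]["questions"][question]
        if not hmac.compare_digest(expected, answer.strip().lower()):
            return {"next": "denied"}
        out = self._reveal(user)
        out["device_cookie"] = self._mint_cookie(user)
        return out

    def finish_login(self, user: str, password: str) -> bool:
        """Step 4: the user, having recognised image and phrase, sends the password."""
        rec = self._customers.get(user)
        return rec is not None and hmac.compare_digest(rec["password"], password)


def scenario() -> dict:
    """Constructed walkthrough: new device, wrong answer, right answer, return visit."""
    srv = SiteKeyServer()
    answers = {"First car?": "Civic", "City of birth?": "Tulsa", "First pet?": "Rex"}
    srv.enroll("alice", "pw", "lighthouse.jpg", "hello sunshine", answers)
    srv.enroll("bob", "pw2", "sailboat.jpg", "fair winds",
               {"First car?": "Golf", "City of birth?": "Reno", "First pet?": "Tom"})
    out = {}
    first = srv.begin_login("alice")
    out["new_device_asks_question"] = first["next"] == "challenge" and "image" not in first
    out["wrong_answer_denied"] = srv.answer_challenge(first["session"], "nope")["next"] == "denied"
    first = srv.begin_login("alice")
    ok = srv.answer_challenge(first["session"], answers[first["question"]].upper())
    out["image_released"] = ok.get("image") == "lighthouse.jpg" and ok.get("phrase") == "hello sunshine"
    cookie = ok["device_cookie"]
    again = srv.begin_login("alice", cookie)
    out["known_device_skips_question"] = again["next"] == "password" and again["image"] == "lighthouse.jpg"
    out["cookie_not_transferable"] = srv.begin_login("bob", cookie)["next"] == "challenge"
    out["password_ok"] = srv.finish_login("alice", "pw")
    return out
```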
My bank issues a scratch-card which contains 100 or so 4 digit numbers. Each number can only be used once. A new scratch-card is sent to you before the card has been fully used up. You need to save at least two numbers on your old scratch card to be able to activate a new scratch card; here's why:
You log in using your account number + PIN code + scratch code. With that login you can only browse your account, not do anything else. If you need to do any type of action you will have to confirm the transaction with a new scratch code.
If someone stole your wallet with your scratchcard in it there is no way he/she can log into your account without the PIN number. Since any of the scratch-codes only can be used once there is no way to fake a transaction or to trick you into telling the confirmation codes even if a keylogger has caught your real PIN code.
...chances are quite high that after a few logged sessions, the hacker will have enough info to build your complete password.
...goddamn it! Cracker, phisher, but not hacker
seems a lot of this phishing nonsense could be avoided if the banks just gave their customers the actual IP number to the site instead of a domain name. Judging by my spam it's the look alike names that they use to try and fool people.
I use Bank of America in Maryland, one of the test areas for SiteKey. As of now, the three challenge questions aren't used, although they did ask me to give them 3 challenge/response pairs. What Sitekey does do is after you sign in traditionally (Firefox stores this for me already, so I just click on 'Log in using Sitekey'), and then it shows you an image and phrase of your choosing. The important thing is that the image is stored (and encrypted) on BoA's server. So a phisher wouldn't have access to it, and would have to guess what your image is. It's the same tech discussed previously on Slashdot.
Do you know how many databases have your personal details captured? Can you remember all the places you provided...
- Your date for birth
- Your postcode
- Your home phone number
Ever registered on a site running vBulletin (http://www.vbulletin.com/), just for starters?
And how hard would it be to determine...
- The model of car you drive
- Your mother's maiden name
- What type of pet you own
How many bloggers would find that information already shows up on Google?
The Itau bank around here is doing two different things:
for persons, they just delivered a card with a table with about 200 pairs of number-keys. At login time, the bank site spits out a number, and you have to answer back the same number from your personal table.
For corporate accounts the same bank delivered a small keyring device with an LCD. You press a button in it before you login, and the bank sends you wirelessly a secret number that you will have to type in at login. I guess the device uses the cell phone network.
-><- no
What... is your name?
What... is your quest?
What... is the air-speed velocity of an unladen swallow?
i'm talking in my case about a trojaned machine, not a social engineering/phishing scam. hence "hacked", not "phished".
I opened a bank account in Canada last year and was shocked at the poor security with the online banking.
My UK account requires a 12 digit internet banking number, my DOB and 3 of a possible 10 digits of a security number. None of which are related to the account number.
My Canada account (Scotiabank - name and shame) requires the number from my card and a password. There is even a "remember this card" link. Unbelievable.
Starts up keylogger/trojan/etc on public computer and walks away... this should be easier than pie!
-M
when you see the word 'Linux', drink!
I don't see how so many people are tricked into phishing scams. It's pretty obvious when I'm sent a fake email asking me to fill out my personal info, since my bank's privacy policy says they'll never ask for that in an email.
Not only that, but I think it's pretty obvious when the phishing email talks about my Visa card expiring when I don't even have a Visa card.
All a scammer has to do is put an iFrame or otherwise inline where the button would appear on the real site that is exactly the same dimensions as the button, then use DHTML to "scroll" the button into view. So what you have is the scammer's site with a floating layer that only shows the real button on the real site. People will click it and it will say "this is the real thing" and they will fill out all the secret questions and everything. Wow. I hope they thought of this already.
--- Nothing is secure.
In your scheme, one can distinguish 3. from 4. because the number of questions asked is different.
I have extensively researched SiteKey on behalf of a competitor bank, and can say with certainty; SiteKey is NOT an anti-phishing solution.
How it Works: SiteKey is essentially a collection of functions that integrate with a merchant's existing login system and customer database to enhance the login process. It is designed to retrieve data from, and write data to, a user's computer, then compare this retrieved information with data contained in the merchant's customer database. As such, it is not actually performing website authentication. It is enhancing the merchant's existing login process by including additional image/message data, as well as a retrieved "device ID" that identifies the customer's computer. SiteKey stores this data with the merchant's customer database and presents this stored information to the customer after they enter their normal Login ID and before they enter their Password. SiteKey uses the merchant's existing customer Login IDs and integrates with the merchant's existing login system and customer database. Since one customer's login ID at one merchant may already be in use by a different customer at a different merchant, SiteKey users will find themselves being required to (a) register for a login ID at every merchant they wish to authenticate, and (b) create different login IDs for different merchants if their desired login IDs are found to be already in use by someone else. Also, merchants who do not presently use a login system would be unable to implement SiteKey without first installing some form of a login system with an underlying customer database to store the login IDs and corresponding SiteKey data.
Security Issues: Storing this image/message data within the merchant's customer database presents huge security issues since the secret image/message information is directly tied to the merchant's customer records.
In the event of a data theft from ANY SiteKey-equipped merchant, ALL SiteKey-equipped merchants who use this solution would find themselves at risk because the customers of the victimized merchant may have registered with them as well. If they have, they would likely have registered the same SiteKey images and messages. Even if the customer's images and messages were different between merchants, the stored Device ID would be the same since it is the unique identifier for the customer's computer. This creates a common data thread between otherwise isolated and dissimilar merchant database records which a phisher could exploit. As a solution to the problem of phishing, this type of site-by-site, data-driven approach is fundamentally flawed. The FDIC has determined that the problem of phishing results from a fundamental inability of website owners to authenticate themselves to their customers in such a way that cannot be replicated by phishers. The SiteKey approach can be replicated in its entirety by a phisher, targeting the common customers of all merchants who use SiteKey, using data stolen from just one careless SiteKey equipped merchant. The purpose for the 3 challenge questions has to do with the fundamental structural problem of the SiteKey approach. SiteKey is dependent on retrieving a "Device ID" from, and writing it to, a user's computer. When Bank of America's customers enter their Login ID, the SiteKey functions attempt to retrieve this "Device ID" from, or write it to, the customer's computer. If successful, the bank then locates the customer record in their database and compares the retrieved Device ID with the Device ID stored in the customer database record. If they match, the bank proceeds to display the image data from the customer record to the customer and waits for their password. 
If, however, a customer is logging in to their bank account from a different computer, or sitting behind a firewall that prohibits such interaction with their computer, or have turned off the ability to accept cookies, certificates, etc., then no Device ID will be retrieved by the bank website. In this case, the bank prompts the customer with one or more of the 3 chall
It's great that they've come up with a new authentication scheme because their old one was horrible. First of all, I wasn't allowed to choose a username, I had to use my SSN. Second, your password could only be 5 or 6 characters long (my memory's a little fuzzy, but I know I couldn't use a longer one). How many people just used their birthday or pet's name? So, if someone got a hold of your SSN (which isn't hard to do) and took a few educated guesses at your short password, they'd be pretty likely to gain access to your account.
I don't know if this new scheme will work out, but it's 10x better than it has been.
...that people will remember that they have picked a 'personal picture' to secure a site, when they can't even remember 'We will NEVER email you to reverify your password or billing information.' from when they signed up?
Until banks provide good security - the kind that common people understand (i.e. an out of order message for some stuff will have the guy doing it again), online fraud will keep happening. Especially with things like credit card numbers, which are printed on the card but are supposed to be a secret.
Quidquid latine dictum sit, altum videtur
"We have received a request to transfer $x to account number Y in Nigeria. If you did not request this please click here to connect to our fraud prevention dept., and confirm your account details and passwords..."
my password really is 'stinkypants'
"STOP! He who approaches the Online Banking Website of Death must answer me these questions three, 'ere the other side he see."
"What...is your name?"
"What...is your quest?"
"What...is the airspeed velocity of an unladen swallow?"
For your security, this post has been encrypted with ROT-13, twice.
This isn't a new thing; it's been going on for a while. And a lot of times the "personal information" they ask for, you don't even know. One credit reporting company asked me what my student loan payments were on a loan I got in August of 2003. I have no friggin clue! Another one asked me for my credit card account numbers, except they misinterpreted another student loan as a credit card (?!). I had no idea what the 'card number' was, but I guessed my social security number, and that was it.
Stupid.
If they're asking you questions you provide, well, that might be a little better. Just as a way to 'prove' to you that the site is actually the site you originally provided the answers to, but that's hardly innovative.
autopr0n is like, down and stuff.
Sitekey is a pseudo-two-factor authentication system (pseudo because both factors of authentication are provided within the framework of the same bug-ridden PC). It absolutely does not resolve the phishing problem for Bank of America customers. It is also vulnerable to a trivial man in the middle attack.
Here's why it doesn't solve phishing: Phishers have and will continue to phish BoA customers for their personal information such as their Social Security Numbers, bank account numbers, mother's maiden name, etc. by crafting email messages that appear to come from BoA.
The man in the middle attack works as follows:
1. Create a phishing web site.
2. Ask the user for their username in exactly the same way as the BoA site does with SiteKey.
3. When you have their username, contact the BoA site and download the list of authenticity questions the site wants to ask the end user.
4. Ask these questions of the phished user.
5. Pass the answers on to the real BoA site.
6. Voila. Not only do you now have access to the BoA site, you have successfully obtained further private information of the end user, such as the user's mother's maiden name.
I wrote about SiteKey on my blog, which for whatever reason is now viewed by Google as one of the leading authorities on SiteKey: http://mailchannels.blogspot.com./ Enjoy!
After getting very close to being 0wned (the person did log into one of my credit card accounts and changed the password, but we got in and reset it before they did anything), my wife and I decided we needed to go to some real password security. We started using a password manager program. So now, our passwords are like 15 or 20+ characters and full of symbols, numbers and junk. We store the password file on a USB flash drive at home (and backed up on a CD in a safe), so it is not kept on that computer. And since the passwords are put in with Copy and Paste, there is no keylogger weakness.
There are lots of password manager programs for any operating system, so try a few until you find one you like. A good feature to have is a password generator built into it. We use Whisper32, and it has a good simple interface. For generating, you tell it the conditions like number of characters and what types of numbers or symbols are allowed and then hit the "Generate" button. If you like what it comes up with, just save it as the password for that account.
It also has a notes field where you can enter stuff like phone numbers or payment addresses for each account.
We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
Yes. No.
My bank(s) have security cameras, so your visit would be filmed. Then they have withdrawal limits if you want cash and you haven't given them 24 hours notice. And then there is the 10K transaction notification - all transactions (in Australia) over 10 grand have to be notified to the government in case you are paying your builder but he's not paying tax. Blow gun running, they don't care as long as the tax is paid.
So you can get a large bank cheque for the amount required but you can't get cash without giving notice. And if you don't have a pin you have to produce some additional photo id like a driver's licence.
-- it must be true, it's on the internet.
You are assuming that the clock on end user pc's will be accurate to within a given tolerance. Good luck with that.
Whenever you login to the REAL bank's website, you should get a popup saying:
"Important! Remember there are scammers out there. If you get an email allegedly from us, don't login from the mail! Open a browser window on your own and login from there."
Has anyone actually used this before complaining that it won't work?
I have a Bank of America account and I have already signed up and I'm using site key. I chose a picture and entered a phrase... along with the three questions. Now, when I login, I have to see the image I chose and the phrase I chose before I enter my password.
A phisher would have to come up with my particular image AND phrase on their fake web site to entice me to enter my password. This is highly unlikely.
This is simply a way for me to verify that I am actually at the BofA site before I enter my password. It is very simple and it seems workable to me.
I've always thought ING Direct had weak security since all it needed was an account #, a 4 digit PIN, and a secret question, usually the first or last 3 or 4 digits of your SSN, your zip code, etc.
With only a 4 digit PIN and maybe a 5 digit zip code, that's only 9 #s, not even alphabets! But the funny thing is, you've never heard of any ING Direct account being hacked into. Maybe there is merit behind these types of secret questions.
HD Trailers
Bottom line: If a credit card of mine gets stolen tomorrow it's a major pain in the rear end but I get all my money back. If someone ever breaks into my BoA account all my assets in the US vanish the same day and don't come back.
Help poke pirates in the eyepatch, arr.
Why do we keep trying to invent new (and fairly interruptive) methods of proving the identity of web-site when we have a perfect, yet sadly under-leveraged, method for this already available: SSL.
The certificate system underlying SSL is already largely in-place, particularly for trusted/confidential sites, and it provides relatively assured proof of identity. The problem is that there's no way we can expect users to click on the little lock icon, and examine or understand certification paths, issuers, subjectAltNames, etc.
Why don't browsers simply make this more plain and prominent? Why not just interpret this information and present it clearly to the user? Just an integrated toolbar that says in plain English/French/German/Japanese/etc. "You and your browser know and trust the certifying authority of Verisign, and according to Verisign, this site [your bank name here] is who they claim to be. Chances are you're safe."
And if something is off, instead of a pop-up box with three relatively cryptic security alerts to which everyone has been trained to say "yes" regardless of understanding, try simply "The identity of this site cannot be confirmed. Click for details, proceed with caution." Different discrepancies can provide commensurate levels of warning to try to avoid cry-wolf syndrome.
This, combined with existing (and also underutilized) techniques to mitigate URL obfuscation won't be perfect, but they will go a long way, and it only requires a little effort from the browser folk.
Yes, this will work perfectly, because everybody knows that the populace loves giving out MORE personal information ONLINE.
Yeah, they love it all right...
Come on, really, who thinks of this shit? Why can't they just be three questions? I hate that about websites that mandate that you have some kind of "secret question" and it's from a drop-down list of "what was your mother's maiden name?" and "what is your favorite pet's name?" and so on. Why can't you just give me a field to type in my own question(s) and its (their) respective answer(s)? Then they can be totally nonsensical and ultimately more secure. "What color is a turnip?" "Bicycle!"
Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
But, if the site must display the picture before the password, that means a phisher can get your image before getting your password as well.
From someone else's comment it sounded like they may need to use one of your three questions in order to first get to the image from a system where you have not previously logged in, but it probably isn't that hard to crack or to phish you for the answer(s) to those question(s).
After all, if you went to BoA right now and they asked you for one of your three questions, would you think something was phishy, or would you just assume they couldn't read your cookies or were just doing a security check? Anyone who believes a phishing email is valid is unlikely to detect fraud if it's pretty easy to guess that one of your questions is "Mother's maiden name".
Did I say overlords? I meant protectors.
Color me pessimistic, but something tells me that this thing will only work in IE (or maybe only in Windows).
I bank with Bank of America. If they change to some funkadelic system that requires Windows, I won't be banking with them for long.
With spending like this, exactly what are "conservatives" conserving?
Looking at SiteKey, it seems to miss the problem. It tries to address authenticating the user to the site in a more secure, less prone to theft, way. The problem is, that's not usually the problem. The more common problem is how to authenticate the site itself to the user before the user presents any information (username, password, account number and such). SiteKey seems to treat this almost as an afterthought, and certainly not the main problem to be solved.
One solution I thought of involves SSL certificates. When I sign up for a web site, why can't I simply create an entity in my browser for the site and say "The current SSL certificate belongs to entity X.". Then later, if I want to visit entity X's site and be sure I'm really talking to them, I select "Entity X" from a pull-down menu or something. When I do that, from then on that window is limited to only SSL connections using certificates I've said belong to entity X. Non-SSL connections, or SSL connections that present any other certificates, are either rejected outright or show me an error with details. Now anyone wanting to spoof a site doesn't just have to spoof the site, they've got to crack the SSL handshake sequence as well or my browser's just going to go "That isn't who you think it is.". The nice thing is that the SSL protocol already has bi-directional authentication built in, it simply needs to be used.
This doesn't even require any sort of absolute identity, either. I'm not so much interested in knowing that it's really any particular entity; just knowing that it's the same entity as when I signed up would be sufficient for most purposes. A self-signed certificate from a site would suffice as long as I was sure I was really talking to them when I signed up and associated the certificate with my idea of who they were. You could do absolute identities, though, just by using the same process but getting the certificates directly from the CA, i.e. instead of signing up on Bank X's site and associating there, I go to Bank X's CA's site, get the certificates from there and associate them even before I sign up. This isn't necessary to stop most phishing schemes, but it'd be a nice addition that lets you be sure when you sign up that you're signing up with who you think you are.
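The per-entity certificate association described in this comment, as an added example that is not the commenter's own code: a small trust-on-first-use store in Python where the user binds a named entity to a certificate fingerprint at sign-up, and later connections in an "entity X" window are allowed only over SSL with one of the pinned certificates. The entity names and the DER byte strings are constructed placeholders, not real certificates.

```python
import hashlib
from typing import Dict, Optional, Set, Tuple

# Added example (not the commenter's code): models "the current SSL
# certificate belongs to entity X" as a fingerprint pin store.
class EntityCertStore:
    def __init__(self) -> None:
        # entity name -> SHA-256 fingerprints the user has associated with it
        self.pins: Dict[str, Set[str]] = {}

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        # Identity here means "same certificate as at sign-up", so a
        # self-signed certificate works just as well as a CA-issued one.
        return hashlib.sha256(cert_der).hexdigest()

    def associate(self, entity: str, cert_der: bytes) -> str:
        """Called once, at sign-up, when the user is sure who they are talking to."""
        fp = self.fingerprint(cert_der)
        self.pins.setdefault(entity, set()).add(fp)
        return fp

    def check(self, entity: str, cert_der: Optional[bytes],
              over_ssl: bool = True) -> Tuple[bool, str]:
        """Decide whether a connection in an 'entity X' window may proceed."""
        if entity not in self.pins:
            return False, f"no certificates associated with {entity!r}"
        if not over_ssl or cert_der is None:
            # Non-SSL connections are rejected outright in an entity window.
            return False, "non-SSL connection rejected"
        fp = self.fingerprint(cert_der)
        if fp in self.pins[entity]:
            return True, "certificate belongs to the selected entity"
        # Any other certificate, however plausible its subject looks, fails.
        return False, "That isn't who you think it is"

# Constructed sample "certificates": opaque bytes standing in for real DER.
BANK_X_CERT = b"constructed-DER: CN=Bank X, self-signed, issued 2005"
BANK_X_RENEWED = b"constructed-DER: CN=Bank X, self-signed, renewed"
LOOKALIKE_CERT = b"constructed-DER: CN=Bank X, issued to someone else"

def demo() -> Dict[str, Tuple[bool, str]]:
    store = EntityCertStore()
    store.associate("Bank X", BANK_X_CERT)      # at sign-up
    store.associate("Bank X", BANK_X_RENEWED)   # user accepted a renewal later
    return {
        "genuine": store.check("Bank X", BANK_X_CERT),
        "renewed": store.check("Bank X", BANK_X_RENEWED),
        "lookalike": store.check("Bank X", LOOKALIKE_CERT),
        "plain_http": store.check("Bank X", None, over_ssl=False),
        "unknown": store.check("Bank Y", BANK_X_CERT),
    }

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} {'ALLOW' if ok else 'BLOCK'}  {reason}")
```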
Why won't Phishers just implement Man In the Middle Attacks?
Spoofed site: Enter your username and password
Clueless user: foo, bar
[spoofed site uses username and password to contact real site and fetch challenge question using anonymous proxy]
Spoofed site: What is your pet's name?
Clueless user: Rover
[spoofed site uses answer to contact real site and fetch challenge question using anonymous proxy]
Spoofed site: What is your birthday?
Clueless user: 1/1/1901
[spoofed site uses answer to contact real site and fetch challenge question using anonymous proxy]
Spoofed site: What is your pet's name?
Clueless user: Rover
[spoofed site uses answer to contact real site and fetch "secret" image using anonymous proxy]
Now, if a second login is required to actually access account data, the user is more than willing to enter it at this point, since the web site has correctly verified that it is authentic.
Randy.Flood@RHCE2B.COM
Are they serious?
That will just be three more randomly generated data bits that I'll have to add to my alternate identity generation script because phishers will merely start adding those same questions to their forms.
The ONLY way phishing will stop is when it no longer yields a return, and that is likely to never happen. At the very least, we can lessen the damage by populating the sites in my known phishing sites RSS feed with bogus, but real-looking data. Feel free to send me any phishing sites you receive.
I'd actually like to put together a Firefox plugin to make this more automated. If anyone is willing to help, feel free to contact me.
Yes, this is a bit of vigilantism, but show me one GOOD alternative (and don't say laws or enforcement) that works and I'll gladly take the feed and script down.
As long as Bank of America is harder to phish than, say, Wells Fargo, then they will probably reduce their phishing rate (at the expense of their users' convenience).
You don't need to be able to run faster than a bear, just faster than the person you are hiking with.
Why the hell don't banks just issue Safeword cards to generate one time passwords. They are still vulnerable to realtime MITM attacks, but it'd make a hell of a difference.
Of course, many users will start to panic when confronted with something like this - "Oh my God, how did the First Bank of the Cayman Islands get my information? What am I going to do now?" rather than do the rational thing - calling the bank and confirming. In a panic, the user may immediately enter their personal information. While they may realize later that they've been phished, it may be too late; additionally, many users may simply be glad that "their bank's fraud protection," worked.
The upshot of all this, of course, is that anything that causes the user to stop and think "that's funny," rather than panic, will help to stop phishing and fraud.
That's it. I'm no longer part of Team Sanity.
To be able to see your site key and phrase, a phisher would first have to know your login name and password to log in so that the phisher's computer would be authorized to view the site key and phrase. Otherwise, the phisher would need to know your user name to try to log in to get asked one of the three questions.
One of my questions is not my mother's maiden name. There are about 10 different questions and you have to choose and answer three of them during setup. So, the phisher would also have to know one of the correct three questions to ask.
An important point no one is making is that even with the best security, it doesn't mean much if users don't take advantage of it. Obviously everyone on here has a clue and doesn't really fall for the phishing trips. But what about the everyday casual user? They don't pay attention and these anti-phishing systems are too cumbersome for them. They just want to put in their username and password and gain access. There's something called the address bar that I find especially useful and it has a high level of security. When I'm trying to access my bank's website and the address bar says "http://iamtryingtostealyourlogininfo.com" (sarcasm), I know I'm not at the place where I want to be. Like a chain, it's only as strong as its weakest link.
"Customers can also verify they are indeed at Bank of America's Web site by clicking on a SiteKey button. If they fail to see a secret image and phrase they had chosen earlier, they could be at a fake Web site and the target of a "phishing" scam."
So the phishing site will already have their user name and password and secret question answers before they can click on the image, right?
As you may know, there is such a thing on the Internet as using digital certificates. And I am wondering why this technology is not discussed in this topic on such an honorable site as /.
In my little European country almost all banks are using them for online banking.
So I wonder what you are talking about - more secure passwords, tokens, what else?
Also in my country we have a Digital Signature Act, which allows transactions to be accepted with a digital signature.
This is a technological, but also a legal question. How can the customer trust the bank, if he/she has received a piece of paper with one-time passwords?
In fact, there is no more secure way for the customer than to generate his keys himself.