Slashdot Mirror


SiteKey to Prevent Phishing

Perekrestok writes "An article at CNN talks about a new system called SiteKey which will be rolled out at Bank of America across the U.S. by this fall. The system would require an online user to not only enter a password but also answer three personal questions. More interestingly, the system will have a button which will allow the user to verify that they are indeed at the bank's website and not at some scammer's fake site."

10 of 377 comments

  1. Simpler solution: password cards by Max+Romantschuk · · Score: 4, Informative

    I have a username and password which logs into my bank account. If it were compromised whoever has the password can see my transactions, that's it.

    In order to actually do stuff, the bank (and all Finnish bank sites I know of) uses a challenge/response system: I have a card which has a bunch of random number passwords on it, around 100, in number:password pairs. The site asks for "password number X" (one number per session) and I give it. These passwords are unique to my own account, and the card has no identification, so if my wallet gets stolen it's useless without knowing which bank and account it's for, as well as the username and password for logging in.

    If I were fooled by a phishing site they'd get one of the hundred passwords required for a transaction, and the bank would notice pretty quickly if they tried logging in and out for hours trying to get the correct challenge assigned to the session.

    Simple, yet very effective.

    --
    .: Max Romantschuk :: http://max.romantschuk.fi/
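The numbered one-time password card described in this comment, as an added example (not the commenter's or any bank's code). Assumed design: the bank keeps about 100 numbered codes per account, binds one random unused number to each session, consumes a code once it is accepted, and locks the account after repeated wrong answers; all names are hypothetical.

```python
import secrets
import string

CODE_LEN = 4        # digits per code on the card
CARD_SIZE = 100     # codes per card, as in the comment
MAX_FAILURES = 3    # wrong answers before the bank "notices"

def make_card(size=CARD_SIZE, code_len=CODE_LEN):
    """Generate {number: code} for one account; the card itself carries no account id."""
    return {n: "".join(secrets.choice(string.digits) for _ in range(code_len))
            for n in range(1, size + 1)}

class Bank:
    """Server side of the challenge/response: one challenge number per session."""

    def __init__(self, card):
        self.unused = dict(card)   # codes not yet consumed
        self.sessions = {}         # session id -> challenged number
        self.failures = 0
        self.locked = False

    def start_session(self):
        """Bind a random unused challenge number to a fresh session id."""
        if self.locked or not self.unused:
            raise RuntimeError("account locked or card exhausted")
        sid = secrets.token_hex(8)
        self.sessions[sid] = secrets.choice(sorted(self.unused))
        return sid, self.sessions[sid]

    def respond(self, sid, code):
        """Check the code against the number bound to this session; consume it on success."""
        number = self.sessions.pop(sid, None)   # a session gets exactly one attempt
        if number is None or self.locked:
            return False
        if secrets.compare_digest(self.unused.get(number, ""), code):
            del self.unused[number]             # single use: a captured code cannot be replayed
            self.failures = 0
            return True
        # A phisher holding one leaked code must wait for that exact number to be
        # challenged; every wrong answer counts toward the lockout.
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False
```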
  2. Re:I don't have time for that junk by iamdrscience · · Score: 3, Informative
    Phishing sites will include a big button as well; clicking it will say: Of course you're on the real bank website.
    RTFA. Clicking the button shows a picture to the user that they have picked. A phisher would not be able to easily defeat this.
  3. Re:A button? by R.D.Olivaw · · Score: 2, Informative
    How exactly does a button make this not a phishing site? Are you telling me Bank of America has coders who can create buttons that have a greater level of power than the boys over in Ukraine or Russia? C'mon now...

    from TFA: "Customers can also verify they are indeed at Bank of America's Web site by clicking on a SiteKey button. If they fail to see a secret image and phrase they had chosen earlier, they could be at a fake Web site and the target of a "phishing" scam."

  4. How this actually works... by Anonymous Coward · · Score: 4, Informative

    I'm a BOA user and use Site Key. For those that have no clue - CNN's interpretation of this "feature" is off. That should not surprise you.

    At any rate - when you sign up for site key, you have 3 questions you can pick and give the answer to. You also select YOUR "siteKey" image.

    From that point forward, when you go to the BOA site, you enter your Login ID, click "Login with siteKey" and it will display your sitekey image. This verifies that it is a BOA website because it displayed you the correct image.

    That's all the image is for: to verify this is a real BOA website. That is the purpose anyway.

    You are then asked to enter your normal password and are directed to your account information.

    Now, for the secret questions. Those come into play when you are accessing your account via a PC that was not the original PC you setup siteKey on. If the PC is not recognized (via a cookie I am sure), you are displayed 1 of your 3 questions rather than the sitekey image.

    When you answer the question, you are displayed the sitekey for verification and login as normal.

    Anyway, that is how it actually works. It isn't asking you 3 questions AND your password every time you login.

  5. Re:Useless. by blatantdog · · Score: 4, Informative

    I have a BoA account with SiteKey and here is how it works:

    - Three questions are one time only and are NOT credit card or account related
    - You also choose a tacky photo
    - Once the questions are set then it will ask you only one time from the machine you are at to answer one of the three questions
    - Once you have answered you are presented with the tacky photo and a request for your password
    - You have to reauthenticate at each machine you are at and let BoA know if you want that machine added to the list of "safe" machines, meaning you don't have to answer the question again and are presented with only the photo and request for password.

    whew!
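The login sequence that comments 4 and 5 describe (device cookie, then one of three questions on an unrecognised machine, then the image and phrase, then the password), as an added example that is not Bank of America's code. Assumptions: device recognition is a random cookie token stored per user, answers and the password are stored hashed, and the sample enrollment record is constructed; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _h(s):
    """Hash a secret for storage; answers are normalised so 'Rex ' matches 'rex'."""
    return hashlib.sha256(s.strip().lower().encode()).hexdigest()

def sample_user():
    """Constructed enrollment record for one customer."""
    return {
        "login_id": "alice",
        "password": _h("correct horse"),
        "questions": {"First pet?": _h("rex"), "Birth city?": _h("oslo"),
                      "First car?": _h("saab")},
        "sitekey": ("beach.jpg", "sunny days"),   # chosen image and phrase
        "devices": set(),                          # recognised device cookies
    }

def login_step1(user, login_id, device_cookie):
    """After the login id: show the image on a known device, else one question."""
    if login_id != user["login_id"]:
        return ("unknown_user",)
    if device_cookie in user["devices"]:
        return ("sitekey",) + user["sitekey"]
    question = secrets.choice(sorted(user["questions"]))
    return ("question", question)

def answer_question(user, question, answer, remember_device):
    """Verify the challenge answer, optionally enroll the device, then show the image."""
    if not hmac.compare_digest(user["questions"][question], _h(answer)):
        return None
    cookie = None
    if remember_device:
        cookie = secrets.token_urlsafe(16)
        user["devices"].add(cookie)       # this machine is now "safe"
    return ("sitekey",) + user["sitekey"] + (cookie,)

def login_step2(user, password):
    """Final step: the password is only asked once the image has been shown."""
    return hmac.compare_digest(user["password"], _h(password))
```

Note that the image is released before the password, gated only on a cookie or a challenge answer, which is what the later comments rely on.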

  6. keyloggers aren't useless by RMH101 · · Score: 3, Informative

    Speaking as someone whose SO has just lost 4,000 UKP through a compromised work PC via a keylogger and NatWest online banking, you're not as safe as you think you are.
    The latest PW_Glieder trojans will keylog and report back over a period of time: if you access your online banking a few times and are asked for characters X and Y from your password, chances are quite high that after a few logged sessions, the hacker will have enough info to build your complete password.
    This is very common indeed: current SOP is for them to move your money to another account at the same bank to which they've already stolen a matching debit card. Move cash, then a confederate will go into a branch and withdraw the money in cash and vanish...

  7. Re:I don't have time for that junk by CaymanIslandCarpedie · · Score: 3, Informative

    I think the point the parent is making is if the bank gives you the image based on username/password, then it is quite possible to get around this.

    1) You enter your username/password on the phishing site.
    2) The phishing site then uses this username/password to retrieve the image from the bank site
    3) You verify image ......

    So when he is talking about botnet, he is talking about logging on to the bank site as you using the username/password you just gave them and then showing you the image returned from the bank site.

    One more little hurdle for them to overcome, which is good, but certainly not foolproof.

    --
    "reality has a well-known liberal bias" - Steven Colbert
  8. A Quick Anti-Phishing Tutorial by pandrijeczko · · Score: 2, Informative
    This is a header from a mail I received claiming to be from Ebay inviting me to become a Power Seller:

    Received: from ebay.com (84-22-184-100.iomart.com [84.22.184.100]

    It already tells me it's not from Ebay, but let's pretend we only have the IP address to work with. A quick reverse DNS check:

    aragorn ~ # hostx 84.22.184.100
    Name: niciis1.iomart.com
    Address: 84.22.184.100

    The above was done on a Linux box but a Windows user with Outlook can just bring up the email, select View/Options and look at the last "Received:" line in the email. Pull the IP address out of that line and use "nslookup" in place of "hostx" above in the CMD prompt.

    Yes, this one's definitely not from Ebay but from someone on the iomart.com domain. Email is fake, phishing scam failed. Just do the same test with any suspect email and see if the domain name is what you expect it should be. It's that simple!

    It's nothing flash and helluva lot of people on Slashdot already know how to do this, be they Linux, Windows, Other OS users.

    In fact, an automated script on my mail server already did this for me and SpamAssassin had already captured this as a Spam email.

    So to the less experienced people out there, this is just a quick demonstration to show you how easy it is to detect a phished email. All it needs is a little investigation and a little knowledge...

    So let's hear no more about phishing because we are now all responsible enough to do it ourselves.

    Move along, nothing more to see here.

    --
    Gentoo Linux - another day, another USE flag.
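The check this tutorial walks through, parsing the connecting IP out of a Received: header, resolving it in reverse and comparing the result with the domain the sender claimed, as an added example that is not the commenter's code. It goes slightly beyond the post by comparing registered domains rather than eyeballing the name. The header constant is the one quoted above with its closing parenthesis restored; the reverse-DNS table is constructed from the "hostx" output shown so the example runs offline, and `socket.gethostbyaddr` is used when no table is supplied.

```python
import re
import socket

# Header quoted in the post, closing parenthesis restored for parsing.
RECEIVED = "Received: from ebay.com (84-22-184-100.iomart.com [84.22.184.100])"

# Constructed offline reverse-DNS table mirroring the lookup shown in the post.
FAKE_RDNS = {"84.22.184.100": "niciis1.iomart.com"}

# "from <claimed HELO name> (<name seen by the MTA> [<ip>])"
_RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s+\([^\s\[]*\s*\[(?P<ip>[\d.]+)\]")

def parse_received(line):
    """Return (claimed sender name, connecting IP) from a Received: line, or None."""
    m = _RECEIVED_RE.search(line)
    if not m:
        return None
    return m.group("claimed"), m.group("ip")

def reverse_lookup(ip, table=None):
    """Resolve ip -> hostname via the table (offline) or a real PTR lookup."""
    if table is not None:
        return table.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def registered_domain(host):
    """Crude last-two-labels domain: fine for .com, not for e.g. .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_sender(line, table=None):
    """Compare the claimed domain with the reverse DNS of the connecting IP."""
    parsed = parse_received(line)
    if parsed is None:
        return {"verdict": "unparsed"}
    claimed, ip = parsed
    rdns = reverse_lookup(ip, table)
    if rdns is None:
        return {"verdict": "no-rdns", "ip": ip, "claimed": claimed}
    same = registered_domain(claimed) == registered_domain(rdns)
    return {"verdict": "match" if same else "mismatch",
            "ip": ip, "claimed": claimed, "rdns": rdns}

if __name__ == "__main__":
    print(check_sender(RECEIVED, FAKE_RDNS))
```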
  9. Sitekey is better than article states by rnelsonee · · Score: 2, Informative

    I use Bank of America in Maryland, one of the test areas for SiteKey. As of now, the three challenge questions aren't used, although they did ask me to give them 3 challenge/response pairs. What Sitekey does do is, after you sign in traditionally (Firefox stores this for me already, so I just click on 'Log in using Sitekey'), it shows you an image and phrase of your choosing. The important thing is that the image is stored (and encrypted) on BoA's server. So a phisher wouldn't have access to it, and would have to guess what your image is. It's the same tech discussed previously on Slashdot.

  10. Sitekey does not solve phishing by ttul · · Score: 2, Informative

    Sitekey is a pseudo-two-factor authentication system (pseudo because both factors of authentication are provided within the framework of the same bug-ridden PC). It absolutely does not resolve the phishing problem for Bank of America customers. It is also vulnerable to a trivial man in the middle attack.

    Here's why it doesn't solve phishing: Phishers have and will continue to phish BoA customers for their personal information such as their Social Security Numbers, bank account numbers, mother's maiden name, etc., by crafting email messages that appear to come from BoA.

    The man in the middle attack works as follows:

    1. Create a phishing web site.

    2. Ask the user for their username in exactly the same way as the BoA site does with SiteKey.

    3. When you have their username, contact the BoA site and download the list of authenticity questions the site wants to ask the end user.

    4. Ask these questions of the phished user.

    5. Pass the answers on to the real BoA site.

    6. Voila. Not only do you now have access to the BoA site, you have successfully obtained further private information of the end user, such as the user's mother's maiden name.

    I wrote about SiteKey on my blog, which for whatever reason is now viewed by Google as one of the leading authorities on SiteKey: http://mailchannels.blogspot.com./ Enjoy!