SiteKey to Prevent Phishing
Perekrestok writes "An article at CNN talks about a new system called SiteKey which will be rolled out at Bank of America across the U.S. by this fall. The system would require an online user to not only enter a password but also answer three personal questions. More interestingly, the system will have a button which will allow the user to verify that they are indeed at the bank's website and not at some scammer's fake site."
I have a username and password which logs into my bank account. If it were compromised whoever has the password can see my transactions, that's it.
In order to actually do stuff the bank (and all Finnish bank sites I know of) use a challenge/response system: I have a card which has a bunch of random number passwords on it, around 100, in number:password pairs. The site asks for "password number X" (one number per session) and I give it. These passwords are unique to my own account, and the card has no identification, so if my wallet gets stolen it's useless without knowing which bank and account it's for, as well as the username and password for logging in.
If I were fooled by a phishing site they'd get one of the hundred passwords required for a transaction, and the bank would notice pretty quick if they tried logging in and out for hours trying to get the correct challenge assigned to the session.
Simple, yet very effective.
.: Max Romantschuk
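A constructed model of the one-time password card scheme described in the post above (added here as an example; it is not any bank's code). The bank keeps the same ~100 random passwords the card carries, names one index per challenge, retires each password after a single use, and counts abandoned or wrong challenges so that a phisher cycling sessions to fish for the one index they hold is flagged. The ABANDON_LIMIT threshold and the class and method names are assumptions of this example.

```python
import secrets


class OtpCardBank:
    """Bank-side state for one customer's one-time password card."""

    ABANDON_LIMIT = 5  # assumed threshold, not a real bank's rule

    def __init__(self, card=None, card_size=100):
        # The card is a list of single-use passwords; the customer holds a copy.
        self.card = card or [f"{secrets.randbelow(10**6):06d}" for _ in range(card_size)]
        self.used = set()      # indices whose password has already been accepted
        self.pending = None    # index asked for in the current session, if any
        self.strikes = 0       # abandoned sessions and wrong answers
        self.flagged = False   # set once the account looks like it is being probed

    def _strike(self):
        self.strikes += 1
        if self.strikes >= self.ABANDON_LIMIT:
            self.flagged = True

    def start_challenge(self):
        # A new challenge while one is still outstanding means the previous
        # session was abandoned (e.g. the index was not the one the attacker had).
        if self.pending is not None:
            self._strike()
        unused = [i for i in range(len(self.card)) if i not in self.used]
        if not unused:
            raise RuntimeError("card exhausted, issue a new card")
        self.pending = secrets.choice(unused)
        return self.pending  # customer is told: "enter password number X"

    def answer(self, index, password):
        # Accept only the index that was actually asked for in this session,
        # compare in constant time, and never accept a password twice.
        ok = (not self.flagged
              and self.pending is not None
              and index == self.pending
              and secrets.compare_digest(password.encode(), self.card[index].encode()))
        if ok:
            self.used.add(index)  # a phished password is now worthless
        else:
            self._strike()
        self.pending = None
        return ok
```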
I'm a BOA user and use Site Key. For those that have no clue - CNN's interpretation of this "feature" is off. That should not surprise you.
At any rate - when you sign-up for site key, you have 3 questions you can pick and give the answer to. You also select YOUR "siteKey" image.
From that point forward, when you go to the BOA site, you enter your Login ID, click "Login with siteKey" and it will display your sitekey image. This verifies that it is a BOA website because it displayed the correct image to you.
That's all the image is for- verify this is a real BOA website. That is the purpose anyway.
You are then asked to enter your normal password and are directed to your account information.
Now, for the secret questions. Those come into play when you are accessing your account via a PC that was not the original PC you set up siteKey on. If the PC is not recognized (via a cookie I am sure), you are displayed 1 of your 3 questions rather than the sitekey image.
When you answer the question, you are displayed the sitekey for verification and login as normal.
Anyway, that is how it actually works. It isn't asking you 3 questions AND your password every time you login.
I have a BoA account with SiteKey and here is how it works:
- Three questions are one time only and are NOT credit card or account related
- You also choose a tacky photo
- Once the questions are set then it will ask you only one time from the machine you are at to answer one of the three questions
- Once you have answered you are presented with the tacky photo and a request for your password
- You have to reauthenticate at each machine you are at and let BoA know if you want that machine added to the list of "safe" machines, meaning you don't have to answer the question again and are presented with only the photo and request for password.
whew!
speaking as someone whose SO has just lost 4,000 UKP through a compromised work PC via a keylogger and natwest online banking, you're not as safe as you think you are.
the latest PW_Glieder trojans will keylog and report back over a period of time: if you access your online banking a few times and are asked for characters X and Y from your password, chances are quite high that after a few logged sessions, the hacker will have enough info to build your complete password.
this is very common indeed: current SOP is for them to move your money to another account at the same bank to which they've already stolen a matching debit card. move cash, then confederate will go into a branch and withdraw the money in cash and vanish...
I think the point the parent is making is if the bank gives you the image based on username/password, then it is quite possible to get around this.
......
1) You enter your username/password on the phishing site.
2) The phishing site then uses this username/password to retrieve the image from the bank site
3) You verify image
So when he is talking about botnet, he is talking about logging on to the bank site as you using the username/password you just gave them and then showing you the image returned from the bank site.
One more little hurdle for them to overcome which is good, but certainly not foolproof.
"reality has a well-known liberal bias" - Stephen Colbert