Slashdot Mirror

← Back to Stories (view on slashdot.org)

SiteKey to Prevent Phishing

Posted by timothy on from the yeah-right dept.

Perekrestok writes "An article at CNN talks about a new system called SiteKey which will be rolled out at Bank of America across the U.S. by this fall. The system would require an online user to not only enter a password but also answer three personal questions. More interestingly, the system will have a button which will allow the user to verify that they are indeed at the bank's website and not at some scammer's fake site."

3 of 377 comments (clear)

  1. Simpler solution: password cards by Max+Romantschuk · · Score: 4, Informative

    I have a username and password which logs into my bank account. If it were compromised whoever has the password can see my transactions, that's it.

    In order to actually do stuff the bank (and all Finnish bank sites I know of) use a challenge/response system: I have a card which has a bunch of randon number passwords on it, around a 100, in number: password -pairs. The site asks for "password number X" (one number per session) and I give it. These passwords are unique to my own account, and the card has no identification, so if my wallet gets stolen it's useless without knowing which bank and account it's for, as well as the username and password for logging in.

    If I were fooled by a phishing site they'd get one of the hundred passwords required for a transaction, and the bank would notice pretty quick if they tried logging in and out for hours trying to get the correct challenge assigned to the session.

    Simple, yet very effective.

    --
    .: Max Romantschuk :: http://max.romantschuk.fi/
  2. How this actually works... by Anonymous Coward · · Score: 4, Informative

    I'm a BOA user and use Site Key. For those that have no clue - CNN's interpretation of this "feature" is off. That should not surprise you.

    At any rate - when you sign-up for site key, you have 3 questions you can pick and give the answer to. You also select YOUR "siteKey" image.

    From that point forward, when you go to the BOA site, you enter your Login ID, click "Login with siteKey" and it will display your sitekey image. This verifies that it is a BOA website because it displayed you the correct image.

    That's all the image is for- verify this is a real BOA website. That is the purpose anyway.

    You are then asked to enter your normal password and are directed to your account information.

    Now, for the secret questions. Those come into play when you are accessing your account via a PC that was not the original PC you setup siteKey on. If the PC is not recognized (via a cookie I am sure), you are displayed 1 of your 3 questions rather than the sitekey image.

    When you answer the question, you are displayed the sitekey for verification and login as normal.

    Anyway, that is how it actually works. It isnt asking you 3 questions AND your password every time you login.

  3. Re:Useless. by blatantdog · · Score: 4, Informative

    I have a BoA account with SiteKey and here is how it works:

    - Three questions are one time only and are NOT credit card or account related
    - You also choose a tacky photo
    - Once the questions are set then it will ask you only one time from the machine you are at to answer one of the three questions
    - Once you have answered you are presented with the tacky photo and a request for your password
    - You have to reauthenitcate at each machine you are at and let BoA know if you want that machine added to the list of "safe" machines, meaning you don't have to answer the question again and are presented with only the photo and request for password.

    whew!