SiteKey to Prevent Phishing

Perekrestok writes "An article at CNN talks about a new system called SiteKey which will be rolled out at Bank of America across the U.S. by this fall. The system would require an online user to not only enter a password but also answer three personal questions. More interestingly, the system will have a button which will allow the user to verify that they are indeed at the bank's website and not at some scammer's fake site."

22 of 377 comments

  1. Useless. by Seumas · · Score: 5, Insightful

    And those three personal questions will be:

    What is your credit card number?

    What is your credit card's expiration date?

    What is your credit card's three-digit CCV number?

    Seriously though, I don't care if you require users to use ten pieces of personal information. They'll still choose to use the same information at 90% of the sites they deal with. And there will still be people with access to that information - whether they're administrators and customer service persons or crackers who steal their database full of customer data. The only difference is that instead of having your password and maybe credit card stolen, you'll also have thieves who have three or more pieces of personal information about you.

    Thanks, but I'll keep using the ambiguous password. It's easy to find out where a person was born or when or what their maiden name is. It's a lot more difficult to guess that their password is aPh1l@m8.

    Besides, I never give those "personal question" fields real information. Then I end up not only having to remember a password for each site, but a fake maiden name, birthplace, favorite team, first pet and so on. Screw that noise.

    And if you're dumb enough to think that PayPal really is sending you two dozen queries about the validity of your account per day, you should just give your money away and shoot yourself in the head anyway.

  2. Good thought but... by Anonymous Coward · · Score: 0, Insightful

    People can't even remember their passwords let alone the answer to three questions and their password.

  3. UK has had this kind of tech for ages by MikeDX · · Score: 5, Insightful

    "My" online bank http://www.cahoot.com/ (which is the online arm of the Abbey National) has had this type of authentication for ages. Every time I login, I am asked different questions, each login is different and has worked extremely well. Of course if you are phished you can still be tricked into giving away the answers to the questions you gave and used during the signup process. Instead of providing your complete password, you give certain characters from the password, for example the 2nd and 6th characters, selected from a drop down box, so keyloggers are effectively rendered useless.

    There are always going to be people who are too careless with their information, and there will always be other people who are very willing to take all of your personal information to clean out your bank accounts.

    1. Re:UK has had this kind of tech for ages by Gaima · · Score: 2, Insightful

      Every time I login, I am asked different questions, each login is different and has worked extremely well

      Halifax do the same, but Cahoot's system is flawed in a different way than all multi-question systems are flawed.

      Firstly, Cahoot's flaw, because it's funny.
      I've had a cahoot account for a long time, long before they changed to asking for 2 letters from an answer, entered from drop down boxes. The first time I tried to login with this new system, I could not, because the answer to the question they kept asking me had characters in it the drop down boxes didn't have!
      Why they couldn't just generate a list of all the characters in all the answers I don't know... Won't be doing any more business with them.

      Second problem.
      A *long* time ago I thought I'd go look at a phishing attempt for Halifax. They've always had multiple questions/answers AFAIK. The phishing site was quite simple, they asked for the answer to all 3 standard questions on one page!

      As at least one other poster has mentioned, the Finnish (?) system, with random numbers on a card is the way forward. No question.

  4. Doh! by Klivian · · Score: 1, Insightful

    "the system will have a button which will allow the user to verify that they are indeed at the bank's website and not at some scammer's fake site."

    Brilliant idea, not. If the phishers don't make a similar feature, they are rather incompetent I'd say. Something like: Click here -> Oh yes, it's us, don't worry. Just give us your banking data, we are not some scammers.

    1. Re:Doh! by MadCow42 · · Score: 2, Insightful

      Brilliant comment, not.

      The image/phrase shown is supposed to be a secret one that the customer chose beforehand (i.e. when setting up their account).

      So, when I go to my bank site and click the button (presumably after logging in so they know who I am), if I don't see the cute little picture of my son and the phrase "you're cool", then I know it's a fraud.

      It's not just a standard image/phrase... it's customized and unique.

      RTFA, or even TFComments.

      MadCow.

      --
      I used to have a sig, but I set it free and it never came back.

  5. and this "prevents" it how? by ack154 · · Score: 2, Insightful

    "If they fail to see a secret image and phrase they had chosen earlier, they could be at a fake Web site and the target of a "phishing" scam."

    I don't understand how this is going to stop stupid people from entering their info on some other website that the phishers have set up. It's not like the fake website is going to say "hey, there's no sitekey button here, we're not real."

    I just don't think changing the login procedure for the actual site has anything to do with stupid people clicking fake links and entering their info into a phishing site... If I'm missing a piece of this, please, do tell.

  6. More feel good security by thogard · · Score: 2, Insightful

    The button might help. But the button on the phishing site might go off to a bot network that pulls a real picture off the main site and there is no way to tell if that's happening from the bank side of things.

    There are a few questions I'm not going to answer online and I'm guessing most of them will be suggested questions.

    The last issue is why the high security when it's not needed? My credit card balance is public knowledge at least to anyone that can do a credit check which limits it to about 10 million people.
    A better system is typical lame password security access for read access to balances and transaction lists but an extra layer when I want to do something like move money to a different account and maybe an extra layer if I want to do something like move money to a foreign country.

  7. Re:I don't have time for that junk by DingerX · · Score: 4, Insightful

    Nonsense. "We're sorry. Our personal image and passphrase server is offline for routine maintenance. Please continue about your transaction."

  8. Reverse the logic for it to work by bigattichouse · · Score: 2, Insightful

    The bank site needs to tell *YOU* something secret first.

    Me (arriving at site): zooble my gooble?
    Bank Site: flooble
    Me (ok I trust you)

    Instead of the site asking me for a password, I give the bank a challenge word or phrase, and I expect a certain response.

    --
    meh
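
The exchange bigattichouse sketches above ("zooble my gooble?" / "flooble"), written out as a mutual challenge-response with HMAC. This is an added example, not code from the original thread or from any bank: the shared secret, message labels and function names are assumptions, and the "Me" side would have to be a device or client program, since a person cannot compute an HMAC by hand.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for illustration only; in practice it would be set up
# at enrolment and held by the user's device, never typed into a web page.
SHARED_SECRET = b"constructed-example-secret"


def bank_response(secret: bytes, user_challenge: bytes) -> bytes:
    """The bank speaks first: its reply is bound to the user's fresh challenge ("flooble")."""
    return hmac.new(secret, b"bank|" + user_challenge, hashlib.sha256).digest()


def user_proof(secret: bytes, user_challenge: bytes, bank_challenge: bytes) -> bytes:
    """Only after the bank has authenticated does the user answer; the proof covers both nonces."""
    msg = b"user|" + user_challenge + b"|" + bank_challenge
    return hmac.new(secret, msg, hashlib.sha256).digest()


def run_exchange(user_secret: bytes, site_secret: bytes) -> dict:
    """Simulate both sides. A site that lacks the real secret gets nothing from the user."""
    user_nonce = secrets.token_bytes(16)            # "zooble my gooble?"
    reply = bank_response(site_secret, user_nonce)  # what the site we reached sends back
    expected = bank_response(user_secret, user_nonce)
    if not hmac.compare_digest(reply, expected):
        # Wrong answer: stop here, so the user reveals nothing to a fake site.
        return {"bank_authenticated": False, "user_sent_proof": False}
    site_nonce = secrets.token_bytes(16)
    proof = user_proof(user_secret, user_nonce, site_nonce)
    ok = hmac.compare_digest(proof, user_proof(site_secret, user_nonce, site_nonce))
    return {"bank_authenticated": True, "user_sent_proof": True, "user_authenticated": ok}
```

A site that simply relays the nonces to the real bank still passes this check, which is the hole jesup and eth1 describe further down; tying the exchange to the TLS session (channel binding) is the usual way to close it.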

  9. Re:How will SiteKey stop phishing? by iamdrscience · · Score: 3, Insightful

    From TFA: "Customers can also verify they are indeed at Bank of America's Web site by clicking on a SiteKey button. If they fail to see a secret image and phrase they had chosen earlier, they could be at a fake Web site and the target of a "phishing" scam."

    So... once the person has given his account id, password, and answers to 3 personal questions, only then can he verify BofA's site identity?

    What kind of idiot came up with that idea?
    The idea works with two levels of verification. For instance, you might have to enter a username and password and then be allowed to see your secret image, then after that, you enter another username and password. This way, nobody can see your picture unless they already have your username and password, and if you get phished for those, you know it because the picture isn't right, but they don't have your second username and password required to actually access your account. I suspect that this system will work similar to that, but instead of a second username and password, you enter the answers to your personal questions.

    Still though, it seems like a potential flaw would be that you have to click on something to verify you're on the bank's site. Why not just show you your picture by default? It seems like a lot of people just wouldn't bother verifying the site and they would get phished the same as they would be now.

  10. Hello, this is the Visa card center calling. by Vo0k · · Score: 5, Insightful

    - Hello, this is the Visa card center calling. Am I talking with Mr. John Doe?
    - Yes, that's me. What's the matter?
    - We'd like to confirm. Are you trying to make a big purchase in a shop in New York?
    - No! I'm in Washington, DC! Oh my god! My wallet is missing! My card has been stolen!
    - Would you like to cancel the transaction and block your credit card?
    - Yes, please! Right now!
    - In order to do so, we need to confirm that you are indeed John Doe, the owner of the card and not that mr Doe's phone has been stolen.
    - Please! How do we do it?
    - Please give me the number of the credit card in question.
    - I don't remember!
    - Expiration date?
    - Next year, july or june, or maybe august...
    - sorry, I can't take that for an answer. Any other info? Maybe the account number associated with the card? Or maybe the PIN number?
    - The PIN is 8352
    - Thanks, sucker!

    --
    Anagram("United States of America") == "Dine out, taste a Mac, fries"

  11. Re:keyloggers aren't useless by daBass · · Score: 2, Insightful

    MikeDX said: "for example the 2nd and 6th characters, selected from a drop down box".

    The important bit being the dropdown box. Sure, some browser plugin might still be able to get in the middle, but a keylogger is useless.

    You say you lost money, did NatWest pony up the cash, or were you personally responsible?

  12. Re:I don't have time for that junk by jesup · · Score: 3, Insightful

    As another poster pointed out, the Phisher can (instead of capturing your password) just initiate a MITM attack - create a spoof website that takes your info, passes it to the bank, and shows you what the bank sends you. Unless the bank overlays the apparent IP address (and the user knows if it's correct) of the source, this will work. More hassle, but lets them get all your info, then pass you off to finish your transaction, then they log in to strip your account.

    There is a way to deal with this problem too, but I can't go into it at present. (Sorry)

  13. One possible problem. by argent · · Score: 2, Insightful

    You pick your "sitekey" image from their website?

    Presumably they only have a limited number of images. The phisher can display one of the possible sitekey images at random. They will only catch at most 1/N victims, but they will have a better chance of catching the 1/N that they do match because that person will have seen the right sitekey.

  14. back door taped shut, front door still wide open by drfireman · · Score: 2, Insightful

    Phishers (or whatever you want to call them) don't want your credit card number so that they can log into your card issuer's site as you. They want it so that they can buy stuff using the card. Your site can ask for your fingerprints, a sample of your DNA, and a photograph of your bathroom, and it won't help a bit with the phishing problem as long as vendors, the people who accept credit cards in exchange for merchandise, are willing to make do with the kind of information phishers can get most easily.

  15. Why not 143 passwords and 79 questions? by gelfling · · Score: 2, Insightful

    This is absolute nonsense. I can't tell you how many websites I've stopped doing business with because of their insane registration and logon requirements. This will just make that worse.

  16. Re:SSL? by antxxxx · · Score: 2, Insightful

    Mention an SSL certificate or CA to the majority of people and they will give you a blank look. Getting them to only enter details on a site that uses SSL, let alone one that has a valid CA is hard enough.

    Telling them they can check it's the correct site by clicking on a button that shows them a picture they chose is a lot easier.

  17. Re:How will SiteKey stop phishing? by eth1 · · Score: 2, Insightful

    "This way, nobody can see your picture unless they already have your username and password, and if you get phished for those, you know it because the picture isn't right, but they don't have your second username and password required to actually access your account."

    So, if I were a phisher, I'd work it like this:
    User: *enter u/p on phishing site*
    Phishing site: *slurp*
    Phishing site: *log in to bank site with new u/p and retrieve image*
    Phishing site: Look! We're really the bank, see??
    User: *phew!* *enters other u/p*
    Phishing site: *slurp*
    User: NOOOO!!

    And if you can't get the image immediately, just print an error and tell the user to either continue or return later.

  18. Re:keyloggers aren't useless by bonzooznob · · Score: 2, Insightful

    On his bank site (Cahoot), it requests that you use your mouse to pick, from a select list, with a scroll bar, which item you want. It isn't perfect, but it is fairly effective in stopping even a keylogger.

    The keylogger, wouldn't recognize a keystroke, because there wouldn't be one. If it was a "good" app, it might pick up the mouse click, and the co-ordinates of the click, but... the browser window, may be in a different spot each time, the scrolling of the page may be different, AND, the scrolling within the select list, WILL likely be different.

    So the hacker, if lucky, would have evidence of mouse clicks, but not know on which characters, for which positions (e.g. pos=2, pos=5, pos=3...)

    Again, not the perfect solution, but definitely a much better solution than most.

    --
    Bonzo
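
A server-side verifier for the "give the 2nd and 6th characters from a drop-down" scheme that MikeDX, Gaima and bonzooznob describe above, added here as an example and not Cahoot's or any bank's code; the drop-down alphabet, the number of positions asked and the function names are assumptions. It also covers Gaima's complaint by rejecting, at registration, any secret containing characters the drop-downs could never offer, and it carries the caveat a practitioner should know: the bank must hold the secret in recoverable form, because a one-way hash of the whole secret cannot be checked against two of its characters.

```python
import hmac
import secrets
import string

# Constructed drop-down alphabet (assumption; the real list is not on the page).
# Gaima's answer contained characters the drop-downs lacked, so registration
# has to refuse anything outside this set up front.
DROPDOWN_ALPHABET = string.ascii_letters + string.digits


def disallowed_chars(secret: str) -> list:
    """Characters in `secret` that no drop-down could offer; an empty list means the secret is acceptable."""
    return sorted(set(secret) - set(DROPDOWN_ALPHABET))


def choose_positions(secret_len: int, k: int = 2) -> list:
    """Pick k distinct 1-based positions to challenge, from a CSPRNG so each login asks something new."""
    if k > secret_len:
        raise ValueError("cannot ask for more positions than the secret has")
    return sorted(secrets.SystemRandom().sample(range(1, secret_len + 1), k))


def verify_partial(stored_secret: str, positions: list, supplied: str) -> bool:
    """Compare the drop-down selections with the challenged positions of the stored secret.

    `stored_secret` has to be the plaintext (or decryptable) secret: the scheme
    cannot work from a password hash, so the stored value needs protecting by
    other means, for example encryption under a key kept away from the database.
    """
    if len(supplied) != len(positions):
        return False
    if any(p < 1 or p > len(stored_secret) for p in positions):
        return False
    expected = "".join(stored_secret[p - 1] for p in positions)
    # Constant-time compare so response timing does not leak which character was wrong.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```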

  19. "even by email to alert a user that it's happened" by weierstrass · · Score: 3, Insightful

    "We have received a request to transfer $x to account number Y in Nigeria. If you did not request this please click here to connect to our fraud prevention dept., and confirm your account details and passwords..."

    --
    my password really is 'stinkypants'

  20. Why not properly use existing solutions? by Moosifer · · Score: 2, Insightful

    Why do we keep trying to invent new (and fairly interruptive) methods of proving the identity of web-site when we have a perfect, yet sadly under-leveraged, method for this already available: SSL.

    The certificate system underlying SSL is already largely in place, particularly for trusted/confidential sites, and it provides relatively assured proof of identity. The problem is that there's no way we can expect users to click on the little lock icon, and examine or understand certification paths, issuers, subjectAltNames, etc.

    Why don't browsers simply make this more plain and prominent? Why not just interpret this information and present it clearly to the user? Just an integrated toolbar that says in plain english/french/german/japanese/etc. "You and your browser know and trust the certifying authority of Verisign, and according to Verisign, this site [your bank name here] is who they claim to be. Chances are you're safe."

    And if something is off, instead of a pop-up box with three relatively cryptic security alerts to which everyone has been trained to say "yes" regardless of understanding, try simply "The identity of this site cannot be confirmed. Click for details, proceed with caution." Different discrepancies can provide commensurate levels of warning to try to avoid cry-wolf syndrome.

    This, combined with existing (and also underutilized) techniques to mitigate URL obfuscation won't be perfect, but they will go a long way, and it only requires a little effort from the browser folk.