Slashdot Mirror


SiteKey to Prevent Phishing

Perekrestok writes "An article at CNN talks about a new system called SiteKey which will be rolled out at Bank of America across the U.S. by this fall. The system would require an online user to not only enter a password but also answer three personal questions. More interestingly, the system will have a button which will allow the user to verify that they are indeed at the bank's website and not at some scammer's fake site."

18 of 377 comments

  1. I don't have time for that junk by A Dafa Disciple · Score: 5, Interesting

    When I'm on the web, even when looking at my bank account, I'm not trying to be held up by extraneous questions.

    Keep the password.
    Keep the button (which seems like a great idea by the way).
    Ditch the three questions.

    1. Re:I don't have time for that junk by LiquidCoooled · Score: 5, Interesting

      (dunno why you're marked as troll, but anyway)

      Phishing sites will include a big button as well
      clicking it will say:
      Of course you're on the real bank website

      It does no good. I prefer the way my bank currently does it: I told them (in person, when setting this up) a pass code, and when logging in they ask me for random sections of it (i.e. 1st, third and last digits).

      The scammers must manage to fool me multiple times to gain complete access to my account details.

      --
      liqbase :: faster than paper
    2. Re:I don't have time for that junk by iamdrscience · Score: 2, Interesting

      Nonsense. "We're sorry. Our personal image and passphrase server is offline for routine maintenance. Please continue about your transaction."
      The thing about that is it's just one more thing to tip a user off that something's not right. You might catch some people with that, maybe even the vast majority, but suppose it only stops 5% of users from continuing. That's a 5% reduction in phished account passwords, and that's not too bad. Sure this scheme isn't going to solve the whole problem, but any little bit helps.

      Also, I don't think saying that the server is offline would be as effective as you think. I mean, with most phishing schemes that's not going to be the only thing that might tip off a potential phish that things aren't right. For instance, most phishing scams go by e-mail. Somebody might be a little suspicious of an e-mail asking for them to verify their bank information (if not because it's an e-mail, then because it's likely to contain spelling mistakes if it's spam from overseas), but decide to go to the site because of the urgency in the e-mail (most threaten that if the e-mail isn't responded to immediately, their account will be shut down). If they're already a little suspicious, this one more suspicious thing might be enough to get them to say "fuck it, I'm not sure about this" and call up the bank to see what's up instead (or more likely than calling, they'll probably just ignore the situation and hope everything works out right).
    3. Re:I don't have time for that junk by clausiam · Score: 2, Interesting

      No, the bank uses your username to get you the image and your own personal sitekey text. You only enter the password once you're happy with the sitekey. If your machine is recognized (cookie) you only need to enter your username to get the sitekey. If not, you are asked to answer the 3 personal questions.

      For a phisher to break this he would either need to know the 3 questions or he would have to read your BofA-site-only cookies (don't know if such an exploit is possible) and use your username and cookie to retrieve the sitekey from BofA.

  2. Monkey in the middle by DaveCar · Score: 2, Interesting

    Difficult to tell seeing as TFA is almost completely content free, but if I were a scammer couldn't I just act as MITM with the SiteKey button to get the 'secret' image containing their magic phrase?

    1. Re:Monkey in the middle by DaveCar · Score: 1, Interesting

      I think others have already pointed out the ways in which this is already done, so I won't go into them again, but if HTTPS were so good at stopping phishing then we wouldn't need anything like this SiteKey crap, would we? For your average Joe, they will see a little padlock and think "Hey, I'm safe!". Sure, they are having an encrypted, secure session - with a phisher.

      Personally, I think it's all smoke and mirrors. It's banks just doing something to cover their ass. Then when you get ripped off they can say "we gave you secure stuff and you still gave out your details to fraudsters. you're liable now, not us".

  3. How will SiteKey stop phishing? by statemachine · Score: 2, Interesting

    From TFA:
    "Customers can also verify they are indeed at Bank of America's Web site by clicking on a SiteKey button. If they fail to see a secret image and phrase they had chosen earlier, they could be at a fake Web site and the target of a "phishing" scam."

    So... once the person has given his account id, password, and answers to 3 personal questions, only then can he verify BofA's site identity?

    What kind of idiot came up with that idea?

  4. Similar but effective by toshidan · Score: 2, Interesting

    Nationwide Building Society in England implements a system that still uses a PIN, but each time you log in you are asked for three random digits from your PIN.

    When it comes to cash, I'm more concerned with security than spending less time logging in. I think asking for randomized data sets at each login is a good move.

    While it's not the perfect solution (if the machine is compromised it would only take a matter of time before the phisher got the info), having a rotating login is slightly more comforting.
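    Both this post and LiquidCoooled's reply in comment 1 describe the same mechanism: the bank keeps the whole pass code and asks for a few randomly chosen positions at each login. The Python below is an added example written for this page, not code from either bank or either poster; the pass code, the number of positions per login and all class and function names are constructed assumptions. It shows the server side of the scheme, what a phishing site learns from one captured login, and a simulation of how many relayed logins it takes before every digit is known. It also makes the scheme's main cost visible: the server has to hold the secret in recoverable form, so it cannot be stored as a one-way hash.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass

# Constructed sample values (assumptions for this example, not any bank's real parameters).
CUSTOMER_PASSCODE = "482917"   # registered in person; kept recoverable, so encrypt it at rest
POSITIONS_PER_LOGIN = 3        # how many digits each login challenge asks for


@dataclass
class PartialSecretChallenge:
    """Server side of a 'give me the 1st, 3rd and last digit' login."""

    secret: str
    positions_per_login: int = POSITIONS_PER_LOGIN

    def __post_init__(self) -> None:
        if self.positions_per_login > len(self.secret):
            raise ValueError("cannot ask for more positions than the secret has")

    def new_challenge(self) -> tuple[int, ...]:
        """Choose distinct 1-based positions with a CSPRNG.

        random.sample() would be predictable from earlier challenges, which would let a
        phisher pre-collect exactly the digits the real site will ask for next.
        """
        remaining = list(range(1, len(self.secret) + 1))
        chosen: list[int] = []
        while len(chosen) < self.positions_per_login:
            chosen.append(remaining.pop(secrets.randbelow(len(remaining))))
        return tuple(sorted(chosen))

    def verify(self, positions: tuple[int, ...], answer: str) -> bool:
        """Check the digits the customer typed for the requested positions."""
        expected = "".join(self.secret[p - 1] for p in positions)
        # compare_digest keeps the timing independent of which digit is wrong
        return hmac.compare_digest(expected.encode(), answer.encode())


def attacker_knowledge(captured: list[tuple[tuple[int, ...], str]]) -> dict[int, str]:
    """What a phishing site learns from captured (positions, answer) pairs: only those digits."""
    known: dict[int, str] = {}
    for positions, answer in captured:
        for position, digit in zip(positions, answer):
            known[position] = digit
    return known


def can_attacker_answer(known: dict[int, str], positions: tuple[int, ...]) -> bool:
    """True if every position the real bank asks for was already captured."""
    return all(p in known for p in positions)


def logins_until_full_capture(server: PartialSecretChallenge) -> int:
    """Simulate a phisher relaying live logins until every digit has been observed."""
    known: dict[int, str] = {}
    logins = 0
    while len(known) < len(server.secret):
        positions = server.new_challenge()
        answer = "".join(server.secret[p - 1] for p in positions)   # victim answers honestly
        known.update(attacker_knowledge([(positions, answer)]))
        logins += 1
    return logins


if __name__ == "__main__":
    server = PartialSecretChallenge(CUSTOMER_PASSCODE)
    positions = server.new_challenge()
    print("bank asks for positions", positions)
    captured = attacker_knowledge([(positions, "".join(CUSTOMER_PASSCODE[p - 1] for p in positions))])
    print("one capture answers a fresh challenge:", can_attacker_answer(captured, server.new_challenge()))
    print("logins relayed before the whole code is known:", logins_until_full_capture(server))
```

    The simulation is LiquidCoooled's point in code: the phisher has to fool the customer more than once, but only a handful of times with a 6-digit code, and a site that forwards each real challenge live needs only one login.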

  5. Bad rip-off by Eivind · Score: 2, Interesting

    This seems like a combination of the typical insecure, stupid "personal question" with an actually good idea: the personal image.

    The first, using a "personal question" as a means of making easily guessable passwords more secure, is dumb. It is true that people often choose easily guessable passwords. But people *even* more often choose easily guessable "personal questions". "Mother's maiden name" for example. That's how Paris Hilton's address book got cracked: she'd used the hugely difficult "personal question" about the name of her dog. It takes only 10 seconds of googling to find the answer to that...

    The personally selected secret image on the other hand is a good idea: phishers rely on the fact that they can easily create a fake website that looks like the real one.

    If the real one has some element that is unique to you, they won't be able to copy that, simply because they don't know what it is.

    This *ain't* the system common in Scandinavia (and other countries) by the way. What we have is generally a one-time "tan" to authorise transactions, provided either as a paper-list where you cancel out those you used, or from a small cryptographic device that generates them using the current time, your account-number and a secret embedded key.

    It is, however, just a weaker version of the proposed "security skins", which is an excellent idea to prevent or reduce phishing.

    My bank, Skandiabanken, does this, sort of, already (though they underpublicise it). There each user has a private security certificate used to authenticate the user, in addition to the PIN.

    This helps in two ways:

    First, even if you knew my customer-id and my pin, you still could not log in on my account, you wouldn't have the certificate.

    Secondly, it enables the bank to identify me even before I log in, thus giving me a personal greeting not easily copied by phishers: on the login page, before I've entered anything the bank says: "Hello Eivind Kjørstad."

    Phishers have no easy way of doing that; they generally don't have a clue which user is sitting behind which IP.
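    The small device Eivind describes (current time, account number and an embedded secret key) is a time-based one-time code generator. The Python below is an added example for this page, not Skandiabanken's or any vendor's code; the time step, code length, drift window, device key and account number are constructed assumptions. It produces the code the device would display and the check the bank has to perform, including tolerating a slightly drifted device clock and refusing a code from a time step that has already been accepted.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
import time

# Assumed parameters for this example (not any bank's real values).
TIME_STEP = 60        # seconds each code is valid for
CODE_DIGITS = 6
DRIFT_STEPS = 1       # also accept the previous and next step, for clock drift

# Constructed sample values: key embedded in the device, and the account it was issued for.
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
ACCOUNT_NUMBER = "12345678901"


def tan_for_step(key: bytes, account: str, step: int) -> str:
    """Code for one time step: HMAC-SHA256(key, account || step), truncated to digits."""
    message = account.encode() + struct.pack(">Q", step)
    digest = hmac.new(key, message, hashlib.sha256).digest()
    # Dynamic truncation in the HOTP style: 4 bytes at an offset given by the last nibble.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def current_tan(key: bytes, account: str, now: float | None = None) -> str:
    """What the device shows right now."""
    now = time.time() if now is None else now
    return tan_for_step(key, account, int(now // TIME_STEP))


class TanVerifier:
    """Bank side: check a submitted code within a small drift window, and never accept a step twice."""

    def __init__(self, key: bytes, account: str) -> None:
        self.key = key
        self.account = account
        self.last_accepted_step = -1   # highest step already used; anything at or below is a replay

    def verify(self, code: str, now: float) -> bool:
        step = int(now // TIME_STEP)
        for candidate in range(step - DRIFT_STEPS, step + DRIFT_STEPS + 1):
            if candidate <= self.last_accepted_step:
                continue   # a code from an already-used step is a replay, even if it matches
            expected = tan_for_step(self.key, self.account, candidate)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    bank = TanVerifier(DEVICE_KEY, ACCOUNT_NUMBER)
    now = time.time()
    code = current_tan(DEVICE_KEY, ACCOUNT_NUMBER, now)
    print("device shows", code)
    print("first use accepted:", bank.verify(code, now))
    print("same code again:", bank.verify(code, now + 5))
```

    Binding the account number into the MAC input means a device personalised for one account produces useless codes for another, and recording the last accepted step is what stops a phished code from being used a second time within its minute.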

  6. Geezz ... by Elgreco1 · Score: 2, Interesting

    This is not about "phishing" other than the button. Press the button and you verify it is your bank. The questions are to verify users, because users seem to use the same password for hotmail and blog sites as with banks. I would suspect soon we will all carry a USB key coupled with a password to identify us. As for the button, all they should have is a picture of ourselves when we log in. If it is not there ... hey !!! Bingo, I am in Crusty Bank of Nigeria. Giorgis

  7. Not very effective.. by riflemann · Score: 3, Interesting

    It's about time more banks started implementing true security online. In Europe, the majority of banks give a device which gives at least the same level of security as a normal cash machine/ POS transaction.

    You put your bank card in the device, enter your PIN, and then enter a number given on the site. Hit OK and put into the site the number returned by the device. The algorithm requires the PIN and the specific card to calculate the number, so dictionary attacks are thwarted.

    Having these 3 personal questions is of limited effectiveness - until the scammers simply make a phishing site which asks the same questions.

    Why can't US (and Australian) banks just issue these card reader/token devices? It satisfies the requirements of user authentication.

    - Something you know (your PIN)
    - Something you have (card + device)

    I guess they're too cheap to do it and rely on fraud insurance to compensate for lost money.

  8. Re:3 PERSONAL Questions by peterih · Score: 2, Interesting

    That reminds me of the questions I had to answer when I wanted to travel to America in 1995 - Are you a communist? - Do you have connections to the mafia? - Do you know how to build your own handgun? And many more like that...

  9. Re:Simpler solution: password cards by Res3000 · Score: 2, Interesting

    Here in Switzerland we have a similar system. I have a login name and a password, and a little card that changes its 6-digit number every minute.

  10. SMS authentication is already being used! by clef · Score: 5, Interesting

    The National Australia Bank launched SMS authentication earlier this year.

    Whenever you transfer money or pay a bill (i.e. anything risky), it sends a unique code via SMS to your phone. You then type that number into the system before it does the transaction.

    It's free too.

    It's highly unlikely someone has both stolen your mobile phone AND phished your details.

  11. What the bank should do is ... by maxwell demon · Score: 2, Interesting

    ... to digitally sign the web page, and give a key fingerprint on paper to the customers (so they can check they are really installing the correct public key and not a fake). Signing the page would not only ensure that the page comes truly from the bank, but also that there's no malicious change in it (as might be done through a man-in-the-middle attack, e.g. to send the data to another than the bank's server).

    Does HTTP support signed web pages (as opposed to just encrypted transmission)?

    Note that the authenticity verification would not depend on some third-party certificate (where you have to trust some certification agency possibly unknown to you), but on a paper sent to you by the bank itself. Thus you only have to trust your bank (if you don't trust that, you'd better change it anyway), and fraud would need to intercept both the bank web site and the postal delivery, which I think will be beyond the ability of the typical phisher.

    --
    The Tao of math: The numbers you can count are not the real numbers.

  12. Re:Simpler solution: password cards by riflemann · Score: 3, Interesting

    This is of limited effectiveness. It works for a while, but has been cracked.

    A few months ago, a well known Dutch bank (Postbank) was targeted, with scammers directing people to a phishing site. This site asked for their username, password, and the next 3 of these codes (many people mark the ones they've used).

    Many people were duped, proving that it's not that good for security.

    Far better is the card/token type system (see my comment for details).
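    The Postbank attack described here and the card reader riflemann describes in comment 7 differ in one property: whether the code the customer types is tied to the payment it authorises. The Python below is an added example for this page, not Postbank's, any reader vendor's or any bank's code; the card key, PIN, TAN list, payee names and amounts are all constructed. It models both designs: a printed list of sequential TANs, where the "next three codes" handed to a phishing site pay whoever the attacker chooses, and a reader that MACs the destination and amount the customer keys in together with a one-time nonce from the bank, so a captured response can be neither replayed nor moved to a different payment.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample values for this example; a real card keeps its key inside the chip.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_PIN = "4321"


class TanListBank:
    """Printed list of sequential TANs: the bank only checks 'is this the next unused one'."""

    def __init__(self, tans: list[str]) -> None:
        self.tans = list(tans)
        self.next_index = 0
        self.ledger: list[tuple[str, int]] = []

    def pay(self, dest: str, amount: int, tan: str) -> bool:
        if self.next_index >= len(self.tans):
            return False
        if not hmac.compare_digest(self.tans[self.next_index], tan):
            return False
        # Nothing ties the TAN to dest or amount, so any phished TAN pays any payee.
        self.next_index += 1
        self.ledger.append((dest, amount))
        return True


def transaction_challenge(dest: str, amount: int, nonce_hex: str) -> bytes:
    """Reader and bank both hash the same payment details plus the bank's nonce."""
    return hashlib.sha256(f"{dest}|{amount}|{nonce_hex}".encode()).digest()


def response_code(card_key: bytes, challenge: bytes) -> str:
    """8-digit response: truncated HMAC-SHA256 over the challenge."""
    mac = hmac.new(card_key, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** 8).zfill(8)


class CardReader:
    """Handheld reader: needs the card (its key) and the PIN; the customer keys in what they pay."""

    def __init__(self, card_key: bytes, card_pin: str) -> None:
        self.card_key = card_key
        self.card_pin = card_pin

    def respond(self, pin_entered: str, dest: str, amount: int, nonce_hex: str) -> str | None:
        if not hmac.compare_digest(pin_entered, self.card_pin):
            return None   # wrong PIN: no response, so a stolen card alone is useless
        return response_code(self.card_key, transaction_challenge(dest, amount, nonce_hex))


class ChallengeResponseBank:
    """Bank side: one nonce per payment, checked once, against the payment it was issued for."""

    def __init__(self, card_key: bytes) -> None:
        self.card_key = card_key
        self.pending: dict[str, tuple[str, int]] = {}
        self.ledger: list[tuple[str, int]] = []

    def start_payment(self, dest: str, amount: int) -> str:
        nonce_hex = secrets.token_hex(4)        # short enough to type into the reader
        self.pending[nonce_hex] = (dest, amount)
        return nonce_hex

    def finish_payment(self, nonce_hex: str, response: str | None) -> bool:
        pending = self.pending.pop(nonce_hex, None)   # pop: each nonce is usable once
        if pending is None or response is None:
            return False
        dest, amount = pending
        expected = response_code(self.card_key, transaction_challenge(dest, amount, nonce_hex))
        if not hmac.compare_digest(expected, response):
            return False
        self.ledger.append((dest, amount))
        return True


def phished_tan_list() -> bool:
    """Victim gives a fake site their next three unused TANs; the attacker spends one."""
    bank = TanListBank(["11111111", "22222222", "33333333", "44444444"])   # constructed list
    stolen = bank.tans[bank.next_index:bank.next_index + 3]
    return bank.pay("attacker-account", 900, stolen[0])          # True: the attack works


def phished_reader_response() -> tuple[bool, bool, bool]:
    """Same attempt against the reader: honest payment, replay, substituted payment."""
    bank = ChallengeResponseBank(CARD_KEY)
    reader = CardReader(CARD_KEY, CARD_PIN)
    nonce = bank.start_payment("landlord", 50)
    response = reader.respond(CARD_PIN, "landlord", 50, nonce)
    honest = bank.finish_payment(nonce, response)                 # True
    replayed = bank.finish_payment(nonce, response)               # False: nonce consumed
    # A man in the middle swaps in its own payment at the bank, but the victim keys the
    # payment they intended into the reader, so the response covers the wrong details.
    nonce2 = bank.start_payment("attacker-account", 900)
    response2 = reader.respond(CARD_PIN, "landlord", 50, nonce2)
    substituted = bank.finish_payment(nonce2, response2)          # False
    return honest, replayed, substituted
```

    The reader design only holds up because the customer types the destination and amount into the reader themselves; a reader that MACs an opaque number from the screen would sign whatever a man in the middle substituted, which is the same weakness the TAN list has.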

  13. Re:keyloggers aren't useless by locofungus · Score: 2, Interesting

    I won't use the NatWest online banking because it requires the use of Java and JavaScript (at least it did less than a year ago).

    Any bank reasonably worried about security should not require either of these (and would recommend that they be switched off).

    Barclays don't require Java or JavaScript and their online banking isn't that hard to use, so there really isn't any excuse.

    Tim.

    --
    God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.

  14. Banks are Dumb. by pyite · Score: 2, Interesting

    So while Wachovia spent the last year or so moving AWAY from using an SSN to log in to their site, Bank of America recently switched TO using SSNs. You'd think banks would have some sort of consensus on what sort of system to adopt, but obviously not. Oh, then there's ING Direct who, for some reason unbeknownst to me, decides to not use usernames, not use SSN numbers, but use arbitrarily assigned "customer numbers" to log in. When I sent them a long letter on why they should use something easy to remember to log in, they never gave me a reply. So, people end up writing down their customer number or, in my case, calling up ING almost every time I want to log in to my account. Just give me a SecurID or SafeWord password token and the problem is simply solved. I'll even pay for it!

    --

    "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman