Slashdot Mirror


SiteKey to Prevent Phishing

Perekrestok writes "An article at CNN talks about a new system called SiteKey which will be rolled out at Bank of America across the U.S. by this fall. The system would require an online user to not only enter a password but also answer three personal questions. More interestingly, the system will have a button which will allow the user to verify that they are indeed at the bank's website and not at some scammer's fake site."

5 of 377 comments

  1. I don't have time for that junk by A+Dafa+Disciple · · Score: 5, Interesting

    When I'm on the web, even when looking at my bank account, I'm not trying to be held up by extraneous questions.

    Keep the password.
    Keep the button (which seems like a great idea by the way).
    Ditch the three questions.

    1. Re:I don't have time for that junk by LiquidCoooled · · Score: 5, Interesting

      (dunno why you're marked as troll, but anyway)

      Phishing sites will include a big button as well.
      Clicking it will say:
      "Of course you're on the real bank website"

      It does no good - I prefer the way my bank currently does it - I told them (in person when setting this up) a pass code, when logging in, they ask me for random sections of it (i.e. 1st, third and last digits).

      The scammers must manage to fool me multiple times to gain complete access to my account details.

      --
      liqbase :: faster than paper
  2. Not very effective.. by riflemann · · Score: 3, Interesting

    It's about time more banks started implementing true security online. In Europe, the majority of banks give a device which gives at least the same level of security as a normal cash machine/ POS transaction.

    You put your bank card in the device, enter your PIN, and then enter a number given on the site. Hit OK and put into the site a number returned by the device. The algorithm requires the PIN number and specific card to calculate the number, so dictionary attacks are thwarted.

    Having these 3 personal questions is of limited effectiveness - until the scammers simply make a phishing site which asks the same questions.

    Why can't US (and Australian) banks just issue these card reader/token devices? It satisfies the requirements of user authentication.

    - Something you know (your PIN)
    - Something you have (card + device)

    I guess they're too cheap to do it and rely on fraud insurance to compensate for lost money.

  3. SMS authentication is already being used! by clef · · Score: 5, Interesting

    The National Australia Bank launched SMS authentication earlier this year.

    Whenever you transfer money or pay a bill (ie. anything risky), it sends a unique code via SMS to your phone. You then type that number into the system before it does the transaction.

    It's free too.

    It's highly unlikely someone has both stolen your mobile phone AND phished your details.

  4. Re:Simpler solution: password cards by riflemann · · Score: 3, Interesting

    This is of limited effectiveness. It works for a while, but has been cracked.

    A few months ago, a well known Dutch bank (Postbank) was targeted, with scammers directing people to a phishing site. This site asked for their username, password, and the next 3 of these codes (many people mark the ones they've used).

    Many people were duped, proving that it's not that good for security.

    Far better is the card/token type system (see my comment for details).
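
The card-reader flow riflemann describes in comment 2 (insert card, enter PIN, type in the site's number, send back the device's number), sketched as an added Python example that is not part of the thread or any bank's implementation. The HMAC-SHA256 construction, the 8-digit codes, the three-try PIN lockout and the `Card`/`Bank` names are assumptions for illustration; the comment does not specify the real algorithm.

```python
import hashlib
import hmac
import secrets


def response_code(key: bytes, challenge: str) -> str:
    """8-digit code: HMAC-SHA256(card key, challenge), HOTP-style truncation (assumed)."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


class Card:
    """Constructed stand-in for card + reader: secret key, PIN checked on the card."""
    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin = key, pin
        self._max_tries = self._tries_left = max_tries

    def respond(self, pin: str, challenge: str) -> str:
        if self._tries_left == 0:
            raise PermissionError("card locked")  # PIN guessing is bounded
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            raise PermissionError("wrong PIN")
        self._tries_left = self._max_tries
        return response_code(self._key, challenge)


class Bank:
    """Server side: knows each card's key and issues one-time challenges."""
    def __init__(self):
        self._keys = {}      # account -> card key
        self._pending = {}   # account -> outstanding challenge

    def enroll(self, account: str, key: bytes) -> None:
        self._keys[account] = key

    def issue_challenge(self, account: str) -> str:
        self._pending[account] = f"{secrets.randbelow(10**8):08d}"
        return self._pending[account]

    def verify(self, account: str, code: str) -> bool:
        # pop() makes each challenge single-use, so a captured code cannot be replayed
        challenge = self._pending.pop(account, None)
        if challenge is None or account not in self._keys:
            return False
        expected = response_code(self._keys[account], challenge)
        return hmac.compare_digest(expected.encode(), code.encode())
```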